GMER 2.2.19882 - http://www.gmer.net Rootkit scan 2016-07-05 01:06:18 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-4 ST380815AS rev.4.ADA 74,51GB Running: xqo819fr.exe; Driver: C:\Users\Marcin\AppData\Local\Temp\kwliipob.sys ---- User code sections - GMER 2.2 ---- .text C:\Windows\system32\csrss.exe[384] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000770abbe0 5 bytes JMP 000000004a1b0460 .text C:\Windows\system32\csrss.exe[384] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000770abc30 5 bytes JMP 000000004a1b0450 .text C:\Windows\system32\csrss.exe[384] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000770abd90 5 bytes JMP 000000004a1b0370 .text C:\Windows\system32\csrss.exe[384] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000770abde0 1 byte JMP 000000004a1b0470 .text C:\Windows\system32\csrss.exe[384] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000770abde2 3 bytes {JMP 0xffffffffd3104690} .text C:\Windows\system32\csrss.exe[384] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000770abdf0 5 bytes JMP 000000004a1b03e0 .text C:\Windows\system32\csrss.exe[384] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000770abea0 5 bytes JMP 000000004a1b0320 .text C:\Windows\system32\csrss.exe[384] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000770abed0 5 bytes JMP 000000004a1b03b0 .text C:\Windows\system32\csrss.exe[384] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000770abef0 5 bytes JMP 000000004a1b0390 .text C:\Windows\system32\csrss.exe[384] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000770abf30 5 bytes JMP 000000004a1b02e0 .text C:\Windows\system32\csrss.exe[384] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000770abfb0 5 bytes JMP 000000004a1b02d0 .text C:\Windows\system32\csrss.exe[384] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000770abfd0 5 bytes JMP 000000004a1b0310 .text C:\Windows\system32\csrss.exe[384] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000770ac010 5 bytes JMP 000000004a1b03c0 .text C:\Windows\system32\csrss.exe[384] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000770ac060 1 byte JMP 000000004a1b03f0 .text C:\Windows\system32\csrss.exe[384] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 00000000770ac062 3 bytes {JMP 0xffffffffd3104390} .text C:\Windows\system32\csrss.exe[384] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000770ac1c0 5 bytes JMP 000000004a1b0230 .text C:\Windows\system32\csrss.exe[384] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000770ac380 5 bytes JMP 000000004a1b0480 .text C:\Windows\system32\csrss.exe[384] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000770ac3b0 5 bytes JMP 000000004a1b03a0 .text C:\Windows\system32\csrss.exe[384] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000770ac490 5 bytes JMP 000000004a1b02f0 .text C:\Windows\system32\csrss.exe[384] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000770ac4a0 5 bytes JMP 000000004a1b0350 .text C:\Windows\system32\csrss.exe[384] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000770ac500 1 byte JMP 000000004a1b0290 .text C:\Windows\system32\csrss.exe[384] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 2 00000000770ac502 3 bytes {JMP 0xffffffffd3103d90} .text C:\Windows\system32\csrss.exe[384] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000770ac590 5 bytes JMP 000000004a1b02b0 .text C:\Windows\system32\csrss.exe[384] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000770ac5b0 5 bytes JMP 000000004a1b03d0 .text C:\Windows\system32\csrss.exe[384] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000770ac5c0 5 bytes JMP 000000004a1b0330 .text C:\Windows\system32\csrss.exe[384] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000770ac630 5 bytes JMP 000000004a1b0410 .text C:\Windows\system32\csrss.exe[384] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000770ac660 5 bytes JMP 000000004a1b0240 .text C:\Windows\system32\csrss.exe[384] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000770ac920 5 bytes JMP 000000004a1b01e0 .text C:\Windows\system32\csrss.exe[384] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000770ac9e0 5 bytes JMP 000000004a1b0250 .text C:\Windows\system32\csrss.exe[384] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000770aca10 5 bytes JMP 000000004a1b0490 .text C:\Windows\system32\csrss.exe[384] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000770aca20 5 bytes JMP 000000004a1b04a0 .text C:\Windows\system32\csrss.exe[384] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000770aca50 5 bytes JMP 000000004a1b0300 .text C:\Windows\system32\csrss.exe[384] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000770aca60 5 bytes JMP 000000004a1b0360 .text C:\Windows\system32\csrss.exe[384] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000770acac0 5 bytes JMP 000000004a1b02a0 .text C:\Windows\system32\csrss.exe[384] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000770acb10 5 bytes JMP 000000004a1b02c0 .text C:\Windows\system32\csrss.exe[384] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000770acb40 5 bytes JMP 000000004a1b0380 .text C:\Windows\system32\csrss.exe[384] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000770acb50 5 bytes JMP 000000004a1b0340 .text C:\Windows\system32\csrss.exe[384] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000770ace40 5 bytes JMP 000000004a1b0440 .text C:\Windows\system32\csrss.exe[384] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000770ad040 5 bytes JMP 000000004a1b0260 .text C:\Windows\system32\csrss.exe[384] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000770ad050 5 bytes JMP 000000004a1b0270 .text C:\Windows\system32\csrss.exe[384] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000770ad060 5 bytes JMP 000000004a1b0400 .text C:\Windows\system32\csrss.exe[384] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000770ad220 5 bytes JMP 000000004a1b01f0 .text C:\Windows\system32\csrss.exe[384] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000770ad230 5 bytes JMP 000000004a1b0210 .text C:\Windows\system32\csrss.exe[384] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000770ad2a0 5 bytes JMP 000000004a1b0200 .text C:\Windows\system32\csrss.exe[384] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000770ad300 5 bytes JMP 000000004a1b0420 .text C:\Windows\system32\csrss.exe[384] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000770ad310 5 bytes JMP 000000004a1b0430 .text C:\Windows\system32\csrss.exe[384] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000770ad320 5 bytes JMP 000000004a1b0220 .text C:\Windows\system32\csrss.exe[384] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000770ad400 5 bytes JMP 000000004a1b0280 .text C:\Windows\system32\csrss.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000770abbe0 5 bytes JMP 000000004a1b0460 .text C:\Windows\system32\csrss.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000770abc30 5 bytes JMP 000000004a1b0450 .text C:\Windows\system32\csrss.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000770abd90 5 bytes JMP 000000004a1b0370 .text C:\Windows\system32\csrss.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000770abde0 1 byte JMP 000000004a1b0470 .text C:\Windows\system32\csrss.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000770abde2 3 bytes {JMP 0xffffffffd3104690} .text C:\Windows\system32\csrss.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000770abdf0 5 bytes JMP 000000004a1b03e0 .text C:\Windows\system32\csrss.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000770abea0 5 bytes JMP 000000004a1b0320 .text C:\Windows\system32\csrss.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000770abed0 5 bytes JMP 000000004a1b03b0 .text C:\Windows\system32\csrss.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000770abef0 5 bytes JMP 000000004a1b0390 .text C:\Windows\system32\csrss.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000770abf30 5 bytes JMP 000000004a1b02e0 .text C:\Windows\system32\csrss.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000770abfb0 5 bytes JMP 000000004a1b02d0 .text C:\Windows\system32\csrss.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000770abfd0 5 bytes JMP 000000004a1b0310 .text C:\Windows\system32\csrss.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000770ac010 5 bytes JMP 000000004a1b03c0 .text C:\Windows\system32\csrss.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000770ac060 1 byte JMP 000000004a1b03f0 .text C:\Windows\system32\csrss.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 00000000770ac062 3 bytes {JMP 0xffffffffd3104390} .text C:\Windows\system32\csrss.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000770ac1c0 5 bytes JMP 000000004a1b0230 .text C:\Windows\system32\csrss.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000770ac380 5 bytes JMP 000000004a1b0480 .text C:\Windows\system32\csrss.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000770ac3b0 5 bytes JMP 000000004a1b03a0 .text C:\Windows\system32\csrss.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000770ac490 5 bytes JMP 000000004a1b02f0 .text C:\Windows\system32\csrss.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000770ac4a0 5 bytes JMP 000000004a1b0350 .text C:\Windows\system32\csrss.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000770ac500 1 byte JMP 000000004a1b0290 .text C:\Windows\system32\csrss.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 2 00000000770ac502 3 bytes {JMP 0xffffffffd3103d90} .text C:\Windows\system32\csrss.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000770ac590 5 bytes JMP 000000004a1b02b0 .text C:\Windows\system32\csrss.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000770ac5b0 5 bytes JMP 000000004a1b03d0 .text C:\Windows\system32\csrss.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000770ac5c0 5 bytes JMP 000000004a1b0330 .text C:\Windows\system32\csrss.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000770ac630 5 bytes JMP 000000004a1b0410 .text C:\Windows\system32\csrss.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000770ac660 5 bytes JMP 000000004a1b0240 .text C:\Windows\system32\csrss.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000770ac920 5 bytes JMP 000000004a1b01e0 .text C:\Windows\system32\csrss.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000770ac9e0 5 bytes JMP 000000004a1b0250 .text C:\Windows\system32\csrss.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000770aca10 5 bytes JMP 000000004a1b0490 .text C:\Windows\system32\csrss.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000770aca20 5 bytes JMP 000000004a1b04a0 .text C:\Windows\system32\csrss.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000770aca50 5 bytes JMP 000000004a1b0300 .text C:\Windows\system32\csrss.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000770aca60 5 bytes JMP 000000004a1b0360 .text C:\Windows\system32\csrss.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000770acac0 5 bytes JMP 000000004a1b02a0 .text C:\Windows\system32\csrss.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000770acb10 5 bytes JMP 000000004a1b02c0 .text C:\Windows\system32\csrss.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000770acb40 5 bytes JMP 000000004a1b0380 .text C:\Windows\system32\csrss.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000770acb50 5 bytes JMP 000000004a1b0340 .text C:\Windows\system32\csrss.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000770ace40 5 bytes JMP 000000004a1b0440 .text C:\Windows\system32\csrss.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000770ad040 5 bytes JMP 000000004a1b0260 .text C:\Windows\system32\csrss.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000770ad050 5 bytes JMP 000000004a1b0270 .text C:\Windows\system32\csrss.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000770ad060 5 bytes JMP 000000004a1b0400 .text C:\Windows\system32\csrss.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000770ad220 5 bytes JMP 000000004a1b01f0 .text C:\Windows\system32\csrss.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000770ad230 5 bytes JMP 000000004a1b0210 .text C:\Windows\system32\csrss.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000770ad2a0 5 bytes JMP 000000004a1b0200 .text C:\Windows\system32\csrss.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000770ad300 5 bytes JMP 000000004a1b0420 .text C:\Windows\system32\csrss.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000770ad310 5 bytes JMP 000000004a1b0430 .text C:\Windows\system32\csrss.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000770ad320 5 bytes JMP 000000004a1b0220 .text C:\Windows\system32\csrss.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000770ad400 5 bytes JMP 000000004a1b0280 .text C:\Windows\system32\services.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000770abbe0 5 bytes JMP 0000000077210460 .text C:\Windows\system32\services.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000770abc30 5 bytes JMP 0000000077210450 .text C:\Windows\system32\services.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000770abd90 5 bytes JMP 0000000077210370 .text C:\Windows\system32\services.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000770abde0 1 byte JMP 0000000077210470 .text C:\Windows\system32\services.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000770abde2 3 bytes {JMP 0x164690} .text C:\Windows\system32\services.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000770abdf0 5 bytes JMP 00000000772103e0 .text C:\Windows\system32\services.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000770abea0 5 bytes JMP 0000000077210320 .text C:\Windows\system32\services.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000770abed0 5 bytes JMP 00000000772103b0 .text C:\Windows\system32\services.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000770abef0 5 bytes JMP 0000000077210390 .text C:\Windows\system32\services.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000770abf30 5 bytes JMP 00000000772102e0 .text C:\Windows\system32\services.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000770abfb0 5 bytes JMP 00000000772102d0 .text C:\Windows\system32\services.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000770abfd0 5 bytes JMP 0000000077210310 .text C:\Windows\system32\services.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000770ac010 5 bytes JMP 00000000772103c0 .text C:\Windows\system32\services.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000770ac060 1 byte JMP 00000000772103f0 .text C:\Windows\system32\services.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 00000000770ac062 3 bytes {JMP 0x164390} .text C:\Windows\system32\services.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000770ac1c0 5 bytes JMP 0000000077210230 .text C:\Windows\system32\services.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000770ac380 5 bytes JMP 0000000077210480 .text C:\Windows\system32\services.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000770ac3b0 5 bytes JMP 00000000772103a0 .text C:\Windows\system32\services.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000770ac490 5 bytes JMP 00000000772102f0 .text C:\Windows\system32\services.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000770ac4a0 5 bytes JMP 0000000077210350 .text C:\Windows\system32\services.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000770ac500 1 byte JMP 0000000077210290 .text C:\Windows\system32\services.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 2 00000000770ac502 3 bytes {JMP 0x163d90} .text C:\Windows\system32\services.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000770ac590 5 bytes JMP 00000000772102b0 .text C:\Windows\system32\services.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000770ac5b0 5 bytes JMP 00000000772103d0 .text C:\Windows\system32\services.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000770ac5c0 5 bytes JMP 0000000077210330 .text C:\Windows\system32\services.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000770ac630 5 bytes JMP 0000000077210410 .text C:\Windows\system32\services.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000770ac660 5 bytes JMP 0000000077210240 .text C:\Windows\system32\services.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000770ac920 5 bytes JMP 00000000772101e0 .text C:\Windows\system32\services.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000770ac9e0 5 bytes JMP 0000000077210250 .text C:\Windows\system32\services.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000770aca10 5 bytes JMP 0000000077210490 .text C:\Windows\system32\services.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000770aca20 5 bytes JMP 00000000772104a0 .text C:\Windows\system32\services.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000770aca50 5 bytes JMP 0000000077210300 .text C:\Windows\system32\services.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000770aca60 5 bytes JMP 0000000077210360 .text C:\Windows\system32\services.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000770acac0 5 bytes JMP 00000000772102a0 .text C:\Windows\system32\services.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000770acb10 5 bytes JMP 00000000772102c0 .text C:\Windows\system32\services.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000770acb40 5 bytes JMP 0000000077210380 .text C:\Windows\system32\services.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000770acb50 5 bytes JMP 0000000077210340 .text C:\Windows\system32\services.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000770ace40 5 bytes JMP 0000000077210440 .text C:\Windows\system32\services.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000770ad040 5 bytes JMP 0000000077210260 .text C:\Windows\system32\services.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000770ad050 5 bytes JMP 0000000077210270 .text C:\Windows\system32\services.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000770ad060 5 bytes JMP 0000000077210400 .text C:\Windows\system32\services.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000770ad220 5 bytes JMP 00000000772101f0 .text C:\Windows\system32\services.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000770ad230 5 bytes JMP 0000000077210210 .text C:\Windows\system32\services.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000770ad2a0 5 bytes JMP 0000000077210200 .text C:\Windows\system32\services.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000770ad300 5 bytes JMP 0000000077210420 .text C:\Windows\system32\services.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000770ad310 5 bytes JMP 0000000077210430 .text C:\Windows\system32\services.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000770ad320 5 bytes JMP 0000000077210220 .text C:\Windows\system32\services.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000770ad400 5 bytes JMP 0000000077210280 .text C:\Windows\system32\lsass.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000770abbe0 5 bytes JMP 0000000077210460 .text C:\Windows\system32\lsass.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000770abc30 5 bytes JMP 0000000077210450 .text C:\Windows\system32\lsass.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000770abd90 5 bytes JMP 0000000077210370 .text C:\Windows\system32\lsass.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000770abde0 1 byte JMP 0000000077210470 .text C:\Windows\system32\lsass.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000770abde2 3 bytes {JMP 0x164690} .text C:\Windows\system32\lsass.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000770abdf0 5 bytes JMP 00000000772103e0 .text C:\Windows\system32\lsass.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000770abea0 5 bytes JMP 0000000077210320 .text C:\Windows\system32\lsass.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000770abed0 5 bytes JMP 00000000772103b0 .text C:\Windows\system32\lsass.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000770abef0 5 bytes JMP 0000000077210390 .text C:\Windows\system32\lsass.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000770abf30 5 bytes JMP 00000000772102e0 .text C:\Windows\system32\lsass.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000770abfb0 5 bytes JMP 00000000772102d0 .text C:\Windows\system32\lsass.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000770abfd0 5 bytes JMP 0000000077210310 .text C:\Windows\system32\lsass.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000770ac010 5 bytes JMP 00000000772103c0 .text C:\Windows\system32\lsass.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000770ac060 1 byte JMP 00000000772103f0 .text C:\Windows\system32\lsass.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 00000000770ac062 3 bytes {JMP 0x164390} .text C:\Windows\system32\lsass.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000770ac1c0 5 bytes JMP 0000000077210230 .text C:\Windows\system32\lsass.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000770ac380 5 bytes JMP 0000000077210480 .text C:\Windows\system32\lsass.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000770ac3b0 5 bytes JMP 00000000772103a0 .text C:\Windows\system32\lsass.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000770ac490 5 bytes JMP 00000000772102f0 .text C:\Windows\system32\lsass.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000770ac4a0 5 bytes JMP 0000000077210350 .text C:\Windows\system32\lsass.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000770ac500 1 byte JMP 0000000077210290 .text C:\Windows\system32\lsass.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 2 00000000770ac502 3 bytes {JMP 0x163d90} .text C:\Windows\system32\lsass.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000770ac590 5 bytes JMP 00000000772102b0 .text C:\Windows\system32\lsass.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000770ac5b0 5 bytes JMP 00000000772103d0 .text C:\Windows\system32\lsass.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000770ac5c0 5 bytes JMP 0000000077210330 .text C:\Windows\system32\lsass.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000770ac630 5 bytes JMP 0000000077210410 .text C:\Windows\system32\lsass.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000770ac660 5 bytes JMP 0000000077210240 .text C:\Windows\system32\lsass.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000770ac920 5 bytes JMP 00000000772101e0 .text C:\Windows\system32\lsass.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000770ac9e0 5 bytes JMP 0000000077210250 .text C:\Windows\system32\lsass.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000770aca10 5 bytes JMP 0000000077210490 .text C:\Windows\system32\lsass.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000770aca20 5 bytes JMP 00000000772104a0 .text C:\Windows\system32\lsass.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000770aca50 5 bytes JMP 0000000077210300 .text C:\Windows\system32\lsass.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000770aca60 5 bytes JMP 0000000077210360 .text C:\Windows\system32\lsass.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000770acac0 5 bytes JMP 00000000772102a0 .text C:\Windows\system32\lsass.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000770acb10 5 bytes JMP 00000000772102c0 .text C:\Windows\system32\lsass.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000770acb40 5 bytes JMP 0000000077210380 .text C:\Windows\system32\lsass.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000770acb50 5 bytes JMP 0000000077210340 .text C:\Windows\system32\lsass.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000770ace40 5 bytes JMP 0000000077210440 .text C:\Windows\system32\lsass.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000770ad040 5 bytes JMP 0000000077210260 .text C:\Windows\system32\lsass.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000770ad050 5 bytes JMP 0000000077210270 .text C:\Windows\system32\lsass.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000770ad060 5 bytes JMP 0000000077210400 .text C:\Windows\system32\lsass.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000770ad220 5 bytes JMP 00000000772101f0 .text C:\Windows\system32\lsass.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000770ad230 5 bytes JMP 0000000077210210 .text C:\Windows\system32\lsass.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000770ad2a0 5 bytes JMP 0000000077210200 .text C:\Windows\system32\lsass.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000770ad300 5 bytes JMP 0000000077210420 .text C:\Windows\system32\lsass.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000770ad310 5 bytes JMP 0000000077210430 .text C:\Windows\system32\lsass.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000770ad320 5 bytes JMP 0000000077210220 .text C:\Windows\system32\lsass.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000770ad400 5 bytes JMP 0000000077210280 .text C:\Windows\system32\lsm.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000770abbe0 5 bytes JMP 0000000077210460 .text C:\Windows\system32\lsm.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000770abc30 5 bytes JMP 0000000077210450 .text C:\Windows\system32\lsm.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000770abd90 5 bytes JMP 0000000077210370 .text C:\Windows\system32\lsm.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000770abde0 1 byte JMP 0000000077210470 .text C:\Windows\system32\lsm.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000770abde2 3 bytes {JMP 0x164690} .text C:\Windows\system32\lsm.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000770abdf0 5 bytes JMP 00000000772103e0 .text C:\Windows\system32\lsm.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000770abea0 5 bytes JMP 0000000077210320 .text C:\Windows\system32\lsm.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000770abed0 5 bytes JMP 00000000772103b0 .text C:\Windows\system32\lsm.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000770abef0 5 bytes JMP 0000000077210390 .text C:\Windows\system32\lsm.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000770abf30 5 bytes JMP 00000000772102e0 .text C:\Windows\system32\lsm.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000770abfb0 5 bytes JMP 00000000772102d0 .text C:\Windows\system32\lsm.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000770abfd0 5 bytes JMP 0000000077210310 .text C:\Windows\system32\lsm.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000770ac010 5 bytes JMP 00000000772103c0 .text C:\Windows\system32\lsm.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000770ac060 1 byte JMP 00000000772103f0 .text C:\Windows\system32\lsm.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 00000000770ac062 3 bytes {JMP 0x164390} .text C:\Windows\system32\lsm.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000770ac1c0 5 bytes JMP 0000000077210230 .text C:\Windows\system32\lsm.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000770ac380 5 bytes JMP 0000000077210480 .text C:\Windows\system32\lsm.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000770ac3b0 5 bytes JMP 00000000772103a0 .text C:\Windows\system32\lsm.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000770ac490 5 bytes JMP 00000000772102f0 .text C:\Windows\system32\lsm.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000770ac4a0 5 bytes JMP 0000000077210350 .text C:\Windows\system32\lsm.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000770ac500 1 byte JMP 0000000077210290 .text C:\Windows\system32\lsm.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 2 00000000770ac502 3 bytes {JMP 0x163d90} .text C:\Windows\system32\lsm.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000770ac590 5 bytes JMP 00000000772102b0 .text C:\Windows\system32\lsm.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000770ac5b0 5 bytes JMP 00000000772103d0 .text C:\Windows\system32\lsm.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000770ac5c0 5 bytes JMP 0000000077210330 .text C:\Windows\system32\lsm.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000770ac630 5 bytes JMP 0000000077210410 .text C:\Windows\system32\lsm.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000770ac660 5 bytes JMP 0000000077210240 .text C:\Windows\system32\lsm.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000770ac920 5 bytes JMP 00000000772101e0 .text C:\Windows\system32\lsm.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000770ac9e0 5 bytes JMP 0000000077210250 .text C:\Windows\system32\lsm.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000770aca10 5 bytes JMP 0000000077210490 .text C:\Windows\system32\lsm.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000770aca20 5 bytes JMP 00000000772104a0 .text C:\Windows\system32\lsm.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000770aca50 5 bytes JMP 0000000077210300 .text C:\Windows\system32\lsm.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000770aca60 5 bytes JMP 0000000077210360 .text C:\Windows\system32\lsm.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000770acac0 5 bytes JMP 00000000772102a0 .text C:\Windows\system32\lsm.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000770acb10 5 bytes JMP 00000000772102c0 .text C:\Windows\system32\lsm.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000770acb40 5 bytes JMP 0000000077210380 .text C:\Windows\system32\lsm.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000770acb50 5 bytes JMP 0000000077210340 .text C:\Windows\system32\lsm.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000770ace40 5 bytes JMP 0000000077210440 .text C:\Windows\system32\lsm.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000770ad040 5 bytes JMP 0000000077210260 .text C:\Windows\system32\lsm.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000770ad050 5 bytes JMP 0000000077210270 .text C:\Windows\system32\lsm.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000770ad060 5 bytes JMP 0000000077210400 .text C:\Windows\system32\lsm.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000770ad220 5 bytes JMP 00000000772101f0 .text C:\Windows\system32\lsm.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000770ad230 5 bytes JMP 0000000077210210 .text C:\Windows\system32\lsm.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000770ad2a0 5 bytes JMP 0000000077210200 .text C:\Windows\system32\lsm.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000770ad300 5 bytes JMP 0000000077210420 .text C:\Windows\system32\lsm.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000770ad310 5 bytes JMP 0000000077210430 .text C:\Windows\system32\lsm.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000770ad320 5 bytes JMP 0000000077210220 .text C:\Windows\system32\lsm.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000770ad400 5 bytes JMP 0000000077210280 .text C:\Windows\system32\svchost.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000770abbe0 5 bytes JMP 0000000077210460 .text C:\Windows\system32\svchost.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000770abc30 5 bytes JMP 0000000077210450 .text C:\Windows\system32\svchost.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000770abd90 5 bytes JMP 0000000077210370 .text C:\Windows\system32\svchost.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000770abde0 1 byte JMP 0000000077210470 .text C:\Windows\system32\svchost.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000770abde2 3 bytes {JMP 0x164690} .text C:\Windows\system32\svchost.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000770abdf0 5 bytes JMP 00000000772103e0 .text C:\Windows\system32\svchost.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000770abea0 5 bytes JMP 0000000077210320 .text C:\Windows\system32\svchost.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000770abed0 5 bytes JMP 00000000772103b0 .text C:\Windows\system32\svchost.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000770abef0 5 bytes JMP 0000000077210390 .text C:\Windows\system32\svchost.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000770abf30 5 bytes JMP 00000000772102e0 .text C:\Windows\system32\svchost.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000770abfb0 5 bytes JMP 00000000772102d0 .text C:\Windows\system32\svchost.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000770abfd0 5 bytes JMP 0000000077210310 .text C:\Windows\system32\svchost.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000770ac010 5 bytes JMP 00000000772103c0 .text C:\Windows\system32\svchost.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000770ac060 1 byte JMP 00000000772103f0 .text C:\Windows\system32\svchost.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 00000000770ac062 3 bytes {JMP 0x164390} .text C:\Windows\system32\svchost.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000770ac1c0 5 bytes JMP 0000000077210230 .text C:\Windows\system32\svchost.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000770ac380 5 bytes JMP 0000000077210480 .text C:\Windows\system32\svchost.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000770ac3b0 5 bytes JMP 00000000772103a0 .text C:\Windows\system32\svchost.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000770ac490 5 bytes JMP 00000000772102f0 .text C:\Windows\system32\svchost.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000770ac4a0 5 bytes JMP 0000000077210350 .text C:\Windows\system32\svchost.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000770ac500 1 byte JMP 0000000077210290 .text C:\Windows\system32\svchost.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 2 00000000770ac502 3 bytes {JMP 0x163d90} .text C:\Windows\system32\svchost.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000770ac590 5 bytes JMP 00000000772102b0 .text C:\Windows\system32\svchost.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000770ac5b0 5 bytes JMP 00000000772103d0 .text C:\Windows\system32\svchost.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000770ac5c0 5 bytes JMP 0000000077210330 .text C:\Windows\system32\svchost.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000770ac630 5 bytes JMP 0000000077210410 .text C:\Windows\system32\svchost.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000770ac660 5 bytes JMP 0000000077210240 .text C:\Windows\system32\svchost.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000770ac920 5 bytes JMP 00000000772101e0 .text C:\Windows\system32\svchost.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000770ac9e0 5 bytes JMP 0000000077210250 .text C:\Windows\system32\svchost.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000770aca10 5 bytes JMP 0000000077210490 .text C:\Windows\system32\svchost.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000770aca20 5 bytes JMP 00000000772104a0 .text C:\Windows\system32\svchost.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000770aca50 5 bytes JMP 0000000077210300 .text C:\Windows\system32\svchost.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000770aca60 5 bytes JMP 0000000077210360 .text C:\Windows\system32\svchost.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000770acac0 5 bytes JMP 00000000772102a0 .text C:\Windows\system32\svchost.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000770acb10 5 bytes JMP 00000000772102c0 .text C:\Windows\system32\svchost.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000770acb40 5 bytes JMP 0000000077210380 .text C:\Windows\system32\svchost.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000770acb50 5 bytes JMP 0000000077210340 .text C:\Windows\system32\svchost.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000770ace40 5 bytes JMP 0000000077210440 .text C:\Windows\system32\svchost.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000770ad040 5 bytes JMP 0000000077210260 .text C:\Windows\system32\svchost.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000770ad050 5 bytes JMP 0000000077210270 .text C:\Windows\system32\svchost.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000770ad060 5 bytes JMP 0000000077210400 .text C:\Windows\system32\svchost.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000770ad220 5 bytes JMP 00000000772101f0 .text C:\Windows\system32\svchost.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000770ad230 5 bytes JMP 0000000077210210 .text C:\Windows\system32\svchost.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000770ad2a0 5 bytes JMP 0000000077210200 .text C:\Windows\system32\svchost.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000770ad300 5 bytes JMP 0000000077210420 .text C:\Windows\system32\svchost.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000770ad310 5 bytes JMP 0000000077210430 .text C:\Windows\system32\svchost.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000770ad320 5 bytes JMP 0000000077210220 .text C:\Windows\system32\svchost.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000770ad400 5 bytes JMP 0000000077210280 .text C:\Windows\system32\winlogon.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000770abbe0 5 bytes JMP 0000000077210460 .text C:\Windows\system32\winlogon.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000770abc30 5 bytes JMP 0000000077210450 .text C:\Windows\system32\winlogon.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000770abd90 5 bytes JMP 0000000077210370 .text C:\Windows\system32\winlogon.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000770abde0 1 byte JMP 0000000077210470 .text C:\Windows\system32\winlogon.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000770abde2 3 bytes {JMP 0x164690} .text C:\Windows\system32\winlogon.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000770abdf0 5 bytes JMP 00000000772103e0 .text C:\Windows\system32\winlogon.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000770abea0 5 bytes JMP 0000000077210320 .text C:\Windows\system32\winlogon.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000770abed0 5 bytes JMP 00000000772103b0 .text C:\Windows\system32\winlogon.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000770abef0 5 bytes JMP 0000000077210390 .text C:\Windows\system32\winlogon.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000770abf30 5 bytes JMP 00000000772102e0 .text C:\Windows\system32\winlogon.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000770abfb0 5 bytes JMP 00000000772102d0 .text C:\Windows\system32\winlogon.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000770abfd0 5 bytes JMP 0000000077210310 .text C:\Windows\system32\winlogon.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000770ac010 5 bytes JMP 00000000772103c0 .text C:\Windows\system32\winlogon.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000770ac060 1 byte JMP 00000000772103f0 .text C:\Windows\system32\winlogon.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 00000000770ac062 3 bytes {JMP 0x164390} .text C:\Windows\system32\winlogon.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000770ac1c0 5 bytes JMP 0000000077210230 .text C:\Windows\system32\winlogon.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000770ac380 5 bytes JMP 0000000077210480 .text C:\Windows\system32\winlogon.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000770ac3b0 5 bytes JMP 00000000772103a0 .text C:\Windows\system32\winlogon.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000770ac490 5 bytes JMP 00000000772102f0 .text C:\Windows\system32\winlogon.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000770ac4a0 5 bytes JMP 0000000077210350 .text C:\Windows\system32\winlogon.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000770ac500 1 byte JMP 0000000077210290 .text C:\Windows\system32\winlogon.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 2 00000000770ac502 3 bytes {JMP 0x163d90} .text C:\Windows\system32\winlogon.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000770ac590 5 bytes JMP 00000000772102b0 .text C:\Windows\system32\winlogon.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000770ac5b0 5 bytes JMP 00000000772103d0 .text C:\Windows\system32\winlogon.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000770ac5c0 5 bytes JMP 0000000077210330 .text C:\Windows\system32\winlogon.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000770ac630 5 bytes JMP 0000000077210410 .text C:\Windows\system32\winlogon.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000770ac660 5 bytes JMP 0000000077210240 .text C:\Windows\system32\winlogon.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000770ac920 5 bytes JMP 00000000772101e0 .text C:\Windows\system32\winlogon.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000770ac9e0 5 bytes JMP 0000000077210250 .text C:\Windows\system32\winlogon.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000770aca10 5 bytes JMP 0000000077210490 .text C:\Windows\system32\winlogon.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000770aca20 5 bytes JMP 00000000772104a0 .text C:\Windows\system32\winlogon.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000770aca50 5 bytes JMP 0000000077210300 .text C:\Windows\system32\winlogon.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000770aca60 5 bytes JMP 0000000077210360 .text C:\Windows\system32\winlogon.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000770acac0 5 bytes JMP 00000000772102a0 .text C:\Windows\system32\winlogon.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000770acb10 5 bytes JMP 00000000772102c0 .text C:\Windows\system32\winlogon.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000770acb40 5 bytes JMP 0000000077210380 .text C:\Windows\system32\winlogon.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000770acb50 5 bytes JMP 0000000077210340 .text C:\Windows\system32\winlogon.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000770ace40 5 bytes JMP 0000000077210440 .text C:\Windows\system32\winlogon.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000770ad040 5 bytes JMP 0000000077210260 .text C:\Windows\system32\winlogon.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000770ad050 5 bytes JMP 0000000077210270 .text C:\Windows\system32\winlogon.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000770ad060 5 bytes JMP 0000000077210400 .text C:\Windows\system32\winlogon.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000770ad220 5 bytes JMP 00000000772101f0 .text C:\Windows\system32\winlogon.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000770ad230 5 bytes JMP 0000000077210210 .text C:\Windows\system32\winlogon.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000770ad2a0 5 bytes JMP 0000000077210200 .text C:\Windows\system32\winlogon.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000770ad300 5 bytes JMP 0000000077210420 .text C:\Windows\system32\winlogon.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000770ad310 5 bytes JMP 0000000077210430 .text C:\Windows\system32\winlogon.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000770ad320 5 bytes JMP 0000000077210220 .text C:\Windows\system32\winlogon.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000770ad400 5 bytes JMP 0000000077210280 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000770abbe0 5 bytes JMP 0000000077210460 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000770abc30 5 bytes JMP 0000000077210450 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000770abd90 5 bytes JMP 0000000077210370 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000770abde0 1 byte JMP 0000000077210470 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000770abde2 3 bytes {JMP 0x164690} .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000770abdf0 5 bytes JMP 00000000772103e0 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000770abea0 5 bytes JMP 0000000077210320 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000770abed0 5 bytes JMP 00000000772103b0 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000770abef0 5 bytes JMP 0000000077210390 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000770abf30 5 bytes JMP 00000000772102e0 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000770abfb0 5 bytes JMP 00000000772102d0 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000770abfd0 5 bytes JMP 0000000077210310 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000770ac010 5 bytes JMP 00000000772103c0 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000770ac060 1 byte JMP 00000000772103f0 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 00000000770ac062 3 bytes {JMP 0x164390} .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000770ac1c0 5 bytes JMP 0000000077210230 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000770ac380 5 bytes JMP 0000000077210480 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000770ac3b0 5 bytes JMP 00000000772103a0 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000770ac490 5 bytes JMP 00000000772102f0 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000770ac4a0 5 bytes JMP 0000000077210350 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000770ac500 1 byte JMP 0000000077210290 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 2 00000000770ac502 3 bytes {JMP 0x163d90} .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000770ac590 5 bytes JMP 00000000772102b0 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000770ac5b0 5 bytes JMP 00000000772103d0 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000770ac5c0 5 bytes JMP 0000000077210330 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000770ac630 5 bytes JMP 0000000077210410 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000770ac660 5 bytes JMP 0000000077210240 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000770ac920 5 bytes JMP 00000000772101e0 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000770ac9e0 5 bytes JMP 0000000077210250 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000770aca10 5 bytes JMP 0000000077210490 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000770aca20 5 bytes JMP 00000000772104a0 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000770aca50 5 bytes JMP 0000000077210300 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000770aca60 5 bytes JMP 0000000077210360 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000770acac0 5 bytes JMP 00000000772102a0 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000770acb10 5 bytes JMP 00000000772102c0 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000770acb40 5 bytes JMP 0000000077210380 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000770acb50 5 bytes JMP 0000000077210340 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000770ace40 5 bytes JMP 0000000077210440 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000770ad040 5 bytes JMP 0000000077210260 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000770ad050 5 bytes JMP 0000000077210270 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000770ad060 5 bytes JMP 0000000077210400 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000770ad220 5 bytes JMP 00000000772101f0 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000770ad230 5 bytes JMP 0000000077210210 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000770ad2a0 5 bytes JMP 0000000077210200 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000770ad300 5 bytes JMP 0000000077210420 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000770ad310 5 bytes JMP 0000000077210430 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000770ad320 5 bytes JMP 0000000077210220 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000770ad400 5 bytes JMP 0000000077210280 .text C:\Windows\system32\atiesrxx.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000770abbe0 5 bytes JMP 0000000077210460 .text C:\Windows\system32\atiesrxx.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000770abc30 5 bytes JMP 0000000077210450 .text C:\Windows\system32\atiesrxx.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000770abd90 5 bytes JMP 0000000077210370 .text C:\Windows\system32\atiesrxx.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000770abde0 1 byte JMP 0000000077210470 .text C:\Windows\system32\atiesrxx.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000770abde2 3 bytes {JMP 0x164690} .text C:\Windows\system32\atiesrxx.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000770abdf0 5 bytes JMP 00000000772103e0 .text C:\Windows\system32\atiesrxx.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000770abea0 5 bytes JMP 0000000077210320 .text C:\Windows\system32\atiesrxx.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000770abed0 5 bytes JMP 00000000772103b0 .text C:\Windows\system32\atiesrxx.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000770abef0 5 bytes JMP 0000000077210390 .text C:\Windows\system32\atiesrxx.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000770abf30 5 bytes JMP 00000000772102e0 .text C:\Windows\system32\atiesrxx.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000770abfb0 5 bytes JMP 00000000772102d0 .text C:\Windows\system32\atiesrxx.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000770abfd0 5 bytes JMP 0000000077210310 .text C:\Windows\system32\atiesrxx.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000770ac010 5 bytes JMP 00000000772103c0 .text C:\Windows\system32\atiesrxx.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000770ac060 1 byte JMP 00000000772103f0 .text C:\Windows\system32\atiesrxx.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 00000000770ac062 3 bytes {JMP 0x164390} .text C:\Windows\system32\atiesrxx.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000770ac1c0 5 bytes JMP 0000000077210230 .text C:\Windows\system32\atiesrxx.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000770ac380 5 bytes JMP 0000000077210480 .text C:\Windows\system32\atiesrxx.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000770ac3b0 5 bytes JMP 00000000772103a0 .text C:\Windows\system32\atiesrxx.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000770ac490 5 bytes JMP 00000000772102f0 .text C:\Windows\system32\atiesrxx.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000770ac4a0 5 bytes JMP 0000000077210350 .text C:\Windows\system32\atiesrxx.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000770ac500 1 byte JMP 0000000077210290 .text C:\Windows\system32\atiesrxx.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 2 00000000770ac502 3 bytes {JMP 0x163d90} .text C:\Windows\system32\atiesrxx.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000770ac590 5 bytes JMP 00000000772102b0 .text C:\Windows\system32\atiesrxx.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000770ac5b0 5 bytes JMP 00000000772103d0 .text C:\Windows\system32\atiesrxx.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000770ac5c0 5 bytes JMP 0000000077210330 .text C:\Windows\system32\atiesrxx.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000770ac630 5 bytes JMP 0000000077210410 .text C:\Windows\system32\atiesrxx.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000770ac660 5 bytes JMP 0000000077210240 .text C:\Windows\system32\atiesrxx.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000770ac920 5 bytes JMP 00000000772101e0 .text C:\Windows\system32\atiesrxx.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000770ac9e0 5 bytes JMP 0000000077210250 .text C:\Windows\system32\atiesrxx.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000770aca10 5 bytes JMP 0000000077210490 .text C:\Windows\system32\atiesrxx.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000770aca20 5 bytes JMP 00000000772104a0 .text C:\Windows\system32\atiesrxx.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000770aca50 5 bytes JMP 0000000077210300 .text C:\Windows\system32\atiesrxx.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000770aca60 5 bytes JMP 0000000077210360 .text C:\Windows\system32\atiesrxx.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000770acac0 5 bytes JMP 00000000772102a0 .text C:\Windows\system32\atiesrxx.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000770acb10 5 bytes JMP 00000000772102c0 .text C:\Windows\system32\atiesrxx.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000770acb40 5 bytes JMP 0000000077210380 .text C:\Windows\system32\atiesrxx.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000770acb50 5 bytes JMP 0000000077210340 .text C:\Windows\system32\atiesrxx.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000770ace40 5 bytes JMP 0000000077210440 .text C:\Windows\system32\atiesrxx.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000770ad040 5 bytes JMP 0000000077210260 .text C:\Windows\system32\atiesrxx.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000770ad050 5 bytes JMP 0000000077210270 .text C:\Windows\system32\atiesrxx.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000770ad060 5 bytes JMP 0000000077210400 .text C:\Windows\system32\atiesrxx.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000770ad220 5 bytes JMP 00000000772101f0 .text C:\Windows\system32\atiesrxx.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000770ad230 5 bytes JMP 0000000077210210 .text C:\Windows\system32\atiesrxx.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000770ad2a0 5 bytes JMP 0000000077210200 .text C:\Windows\system32\atiesrxx.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000770ad300 5 bytes JMP 0000000077210420 .text C:\Windows\system32\atiesrxx.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000770ad310 5 bytes JMP 0000000077210430 .text C:\Windows\system32\atiesrxx.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000770ad320 5 bytes JMP 0000000077210220 .text C:\Windows\system32\atiesrxx.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000770ad400 5 bytes JMP 0000000077210280 .text C:\Windows\System32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000770abbe0 5 bytes JMP 0000000077210460 .text C:\Windows\System32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000770abc30 5 bytes JMP 0000000077210450 .text C:\Windows\System32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000770abd90 5 bytes JMP 0000000077210370 .text C:\Windows\System32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000770abde0 1 byte JMP 0000000077210470 .text C:\Windows\System32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000770abde2 3 bytes {JMP 0x164690} .text C:\Windows\System32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000770abdf0 5 bytes JMP 00000000772103e0 .text C:\Windows\System32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000770abea0 5 bytes JMP 0000000077210320 .text C:\Windows\System32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000770abed0 5 bytes JMP 00000000772103b0 .text C:\Windows\System32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000770abef0 5 bytes JMP 0000000077210390 .text C:\Windows\System32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000770abf30 5 bytes JMP 00000000772102e0 .text C:\Windows\System32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000770abfb0 5 bytes JMP 00000000772102d0 .text C:\Windows\System32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000770abfd0 5 bytes JMP 0000000077210310 .text C:\Windows\System32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000770ac010 5 bytes JMP 00000000772103c0 .text C:\Windows\System32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000770ac060 1 byte JMP 00000000772103f0 .text C:\Windows\System32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 00000000770ac062 3 bytes {JMP 0x164390} .text C:\Windows\System32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000770ac1c0 5 bytes JMP 0000000077210230 .text C:\Windows\System32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000770ac380 5 bytes JMP 0000000077210480 .text C:\Windows\System32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000770ac3b0 5 bytes JMP 00000000772103a0 .text C:\Windows\System32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000770ac490 5 bytes JMP 00000000772102f0 .text C:\Windows\System32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000770ac4a0 5 bytes JMP 0000000077210350 .text C:\Windows\System32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000770ac500 1 byte JMP 0000000077210290 .text C:\Windows\System32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 2 00000000770ac502 3 bytes {JMP 0x163d90} .text C:\Windows\System32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000770ac590 5 bytes JMP 00000000772102b0 .text C:\Windows\System32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000770ac5b0 5 bytes JMP 00000000772103d0 .text C:\Windows\System32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000770ac5c0 5 bytes JMP 0000000077210330 .text C:\Windows\System32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000770ac630 5 bytes JMP 0000000077210410 .text C:\Windows\System32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000770ac660 5 bytes JMP 0000000077210240 .text C:\Windows\System32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000770ac920 5 bytes JMP 00000000772101e0 .text C:\Windows\System32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000770ac9e0 5 bytes JMP 0000000077210250 .text C:\Windows\System32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000770aca10 5 bytes JMP 0000000077210490 .text C:\Windows\System32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000770aca20 5 bytes JMP 00000000772104a0 .text C:\Windows\System32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000770aca50 5 bytes JMP 0000000077210300 .text C:\Windows\System32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000770aca60 5 bytes JMP 0000000077210360 .text C:\Windows\System32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000770acac0 5 bytes JMP 00000000772102a0 .text C:\Windows\System32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000770acb10 5 bytes JMP 00000000772102c0 .text C:\Windows\System32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000770acb40 5 bytes JMP 0000000077210380 .text C:\Windows\System32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000770acb50 5 bytes JMP 0000000077210340 .text C:\Windows\System32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000770ace40 5 bytes JMP 0000000077210440 .text C:\Windows\System32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000770ad040 5 bytes JMP 0000000077210260 .text C:\Windows\System32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000770ad050 5 bytes JMP 0000000077210270 .text C:\Windows\System32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000770ad060 5 bytes JMP 0000000077210400 .text C:\Windows\System32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000770ad220 5 bytes JMP 00000000772101f0 .text C:\Windows\System32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000770ad230 5 bytes JMP 0000000077210210 .text C:\Windows\System32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000770ad2a0 5 bytes JMP 0000000077210200 .text C:\Windows\System32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000770ad300 5 bytes JMP 0000000077210420 .text C:\Windows\System32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000770ad310 5 bytes JMP 0000000077210430 .text C:\Windows\System32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000770ad320 5 bytes JMP 0000000077210220 .text C:\Windows\System32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000770ad400 5 bytes JMP 0000000077210280 .text C:\Windows\System32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000770abbe0 5 bytes JMP 0000000077210460 .text C:\Windows\System32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000770abc30 5 bytes JMP 0000000077210450 .text C:\Windows\System32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000770abd90 5 bytes JMP 0000000077210370 .text C:\Windows\System32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000770abde0 1 byte JMP 0000000077210470 .text C:\Windows\System32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000770abde2 3 bytes {JMP 0x164690} .text C:\Windows\System32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000770abdf0 5 bytes JMP 00000000772103e0 .text C:\Windows\System32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000770abea0 5 bytes JMP 0000000077210320 .text C:\Windows\System32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000770abed0 5 bytes JMP 00000000772103b0 .text C:\Windows\System32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000770abef0 5 bytes JMP 0000000077210390 .text C:\Windows\System32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000770abf30 5 bytes JMP 00000000772102e0 .text C:\Windows\System32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000770abfb0 5 bytes JMP 00000000772102d0 .text C:\Windows\System32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000770abfd0 5 bytes JMP 0000000077210310 .text C:\Windows\System32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000770ac010 5 bytes JMP 00000000772103c0 .text C:\Windows\System32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000770ac060 1 byte JMP 00000000772103f0 .text C:\Windows\System32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 00000000770ac062 3 bytes {JMP 0x164390} .text C:\Windows\System32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000770ac1c0 5 bytes JMP 0000000077210230 .text C:\Windows\System32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000770ac380 5 bytes JMP 0000000077210480 .text C:\Windows\System32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000770ac3b0 5 bytes JMP 00000000772103a0 .text C:\Windows\System32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000770ac490 5 bytes JMP 00000000772102f0 .text C:\Windows\System32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000770ac4a0 5 bytes JMP 0000000077210350 .text C:\Windows\System32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000770ac500 1 byte JMP 0000000077210290 .text C:\Windows\System32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 2 00000000770ac502 3 bytes {JMP 0x163d90} .text C:\Windows\System32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000770ac590 5 bytes JMP 00000000772102b0 .text C:\Windows\System32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000770ac5b0 5 bytes JMP 00000000772103d0 .text C:\Windows\System32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000770ac5c0 5 bytes JMP 0000000077210330 .text C:\Windows\System32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000770ac630 5 bytes JMP 0000000077210410 .text C:\Windows\System32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000770ac660 5 bytes JMP 0000000077210240 .text C:\Windows\System32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000770ac920 5 bytes JMP 00000000772101e0 .text C:\Windows\System32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000770ac9e0 5 bytes JMP 0000000077210250 .text C:\Windows\System32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000770aca10 5 bytes JMP 0000000077210490 .text C:\Windows\System32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000770aca20 5 bytes JMP 00000000772104a0 .text C:\Windows\System32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000770aca50 5 bytes JMP 0000000077210300 .text C:\Windows\System32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000770aca60 5 bytes JMP 0000000077210360 .text C:\Windows\System32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000770acac0 5 bytes JMP 00000000772102a0 .text C:\Windows\System32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000770acb10 5 bytes JMP 00000000772102c0 .text C:\Windows\System32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000770acb40 5 bytes JMP 0000000077210380 .text C:\Windows\System32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000770acb50 5 bytes JMP 0000000077210340 .text C:\Windows\System32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000770ace40 5 bytes JMP 0000000077210440 .text C:\Windows\System32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000770ad040 5 bytes JMP 0000000077210260 .text C:\Windows\System32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000770ad050 5 bytes JMP 0000000077210270 .text C:\Windows\System32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000770ad060 5 bytes JMP 0000000077210400 .text C:\Windows\System32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000770ad220 5 bytes JMP 00000000772101f0 .text C:\Windows\System32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000770ad230 5 bytes JMP 0000000077210210 .text C:\Windows\System32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000770ad2a0 5 bytes JMP 0000000077210200 .text C:\Windows\System32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000770ad300 5 bytes JMP 0000000077210420 .text C:\Windows\System32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000770ad310 5 bytes JMP 0000000077210430 .text C:\Windows\System32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000770ad320 5 bytes JMP 0000000077210220 .text C:\Windows\System32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000770ad400 5 bytes JMP 0000000077210280 .text C:\Windows\system32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000770abbe0 5 bytes JMP 0000000077210460 .text C:\Windows\system32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000770abc30 5 bytes JMP 0000000077210450 .text C:\Windows\system32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000770abd90 5 bytes JMP 0000000077210370 .text C:\Windows\system32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000770abde0 1 byte JMP 0000000077210470 .text C:\Windows\system32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000770abde2 3 bytes {JMP 0x164690} .text C:\Windows\system32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000770abdf0 5 bytes JMP 00000000772103e0 .text C:\Windows\system32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000770abea0 5 bytes JMP 0000000077210320 .text C:\Windows\system32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000770abed0 5 bytes JMP 00000000772103b0 .text C:\Windows\system32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000770abef0 5 bytes JMP 0000000077210390 .text C:\Windows\system32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000770abf30 5 bytes JMP 00000000772102e0 .text C:\Windows\system32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000770abfb0 5 bytes JMP 00000000772102d0 .text C:\Windows\system32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000770abfd0 5 bytes JMP 0000000077210310 .text C:\Windows\system32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000770ac010 5 bytes JMP 00000000772103c0 .text C:\Windows\system32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000770ac060 1 byte JMP 00000000772103f0 .text C:\Windows\system32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 00000000770ac062 3 bytes {JMP 0x164390} .text C:\Windows\system32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000770ac1c0 5 bytes JMP 0000000077210230 .text C:\Windows\system32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000770ac380 5 bytes JMP 0000000077210480 .text C:\Windows\system32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000770ac3b0 5 bytes JMP 00000000772103a0 .text C:\Windows\system32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000770ac490 5 bytes JMP 00000000772102f0 .text C:\Windows\system32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000770ac4a0 5 bytes JMP 0000000077210350 .text C:\Windows\system32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000770ac500 1 byte JMP 0000000077210290 .text C:\Windows\system32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 2 00000000770ac502 3 bytes {JMP 0x163d90} .text C:\Windows\system32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000770ac590 5 bytes JMP 00000000772102b0 .text C:\Windows\system32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000770ac5b0 5 bytes JMP 00000000772103d0 .text C:\Windows\system32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000770ac5c0 5 bytes JMP 0000000077210330 .text C:\Windows\system32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000770ac630 5 bytes JMP 0000000077210410 .text C:\Windows\system32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000770ac660 5 bytes JMP 0000000077210240 .text C:\Windows\system32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000770ac920 5 bytes JMP 00000000772101e0 .text C:\Windows\system32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000770ac9e0 5 bytes JMP 0000000077210250 .text C:\Windows\system32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000770aca10 5 bytes JMP 0000000077210490 .text C:\Windows\system32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000770aca20 5 bytes JMP 00000000772104a0 .text C:\Windows\system32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000770aca50 5 bytes JMP 0000000077210300 .text C:\Windows\system32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000770aca60 5 bytes JMP 0000000077210360 .text C:\Windows\system32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000770acac0 5 bytes JMP 00000000772102a0 .text C:\Windows\system32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000770acb10 5 bytes JMP 00000000772102c0 .text C:\Windows\system32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000770acb40 5 bytes JMP 0000000077210380 .text C:\Windows\system32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000770acb50 5 bytes JMP 0000000077210340 .text C:\Windows\system32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000770ace40 5 bytes JMP 0000000077210440 .text C:\Windows\system32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000770ad040 5 bytes JMP 0000000077210260 .text C:\Windows\system32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000770ad050 5 bytes JMP 0000000077210270 .text C:\Windows\system32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000770ad060 5 bytes JMP 0000000077210400 .text C:\Windows\system32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000770ad220 5 bytes JMP 00000000772101f0 .text C:\Windows\system32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000770ad230 5 bytes JMP 0000000077210210 .text C:\Windows\system32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000770ad2a0 5 bytes JMP 0000000077210200 .text C:\Windows\system32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000770ad300 5 bytes JMP 0000000077210420 .text C:\Windows\system32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000770ad310 5 bytes JMP 0000000077210430 .text C:\Windows\system32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000770ad320 5 bytes JMP 0000000077210220 .text C:\Windows\system32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000770ad400 5 bytes JMP 0000000077210280 .text C:\Windows\system32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000770abbe0 5 bytes JMP 0000000077210460 .text C:\Windows\system32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000770abc30 5 bytes JMP 0000000077210450 .text C:\Windows\system32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000770abd90 5 bytes JMP 0000000077210370 .text C:\Windows\system32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000770abde0 1 byte JMP 0000000077210470 .text C:\Windows\system32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000770abde2 3 bytes {JMP 0x164690} .text C:\Windows\system32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000770abdf0 5 bytes JMP 00000000772103e0 .text C:\Windows\system32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000770abea0 5 bytes JMP 0000000077210320 .text C:\Windows\system32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000770abed0 5 bytes JMP 00000000772103b0 .text C:\Windows\system32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000770abef0 5 bytes JMP 0000000077210390 .text C:\Windows\system32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000770abf30 5 bytes JMP 00000000772102e0 .text C:\Windows\system32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000770abfb0 5 bytes JMP 00000000772102d0 .text C:\Windows\system32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000770abfd0 5 bytes JMP 0000000077210310 .text C:\Windows\system32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000770ac010 5 bytes JMP 00000000772103c0 .text C:\Windows\system32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000770ac060 1 byte JMP 00000000772103f0 .text C:\Windows\system32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 00000000770ac062 3 bytes {JMP 0x164390} .text C:\Windows\system32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000770ac1c0 5 bytes JMP 0000000077210230 .text C:\Windows\system32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000770ac380 5 bytes JMP 0000000077210480 .text C:\Windows\system32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000770ac3b0 5 bytes JMP 00000000772103a0 .text C:\Windows\system32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000770ac490 5 bytes JMP 00000000772102f0 .text C:\Windows\system32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000770ac4a0 5 bytes JMP 0000000077210350 .text C:\Windows\system32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000770ac500 1 byte JMP 0000000077210290 .text C:\Windows\system32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 2 00000000770ac502 3 bytes {JMP 0x163d90} .text C:\Windows\system32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000770ac590 5 bytes JMP 00000000772102b0 .text C:\Windows\system32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000770ac5b0 5 bytes JMP 00000000772103d0 .text C:\Windows\system32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000770ac5c0 5 bytes JMP 0000000077210330 .text C:\Windows\system32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000770ac630 5 bytes JMP 0000000077210410 .text C:\Windows\system32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000770ac660 5 bytes JMP 0000000077210240 .text C:\Windows\system32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000770ac920 5 bytes JMP 00000000772101e0 .text C:\Windows\system32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000770ac9e0 5 bytes JMP 0000000077210250 .text C:\Windows\system32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000770aca10 5 bytes JMP 0000000077210490 .text C:\Windows\system32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000770aca20 5 bytes JMP 00000000772104a0 .text C:\Windows\system32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000770aca50 5 bytes JMP 0000000077210300 .text C:\Windows\system32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000770aca60 5 bytes JMP 0000000077210360 .text C:\Windows\system32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000770acac0 5 bytes JMP 00000000772102a0 .text C:\Windows\system32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000770acb10 5 bytes JMP 00000000772102c0 .text C:\Windows\system32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000770acb40 5 bytes JMP 0000000077210380 .text C:\Windows\system32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000770acb50 5 bytes JMP 0000000077210340 .text C:\Windows\system32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000770ace40 5 bytes JMP 0000000077210440 .text C:\Windows\system32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000770ad040 5 bytes JMP 0000000077210260 .text C:\Windows\system32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000770ad050 5 bytes JMP 0000000077210270 .text C:\Windows\system32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000770ad060 5 bytes JMP 0000000077210400 .text C:\Windows\system32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000770ad220 5 bytes JMP 00000000772101f0 .text C:\Windows\system32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000770ad230 5 bytes JMP 0000000077210210 .text C:\Windows\system32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000770ad2a0 5 bytes JMP 0000000077210200 .text C:\Windows\system32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000770ad300 5 bytes JMP 0000000077210420 .text C:\Windows\system32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000770ad310 5 bytes JMP 0000000077210430 .text C:\Windows\system32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000770ad320 5 bytes JMP 0000000077210220 .text C:\Windows\system32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000770ad400 5 bytes JMP 0000000077210280 .text C:\Windows\system32\svchost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000770abbe0 5 bytes JMP 0000000077210460 .text C:\Windows\system32\svchost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000770abc30 5 bytes JMP 0000000077210450 .text C:\Windows\system32\svchost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000770abd90 5 bytes JMP 0000000077210370 .text C:\Windows\system32\svchost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000770abde0 1 byte JMP 0000000077210470 .text C:\Windows\system32\svchost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000770abde2 3 bytes {JMP 0x164690} .text C:\Windows\system32\svchost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000770abdf0 5 bytes JMP 00000000772103e0 .text C:\Windows\system32\svchost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000770abea0 5 bytes JMP 0000000077210320 .text C:\Windows\system32\svchost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000770abed0 5 bytes JMP 00000000772103b0 .text C:\Windows\system32\svchost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000770abef0 5 bytes JMP 0000000077210390 .text C:\Windows\system32\svchost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000770abf30 5 bytes JMP 00000000772102e0 .text C:\Windows\system32\svchost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000770abfb0 5 bytes JMP 00000000772102d0 .text C:\Windows\system32\svchost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000770abfd0 5 bytes JMP 0000000077210310 .text C:\Windows\system32\svchost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000770ac010 5 bytes JMP 00000000772103c0 .text C:\Windows\system32\svchost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000770ac060 1 byte JMP 00000000772103f0 .text C:\Windows\system32\svchost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 00000000770ac062 3 bytes {JMP 0x164390} .text C:\Windows\system32\svchost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000770ac1c0 5 bytes JMP 0000000077210230 .text C:\Windows\system32\svchost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000770ac380 5 bytes JMP 0000000077210480 .text C:\Windows\system32\svchost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000770ac3b0 5 bytes JMP 00000000772103a0 .text C:\Windows\system32\svchost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000770ac490 5 bytes JMP 00000000772102f0 .text C:\Windows\system32\svchost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000770ac4a0 5 bytes JMP 0000000077210350 .text C:\Windows\system32\svchost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000770ac500 1 byte JMP 0000000077210290 .text C:\Windows\system32\svchost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 2 00000000770ac502 3 bytes {JMP 0x163d90} .text C:\Windows\system32\svchost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000770ac590 5 bytes JMP 00000000772102b0 .text C:\Windows\system32\svchost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000770ac5b0 5 bytes JMP 00000000772103d0 .text C:\Windows\system32\svchost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000770ac5c0 5 bytes JMP 0000000077210330 .text C:\Windows\system32\svchost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000770ac630 5 bytes JMP 0000000077210410 .text C:\Windows\system32\svchost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000770ac660 5 bytes JMP 0000000077210240 .text C:\Windows\system32\svchost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000770ac920 5 bytes JMP 00000000772101e0 .text C:\Windows\system32\svchost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000770ac9e0 5 bytes JMP 0000000077210250 .text C:\Windows\system32\svchost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000770aca10 5 bytes JMP 0000000077210490 .text C:\Windows\system32\svchost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000770aca20 5 bytes JMP 00000000772104a0 .text C:\Windows\system32\svchost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000770aca50 5 bytes JMP 0000000077210300 .text C:\Windows\system32\svchost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000770aca60 5 bytes JMP 0000000077210360 .text C:\Windows\system32\svchost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000770acac0 5 bytes JMP 00000000772102a0 .text C:\Windows\system32\svchost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000770acb10 5 bytes JMP 00000000772102c0 .text C:\Windows\system32\svchost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000770acb40 5 bytes JMP 0000000077210380 .text C:\Windows\system32\svchost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000770acb50 5 bytes JMP 0000000077210340 .text C:\Windows\system32\svchost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000770ace40 5 bytes JMP 0000000077210440 .text C:\Windows\system32\svchost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000770ad040 5 bytes JMP 0000000077210260 .text C:\Windows\system32\svchost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000770ad050 5 bytes JMP 0000000077210270 .text C:\Windows\system32\svchost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000770ad060 5 bytes JMP 0000000077210400 .text C:\Windows\system32\svchost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000770ad220 5 bytes JMP 00000000772101f0 .text C:\Windows\system32\svchost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000770ad230 5 bytes JMP 0000000077210210 .text C:\Windows\system32\svchost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000770ad2a0 5 bytes JMP 0000000077210200 .text C:\Windows\system32\svchost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000770ad300 5 bytes JMP 0000000077210420 .text C:\Windows\system32\svchost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000770ad310 5 bytes JMP 0000000077210430 .text C:\Windows\system32\svchost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000770ad320 5 bytes JMP 0000000077210220 .text C:\Windows\system32\svchost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000770ad400 5 bytes JMP 0000000077210280 .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000770abbe0 5 bytes JMP 0000000077210460 .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000770abc30 5 bytes JMP 0000000077210450 .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000770abd90 5 bytes JMP 0000000077210370 .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000770abde0 1 byte JMP 0000000077210470 .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000770abde2 3 bytes {JMP 0x164690} .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000770abdf0 5 bytes JMP 00000000772103e0 .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000770abea0 5 bytes JMP 0000000077210320 .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000770abed0 5 bytes JMP 00000000772103b0 .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000770abef0 5 bytes JMP 0000000077210390 .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000770abf30 5 bytes JMP 00000000772102e0 .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000770abfb0 5 bytes JMP 00000000772102d0 .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000770abfd0 5 bytes JMP 0000000077210310 .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000770ac010 5 bytes JMP 00000000772103c0 .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000770ac060 1 byte JMP 00000000772103f0 .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 00000000770ac062 3 bytes {JMP 0x164390} .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000770ac1c0 5 bytes JMP 0000000077210230 .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000770ac380 5 bytes JMP 0000000077210480 .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000770ac3b0 5 bytes JMP 00000000772103a0 .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000770ac490 5 bytes JMP 00000000772102f0 .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000770ac4a0 5 bytes JMP 0000000077210350 .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000770ac500 1 byte JMP 0000000077210290 .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 2 00000000770ac502 3 bytes {JMP 0x163d90} .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000770ac590 5 bytes JMP 00000000772102b0 .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000770ac5b0 5 bytes JMP 00000000772103d0 .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000770ac5c0 5 bytes JMP 0000000077210330 .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000770ac630 5 bytes JMP 0000000077210410 .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000770ac660 5 bytes JMP 0000000077210240 .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000770ac920 5 bytes JMP 00000000772101e0 .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000770ac9e0 5 bytes JMP 0000000077210250 .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000770aca10 5 bytes JMP 0000000077210490 .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000770aca20 5 bytes JMP 00000000772104a0 .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000770aca50 5 bytes JMP 0000000077210300 .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000770aca60 5 bytes JMP 0000000077210360 .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000770acac0 5 bytes JMP 00000000772102a0 .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000770acb10 5 bytes JMP 00000000772102c0 .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000770acb40 5 bytes JMP 0000000077210380 .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000770acb50 5 bytes JMP 0000000077210340 .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000770ace40 5 bytes JMP 0000000077210440 .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000770ad040 5 bytes JMP 0000000077210260 .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000770ad050 5 bytes JMP 0000000077210270 .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000770ad060 5 bytes JMP 0000000077210400 .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000770ad220 5 bytes JMP 00000000772101f0 .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000770ad230 5 bytes JMP 0000000077210210 .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000770ad2a0 5 bytes JMP 0000000077210200 .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000770ad300 5 bytes JMP 0000000077210420 .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000770ad310 5 bytes JMP 0000000077210430 .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000770ad320 5 bytes JMP 0000000077210220 .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000770ad400 5 bytes JMP 0000000077210280 .text C:\Windows\system32\atieclxx.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000770abbe0 5 bytes JMP 0000000077210460 .text C:\Windows\system32\atieclxx.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000770abc30 5 bytes JMP 0000000077210450 .text C:\Windows\system32\atieclxx.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000770abd90 5 bytes JMP 0000000077210370 .text C:\Windows\system32\atieclxx.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000770abde0 1 byte JMP 0000000077210470 .text C:\Windows\system32\atieclxx.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000770abde2 3 bytes {JMP 0x164690} .text C:\Windows\system32\atieclxx.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000770abdf0 5 bytes JMP 00000000772103e0 .text C:\Windows\system32\atieclxx.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000770abea0 5 bytes JMP 0000000077210320 .text C:\Windows\system32\atieclxx.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000770abed0 5 bytes JMP 00000000772103b0 .text C:\Windows\system32\atieclxx.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000770abef0 5 bytes JMP 0000000077210390 .text C:\Windows\system32\atieclxx.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000770abf30 5 bytes JMP 00000000772102e0 .text C:\Windows\system32\atieclxx.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000770abfb0 5 bytes JMP 00000000772102d0 .text C:\Windows\system32\atieclxx.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000770abfd0 5 bytes JMP 0000000077210310 .text C:\Windows\system32\atieclxx.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000770ac010 5 bytes JMP 00000000772103c0 .text C:\Windows\system32\atieclxx.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000770ac060 1 byte JMP 00000000772103f0 .text C:\Windows\system32\atieclxx.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 00000000770ac062 3 bytes {JMP 0x164390} .text C:\Windows\system32\atieclxx.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000770ac1c0 5 bytes JMP 0000000077210230 .text C:\Windows\system32\atieclxx.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000770ac380 5 bytes JMP 0000000077210480 .text C:\Windows\system32\atieclxx.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000770ac3b0 5 bytes JMP 00000000772103a0 .text C:\Windows\system32\atieclxx.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000770ac490 5 bytes JMP 00000000772102f0 .text C:\Windows\system32\atieclxx.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000770ac4a0 5 bytes JMP 0000000077210350 .text C:\Windows\system32\atieclxx.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000770ac500 1 byte JMP 0000000077210290 .text C:\Windows\system32\atieclxx.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 2 00000000770ac502 3 bytes {JMP 0x163d90} .text C:\Windows\system32\atieclxx.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000770ac590 5 bytes JMP 00000000772102b0 .text C:\Windows\system32\atieclxx.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000770ac5b0 5 bytes JMP 00000000772103d0 .text C:\Windows\system32\atieclxx.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000770ac5c0 5 bytes JMP 0000000077210330 .text C:\Windows\system32\atieclxx.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000770ac630 5 bytes JMP 0000000077210410 .text C:\Windows\system32\atieclxx.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000770ac660 5 bytes JMP 0000000077210240 .text C:\Windows\system32\atieclxx.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000770ac920 5 bytes JMP 00000000772101e0 .text C:\Windows\system32\atieclxx.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000770ac9e0 5 bytes JMP 0000000077210250 .text C:\Windows\system32\atieclxx.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000770aca10 5 bytes JMP 0000000077210490 .text C:\Windows\system32\atieclxx.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000770aca20 5 bytes JMP 00000000772104a0 .text C:\Windows\system32\atieclxx.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000770aca50 5 bytes JMP 0000000077210300 .text C:\Windows\system32\atieclxx.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000770aca60 5 bytes JMP 0000000077210360 .text C:\Windows\system32\atieclxx.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000770acac0 5 bytes JMP 00000000772102a0 .text C:\Windows\system32\atieclxx.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000770acb10 5 bytes JMP 00000000772102c0 .text C:\Windows\system32\atieclxx.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000770acb40 5 bytes JMP 0000000077210380 .text C:\Windows\system32\atieclxx.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000770acb50 5 bytes JMP 0000000077210340 .text C:\Windows\system32\atieclxx.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000770ace40 5 bytes JMP 0000000077210440 .text C:\Windows\system32\atieclxx.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000770ad040 5 bytes JMP 0000000077210260 .text C:\Windows\system32\atieclxx.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000770ad050 5 bytes JMP 0000000077210270 .text C:\Windows\system32\atieclxx.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000770ad060 5 bytes JMP 0000000077210400 .text C:\Windows\system32\atieclxx.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000770ad220 5 bytes JMP 00000000772101f0 .text C:\Windows\system32\atieclxx.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000770ad230 5 bytes JMP 0000000077210210 .text C:\Windows\system32\atieclxx.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000770ad2a0 5 bytes JMP 0000000077210200 .text C:\Windows\system32\atieclxx.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000770ad300 5 bytes JMP 0000000077210420 .text C:\Windows\system32\atieclxx.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000770ad310 5 bytes JMP 0000000077210430 .text C:\Windows\system32\atieclxx.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000770ad320 5 bytes JMP 0000000077210220 .text C:\Windows\system32\atieclxx.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000770ad400 5 bytes JMP 0000000077210280 .text C:\Windows\System32\spoolsv.exe[1448] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000770abbe0 5 bytes JMP 0000000000070460 .text C:\Windows\System32\spoolsv.exe[1448] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000770abc30 5 bytes JMP 0000000000070450 .text C:\Windows\System32\spoolsv.exe[1448] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000770abd90 5 bytes JMP 0000000000070370 .text C:\Windows\System32\spoolsv.exe[1448] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000770abde0 1 byte JMP 0000000000070470 .text C:\Windows\System32\spoolsv.exe[1448] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000770abde2 3 bytes {JMP 0xffffffff88fc4690} .text C:\Windows\System32\spoolsv.exe[1448] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000770abdf0 5 bytes JMP 00000000000703e0 .text C:\Windows\System32\spoolsv.exe[1448] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000770abea0 5 bytes JMP 0000000000070320 .text C:\Windows\System32\spoolsv.exe[1448] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000770abed0 5 bytes JMP 00000000000703b0 .text C:\Windows\System32\spoolsv.exe[1448] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000770abef0 5 bytes JMP 0000000000070390 .text C:\Windows\System32\spoolsv.exe[1448] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000770abf30 5 bytes JMP 00000000000702e0 .text C:\Windows\System32\spoolsv.exe[1448] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000770abfb0 5 bytes JMP 00000000000702d0 .text C:\Windows\System32\spoolsv.exe[1448] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000770abfd0 5 bytes JMP 0000000000070310 .text C:\Windows\System32\spoolsv.exe[1448] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000770ac010 5 bytes JMP 00000000000703c0 .text C:\Windows\System32\spoolsv.exe[1448] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000770ac060 1 byte JMP 00000000000703f0 .text C:\Windows\System32\spoolsv.exe[1448] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 00000000770ac062 3 bytes {JMP 0xffffffff88fc4390} .text C:\Windows\System32\spoolsv.exe[1448] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000770ac1c0 5 bytes JMP 0000000000070230 .text C:\Windows\System32\spoolsv.exe[1448] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000770ac380 5 bytes JMP 0000000000070480 .text C:\Windows\System32\spoolsv.exe[1448] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000770ac3b0 5 bytes JMP 00000000000703a0 .text C:\Windows\System32\spoolsv.exe[1448] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000770ac490 5 bytes JMP 00000000000702f0 .text C:\Windows\System32\spoolsv.exe[1448] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000770ac4a0 5 bytes JMP 0000000000070350 .text C:\Windows\System32\spoolsv.exe[1448] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000770ac500 1 byte JMP 0000000000070290 .text C:\Windows\System32\spoolsv.exe[1448] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 2 00000000770ac502 3 bytes {JMP 0xffffffff88fc3d90} .text C:\Windows\System32\spoolsv.exe[1448] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000770ac590 5 bytes JMP 00000000000702b0 .text C:\Windows\System32\spoolsv.exe[1448] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000770ac5b0 5 bytes JMP 00000000000703d0 .text C:\Windows\System32\spoolsv.exe[1448] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000770ac5c0 5 bytes JMP 0000000000070330 .text C:\Windows\System32\spoolsv.exe[1448] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000770ac630 5 bytes JMP 0000000000070410 .text C:\Windows\System32\spoolsv.exe[1448] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000770ac660 5 bytes JMP 0000000000070240 .text C:\Windows\System32\spoolsv.exe[1448] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000770ac920 5 bytes JMP 00000000000701e0 .text C:\Windows\System32\spoolsv.exe[1448] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000770ac9e0 5 bytes JMP 0000000000070250 .text C:\Windows\System32\spoolsv.exe[1448] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000770aca10 5 bytes JMP 0000000000070490 .text C:\Windows\System32\spoolsv.exe[1448] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000770aca20 5 bytes JMP 00000000000704a0 .text C:\Windows\System32\spoolsv.exe[1448] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000770aca50 5 bytes JMP 0000000000070300 .text C:\Windows\System32\spoolsv.exe[1448] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000770aca60 5 bytes JMP 0000000000070360 .text C:\Windows\System32\spoolsv.exe[1448] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000770acac0 5 bytes JMP 00000000000702a0 .text C:\Windows\System32\spoolsv.exe[1448] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000770acb10 5 bytes JMP 00000000000702c0 .text C:\Windows\System32\spoolsv.exe[1448] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000770acb40 5 bytes JMP 0000000000070380 .text C:\Windows\System32\spoolsv.exe[1448] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000770acb50 5 bytes JMP 0000000000070340 .text C:\Windows\System32\spoolsv.exe[1448] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000770ace40 5 bytes JMP 0000000000070440 .text C:\Windows\System32\spoolsv.exe[1448] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000770ad040 5 bytes JMP 0000000000070260 .text C:\Windows\System32\spoolsv.exe[1448] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000770ad050 5 bytes JMP 0000000000070270 .text C:\Windows\System32\spoolsv.exe[1448] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000770ad060 5 bytes JMP 0000000000070400 .text C:\Windows\System32\spoolsv.exe[1448] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000770ad220 5 bytes JMP 00000000000701f0 .text C:\Windows\System32\spoolsv.exe[1448] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000770ad230 5 bytes JMP 0000000000070210 .text C:\Windows\System32\spoolsv.exe[1448] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000770ad2a0 5 bytes JMP 0000000000070200 .text C:\Windows\System32\spoolsv.exe[1448] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000770ad300 5 bytes JMP 0000000000070420 .text C:\Windows\System32\spoolsv.exe[1448] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000770ad310 5 bytes JMP 0000000000070430 .text C:\Windows\System32\spoolsv.exe[1448] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000770ad320 5 bytes JMP 0000000000070220 .text C:\Windows\System32\spoolsv.exe[1448] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000770ad400 5 bytes JMP 0000000000070280 .text C:\Windows\System32\svchost.exe[1692] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000770abbe0 5 bytes JMP 0000000000070460 .text C:\Windows\System32\svchost.exe[1692] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000770abc30 5 bytes JMP 0000000000070450 .text C:\Windows\System32\svchost.exe[1692] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000770abd90 5 bytes JMP 0000000000070370 .text C:\Windows\System32\svchost.exe[1692] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000770abde0 1 byte JMP 0000000000070470 .text C:\Windows\System32\svchost.exe[1692] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000770abde2 3 bytes {JMP 0xffffffff88fc4690} .text C:\Windows\System32\svchost.exe[1692] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000770abdf0 5 bytes JMP 00000000000703e0 .text C:\Windows\System32\svchost.exe[1692] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000770abea0 5 bytes JMP 0000000000070320 .text C:\Windows\System32\svchost.exe[1692] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000770abed0 5 bytes JMP 00000000000703b0 .text C:\Windows\System32\svchost.exe[1692] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000770abef0 5 bytes JMP 0000000000070390 .text C:\Windows\System32\svchost.exe[1692] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000770abf30 5 bytes JMP 00000000000702e0 .text C:\Windows\System32\svchost.exe[1692] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000770abfb0 5 bytes JMP 00000000000702d0 .text C:\Windows\System32\svchost.exe[1692] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000770abfd0 5 bytes JMP 0000000000070310 .text C:\Windows\System32\svchost.exe[1692] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000770ac010 5 bytes JMP 00000000000703c0 .text C:\Windows\System32\svchost.exe[1692] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000770ac060 1 byte JMP 00000000000703f0 .text C:\Windows\System32\svchost.exe[1692] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 00000000770ac062 3 bytes {JMP 0xffffffff88fc4390} .text C:\Windows\System32\svchost.exe[1692] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000770ac1c0 5 bytes JMP 0000000000070230 .text C:\Windows\System32\svchost.exe[1692] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000770ac380 5 bytes JMP 0000000000070480 .text C:\Windows\System32\svchost.exe[1692] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000770ac3b0 5 bytes JMP 00000000000703a0 .text C:\Windows\System32\svchost.exe[1692] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000770ac490 5 bytes JMP 00000000000702f0 .text C:\Windows\System32\svchost.exe[1692] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000770ac4a0 5 bytes JMP 0000000000070350 .text C:\Windows\System32\svchost.exe[1692] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000770ac500 1 byte JMP 0000000000070290 .text C:\Windows\System32\svchost.exe[1692] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 2 00000000770ac502 3 bytes {JMP 0xffffffff88fc3d90} .text C:\Windows\System32\svchost.exe[1692] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000770ac590 5 bytes JMP 00000000000702b0 .text C:\Windows\System32\svchost.exe[1692] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000770ac5b0 5 bytes JMP 00000000000703d0 .text C:\Windows\System32\svchost.exe[1692] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000770ac5c0 5 bytes JMP 0000000000070330 .text C:\Windows\System32\svchost.exe[1692] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000770ac630 5 bytes JMP 0000000000070410 .text C:\Windows\System32\svchost.exe[1692] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000770ac660 5 bytes JMP 0000000000070240 .text C:\Windows\System32\svchost.exe[1692] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000770ac920 5 bytes JMP 00000000000701e0 .text C:\Windows\System32\svchost.exe[1692] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000770ac9e0 5 bytes JMP 0000000000070250 .text C:\Windows\System32\svchost.exe[1692] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000770aca10 5 bytes JMP 0000000000070490 .text C:\Windows\System32\svchost.exe[1692] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000770aca20 5 bytes JMP 00000000000704a0 .text C:\Windows\System32\svchost.exe[1692] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000770aca50 5 bytes JMP 0000000000070300 .text C:\Windows\System32\svchost.exe[1692] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000770aca60 5 bytes JMP 0000000000070360 .text C:\Windows\System32\svchost.exe[1692] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000770acac0 5 bytes JMP 00000000000702a0 .text C:\Windows\System32\svchost.exe[1692] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000770acb10 5 bytes JMP 00000000000702c0 .text C:\Windows\System32\svchost.exe[1692] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000770acb40 5 bytes JMP 0000000000070380 .text C:\Windows\System32\svchost.exe[1692] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000770acb50 5 bytes JMP 0000000000070340 .text C:\Windows\System32\svchost.exe[1692] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000770ace40 5 bytes JMP 0000000000070440 .text C:\Windows\System32\svchost.exe[1692] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000770ad040 5 bytes JMP 0000000000070260 .text C:\Windows\System32\svchost.exe[1692] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000770ad050 5 bytes JMP 0000000000070270 .text C:\Windows\System32\svchost.exe[1692] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000770ad060 5 bytes JMP 0000000000070400 .text C:\Windows\System32\svchost.exe[1692] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000770ad220 5 bytes JMP 00000000000701f0 .text C:\Windows\System32\svchost.exe[1692] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000770ad230 5 bytes JMP 0000000000070210 .text C:\Windows\System32\svchost.exe[1692] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000770ad2a0 5 bytes JMP 0000000000070200 .text C:\Windows\System32\svchost.exe[1692] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000770ad300 5 bytes JMP 0000000000070420 .text C:\Windows\System32\svchost.exe[1692] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000770ad310 5 bytes JMP 0000000000070430 .text C:\Windows\System32\svchost.exe[1692] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000770ad320 5 bytes JMP 0000000000070220 .text C:\Windows\System32\svchost.exe[1692] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000770ad400 5 bytes JMP 0000000000070280 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1728] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000770abbe0 5 bytes JMP 0000000077210460 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1728] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000770abc30 5 bytes JMP 0000000077210450 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1728] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000770abd90 5 bytes JMP 0000000077210370 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1728] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000770abde0 1 byte JMP 0000000077210470 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1728] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000770abde2 3 bytes {JMP 0x164690} .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1728] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000770abdf0 5 bytes JMP 00000000772103e0 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1728] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000770abea0 5 bytes JMP 0000000077210320 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1728] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000770abed0 5 bytes JMP 00000000772103b0 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1728] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000770abef0 5 bytes JMP 0000000077210390 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1728] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000770abf30 5 bytes JMP 00000000772102e0 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1728] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000770abfb0 5 bytes JMP 00000000772102d0 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1728] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000770abfd0 5 bytes JMP 0000000077210310 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1728] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000770ac010 5 bytes JMP 00000000772103c0 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1728] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000770ac060 1 byte JMP 00000000772103f0 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1728] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 00000000770ac062 3 bytes {JMP 0x164390} .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1728] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000770ac1c0 5 bytes JMP 0000000077210230 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1728] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000770ac380 5 bytes JMP 0000000077210480 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1728] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000770ac3b0 5 bytes JMP 00000000772103a0 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1728] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000770ac490 5 bytes JMP 00000000772102f0 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1728] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000770ac4a0 5 bytes JMP 0000000077210350 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1728] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000770ac500 1 byte JMP 0000000077210290 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1728] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 2 00000000770ac502 3 bytes {JMP 0x163d90} .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1728] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000770ac590 5 bytes JMP 00000000772102b0 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1728] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000770ac5b0 5 bytes JMP 00000000772103d0 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1728] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000770ac5c0 5 bytes JMP 0000000077210330 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1728] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000770ac630 5 bytes JMP 0000000077210410 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1728] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000770ac660 5 bytes JMP 0000000077210240 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1728] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000770ac920 5 bytes JMP 00000000772101e0 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1728] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000770ac9e0 5 bytes JMP 0000000077210250 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1728] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000770aca10 5 bytes JMP 0000000077210490 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1728] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000770aca20 5 bytes JMP 00000000772104a0 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1728] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000770aca50 5 bytes JMP 0000000077210300 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1728] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000770aca60 5 bytes JMP 0000000077210360 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1728] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000770acac0 5 bytes JMP 00000000772102a0 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1728] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000770acb10 5 bytes JMP 00000000772102c0 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1728] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000770acb40 5 bytes JMP 0000000077210380 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1728] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000770acb50 5 bytes JMP 0000000077210340 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1728] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000770ace40 5 bytes JMP 0000000077210440 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1728] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000770ad040 5 bytes JMP 0000000077210260 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1728] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000770ad050 5 bytes JMP 0000000077210270 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1728] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000770ad060 5 bytes JMP 0000000077210400 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1728] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000770ad220 5 bytes JMP 00000000772101f0 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1728] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000770ad230 5 bytes JMP 0000000077210210 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1728] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000770ad2a0 5 bytes JMP 0000000077210200 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1728] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000770ad300 5 bytes JMP 0000000077210420 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1728] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000770ad310 5 bytes JMP 0000000077210430 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1728] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000770ad320 5 bytes JMP 0000000077210220 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1728] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000770ad400 5 bytes JMP 0000000077210280 .text C:\Windows\system32\svchost.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000770abbe0 5 bytes JMP 0000000077210460 .text C:\Windows\system32\svchost.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000770abc30 5 bytes JMP 0000000077210450 .text C:\Windows\system32\svchost.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000770abd90 5 bytes JMP 0000000077210370 .text C:\Windows\system32\svchost.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000770abde0 1 byte JMP 0000000077210470 .text C:\Windows\system32\svchost.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000770abde2 3 bytes {JMP 0x164690} .text C:\Windows\system32\svchost.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000770abdf0 5 bytes JMP 00000000772103e0 .text C:\Windows\system32\svchost.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000770abea0 5 bytes JMP 0000000077210320 .text C:\Windows\system32\svchost.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000770abed0 5 bytes JMP 00000000772103b0 .text C:\Windows\system32\svchost.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000770abef0 5 bytes JMP 0000000077210390 .text C:\Windows\system32\svchost.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000770abf30 5 bytes JMP 00000000772102e0 .text C:\Windows\system32\svchost.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000770abfb0 5 bytes JMP 00000000772102d0 .text C:\Windows\system32\svchost.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000770abfd0 5 bytes JMP 0000000077210310 .text C:\Windows\system32\svchost.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000770ac010 5 bytes JMP 00000000772103c0 .text C:\Windows\system32\svchost.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000770ac060 1 byte JMP 00000000772103f0 .text C:\Windows\system32\svchost.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 00000000770ac062 3 bytes {JMP 0x164390} .text C:\Windows\system32\svchost.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000770ac1c0 5 bytes JMP 0000000077210230 .text C:\Windows\system32\svchost.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000770ac380 5 bytes JMP 0000000077210480 .text C:\Windows\system32\svchost.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000770ac3b0 5 bytes JMP 00000000772103a0 .text C:\Windows\system32\svchost.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000770ac490 5 bytes JMP 00000000772102f0 .text C:\Windows\system32\svchost.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000770ac4a0 5 bytes JMP 0000000077210350 .text C:\Windows\system32\svchost.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000770ac500 1 byte JMP 0000000077210290 .text C:\Windows\system32\svchost.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 2 00000000770ac502 3 bytes {JMP 0x163d90} .text C:\Windows\system32\svchost.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000770ac590 5 bytes JMP 00000000772102b0 .text C:\Windows\system32\svchost.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000770ac5b0 5 bytes JMP 00000000772103d0 .text C:\Windows\system32\svchost.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000770ac5c0 5 bytes JMP 0000000077210330 .text C:\Windows\system32\svchost.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000770ac630 5 bytes JMP 0000000077210410 .text C:\Windows\system32\svchost.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000770ac660 5 bytes JMP 0000000077210240 .text C:\Windows\system32\svchost.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000770ac920 5 bytes JMP 00000000772101e0 .text C:\Windows\system32\svchost.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000770ac9e0 5 bytes JMP 0000000077210250 .text C:\Windows\system32\svchost.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000770aca10 5 bytes JMP 0000000077210490 .text C:\Windows\system32\svchost.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000770aca20 5 bytes JMP 00000000772104a0 .text C:\Windows\system32\svchost.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000770aca50 5 bytes JMP 0000000077210300 .text C:\Windows\system32\svchost.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000770aca60 5 bytes JMP 0000000077210360 .text C:\Windows\system32\svchost.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000770acac0 5 bytes JMP 00000000772102a0 .text C:\Windows\system32\svchost.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000770acb10 5 bytes JMP 00000000772102c0 .text C:\Windows\system32\svchost.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000770acb40 5 bytes JMP 0000000077210380 .text C:\Windows\system32\svchost.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000770acb50 5 bytes JMP 0000000077210340 .text C:\Windows\system32\svchost.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000770ace40 5 bytes JMP 0000000077210440 .text C:\Windows\system32\svchost.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000770ad040 5 bytes JMP 0000000077210260 .text C:\Windows\system32\svchost.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000770ad050 5 bytes JMP 0000000077210270 .text C:\Windows\system32\svchost.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000770ad060 5 bytes JMP 0000000077210400 .text C:\Windows\system32\svchost.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000770ad220 5 bytes JMP 00000000772101f0 .text C:\Windows\system32\svchost.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000770ad230 5 bytes JMP 0000000077210210 .text C:\Windows\system32\svchost.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000770ad2a0 5 bytes JMP 0000000077210200 .text C:\Windows\system32\svchost.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000770ad300 5 bytes JMP 0000000077210420 .text C:\Windows\system32\svchost.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000770ad310 5 bytes JMP 0000000077210430 .text C:\Windows\system32\svchost.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000770ad320 5 bytes JMP 0000000077210220 .text C:\Windows\system32\svchost.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000770ad400 5 bytes JMP 0000000077210280 .text C:\Windows\system32\UI0Detect.exe[1336] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000770abbe0 5 bytes JMP 0000000077210460 .text C:\Windows\system32\UI0Detect.exe[1336] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000770abc30 5 bytes JMP 0000000077210450 .text C:\Windows\system32\UI0Detect.exe[1336] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000770abd90 5 bytes JMP 0000000077210370 .text C:\Windows\system32\UI0Detect.exe[1336] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000770abde0 1 byte JMP 0000000077210470 .text C:\Windows\system32\UI0Detect.exe[1336] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000770abde2 3 bytes {JMP 0x164690} .text C:\Windows\system32\UI0Detect.exe[1336] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000770abdf0 5 bytes JMP 00000000772103e0 .text C:\Windows\system32\UI0Detect.exe[1336] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000770abea0 5 bytes JMP 0000000077210320 .text C:\Windows\system32\UI0Detect.exe[1336] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000770abed0 5 bytes JMP 00000000772103b0 .text C:\Windows\system32\UI0Detect.exe[1336] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000770abef0 5 bytes JMP 0000000077210390 .text C:\Windows\system32\UI0Detect.exe[1336] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000770abf30 5 bytes JMP 00000000772102e0 .text C:\Windows\system32\UI0Detect.exe[1336] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000770abfb0 5 bytes JMP 00000000772102d0 .text C:\Windows\system32\UI0Detect.exe[1336] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000770abfd0 5 bytes JMP 0000000077210310 .text C:\Windows\system32\UI0Detect.exe[1336] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000770ac010 5 bytes JMP 00000000772103c0 .text C:\Windows\system32\UI0Detect.exe[1336] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000770ac060 1 byte JMP 00000000772103f0 .text C:\Windows\system32\UI0Detect.exe[1336] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 00000000770ac062 3 bytes {JMP 0x164390} .text C:\Windows\system32\UI0Detect.exe[1336] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000770ac1c0 5 bytes JMP 0000000077210230 .text C:\Windows\system32\UI0Detect.exe[1336] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000770ac380 5 bytes JMP 0000000077210480 .text C:\Windows\system32\UI0Detect.exe[1336] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000770ac3b0 5 bytes JMP 00000000772103a0 .text C:\Windows\system32\UI0Detect.exe[1336] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000770ac490 5 bytes JMP 00000000772102f0 .text C:\Windows\system32\UI0Detect.exe[1336] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000770ac4a0 5 bytes JMP 0000000077210350 .text C:\Windows\system32\UI0Detect.exe[1336] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000770ac500 1 byte JMP 0000000077210290 .text C:\Windows\system32\UI0Detect.exe[1336] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 2 00000000770ac502 3 bytes {JMP 0x163d90} .text C:\Windows\system32\UI0Detect.exe[1336] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000770ac590 5 bytes JMP 00000000772102b0 .text C:\Windows\system32\UI0Detect.exe[1336] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000770ac5b0 5 bytes JMP 00000000772103d0 .text C:\Windows\system32\UI0Detect.exe[1336] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000770ac5c0 5 bytes JMP 0000000077210330 .text C:\Windows\system32\UI0Detect.exe[1336] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000770ac630 5 bytes JMP 0000000077210410 .text C:\Windows\system32\UI0Detect.exe[1336] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000770ac660 5 bytes JMP 0000000077210240 .text C:\Windows\system32\UI0Detect.exe[1336] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000770ac920 5 bytes JMP 00000000772101e0 .text C:\Windows\system32\UI0Detect.exe[1336] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000770ac9e0 5 bytes JMP 0000000077210250 .text C:\Windows\system32\UI0Detect.exe[1336] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000770aca10 5 bytes JMP 0000000077210490 .text C:\Windows\system32\UI0Detect.exe[1336] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000770aca20 5 bytes JMP 00000000772104a0 .text C:\Windows\system32\UI0Detect.exe[1336] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000770aca50 5 bytes JMP 0000000077210300 .text C:\Windows\system32\UI0Detect.exe[1336] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000770aca60 5 bytes JMP 0000000077210360 .text C:\Windows\system32\UI0Detect.exe[1336] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000770acac0 5 bytes JMP 00000000772102a0 .text C:\Windows\system32\UI0Detect.exe[1336] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000770acb10 5 bytes JMP 00000000772102c0 .text C:\Windows\system32\UI0Detect.exe[1336] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000770acb40 5 bytes JMP 0000000077210380 .text C:\Windows\system32\UI0Detect.exe[1336] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000770acb50 5 bytes JMP 0000000077210340 .text C:\Windows\system32\UI0Detect.exe[1336] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000770ace40 5 bytes JMP 0000000077210440 .text C:\Windows\system32\UI0Detect.exe[1336] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000770ad040 5 bytes JMP 0000000077210260 .text C:\Windows\system32\UI0Detect.exe[1336] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000770ad050 5 bytes JMP 0000000077210270 .text C:\Windows\system32\UI0Detect.exe[1336] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000770ad060 5 bytes JMP 0000000077210400 .text C:\Windows\system32\UI0Detect.exe[1336] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000770ad220 5 bytes JMP 00000000772101f0 .text C:\Windows\system32\UI0Detect.exe[1336] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000770ad230 5 bytes JMP 0000000077210210 .text C:\Windows\system32\UI0Detect.exe[1336] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000770ad2a0 5 bytes JMP 0000000077210200 .text C:\Windows\system32\UI0Detect.exe[1336] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000770ad300 5 bytes JMP 0000000077210420 .text C:\Windows\system32\UI0Detect.exe[1336] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000770ad310 5 bytes JMP 0000000077210430 .text C:\Windows\system32\UI0Detect.exe[1336] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000770ad320 5 bytes JMP 0000000077210220 .text C:\Windows\system32\UI0Detect.exe[1336] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000770ad400 5 bytes JMP 0000000077210280 .text C:\Windows\system32\svchost.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000770abbe0 5 bytes JMP 0000000077210460 .text C:\Windows\system32\svchost.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000770abc30 5 bytes JMP 0000000077210450 .text C:\Windows\system32\svchost.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000770abd90 5 bytes JMP 0000000077210370 .text C:\Windows\system32\svchost.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000770abde0 1 byte JMP 0000000077210470 .text C:\Windows\system32\svchost.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000770abde2 3 bytes {JMP 0x164690} .text C:\Windows\system32\svchost.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000770abdf0 5 bytes JMP 00000000772103e0 .text C:\Windows\system32\svchost.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000770abea0 5 bytes JMP 0000000077210320 .text C:\Windows\system32\svchost.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000770abed0 5 bytes JMP 00000000772103b0 .text C:\Windows\system32\svchost.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000770abef0 5 bytes JMP 0000000077210390 .text C:\Windows\system32\svchost.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000770abf30 5 bytes JMP 00000000772102e0 .text C:\Windows\system32\svchost.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000770abfb0 5 bytes JMP 00000000772102d0 .text C:\Windows\system32\svchost.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000770abfd0 5 bytes JMP 0000000077210310 .text C:\Windows\system32\svchost.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000770ac010 5 bytes JMP 00000000772103c0 .text C:\Windows\system32\svchost.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000770ac060 1 byte JMP 00000000772103f0 .text C:\Windows\system32\svchost.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 00000000770ac062 3 bytes {JMP 0x164390} .text C:\Windows\system32\svchost.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000770ac1c0 5 bytes JMP 0000000077210230 .text C:\Windows\system32\svchost.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000770ac380 5 bytes JMP 0000000077210480 .text C:\Windows\system32\svchost.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000770ac3b0 5 bytes JMP 00000000772103a0 .text C:\Windows\system32\svchost.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000770ac490 5 bytes JMP 00000000772102f0 .text C:\Windows\system32\svchost.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000770ac4a0 5 bytes JMP 0000000077210350 .text C:\Windows\system32\svchost.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000770ac500 1 byte JMP 0000000077210290 .text C:\Windows\system32\svchost.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 2 00000000770ac502 3 bytes {JMP 0x163d90} .text C:\Windows\system32\svchost.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000770ac590 5 bytes JMP 00000000772102b0 .text C:\Windows\system32\svchost.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000770ac5b0 5 bytes JMP 00000000772103d0 .text C:\Windows\system32\svchost.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000770ac5c0 5 bytes JMP 0000000077210330 .text C:\Windows\system32\svchost.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000770ac630 5 bytes JMP 0000000077210410 .text C:\Windows\system32\svchost.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000770ac660 5 bytes JMP 0000000077210240 .text C:\Windows\system32\svchost.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000770ac920 5 bytes JMP 00000000772101e0 .text C:\Windows\system32\svchost.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000770ac9e0 5 bytes JMP 0000000077210250 .text C:\Windows\system32\svchost.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000770aca10 5 bytes JMP 0000000077210490 .text C:\Windows\system32\svchost.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000770aca20 5 bytes JMP 00000000772104a0 .text C:\Windows\system32\svchost.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000770aca50 5 bytes JMP 0000000077210300 .text C:\Windows\system32\svchost.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000770aca60 5 bytes JMP 0000000077210360 .text C:\Windows\system32\svchost.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000770acac0 5 bytes JMP 00000000772102a0 .text C:\Windows\system32\svchost.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000770acb10 5 bytes JMP 00000000772102c0 .text C:\Windows\system32\svchost.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000770acb40 5 bytes JMP 0000000077210380 .text C:\Windows\system32\svchost.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000770acb50 5 bytes JMP 0000000077210340 .text C:\Windows\system32\svchost.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000770ace40 5 bytes JMP 0000000077210440 .text C:\Windows\system32\svchost.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000770ad040 5 bytes JMP 0000000077210260 .text C:\Windows\system32\svchost.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000770ad050 5 bytes JMP 0000000077210270 .text C:\Windows\system32\svchost.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000770ad060 5 bytes JMP 0000000077210400 .text C:\Windows\system32\svchost.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000770ad220 5 bytes JMP 00000000772101f0 .text C:\Windows\system32\svchost.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000770ad230 5 bytes JMP 0000000077210210 .text C:\Windows\system32\svchost.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000770ad2a0 5 bytes JMP 0000000077210200 .text C:\Windows\system32\svchost.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000770ad300 5 bytes JMP 0000000077210420 .text C:\Windows\system32\svchost.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000770ad310 5 bytes JMP 0000000077210430 .text C:\Windows\system32\svchost.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000770ad320 5 bytes JMP 0000000077210220 .text C:\Windows\system32\svchost.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000770ad400 5 bytes JMP 0000000077210280 .text C:\Windows\system32\Dwm.exe[2632] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000770abbe0 5 bytes JMP 0000000077210460 .text C:\Windows\system32\Dwm.exe[2632] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000770abc30 5 bytes JMP 0000000077210450 .text C:\Windows\system32\Dwm.exe[2632] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000770abd90 5 bytes JMP 0000000077210370 .text C:\Windows\system32\Dwm.exe[2632] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000770abde0 1 byte JMP 0000000077210470 .text C:\Windows\system32\Dwm.exe[2632] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000770abde2 3 bytes {JMP 0x164690} .text C:\Windows\system32\Dwm.exe[2632] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000770abdf0 5 bytes JMP 00000000772103e0 .text C:\Windows\system32\Dwm.exe[2632] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000770abea0 5 bytes JMP 0000000077210320 .text C:\Windows\system32\Dwm.exe[2632] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000770abed0 5 bytes JMP 00000000772103b0 .text C:\Windows\system32\Dwm.exe[2632] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000770abef0 5 bytes JMP 0000000077210390 .text C:\Windows\system32\Dwm.exe[2632] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000770abf30 5 bytes JMP 00000000772102e0 .text C:\Windows\system32\Dwm.exe[2632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000770abfb0 5 bytes JMP 00000000772102d0 .text C:\Windows\system32\Dwm.exe[2632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000770abfd0 5 bytes JMP 0000000077210310 .text C:\Windows\system32\Dwm.exe[2632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000770ac010 5 bytes JMP 00000000772103c0 .text C:\Windows\system32\Dwm.exe[2632] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000770ac060 1 byte JMP 00000000772103f0 .text C:\Windows\system32\Dwm.exe[2632] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 00000000770ac062 3 bytes {JMP 0x164390} .text C:\Windows\system32\Dwm.exe[2632] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000770ac1c0 5 bytes JMP 0000000077210230 .text C:\Windows\system32\Dwm.exe[2632] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000770ac380 5 bytes JMP 0000000077210480 .text C:\Windows\system32\Dwm.exe[2632] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000770ac3b0 5 bytes JMP 00000000772103a0 .text C:\Windows\system32\Dwm.exe[2632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000770ac490 5 bytes JMP 00000000772102f0 .text C:\Windows\system32\Dwm.exe[2632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000770ac4a0 5 bytes JMP 0000000077210350 .text C:\Windows\system32\Dwm.exe[2632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000770ac500 1 byte JMP 0000000077210290 .text C:\Windows\system32\Dwm.exe[2632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 2 00000000770ac502 3 bytes {JMP 0x163d90} .text C:\Windows\system32\Dwm.exe[2632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000770ac590 5 bytes JMP 00000000772102b0 .text C:\Windows\system32\Dwm.exe[2632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000770ac5b0 5 bytes JMP 00000000772103d0 .text C:\Windows\system32\Dwm.exe[2632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000770ac5c0 5 bytes JMP 0000000077210330 .text C:\Windows\system32\Dwm.exe[2632] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000770ac630 5 bytes JMP 0000000077210410 .text C:\Windows\system32\Dwm.exe[2632] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000770ac660 5 bytes JMP 0000000077210240 .text C:\Windows\system32\Dwm.exe[2632] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000770ac920 5 bytes JMP 00000000772101e0 .text C:\Windows\system32\Dwm.exe[2632] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000770ac9e0 5 bytes JMP 0000000077210250 .text C:\Windows\system32\Dwm.exe[2632] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000770aca10 5 bytes JMP 0000000077210490 .text C:\Windows\system32\Dwm.exe[2632] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000770aca20 5 bytes JMP 00000000772104a0 .text C:\Windows\system32\Dwm.exe[2632] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000770aca50 5 bytes JMP 0000000077210300 .text C:\Windows\system32\Dwm.exe[2632] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000770aca60 5 bytes JMP 0000000077210360 .text C:\Windows\system32\Dwm.exe[2632] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000770acac0 5 bytes JMP 00000000772102a0 .text C:\Windows\system32\Dwm.exe[2632] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000770acb10 5 bytes JMP 00000000772102c0 .text C:\Windows\system32\Dwm.exe[2632] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000770acb40 5 bytes JMP 0000000077210380 .text C:\Windows\system32\Dwm.exe[2632] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000770acb50 5 bytes JMP 0000000077210340 .text C:\Windows\system32\Dwm.exe[2632] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000770ace40 5 bytes JMP 0000000077210440 .text C:\Windows\system32\Dwm.exe[2632] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000770ad040 5 bytes JMP 0000000077210260 .text C:\Windows\system32\Dwm.exe[2632] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000770ad050 5 bytes JMP 0000000077210270 .text C:\Windows\system32\Dwm.exe[2632] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000770ad060 5 bytes JMP 0000000077210400 .text C:\Windows\system32\Dwm.exe[2632] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000770ad220 5 bytes JMP 00000000772101f0 .text C:\Windows\system32\Dwm.exe[2632] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000770ad230 5 bytes JMP 0000000077210210 .text C:\Windows\system32\Dwm.exe[2632] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000770ad2a0 5 bytes JMP 0000000077210200 .text C:\Windows\system32\Dwm.exe[2632] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000770ad300 5 bytes JMP 0000000077210420 .text C:\Windows\system32\Dwm.exe[2632] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000770ad310 5 bytes JMP 0000000077210430 .text C:\Windows\system32\Dwm.exe[2632] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000770ad320 5 bytes JMP 0000000077210220 .text C:\Windows\system32\Dwm.exe[2632] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000770ad400 5 bytes JMP 0000000077210280 .text C:\Windows\Explorer.EXE[2648] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000770abbe0 5 bytes JMP 0000000077210460 .text C:\Windows\Explorer.EXE[2648] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000770abc30 5 bytes JMP 0000000077210450 .text C:\Windows\Explorer.EXE[2648] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000770abd90 5 bytes JMP 0000000077210370 .text C:\Windows\Explorer.EXE[2648] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000770abde0 1 byte JMP 0000000077210470 .text C:\Windows\Explorer.EXE[2648] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000770abde2 3 bytes {JMP 0x164690} .text C:\Windows\Explorer.EXE[2648] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000770abdf0 5 bytes JMP 00000000772103e0 .text C:\Windows\Explorer.EXE[2648] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000770abea0 5 bytes JMP 0000000077210320 .text C:\Windows\Explorer.EXE[2648] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000770abed0 5 bytes JMP 00000000772103b0 .text C:\Windows\Explorer.EXE[2648] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000770abef0 5 bytes JMP 0000000077210390 .text C:\Windows\Explorer.EXE[2648] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000770abf30 5 bytes JMP 00000000772102e0 .text C:\Windows\Explorer.EXE[2648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000770abfb0 5 bytes JMP 00000000772102d0 .text C:\Windows\Explorer.EXE[2648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000770abfd0 5 bytes JMP 0000000077210310 .text C:\Windows\Explorer.EXE[2648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000770ac010 5 bytes JMP 00000000772103c0 .text C:\Windows\Explorer.EXE[2648] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000770ac060 1 byte JMP 00000000772103f0 .text C:\Windows\Explorer.EXE[2648] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 00000000770ac062 3 bytes {JMP 0x164390} .text C:\Windows\Explorer.EXE[2648] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000770ac1c0 5 bytes JMP 0000000077210230 .text C:\Windows\Explorer.EXE[2648] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000770ac380 5 bytes JMP 0000000077210480 .text C:\Windows\Explorer.EXE[2648] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000770ac3b0 5 bytes JMP 00000000772103a0 .text C:\Windows\Explorer.EXE[2648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000770ac490 5 bytes JMP 00000000772102f0 .text C:\Windows\Explorer.EXE[2648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000770ac4a0 5 bytes JMP 0000000077210350 .text C:\Windows\Explorer.EXE[2648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000770ac500 1 byte JMP 0000000077210290 .text C:\Windows\Explorer.EXE[2648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 2 00000000770ac502 3 bytes {JMP 0x163d90} .text C:\Windows\Explorer.EXE[2648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000770ac590 5 bytes JMP 00000000772102b0 .text C:\Windows\Explorer.EXE[2648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000770ac5b0 5 bytes JMP 00000000772103d0 .text C:\Windows\Explorer.EXE[2648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000770ac5c0 5 bytes JMP 0000000077210330 .text C:\Windows\Explorer.EXE[2648] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000770ac630 5 bytes JMP 0000000077210410 .text C:\Windows\Explorer.EXE[2648] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000770ac660 5 bytes JMP 0000000077210240 .text C:\Windows\Explorer.EXE[2648] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000770ac920 5 bytes JMP 00000000772101e0 .text C:\Windows\Explorer.EXE[2648] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000770ac9e0 5 bytes JMP 0000000077210250 .text C:\Windows\Explorer.EXE[2648] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000770aca10 5 bytes JMP 0000000077210490 .text C:\Windows\Explorer.EXE[2648] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000770aca20 5 bytes JMP 00000000772104a0 .text C:\Windows\Explorer.EXE[2648] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000770aca50 5 bytes JMP 0000000077210300 .text C:\Windows\Explorer.EXE[2648] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000770aca60 5 bytes JMP 0000000077210360 .text C:\Windows\Explorer.EXE[2648] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000770acac0 5 bytes JMP 00000000772102a0 .text C:\Windows\Explorer.EXE[2648] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000770acb10 5 bytes JMP 00000000772102c0 .text C:\Windows\Explorer.EXE[2648] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000770acb40 5 bytes JMP 0000000077210380 .text C:\Windows\Explorer.EXE[2648] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000770acb50 5 bytes JMP 0000000077210340 .text C:\Windows\Explorer.EXE[2648] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000770ace40 5 bytes JMP 0000000077210440 .text C:\Windows\Explorer.EXE[2648] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000770ad040 5 bytes JMP 0000000077210260 .text C:\Windows\Explorer.EXE[2648] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000770ad050 5 bytes JMP 0000000077210270 .text C:\Windows\Explorer.EXE[2648] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000770ad060 5 bytes JMP 0000000077210400 .text C:\Windows\Explorer.EXE[2648] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000770ad220 5 bytes JMP 00000000772101f0 .text C:\Windows\Explorer.EXE[2648] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000770ad230 5 bytes JMP 0000000077210210 .text C:\Windows\Explorer.EXE[2648] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000770ad2a0 5 bytes JMP 0000000077210200 .text C:\Windows\Explorer.EXE[2648] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000770ad300 5 bytes JMP 0000000077210420 .text C:\Windows\Explorer.EXE[2648] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000770ad310 5 bytes JMP 0000000077210430 .text C:\Windows\Explorer.EXE[2648] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000770ad320 5 bytes JMP 0000000077210220 .text C:\Windows\Explorer.EXE[2648] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000770ad400 5 bytes JMP 0000000077210280 .text C:\Windows\system32\taskhost.exe[2664] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000770abbe0 5 bytes JMP 0000000077210460 .text C:\Windows\system32\taskhost.exe[2664] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000770abc30 5 bytes JMP 0000000077210450 .text C:\Windows\system32\taskhost.exe[2664] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000770abd90 5 bytes JMP 0000000077210370 .text C:\Windows\system32\taskhost.exe[2664] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000770abde0 1 byte JMP 0000000077210470 .text C:\Windows\system32\taskhost.exe[2664] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000770abde2 3 bytes {JMP 0x164690} .text C:\Windows\system32\taskhost.exe[2664] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000770abdf0 5 bytes JMP 00000000772103e0 .text C:\Windows\system32\taskhost.exe[2664] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000770abea0 5 bytes JMP 0000000077210320 .text C:\Windows\system32\taskhost.exe[2664] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000770abed0 5 bytes JMP 00000000772103b0 .text C:\Windows\system32\taskhost.exe[2664] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000770abef0 5 bytes JMP 0000000077210390 .text C:\Windows\system32\taskhost.exe[2664] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000770abf30 5 bytes JMP 00000000772102e0 .text C:\Windows\system32\taskhost.exe[2664] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000770abfb0 5 bytes JMP 00000000772102d0 .text C:\Windows\system32\taskhost.exe[2664] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000770abfd0 5 bytes JMP 0000000077210310 .text C:\Windows\system32\taskhost.exe[2664] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000770ac010 5 bytes JMP 00000000772103c0 .text C:\Windows\system32\taskhost.exe[2664] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000770ac060 1 byte JMP 00000000772103f0 .text C:\Windows\system32\taskhost.exe[2664] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 00000000770ac062 3 bytes {JMP 0x164390} .text C:\Windows\system32\taskhost.exe[2664] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000770ac1c0 5 bytes JMP 0000000077210230 .text C:\Windows\system32\taskhost.exe[2664] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000770ac380 5 bytes JMP 0000000077210480 .text C:\Windows\system32\taskhost.exe[2664] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000770ac3b0 5 bytes JMP 00000000772103a0 .text C:\Windows\system32\taskhost.exe[2664] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000770ac490 5 bytes JMP 00000000772102f0 .text C:\Windows\system32\taskhost.exe[2664] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000770ac4a0 5 bytes JMP 0000000077210350 .text C:\Windows\system32\taskhost.exe[2664] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000770ac500 1 byte JMP 0000000077210290 .text C:\Windows\system32\taskhost.exe[2664] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 2 00000000770ac502 3 bytes {JMP 0x163d90} .text C:\Windows\system32\taskhost.exe[2664] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000770ac590 5 bytes JMP 00000000772102b0 .text C:\Windows\system32\taskhost.exe[2664] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000770ac5b0 5 bytes JMP 00000000772103d0 .text C:\Windows\system32\taskhost.exe[2664] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000770ac5c0 5 bytes JMP 0000000077210330 .text C:\Windows\system32\taskhost.exe[2664] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000770ac630 5 bytes JMP 0000000077210410 .text C:\Windows\system32\taskhost.exe[2664] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000770ac660 5 bytes JMP 0000000077210240 .text C:\Windows\system32\taskhost.exe[2664] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000770ac920 5 bytes JMP 00000000772101e0 .text C:\Windows\system32\taskhost.exe[2664] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000770ac9e0 5 bytes JMP 0000000077210250 .text C:\Windows\system32\taskhost.exe[2664] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000770aca10 5 bytes JMP 0000000077210490 .text C:\Windows\system32\taskhost.exe[2664] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000770aca20 5 bytes JMP 00000000772104a0 .text C:\Windows\system32\taskhost.exe[2664] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000770aca50 5 bytes JMP 0000000077210300 .text C:\Windows\system32\taskhost.exe[2664] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000770aca60 5 bytes JMP 0000000077210360 .text C:\Windows\system32\taskhost.exe[2664] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000770acac0 5 bytes JMP 00000000772102a0 .text C:\Windows\system32\taskhost.exe[2664] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000770acb10 5 bytes JMP 00000000772102c0 .text C:\Windows\system32\taskhost.exe[2664] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000770acb40 5 bytes JMP 0000000077210380 .text C:\Windows\system32\taskhost.exe[2664] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000770acb50 5 bytes JMP 0000000077210340 .text C:\Windows\system32\taskhost.exe[2664] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000770ace40 5 bytes JMP 0000000077210440 .text C:\Windows\system32\taskhost.exe[2664] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000770ad040 5 bytes JMP 0000000077210260 .text C:\Windows\system32\taskhost.exe[2664] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000770ad050 5 bytes JMP 0000000077210270 .text C:\Windows\system32\taskhost.exe[2664] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000770ad060 5 bytes JMP 0000000077210400 .text C:\Windows\system32\taskhost.exe[2664] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000770ad220 5 bytes JMP 00000000772101f0 .text C:\Windows\system32\taskhost.exe[2664] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000770ad230 5 bytes JMP 0000000077210210 .text C:\Windows\system32\taskhost.exe[2664] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000770ad2a0 5 bytes JMP 0000000077210200 .text C:\Windows\system32\taskhost.exe[2664] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000770ad300 5 bytes JMP 0000000077210420 .text C:\Windows\system32\taskhost.exe[2664] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000770ad310 5 bytes JMP 0000000077210430 .text C:\Windows\system32\taskhost.exe[2664] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000770ad320 5 bytes JMP 0000000077210220 .text C:\Windows\system32\taskhost.exe[2664] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000770ad400 5 bytes JMP 0000000077210280 .text C:\Program Files\AVAST Software\Avast\avastui.exe[3008] C:\Windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter 00000000768c8791 8 bytes [31, C0, C2, 04, 00, 90, 90, ...] .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[1204] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000770abbe0 5 bytes JMP 0000000077210460 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[1204] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000770abc30 5 bytes JMP 0000000077210450 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[1204] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000770abd90 5 bytes JMP 0000000077210370 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[1204] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000770abde0 1 byte JMP 0000000077210470 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[1204] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000770abde2 3 bytes {JMP 0x164690} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[1204] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000770abdf0 5 bytes JMP 00000000772103e0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[1204] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000770abea0 5 bytes JMP 0000000077210320 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[1204] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000770abed0 5 bytes JMP 00000000772103b0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[1204] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000770abef0 5 bytes JMP 0000000077210390 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[1204] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000770abf30 5 bytes JMP 00000000772102e0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[1204] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000770abfb0 5 bytes JMP 00000000772102d0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[1204] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000770abfd0 5 bytes JMP 0000000077210310 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[1204] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000770ac010 5 bytes JMP 00000000772103c0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[1204] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000770ac060 1 byte JMP 00000000772103f0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[1204] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 00000000770ac062 3 bytes {JMP 0x164390} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[1204] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000770ac1c0 5 bytes JMP 0000000077210230 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[1204] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000770ac380 5 bytes JMP 0000000077210480 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[1204] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000770ac3b0 5 bytes JMP 00000000772103a0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[1204] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000770ac490 5 bytes JMP 00000000772102f0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[1204] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000770ac4a0 5 bytes JMP 0000000077210350 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[1204] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000770ac500 1 byte JMP 0000000077210290 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[1204] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 2 00000000770ac502 3 bytes {JMP 0x163d90} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[1204] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000770ac590 5 bytes JMP 00000000772102b0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[1204] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000770ac5b0 5 bytes JMP 00000000772103d0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[1204] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000770ac5c0 5 bytes JMP 0000000077210330 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[1204] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000770ac630 5 bytes JMP 0000000077210410 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[1204] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000770ac660 5 bytes JMP 0000000077210240 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[1204] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000770ac920 5 bytes JMP 00000000772101e0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[1204] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000770ac9e0 5 bytes JMP 0000000077210250 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[1204] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000770aca10 5 bytes JMP 0000000077210490 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[1204] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000770aca20 5 bytes JMP 00000000772104a0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[1204] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000770aca50 5 bytes JMP 0000000077210300 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[1204] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000770aca60 5 bytes JMP 0000000077210360 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[1204] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000770acac0 5 bytes JMP 00000000772102a0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[1204] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000770acb10 5 bytes JMP 00000000772102c0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[1204] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000770acb40 5 bytes JMP 0000000077210380 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[1204] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000770acb50 5 bytes JMP 0000000077210340 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[1204] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000770ace40 5 bytes JMP 0000000077210440 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[1204] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000770ad040 5 bytes JMP 0000000077210260 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[1204] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000770ad050 5 bytes JMP 0000000077210270 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[1204] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000770ad060 5 bytes JMP 0000000077210400 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[1204] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000770ad220 5 bytes JMP 00000000772101f0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[1204] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000770ad230 5 bytes JMP 0000000077210210 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[1204] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000770ad2a0 5 bytes JMP 0000000077210200 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[1204] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000770ad300 5 bytes JMP 0000000077210420 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[1204] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000770ad310 5 bytes JMP 0000000077210430 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[1204] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000770ad320 5 bytes JMP 0000000077210220 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[1204] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000770ad400 5 bytes JMP 0000000077210280 .text C:\Windows\system32\wbem\unsecapp.exe[2980] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000770abbe0 5 bytes JMP 0000000077210460 .text C:\Windows\system32\wbem\unsecapp.exe[2980] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000770abc30 5 bytes JMP 0000000077210450 .text C:\Windows\system32\wbem\unsecapp.exe[2980] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000770abd90 5 bytes JMP 0000000077210370 .text C:\Windows\system32\wbem\unsecapp.exe[2980] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000770abde0 1 byte JMP 0000000077210470 .text C:\Windows\system32\wbem\unsecapp.exe[2980] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000770abde2 3 bytes {JMP 0x164690} .text C:\Windows\system32\wbem\unsecapp.exe[2980] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000770abdf0 5 bytes JMP 00000000772103e0 .text C:\Windows\system32\wbem\unsecapp.exe[2980] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000770abea0 5 bytes JMP 0000000077210320 .text C:\Windows\system32\wbem\unsecapp.exe[2980] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000770abed0 5 bytes JMP 00000000772103b0 .text C:\Windows\system32\wbem\unsecapp.exe[2980] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000770abef0 5 bytes JMP 0000000077210390 .text C:\Windows\system32\wbem\unsecapp.exe[2980] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000770abf30 5 bytes JMP 00000000772102e0 .text C:\Windows\system32\wbem\unsecapp.exe[2980] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000770abfb0 5 bytes JMP 00000000772102d0 .text C:\Windows\system32\wbem\unsecapp.exe[2980] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000770abfd0 5 bytes JMP 0000000077210310 .text C:\Windows\system32\wbem\unsecapp.exe[2980] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000770ac010 5 bytes JMP 00000000772103c0 .text C:\Windows\system32\wbem\unsecapp.exe[2980] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000770ac060 1 byte JMP 00000000772103f0 .text C:\Windows\system32\wbem\unsecapp.exe[2980] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 00000000770ac062 3 bytes {JMP 0x164390} .text C:\Windows\system32\wbem\unsecapp.exe[2980] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000770ac1c0 5 bytes JMP 0000000077210230 .text C:\Windows\system32\wbem\unsecapp.exe[2980] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000770ac380 5 bytes JMP 0000000077210480 .text C:\Windows\system32\wbem\unsecapp.exe[2980] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000770ac3b0 5 bytes JMP 00000000772103a0 .text C:\Windows\system32\wbem\unsecapp.exe[2980] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000770ac490 5 bytes JMP 00000000772102f0 .text C:\Windows\system32\wbem\unsecapp.exe[2980] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000770ac4a0 5 bytes JMP 0000000077210350 .text C:\Windows\system32\wbem\unsecapp.exe[2980] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000770ac500 1 byte JMP 0000000077210290 .text C:\Windows\system32\wbem\unsecapp.exe[2980] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 2 00000000770ac502 3 bytes {JMP 0x163d90} .text C:\Windows\system32\wbem\unsecapp.exe[2980] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000770ac590 5 bytes JMP 00000000772102b0 .text C:\Windows\system32\wbem\unsecapp.exe[2980] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000770ac5b0 5 bytes JMP 00000000772103d0 .text C:\Windows\system32\wbem\unsecapp.exe[2980] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000770ac5c0 5 bytes JMP 0000000077210330 .text C:\Windows\system32\wbem\unsecapp.exe[2980] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000770ac630 5 bytes JMP 0000000077210410 .text C:\Windows\system32\wbem\unsecapp.exe[2980] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000770ac660 5 bytes JMP 0000000077210240 .text C:\Windows\system32\wbem\unsecapp.exe[2980] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000770ac920 5 bytes JMP 00000000772101e0 .text C:\Windows\system32\wbem\unsecapp.exe[2980] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000770ac9e0 5 bytes JMP 0000000077210250 .text C:\Windows\system32\wbem\unsecapp.exe[2980] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000770aca10 5 bytes JMP 0000000077210490 .text C:\Windows\system32\wbem\unsecapp.exe[2980] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000770aca20 5 bytes JMP 00000000772104a0 .text C:\Windows\system32\wbem\unsecapp.exe[2980] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000770aca50 5 bytes JMP 0000000077210300 .text C:\Windows\system32\wbem\unsecapp.exe[2980] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000770aca60 5 bytes JMP 0000000077210360 .text C:\Windows\system32\wbem\unsecapp.exe[2980] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000770acac0 5 bytes JMP 00000000772102a0 .text C:\Windows\system32\wbem\unsecapp.exe[2980] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000770acb10 5 bytes JMP 00000000772102c0 .text C:\Windows\system32\wbem\unsecapp.exe[2980] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000770acb40 5 bytes JMP 0000000077210380 .text C:\Windows\system32\wbem\unsecapp.exe[2980] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000770acb50 5 bytes JMP 0000000077210340 .text C:\Windows\system32\wbem\unsecapp.exe[2980] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000770ace40 5 bytes JMP 0000000077210440 .text C:\Windows\system32\wbem\unsecapp.exe[2980] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000770ad040 5 bytes JMP 0000000077210260 .text C:\Windows\system32\wbem\unsecapp.exe[2980] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000770ad050 5 bytes JMP 0000000077210270 .text C:\Windows\system32\wbem\unsecapp.exe[2980] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000770ad060 5 bytes JMP 0000000077210400 .text C:\Windows\system32\wbem\unsecapp.exe[2980] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000770ad220 5 bytes JMP 00000000772101f0 .text C:\Windows\system32\wbem\unsecapp.exe[2980] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000770ad230 5 bytes JMP 0000000077210210 .text C:\Windows\system32\wbem\unsecapp.exe[2980] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000770ad2a0 5 bytes JMP 0000000077210200 .text C:\Windows\system32\wbem\unsecapp.exe[2980] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000770ad300 5 bytes JMP 0000000077210420 .text C:\Windows\system32\wbem\unsecapp.exe[2980] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000770ad310 5 bytes JMP 0000000077210430 .text C:\Windows\system32\wbem\unsecapp.exe[2980] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000770ad320 5 bytes JMP 0000000077210220 .text C:\Windows\system32\wbem\unsecapp.exe[2980] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000770ad400 5 bytes JMP 0000000077210280 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000770abbe0 5 bytes JMP 0000000077210460 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000770abc30 5 bytes JMP 0000000077210450 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000770abd90 5 bytes JMP 0000000077210370 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000770abde0 1 byte JMP 0000000077210470 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000770abde2 3 bytes {JMP 0x164690} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000770abdf0 5 bytes JMP 00000000772103e0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000770abea0 5 bytes JMP 0000000077210320 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000770abed0 5 bytes JMP 00000000772103b0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000770abef0 5 bytes JMP 0000000077210390 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000770abf30 5 bytes JMP 00000000772102e0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000770abfb0 5 bytes JMP 00000000772102d0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000770abfd0 5 bytes JMP 0000000077210310 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000770ac010 5 bytes JMP 00000000772103c0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000770ac060 1 byte JMP 00000000772103f0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 00000000770ac062 3 bytes {JMP 0x164390} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000770ac1c0 5 bytes JMP 0000000077210230 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000770ac380 5 bytes JMP 0000000077210480 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000770ac3b0 5 bytes JMP 00000000772103a0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000770ac490 5 bytes JMP 00000000772102f0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000770ac4a0 5 bytes JMP 0000000077210350 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000770ac500 1 byte JMP 0000000077210290 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 2 00000000770ac502 3 bytes {JMP 0x163d90} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000770ac590 5 bytes JMP 00000000772102b0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000770ac5b0 5 bytes JMP 00000000772103d0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000770ac5c0 5 bytes JMP 0000000077210330 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000770ac630 5 bytes JMP 0000000077210410 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000770ac660 5 bytes JMP 0000000077210240 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000770ac920 5 bytes JMP 00000000772101e0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000770ac9e0 5 bytes JMP 0000000077210250 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000770aca10 5 bytes JMP 0000000077210490 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000770aca20 5 bytes JMP 00000000772104a0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000770aca50 5 bytes JMP 0000000077210300 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000770aca60 5 bytes JMP 0000000077210360 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000770acac0 5 bytes JMP 00000000772102a0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000770acb10 5 bytes JMP 00000000772102c0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000770acb40 5 bytes JMP 0000000077210380 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000770acb50 5 bytes JMP 0000000077210340 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000770ace40 5 bytes JMP 0000000077210440 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000770ad040 5 bytes JMP 0000000077210260 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000770ad050 5 bytes JMP 0000000077210270 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000770ad060 5 bytes JMP 0000000077210400 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000770ad220 5 bytes JMP 00000000772101f0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000770ad230 5 bytes JMP 0000000077210210 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000770ad2a0 5 bytes JMP 0000000077210200 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000770ad300 5 bytes JMP 0000000077210420 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000770ad310 5 bytes JMP 0000000077210430 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000770ad320 5 bytes JMP 0000000077210220 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000770ad400 5 bytes JMP 0000000077210280 .text C:\Windows\system32\wbem\wmiprvse.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000770abbe0 5 bytes JMP 0000000077210460 .text C:\Windows\system32\wbem\wmiprvse.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000770abc30 5 bytes JMP 0000000077210450 .text C:\Windows\system32\wbem\wmiprvse.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000770abd90 5 bytes JMP 0000000077210370 .text C:\Windows\system32\wbem\wmiprvse.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000770abde0 1 byte JMP 0000000077210470 .text C:\Windows\system32\wbem\wmiprvse.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000770abde2 3 bytes {JMP 0x164690} .text C:\Windows\system32\wbem\wmiprvse.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000770abdf0 5 bytes JMP 00000000772103e0 .text C:\Windows\system32\wbem\wmiprvse.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000770abea0 5 bytes JMP 0000000077210320 .text C:\Windows\system32\wbem\wmiprvse.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000770abed0 5 bytes JMP 00000000772103b0 .text C:\Windows\system32\wbem\wmiprvse.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000770abef0 5 bytes JMP 0000000077210390 .text C:\Windows\system32\wbem\wmiprvse.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000770abf30 5 bytes JMP 00000000772102e0 .text C:\Windows\system32\wbem\wmiprvse.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000770abfb0 5 bytes JMP 00000000772102d0 .text C:\Windows\system32\wbem\wmiprvse.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000770abfd0 5 bytes JMP 0000000077210310 .text C:\Windows\system32\wbem\wmiprvse.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000770ac010 5 bytes JMP 00000000772103c0 .text C:\Windows\system32\wbem\wmiprvse.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000770ac060 1 byte JMP 00000000772103f0 .text C:\Windows\system32\wbem\wmiprvse.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 00000000770ac062 3 bytes {JMP 0x164390} .text C:\Windows\system32\wbem\wmiprvse.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000770ac1c0 5 bytes JMP 0000000077210230 .text C:\Windows\system32\wbem\wmiprvse.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000770ac380 5 bytes JMP 0000000077210480 .text C:\Windows\system32\wbem\wmiprvse.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000770ac3b0 5 bytes JMP 00000000772103a0 .text C:\Windows\system32\wbem\wmiprvse.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000770ac490 5 bytes JMP 00000000772102f0 .text C:\Windows\system32\wbem\wmiprvse.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000770ac4a0 5 bytes JMP 0000000077210350 .text C:\Windows\system32\wbem\wmiprvse.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000770ac500 1 byte JMP 0000000077210290 .text C:\Windows\system32\wbem\wmiprvse.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 2 00000000770ac502 3 bytes {JMP 0x163d90} .text C:\Windows\system32\wbem\wmiprvse.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000770ac590 5 bytes JMP 00000000772102b0 .text C:\Windows\system32\wbem\wmiprvse.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000770ac5b0 5 bytes JMP 00000000772103d0 .text C:\Windows\system32\wbem\wmiprvse.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000770ac5c0 5 bytes JMP 0000000077210330 .text C:\Windows\system32\wbem\wmiprvse.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000770ac630 5 bytes JMP 0000000077210410 .text C:\Windows\system32\wbem\wmiprvse.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000770ac660 5 bytes JMP 0000000077210240 .text C:\Windows\system32\wbem\wmiprvse.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000770ac920 5 bytes JMP 00000000772101e0 .text C:\Windows\system32\wbem\wmiprvse.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000770ac9e0 5 bytes JMP 0000000077210250 .text C:\Windows\system32\wbem\wmiprvse.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000770aca10 5 bytes JMP 0000000077210490 .text C:\Windows\system32\wbem\wmiprvse.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000770aca20 5 bytes JMP 00000000772104a0 .text C:\Windows\system32\wbem\wmiprvse.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000770aca50 5 bytes JMP 0000000077210300 .text C:\Windows\system32\wbem\wmiprvse.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000770aca60 5 bytes JMP 0000000077210360 .text C:\Windows\system32\wbem\wmiprvse.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000770acac0 5 bytes JMP 00000000772102a0 .text C:\Windows\system32\wbem\wmiprvse.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000770acb10 5 bytes JMP 00000000772102c0 .text C:\Windows\system32\wbem\wmiprvse.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000770acb40 5 bytes JMP 0000000077210380 .text C:\Windows\system32\wbem\wmiprvse.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000770acb50 5 bytes JMP 0000000077210340 .text C:\Windows\system32\wbem\wmiprvse.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000770ace40 5 bytes JMP 0000000077210440 .text C:\Windows\system32\wbem\wmiprvse.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000770ad040 5 bytes JMP 0000000077210260 .text C:\Windows\system32\wbem\wmiprvse.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000770ad050 5 bytes JMP 0000000077210270 .text C:\Windows\system32\wbem\wmiprvse.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000770ad060 5 bytes JMP 0000000077210400 .text C:\Windows\system32\wbem\wmiprvse.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000770ad220 5 bytes JMP 00000000772101f0 .text C:\Windows\system32\wbem\wmiprvse.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000770ad230 5 bytes JMP 0000000077210210 .text C:\Windows\system32\wbem\wmiprvse.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000770ad2a0 5 bytes JMP 0000000077210200 .text C:\Windows\system32\wbem\wmiprvse.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000770ad300 5 bytes JMP 0000000077210420 .text C:\Windows\system32\wbem\wmiprvse.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000770ad310 5 bytes JMP 0000000077210430 .text C:\Windows\system32\wbem\wmiprvse.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000770ad320 5 bytes JMP 0000000077210220 .text C:\Windows\system32\wbem\wmiprvse.exe[2100] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000770ad400 5 bytes JMP 0000000077210280 .text C:\Windows\system32\SearchIndexer.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000770abbe0 5 bytes JMP 0000000000070460 .text C:\Windows\system32\SearchIndexer.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000770abc30 5 bytes JMP 0000000000070450 .text C:\Windows\system32\SearchIndexer.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000770abd90 5 bytes JMP 0000000000070370 .text C:\Windows\system32\SearchIndexer.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000770abde0 1 byte JMP 0000000000070470 .text C:\Windows\system32\SearchIndexer.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000770abde2 3 bytes {JMP 0xffffffff88fc4690} .text C:\Windows\system32\SearchIndexer.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000770abdf0 5 bytes JMP 00000000000703e0 .text C:\Windows\system32\SearchIndexer.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000770abea0 5 bytes JMP 0000000000070320 .text C:\Windows\system32\SearchIndexer.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000770abed0 5 bytes JMP 00000000000703b0 .text C:\Windows\system32\SearchIndexer.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000770abef0 5 bytes JMP 0000000000070390 .text C:\Windows\system32\SearchIndexer.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000770abf30 5 bytes JMP 00000000000702e0 .text C:\Windows\system32\SearchIndexer.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000770abfb0 5 bytes JMP 00000000000702d0 .text C:\Windows\system32\SearchIndexer.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000770abfd0 5 bytes JMP 0000000000070310 .text C:\Windows\system32\SearchIndexer.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000770ac010 5 bytes JMP 00000000000703c0 .text C:\Windows\system32\SearchIndexer.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000770ac060 1 byte JMP 00000000000703f0 .text C:\Windows\system32\SearchIndexer.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 00000000770ac062 3 bytes {JMP 0xffffffff88fc4390} .text C:\Windows\system32\SearchIndexer.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000770ac1c0 5 bytes JMP 0000000000070230 .text C:\Windows\system32\SearchIndexer.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000770ac380 5 bytes JMP 0000000000070480 .text C:\Windows\system32\SearchIndexer.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000770ac3b0 5 bytes JMP 00000000000703a0 .text C:\Windows\system32\SearchIndexer.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000770ac490 5 bytes JMP 00000000000702f0 .text C:\Windows\system32\SearchIndexer.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000770ac4a0 5 bytes JMP 0000000000070350 .text C:\Windows\system32\SearchIndexer.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000770ac500 1 byte JMP 0000000000070290 .text C:\Windows\system32\SearchIndexer.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 2 00000000770ac502 3 bytes {JMP 0xffffffff88fc3d90} .text C:\Windows\system32\SearchIndexer.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000770ac590 5 bytes JMP 00000000000702b0 .text C:\Windows\system32\SearchIndexer.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000770ac5b0 5 bytes JMP 00000000000703d0 .text C:\Windows\system32\SearchIndexer.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000770ac5c0 5 bytes JMP 0000000000070330 .text C:\Windows\system32\SearchIndexer.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000770ac630 5 bytes JMP 0000000000070410 .text C:\Windows\system32\SearchIndexer.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000770ac660 5 bytes JMP 0000000000070240 .text C:\Windows\system32\SearchIndexer.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000770ac920 5 bytes JMP 00000000000701e0 .text C:\Windows\system32\SearchIndexer.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000770ac9e0 5 bytes JMP 0000000000070250 .text C:\Windows\system32\SearchIndexer.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000770aca10 5 bytes JMP 0000000000070490 .text C:\Windows\system32\SearchIndexer.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000770aca20 5 bytes JMP 00000000000704a0 .text C:\Windows\system32\SearchIndexer.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000770aca50 5 bytes JMP 0000000000070300 .text C:\Windows\system32\SearchIndexer.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000770aca60 5 bytes JMP 0000000000070360 .text C:\Windows\system32\SearchIndexer.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000770acac0 5 bytes JMP 00000000000702a0 .text C:\Windows\system32\SearchIndexer.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000770acb10 5 bytes JMP 00000000000702c0 .text C:\Windows\system32\SearchIndexer.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000770acb40 5 bytes JMP 0000000000070380 .text C:\Windows\system32\SearchIndexer.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000770acb50 5 bytes JMP 0000000000070340 .text C:\Windows\system32\SearchIndexer.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000770ace40 5 bytes JMP 0000000000070440 .text C:\Windows\system32\SearchIndexer.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000770ad040 5 bytes JMP 0000000000070260 .text C:\Windows\system32\SearchIndexer.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000770ad050 5 bytes JMP 0000000000070270 .text C:\Windows\system32\SearchIndexer.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000770ad060 5 bytes JMP 0000000000070400 .text C:\Windows\system32\SearchIndexer.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000770ad220 5 bytes JMP 00000000000701f0 .text C:\Windows\system32\SearchIndexer.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000770ad230 5 bytes JMP 0000000000070210 .text C:\Windows\system32\SearchIndexer.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000770ad2a0 5 bytes JMP 0000000000070200 .text C:\Windows\system32\SearchIndexer.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000770ad300 5 bytes JMP 0000000000070420 .text C:\Windows\system32\SearchIndexer.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000770ad310 5 bytes JMP 0000000000070430 .text C:\Windows\system32\SearchIndexer.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000770ad320 5 bytes JMP 0000000000070220 .text C:\Windows\system32\SearchIndexer.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000770ad400 5 bytes JMP 0000000000070280 .text C:\Windows\system32\GWX\GWX.exe[3208] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000770abbe0 5 bytes JMP 0000000000070460 .text C:\Windows\system32\GWX\GWX.exe[3208] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000770abc30 5 bytes JMP 0000000000070450 .text C:\Windows\system32\GWX\GWX.exe[3208] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000770abd90 5 bytes JMP 0000000000070370 .text C:\Windows\system32\GWX\GWX.exe[3208] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000770abde0 1 byte JMP 0000000000070470 .text C:\Windows\system32\GWX\GWX.exe[3208] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000770abde2 3 bytes {JMP 0xffffffff88fc4690} .text C:\Windows\system32\GWX\GWX.exe[3208] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000770abdf0 5 bytes JMP 00000000000703e0 .text C:\Windows\system32\GWX\GWX.exe[3208] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000770abea0 5 bytes JMP 0000000000070320 .text C:\Windows\system32\GWX\GWX.exe[3208] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000770abed0 5 bytes JMP 00000000000703b0 .text C:\Windows\system32\GWX\GWX.exe[3208] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000770abef0 5 bytes JMP 0000000000070390 .text C:\Windows\system32\GWX\GWX.exe[3208] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000770abf30 5 bytes JMP 00000000000702e0 .text C:\Windows\system32\GWX\GWX.exe[3208] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000770abfb0 5 bytes JMP 00000000000702d0 .text C:\Windows\system32\GWX\GWX.exe[3208] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000770abfd0 5 bytes JMP 0000000000070310 .text C:\Windows\system32\GWX\GWX.exe[3208] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000770ac010 5 bytes JMP 00000000000703c0 .text C:\Windows\system32\GWX\GWX.exe[3208] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000770ac060 1 byte JMP 00000000000703f0 .text C:\Windows\system32\GWX\GWX.exe[3208] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 00000000770ac062 3 bytes {JMP 0xffffffff88fc4390} .text C:\Windows\system32\GWX\GWX.exe[3208] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000770ac1c0 5 bytes JMP 0000000000070230 .text C:\Windows\system32\GWX\GWX.exe[3208] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000770ac380 5 bytes JMP 0000000000070480 .text C:\Windows\system32\GWX\GWX.exe[3208] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000770ac3b0 5 bytes JMP 00000000000703a0 .text C:\Windows\system32\GWX\GWX.exe[3208] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000770ac490 5 bytes JMP 00000000000702f0 .text C:\Windows\system32\GWX\GWX.exe[3208] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000770ac4a0 5 bytes JMP 0000000000070350 .text C:\Windows\system32\GWX\GWX.exe[3208] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000770ac500 1 byte JMP 0000000000070290 .text C:\Windows\system32\GWX\GWX.exe[3208] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 2 00000000770ac502 3 bytes {JMP 0xffffffff88fc3d90} .text C:\Windows\system32\GWX\GWX.exe[3208] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000770ac590 5 bytes JMP 00000000000702b0 .text C:\Windows\system32\GWX\GWX.exe[3208] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000770ac5b0 5 bytes JMP 00000000000703d0 .text C:\Windows\system32\GWX\GWX.exe[3208] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000770ac5c0 5 bytes JMP 0000000000070330 .text C:\Windows\system32\GWX\GWX.exe[3208] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000770ac630 5 bytes JMP 0000000000070410 .text C:\Windows\system32\GWX\GWX.exe[3208] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000770ac660 5 bytes JMP 0000000000070240 .text C:\Windows\system32\GWX\GWX.exe[3208] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000770ac920 5 bytes JMP 00000000000701e0 .text C:\Windows\system32\GWX\GWX.exe[3208] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000770ac9e0 5 bytes JMP 0000000000070250 .text C:\Windows\system32\GWX\GWX.exe[3208] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000770aca10 5 bytes JMP 0000000000070490 .text C:\Windows\system32\GWX\GWX.exe[3208] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000770aca20 5 bytes JMP 00000000000704a0 .text C:\Windows\system32\GWX\GWX.exe[3208] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000770aca50 5 bytes JMP 0000000000070300 .text C:\Windows\system32\GWX\GWX.exe[3208] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000770aca60 5 bytes JMP 0000000000070360 .text C:\Windows\system32\GWX\GWX.exe[3208] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000770acac0 5 bytes JMP 00000000000702a0 .text C:\Windows\system32\GWX\GWX.exe[3208] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000770acb10 5 bytes JMP 00000000000702c0 .text C:\Windows\system32\GWX\GWX.exe[3208] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000770acb40 5 bytes JMP 0000000000070380 .text C:\Windows\system32\GWX\GWX.exe[3208] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000770acb50 5 bytes JMP 0000000000070340 .text C:\Windows\system32\GWX\GWX.exe[3208] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000770ace40 5 bytes JMP 0000000000070440 .text C:\Windows\system32\GWX\GWX.exe[3208] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000770ad040 5 bytes JMP 0000000000070260 .text C:\Windows\system32\GWX\GWX.exe[3208] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000770ad050 5 bytes JMP 0000000000070270 .text C:\Windows\system32\GWX\GWX.exe[3208] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000770ad060 5 bytes JMP 0000000000070400 .text C:\Windows\system32\GWX\GWX.exe[3208] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000770ad220 5 bytes JMP 00000000000701f0 .text C:\Windows\system32\GWX\GWX.exe[3208] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000770ad230 5 bytes JMP 0000000000070210 .text C:\Windows\system32\GWX\GWX.exe[3208] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000770ad2a0 5 bytes JMP 0000000000070200 .text C:\Windows\system32\GWX\GWX.exe[3208] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000770ad300 5 bytes JMP 0000000000070420 .text C:\Windows\system32\GWX\GWX.exe[3208] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000770ad310 5 bytes JMP 0000000000070430 .text C:\Windows\system32\GWX\GWX.exe[3208] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000770ad320 5 bytes JMP 0000000000070220 .text C:\Windows\system32\GWX\GWX.exe[3208] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000770ad400 5 bytes JMP 0000000000070280 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3492] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000770abbe0 5 bytes JMP 00000000001f0460 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3492] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000770abc30 5 bytes JMP 00000000001f0450 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3492] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000770abd90 5 bytes JMP 00000000001f0370 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3492] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000770abde0 1 byte JMP 00000000001f0470 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3492] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000770abde2 3 bytes {JMP 0xffffffff89144690} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3492] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000770abdf0 5 bytes JMP 00000000001f03e0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3492] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000770abea0 5 bytes JMP 00000000001f0320 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3492] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000770abed0 5 bytes JMP 00000000001f03b0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3492] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000770abef0 5 bytes JMP 00000000001f0390 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3492] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000770abf30 5 bytes JMP 00000000001f02e0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3492] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000770abfb0 5 bytes JMP 00000000001f02d0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3492] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000770abfd0 5 bytes JMP 00000000001f0310 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3492] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000770ac010 5 bytes JMP 00000000001f03c0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3492] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000770ac060 1 byte JMP 00000000001f03f0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3492] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 00000000770ac062 3 bytes {JMP 0xffffffff89144390} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3492] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000770ac1c0 5 bytes JMP 00000000001f0230 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3492] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000770ac380 5 bytes JMP 00000000001f0480 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3492] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000770ac3b0 5 bytes JMP 00000000001f03a0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3492] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000770ac490 5 bytes JMP 00000000001f02f0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3492] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000770ac4a0 5 bytes JMP 00000000001f0350 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3492] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000770ac500 1 byte JMP 00000000001f0290 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3492] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 2 00000000770ac502 3 bytes {JMP 0xffffffff89143d90} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3492] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000770ac590 5 bytes JMP 00000000001f02b0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3492] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000770ac5b0 5 bytes JMP 00000000001f03d0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3492] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000770ac5c0 5 bytes JMP 00000000001f0330 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3492] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000770ac630 5 bytes JMP 00000000001f0410 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3492] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000770ac660 5 bytes JMP 00000000001f0240 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3492] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000770ac920 5 bytes JMP 00000000001f01e0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3492] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000770ac9e0 5 bytes JMP 00000000001f0250 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3492] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000770aca10 5 bytes JMP 00000000001f0490 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3492] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000770aca20 5 bytes JMP 00000000001f04a0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3492] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000770aca50 5 bytes JMP 00000000001f0300 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3492] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000770aca60 5 bytes JMP 00000000001f0360 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3492] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000770acac0 5 bytes JMP 00000000001f02a0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3492] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000770acb10 5 bytes JMP 00000000001f02c0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3492] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000770acb40 5 bytes JMP 00000000001f0380 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3492] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000770acb50 5 bytes JMP 00000000001f0340 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3492] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000770ace40 5 bytes JMP 00000000001f0440 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3492] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000770ad040 5 bytes JMP 00000000001f0260 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3492] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000770ad050 5 bytes JMP 00000000001f0270 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3492] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000770ad060 5 bytes JMP 00000000001f0400 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3492] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000770ad220 5 bytes JMP 00000000001f01f0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3492] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000770ad230 5 bytes JMP 00000000001f0210 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3492] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000770ad2a0 5 bytes JMP 00000000001f0200 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3492] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000770ad300 5 bytes JMP 00000000001f0420 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3492] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000770ad310 5 bytes JMP 00000000001f0430 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3492] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000770ad320 5 bytes JMP 00000000001f0220 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3492] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000770ad400 5 bytes JMP 00000000001f0280 .text C:\Windows\System32\svchost.exe[3476] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000770abbe0 5 bytes JMP 0000000077210460 .text C:\Windows\System32\svchost.exe[3476] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000770abc30 5 bytes JMP 0000000077210450 .text C:\Windows\System32\svchost.exe[3476] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000770abd90 5 bytes JMP 0000000077210370 .text C:\Windows\System32\svchost.exe[3476] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000770abde0 1 byte JMP 0000000077210470 .text C:\Windows\System32\svchost.exe[3476] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000770abde2 3 bytes {JMP 0x164690} .text C:\Windows\System32\svchost.exe[3476] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000770abdf0 5 bytes JMP 00000000772103e0 .text C:\Windows\System32\svchost.exe[3476] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000770abea0 5 bytes JMP 0000000077210320 .text C:\Windows\System32\svchost.exe[3476] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000770abed0 5 bytes JMP 00000000772103b0 .text C:\Windows\System32\svchost.exe[3476] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000770abef0 5 bytes JMP 0000000077210390 .text C:\Windows\System32\svchost.exe[3476] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000770abf30 5 bytes JMP 00000000772102e0 .text C:\Windows\System32\svchost.exe[3476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000770abfb0 5 bytes JMP 00000000772102d0 .text C:\Windows\System32\svchost.exe[3476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000770abfd0 5 bytes JMP 0000000077210310 .text C:\Windows\System32\svchost.exe[3476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000770ac010 5 bytes JMP 00000000772103c0 .text C:\Windows\System32\svchost.exe[3476] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000770ac060 1 byte JMP 00000000772103f0 .text C:\Windows\System32\svchost.exe[3476] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread + 2 00000000770ac062 3 bytes {JMP 0x164390} .text C:\Windows\System32\svchost.exe[3476] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000770ac1c0 5 bytes JMP 0000000077210230 .text C:\Windows\System32\svchost.exe[3476] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000770ac380 5 bytes JMP 0000000077210480 .text C:\Windows\System32\svchost.exe[3476] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000770ac3b0 5 bytes JMP 00000000772103a0 .text C:\Windows\System32\svchost.exe[3476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000770ac490 5 bytes JMP 00000000772102f0 .text C:\Windows\System32\svchost.exe[3476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000770ac4a0 5 bytes JMP 0000000077210350 .text C:\Windows\System32\svchost.exe[3476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000770ac500 1 byte JMP 0000000077210290 .text C:\Windows\System32\svchost.exe[3476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 2 00000000770ac502 3 bytes {JMP 0x163d90} .text C:\Windows\System32\svchost.exe[3476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000770ac590 5 bytes JMP 00000000772102b0 .text C:\Windows\System32\svchost.exe[3476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000770ac5b0 5 bytes JMP 00000000772103d0 .text C:\Windows\System32\svchost.exe[3476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000770ac5c0 5 bytes JMP 0000000077210330 .text C:\Windows\System32\svchost.exe[3476] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000770ac630 5 bytes JMP 0000000077210410 .text C:\Windows\System32\svchost.exe[3476] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000770ac660 5 bytes JMP 0000000077210240 .text C:\Windows\System32\svchost.exe[3476] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000770ac920 5 bytes JMP 00000000772101e0 .text C:\Windows\System32\svchost.exe[3476] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000770ac9e0 5 bytes JMP 0000000077210250 .text C:\Windows\System32\svchost.exe[3476] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000770aca10 5 bytes JMP 0000000077210490 .text C:\Windows\System32\svchost.exe[3476] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000770aca20 5 bytes JMP 00000000772104a0 .text C:\Windows\System32\svchost.exe[3476] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000770aca50 5 bytes JMP 0000000077210300 .text C:\Windows\System32\svchost.exe[3476] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000770aca60 5 bytes JMP 0000000077210360 .text C:\Windows\System32\svchost.exe[3476] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000770acac0 5 bytes JMP 00000000772102a0 .text C:\Windows\System32\svchost.exe[3476] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000770acb10 5 bytes JMP 00000000772102c0 .text C:\Windows\System32\svchost.exe[3476] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000770acb40 5 bytes JMP 0000000077210380 .text C:\Windows\System32\svchost.exe[3476] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000770acb50 5 bytes JMP 0000000077210340 .text C:\Windows\System32\svchost.exe[3476] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000770ace40 5 bytes JMP 0000000077210440 .text C:\Windows\System32\svchost.exe[3476] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000770ad040 5 bytes JMP 0000000077210260 .text C:\Windows\System32\svchost.exe[3476] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000770ad050 5 bytes JMP 0000000077210270 .text C:\Windows\System32\svchost.exe[3476] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000770ad060 5 bytes JMP 0000000077210400 .text C:\Windows\System32\svchost.exe[3476] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000770ad220 5 bytes JMP 00000000772101f0 .text C:\Windows\System32\svchost.exe[3476] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000770ad230 5 bytes JMP 0000000077210210 .text C:\Windows\System32\svchost.exe[3476] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000770ad2a0 5 bytes JMP 0000000077210200 .text C:\Windows\System32\svchost.exe[3476] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000770ad300 5 bytes JMP 0000000077210420 .text C:\Windows\System32\svchost.exe[3476] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000770ad310 5 bytes JMP 0000000077210430 .text C:\Windows\System32\svchost.exe[3476] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000770ad320 5 bytes JMP 0000000077210220 .text C:\Windows\System32\svchost.exe[3476] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000770ad400 5 bytes JMP 0000000077210280 ---- EOF - GMER 2.2 ----