GMER 2.2.19882 - http://www.gmer.net Rootkit scan 2016-11-10 14:41:44 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 WDC_WD3200BPVT-80JJ5T0 rev.01.01A01 298,09GB Running: rmq2tm48.exe; Driver: D:\Users\Miski\AppData\Local\Temp\uwddikow.sys ---- User code sections - GMER 2.2 ---- .text D:\Windows\system32\csrss.exe[416] D:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077a31360 5 bytes JMP 0000000049d70480 .text D:\Windows\system32\csrss.exe[416] D:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077a313b0 5 bytes JMP 0000000049d70470 .text D:\Windows\system32\csrss.exe[416] D:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077a31510 5 bytes JMP 0000000049d70360 .text D:\Windows\system32\csrss.exe[416] D:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077a31560 5 bytes JMP 0000000049d70490 .text D:\Windows\system32\csrss.exe[416] D:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a31570 5 bytes JMP 0000000049d703d0 .text D:\Windows\system32\csrss.exe[416] D:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a31620 5 bytes JMP 0000000049d70310 .text D:\Windows\system32\csrss.exe[416] D:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077a31650 5 bytes JMP 0000000049d703a0 .text D:\Windows\system32\csrss.exe[416] D:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077a31670 5 bytes JMP 0000000049d70380 .text D:\Windows\system32\csrss.exe[416] D:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077a316b0 5 bytes JMP 0000000049d702d0 .text D:\Windows\system32\csrss.exe[416] D:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a31730 1 byte JMP 0000000049d702c0 .text D:\Windows\system32\csrss.exe[416] D:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 0000000077a31732 3 bytes {JMP 0x35} .text D:\Windows\system32\csrss.exe[416] D:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a31750 5 bytes JMP 0000000049d70300 .text D:\Windows\system32\csrss.exe[416] D:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a31790 5 bytes JMP 0000000049d703b0 .text D:\Windows\system32\csrss.exe[416] D:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000077a317d0 5 bytes JMP 0000000049d70440 .text D:\Windows\system32\csrss.exe[416] D:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a317e0 5 bytes JMP 0000000049d703e0 .text D:\Windows\system32\csrss.exe[416] D:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077a31940 5 bytes JMP 0000000049d70220 .text D:\Windows\system32\csrss.exe[416] D:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a31b00 5 bytes JMP 0000000049d704a0 .text D:\Windows\system32\csrss.exe[416] D:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077a31b30 5 bytes JMP 0000000049d70390 .text D:\Windows\system32\csrss.exe[416] D:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077a31c10 5 bytes JMP 0000000049d702e0 .text D:\Windows\system32\csrss.exe[416] D:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077a31c20 5 bytes JMP 0000000049d70340 .text D:\Windows\system32\csrss.exe[416] D:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a31c80 5 bytes JMP 0000000049d70280 .text D:\Windows\system32\csrss.exe[416] D:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a31d10 1 byte JMP 0000000049d702a0 .text D:\Windows\system32\csrss.exe[416] D:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 0000000077a31d12 3 bytes {JMP 0xffffffffd233e590} .text D:\Windows\system32\csrss.exe[416] D:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a31d30 1 byte JMP 0000000049d703c0 .text D:\Windows\system32\csrss.exe[416] D:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 0000000077a31d32 3 bytes {JMP 0xffffffffd233e690} .text D:\Windows\system32\csrss.exe[416] D:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077a31d40 5 bytes JMP 0000000049d70320 .text D:\Windows\system32\csrss.exe[416] D:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077a31db0 5 bytes JMP 0000000049d70410 .text D:\Windows\system32\csrss.exe[416] D:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077a31de0 5 bytes JMP 0000000049d70230 .text D:\Windows\system32\csrss.exe[416] D:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000077a31f80 5 bytes JMP 0000000049d703f0 .text D:\Windows\system32\csrss.exe[416] D:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a320a0 5 bytes JMP 0000000049d701d0 .text D:\Windows\system32\csrss.exe[416] D:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077a32160 5 bytes JMP 0000000049d70240 .text D:\Windows\system32\csrss.exe[416] D:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077a32190 5 bytes JMP 0000000049d704b0 .text D:\Windows\system32\csrss.exe[416] D:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077a321a0 5 bytes JMP 0000000049d704c0 .text D:\Windows\system32\csrss.exe[416] D:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077a321d0 5 bytes JMP 0000000049d702f0 .text D:\Windows\system32\csrss.exe[416] D:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077a321e0 5 bytes JMP 0000000049d70350 .text D:\Windows\system32\csrss.exe[416] D:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077a32240 5 bytes JMP 0000000049d70290 .text D:\Windows\system32\csrss.exe[416] D:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077a32290 5 bytes JMP 0000000049d702b0 .text D:\Windows\system32\csrss.exe[416] D:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077a322c0 5 bytes JMP 0000000049d70370 .text D:\Windows\system32\csrss.exe[416] D:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077a322d0 5 bytes JMP 0000000049d70330 .text D:\Windows\system32\csrss.exe[416] D:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077a325c0 5 bytes JMP 0000000049d70460 .text D:\Windows\system32\csrss.exe[416] D:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000077a32720 5 bytes JMP 0000000049d70420 .text D:\Windows\system32\csrss.exe[416] D:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077a327c0 1 byte JMP 0000000049d70250 .text D:\Windows\system32\csrss.exe[416] D:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 0000000077a327c2 3 bytes {JMP 0xffffffffd233da90} .text D:\Windows\system32\csrss.exe[416] D:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077a327d0 1 byte JMP 0000000049d70260 .text D:\Windows\system32\csrss.exe[416] D:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 0000000077a327d2 3 bytes {JMP 0xffffffffd233da90} .text D:\Windows\system32\csrss.exe[416] D:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077a327e0 5 bytes JMP 0000000049d70400 .text D:\Windows\system32\csrss.exe[416] D:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a329a0 5 bytes JMP 0000000049d701e0 .text D:\Windows\system32\csrss.exe[416] D:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077a329b0 5 bytes JMP 0000000049d70200 .text D:\Windows\system32\csrss.exe[416] D:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a32a20 5 bytes JMP 0000000049d701f0 .text D:\Windows\system32\csrss.exe[416] D:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077a32a80 5 bytes JMP 0000000049d70430 .text D:\Windows\system32\csrss.exe[416] D:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077a32a90 5 bytes JMP 0000000049d70450 .text D:\Windows\system32\csrss.exe[416] D:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a32aa0 5 bytes JMP 0000000049d70210 .text D:\Windows\system32\csrss.exe[416] D:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077a32b80 5 bytes JMP 0000000049d70270 .text D:\Windows\system32\csrss.exe[516] D:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077a31360 5 bytes JMP 0000000049d70480 .text D:\Windows\system32\csrss.exe[516] D:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077a313b0 5 bytes JMP 0000000049d70470 .text D:\Windows\system32\csrss.exe[516] D:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077a31510 5 bytes JMP 0000000049d70360 .text D:\Windows\system32\csrss.exe[516] D:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077a31560 5 bytes JMP 0000000049d70490 .text D:\Windows\system32\csrss.exe[516] D:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a31570 5 bytes JMP 0000000049d703d0 .text D:\Windows\system32\csrss.exe[516] D:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a31620 5 bytes JMP 0000000049d70310 .text D:\Windows\system32\csrss.exe[516] D:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077a31650 5 bytes JMP 0000000049d703a0 .text D:\Windows\system32\csrss.exe[516] D:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077a31670 5 bytes JMP 0000000049d70380 .text D:\Windows\system32\csrss.exe[516] D:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077a316b0 5 bytes JMP 0000000049d702d0 .text D:\Windows\system32\csrss.exe[516] D:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a31730 1 byte JMP 0000000049d702c0 .text D:\Windows\system32\csrss.exe[516] D:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 0000000077a31732 3 bytes {JMP 0x35} .text D:\Windows\system32\csrss.exe[516] D:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a31750 5 bytes JMP 0000000049d70300 .text D:\Windows\system32\csrss.exe[516] D:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a31790 5 bytes JMP 0000000049d703b0 .text D:\Windows\system32\csrss.exe[516] D:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000077a317d0 5 bytes JMP 0000000049d70440 .text D:\Windows\system32\csrss.exe[516] D:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a317e0 5 bytes JMP 0000000049d703e0 .text D:\Windows\system32\csrss.exe[516] D:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077a31940 5 bytes JMP 0000000049d70220 .text D:\Windows\system32\csrss.exe[516] D:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a31b00 5 bytes JMP 0000000049d704a0 .text D:\Windows\system32\csrss.exe[516] D:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077a31b30 5 bytes JMP 0000000049d70390 .text D:\Windows\system32\csrss.exe[516] D:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077a31c10 5 bytes JMP 0000000049d702e0 .text D:\Windows\system32\csrss.exe[516] D:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077a31c20 5 bytes JMP 0000000049d70340 .text D:\Windows\system32\csrss.exe[516] D:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a31c80 5 bytes JMP 0000000049d70280 .text D:\Windows\system32\csrss.exe[516] D:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a31d10 1 byte JMP 0000000049d702a0 .text D:\Windows\system32\csrss.exe[516] D:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 0000000077a31d12 3 bytes {JMP 0xffffffffd233e590} .text D:\Windows\system32\csrss.exe[516] D:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a31d30 1 byte JMP 0000000049d703c0 .text D:\Windows\system32\csrss.exe[516] D:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 0000000077a31d32 3 bytes {JMP 0xffffffffd233e690} .text D:\Windows\system32\csrss.exe[516] D:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077a31d40 5 bytes JMP 0000000049d70320 .text D:\Windows\system32\csrss.exe[516] D:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077a31db0 5 bytes JMP 0000000049d70410 .text D:\Windows\system32\csrss.exe[516] D:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077a31de0 5 bytes JMP 0000000049d70230 .text D:\Windows\system32\csrss.exe[516] D:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000077a31f80 5 bytes JMP 0000000049d703f0 .text D:\Windows\system32\csrss.exe[516] D:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a320a0 5 bytes JMP 0000000049d701d0 .text D:\Windows\system32\csrss.exe[516] D:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077a32160 5 bytes JMP 0000000049d70240 .text D:\Windows\system32\csrss.exe[516] D:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077a32190 5 bytes JMP 0000000049d704b0 .text D:\Windows\system32\csrss.exe[516] D:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077a321a0 5 bytes JMP 0000000049d704c0 .text D:\Windows\system32\csrss.exe[516] D:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077a321d0 5 bytes JMP 0000000049d702f0 .text D:\Windows\system32\csrss.exe[516] D:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077a321e0 5 bytes JMP 0000000049d70350 .text D:\Windows\system32\csrss.exe[516] D:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077a32240 5 bytes JMP 0000000049d70290 .text D:\Windows\system32\csrss.exe[516] D:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077a32290 5 bytes JMP 0000000049d702b0 .text D:\Windows\system32\csrss.exe[516] D:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077a322c0 5 bytes JMP 0000000049d70370 .text D:\Windows\system32\csrss.exe[516] D:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077a322d0 5 bytes JMP 0000000049d70330 .text D:\Windows\system32\csrss.exe[516] D:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077a325c0 5 bytes JMP 0000000049d70460 .text D:\Windows\system32\csrss.exe[516] D:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000077a32720 5 bytes JMP 0000000049d70420 .text D:\Windows\system32\csrss.exe[516] D:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077a327c0 1 byte JMP 0000000049d70250 .text D:\Windows\system32\csrss.exe[516] D:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 0000000077a327c2 3 bytes {JMP 0xffffffffd233da90} .text D:\Windows\system32\csrss.exe[516] D:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077a327d0 1 byte JMP 0000000049d70260 .text D:\Windows\system32\csrss.exe[516] D:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 0000000077a327d2 3 bytes {JMP 0xffffffffd233da90} .text D:\Windows\system32\csrss.exe[516] D:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077a327e0 5 bytes JMP 0000000049d70400 .text D:\Windows\system32\csrss.exe[516] D:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a329a0 5 bytes JMP 0000000049d701e0 .text D:\Windows\system32\csrss.exe[516] D:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077a329b0 5 bytes JMP 0000000049d70200 .text D:\Windows\system32\csrss.exe[516] D:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a32a20 5 bytes JMP 0000000049d701f0 .text D:\Windows\system32\csrss.exe[516] D:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077a32a80 5 bytes JMP 0000000049d70430 .text D:\Windows\system32\csrss.exe[516] D:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077a32a90 5 bytes JMP 0000000049d70450 .text D:\Windows\system32\csrss.exe[516] D:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a32aa0 5 bytes JMP 0000000049d70210 .text D:\Windows\system32\csrss.exe[516] D:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077a32b80 5 bytes JMP 0000000049d70270 .text D:\Windows\system32\lsass.exe[576] D:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077a31360 5 bytes JMP 0000000077b90480 .text D:\Windows\system32\lsass.exe[576] D:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077a313b0 5 bytes JMP 0000000077b90470 .text D:\Windows\system32\lsass.exe[576] D:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077a31510 5 bytes JMP 0000000077b90360 .text D:\Windows\system32\lsass.exe[576] D:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077a31560 5 bytes JMP 0000000077b90490 .text D:\Windows\system32\lsass.exe[576] D:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a31570 5 bytes JMP 0000000077b903d0 .text D:\Windows\system32\lsass.exe[576] D:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a31620 5 bytes JMP 0000000077b90310 .text D:\Windows\system32\lsass.exe[576] D:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077a31650 5 bytes JMP 0000000077b903a0 .text D:\Windows\system32\lsass.exe[576] D:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077a31670 5 bytes JMP 0000000077b90380 .text D:\Windows\system32\lsass.exe[576] D:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077a316b0 5 bytes JMP 0000000077b902d0 .text D:\Windows\system32\lsass.exe[576] D:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a31730 1 byte JMP 0000000077b902c0 .text D:\Windows\system32\lsass.exe[576] D:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 0000000077a31732 3 bytes {JMP 0x17} .text D:\Windows\system32\lsass.exe[576] D:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a31750 5 bytes JMP 0000000077b90300 .text D:\Windows\system32\lsass.exe[576] D:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a31790 5 bytes JMP 0000000077b903b0 .text D:\Windows\system32\lsass.exe[576] D:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000077a317d0 5 bytes JMP 0000000077b90440 .text D:\Windows\system32\lsass.exe[576] D:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a317e0 5 bytes JMP 0000000077b903e0 .text D:\Windows\system32\lsass.exe[576] D:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077a31940 5 bytes JMP 0000000077b90220 .text D:\Windows\system32\lsass.exe[576] D:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a31b00 5 bytes JMP 0000000077b904a0 .text D:\Windows\system32\lsass.exe[576] D:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077a31b30 5 bytes JMP 0000000077b90390 .text D:\Windows\system32\lsass.exe[576] D:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077a31c10 5 bytes JMP 0000000077b902e0 .text D:\Windows\system32\lsass.exe[576] D:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077a31c20 5 bytes JMP 0000000077b90340 .text D:\Windows\system32\lsass.exe[576] D:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a31c80 5 bytes JMP 0000000077b90280 .text D:\Windows\system32\lsass.exe[576] D:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a31d10 1 byte JMP 0000000077b902a0 .text D:\Windows\system32\lsass.exe[576] D:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 0000000077a31d12 3 bytes {JMP 0x15e590} .text D:\Windows\system32\lsass.exe[576] D:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a31d30 1 byte JMP 0000000077b903c0 .text D:\Windows\system32\lsass.exe[576] D:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 0000000077a31d32 3 bytes {JMP 0x15e690} .text D:\Windows\system32\lsass.exe[576] D:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077a31d40 5 bytes JMP 0000000077b90320 .text D:\Windows\system32\lsass.exe[576] D:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077a31db0 5 bytes JMP 0000000077b90410 .text D:\Windows\system32\lsass.exe[576] D:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077a31de0 5 bytes JMP 0000000077b90230 .text D:\Windows\system32\lsass.exe[576] D:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000077a31f80 5 bytes JMP 0000000077b903f0 .text D:\Windows\system32\lsass.exe[576] D:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a320a0 5 bytes JMP 0000000077b901d0 .text D:\Windows\system32\lsass.exe[576] D:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077a32160 5 bytes JMP 0000000077b90240 .text D:\Windows\system32\lsass.exe[576] D:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077a32190 5 bytes JMP 0000000077b904b0 .text D:\Windows\system32\lsass.exe[576] D:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077a321a0 5 bytes JMP 0000000077b904c0 .text D:\Windows\system32\lsass.exe[576] D:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077a321d0 5 bytes JMP 0000000077b902f0 .text D:\Windows\system32\lsass.exe[576] D:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077a321e0 5 bytes JMP 0000000077b90350 .text D:\Windows\system32\lsass.exe[576] D:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077a32240 5 bytes JMP 0000000077b90290 .text D:\Windows\system32\lsass.exe[576] D:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077a32290 5 bytes JMP 0000000077b902b0 .text D:\Windows\system32\lsass.exe[576] D:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077a322c0 5 bytes JMP 0000000077b90370 .text D:\Windows\system32\lsass.exe[576] D:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077a322d0 5 bytes JMP 0000000077b90330 .text D:\Windows\system32\lsass.exe[576] D:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077a325c0 5 bytes JMP 0000000077b90460 .text D:\Windows\system32\lsass.exe[576] D:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000077a32720 5 bytes JMP 0000000077b90420 .text D:\Windows\system32\lsass.exe[576] D:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077a327c0 1 byte JMP 0000000077b90250 .text D:\Windows\system32\lsass.exe[576] D:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 0000000077a327c2 3 bytes {JMP 0x15da90} .text D:\Windows\system32\lsass.exe[576] D:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077a327d0 1 byte JMP 0000000077b90260 .text D:\Windows\system32\lsass.exe[576] D:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 0000000077a327d2 3 bytes {JMP 0x15da90} .text D:\Windows\system32\lsass.exe[576] D:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077a327e0 5 bytes JMP 0000000077b90400 .text D:\Windows\system32\lsass.exe[576] D:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a329a0 5 bytes JMP 0000000077b901e0 .text D:\Windows\system32\lsass.exe[576] D:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077a329b0 5 bytes JMP 0000000077b90200 .text D:\Windows\system32\lsass.exe[576] D:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a32a20 5 bytes JMP 0000000077b901f0 .text D:\Windows\system32\lsass.exe[576] D:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077a32a80 5 bytes JMP 0000000077b90430 .text D:\Windows\system32\lsass.exe[576] D:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077a32a90 5 bytes JMP 0000000077b90450 .text D:\Windows\system32\lsass.exe[576] D:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a32aa0 5 bytes JMP 0000000077b90210 .text D:\Windows\system32\lsass.exe[576] D:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077a32b80 5 bytes JMP 0000000077b90270 .text D:\Windows\system32\lsm.exe[584] D:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077a31360 5 bytes JMP 0000000077b90480 .text D:\Windows\system32\lsm.exe[584] D:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077a313b0 5 bytes JMP 0000000077b90470 .text D:\Windows\system32\lsm.exe[584] D:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077a31510 5 bytes JMP 0000000077b90360 .text D:\Windows\system32\lsm.exe[584] D:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077a31560 5 bytes JMP 0000000077b90490 .text D:\Windows\system32\lsm.exe[584] D:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a31570 5 bytes JMP 0000000077b903d0 .text D:\Windows\system32\lsm.exe[584] D:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a31620 5 bytes JMP 0000000077b90310 .text D:\Windows\system32\lsm.exe[584] D:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077a31650 5 bytes JMP 0000000077b903a0 .text D:\Windows\system32\lsm.exe[584] D:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077a31670 5 bytes JMP 0000000077b90380 .text D:\Windows\system32\lsm.exe[584] D:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077a316b0 5 bytes JMP 0000000077b902d0 .text D:\Windows\system32\lsm.exe[584] D:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a31730 1 byte JMP 0000000077b902c0 .text D:\Windows\system32\lsm.exe[584] D:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 0000000077a31732 3 bytes {JMP 0x17} .text D:\Windows\system32\lsm.exe[584] D:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a31750 5 bytes JMP 0000000077b90300 .text D:\Windows\system32\lsm.exe[584] D:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a31790 5 bytes JMP 0000000077b903b0 .text D:\Windows\system32\lsm.exe[584] D:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000077a317d0 5 bytes JMP 0000000077b90440 .text D:\Windows\system32\lsm.exe[584] D:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a317e0 5 bytes JMP 0000000077b903e0 .text D:\Windows\system32\lsm.exe[584] D:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077a31940 5 bytes JMP 0000000077b90220 .text D:\Windows\system32\lsm.exe[584] D:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a31b00 5 bytes JMP 0000000077b904a0 .text D:\Windows\system32\lsm.exe[584] D:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077a31b30 5 bytes JMP 0000000077b90390 .text D:\Windows\system32\lsm.exe[584] D:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077a31c10 5 bytes JMP 0000000077b902e0 .text D:\Windows\system32\lsm.exe[584] D:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077a31c20 5 bytes JMP 0000000077b90340 .text D:\Windows\system32\lsm.exe[584] D:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a31c80 5 bytes JMP 0000000077b90280 .text D:\Windows\system32\lsm.exe[584] D:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a31d10 1 byte JMP 0000000077b902a0 .text D:\Windows\system32\lsm.exe[584] D:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 0000000077a31d12 3 bytes {JMP 0x15e590} .text D:\Windows\system32\lsm.exe[584] D:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a31d30 1 byte JMP 0000000077b903c0 .text D:\Windows\system32\lsm.exe[584] D:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 0000000077a31d32 3 bytes {JMP 0x15e690} .text D:\Windows\system32\lsm.exe[584] D:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077a31d40 5 bytes JMP 0000000077b90320 .text D:\Windows\system32\lsm.exe[584] D:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077a31db0 5 bytes JMP 0000000077b90410 .text D:\Windows\system32\lsm.exe[584] D:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077a31de0 5 bytes JMP 0000000077b90230 .text D:\Windows\system32\lsm.exe[584] D:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000077a31f80 5 bytes JMP 0000000077b903f0 .text D:\Windows\system32\lsm.exe[584] D:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a320a0 5 bytes JMP 0000000077b901d0 .text D:\Windows\system32\lsm.exe[584] D:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077a32160 5 bytes JMP 0000000077b90240 .text D:\Windows\system32\lsm.exe[584] D:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077a32190 5 bytes JMP 0000000077b904b0 .text D:\Windows\system32\lsm.exe[584] D:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077a321a0 5 bytes JMP 0000000077b904c0 .text D:\Windows\system32\lsm.exe[584] D:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077a321d0 5 bytes JMP 0000000077b902f0 .text D:\Windows\system32\lsm.exe[584] D:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077a321e0 5 bytes JMP 0000000077b90350 .text D:\Windows\system32\lsm.exe[584] D:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077a32240 5 bytes JMP 0000000077b90290 .text D:\Windows\system32\lsm.exe[584] D:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077a32290 5 bytes JMP 0000000077b902b0 .text D:\Windows\system32\lsm.exe[584] D:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077a322c0 5 bytes JMP 0000000077b90370 .text D:\Windows\system32\lsm.exe[584] D:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077a322d0 5 bytes JMP 0000000077b90330 .text D:\Windows\system32\lsm.exe[584] D:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077a325c0 5 bytes JMP 0000000077b90460 .text D:\Windows\system32\lsm.exe[584] D:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000077a32720 5 bytes JMP 0000000077b90420 .text D:\Windows\system32\lsm.exe[584] D:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077a327c0 1 byte JMP 0000000077b90250 .text D:\Windows\system32\lsm.exe[584] D:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 0000000077a327c2 3 bytes {JMP 0x15da90} .text D:\Windows\system32\lsm.exe[584] D:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077a327d0 1 byte JMP 0000000077b90260 .text D:\Windows\system32\lsm.exe[584] D:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 0000000077a327d2 3 bytes {JMP 0x15da90} .text D:\Windows\system32\lsm.exe[584] D:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077a327e0 5 bytes JMP 0000000077b90400 .text D:\Windows\system32\lsm.exe[584] D:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a329a0 5 bytes JMP 0000000077b901e0 .text D:\Windows\system32\lsm.exe[584] D:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077a329b0 5 bytes JMP 0000000077b90200 .text D:\Windows\system32\lsm.exe[584] D:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a32a20 5 bytes JMP 0000000077b901f0 .text D:\Windows\system32\lsm.exe[584] D:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077a32a80 5 bytes JMP 0000000077b90430 .text D:\Windows\system32\lsm.exe[584] D:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077a32a90 5 bytes JMP 0000000077b90450 .text D:\Windows\system32\lsm.exe[584] D:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a32aa0 5 bytes JMP 0000000077b90210 .text D:\Windows\system32\lsm.exe[584] D:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077a32b80 5 bytes JMP 0000000077b90270 .text D:\Windows\system32\svchost.exe[716] D:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077a31360 5 bytes JMP 0000000077b90480 .text D:\Windows\system32\svchost.exe[716] D:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077a313b0 5 bytes JMP 0000000077b90470 .text D:\Windows\system32\svchost.exe[716] D:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077a31510 5 bytes JMP 0000000077b90360 .text D:\Windows\system32\svchost.exe[716] D:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077a31560 5 bytes JMP 0000000077b90490 .text D:\Windows\system32\svchost.exe[716] D:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a31570 5 bytes JMP 0000000077b903d0 .text D:\Windows\system32\svchost.exe[716] D:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a31620 5 bytes JMP 0000000077b90310 .text D:\Windows\system32\svchost.exe[716] D:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077a31650 5 bytes JMP 0000000077b903a0 .text D:\Windows\system32\svchost.exe[716] D:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077a31670 5 bytes JMP 0000000077b90380 .text D:\Windows\system32\svchost.exe[716] D:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077a316b0 5 bytes JMP 0000000077b902d0 .text D:\Windows\system32\svchost.exe[716] D:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a31730 1 byte JMP 0000000077b902c0 .text D:\Windows\system32\svchost.exe[716] D:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 0000000077a31732 3 bytes {JMP 0x17} .text D:\Windows\system32\svchost.exe[716] D:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a31750 5 bytes JMP 0000000077b90300 .text D:\Windows\system32\svchost.exe[716] D:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a31790 5 bytes JMP 0000000077b903b0 .text D:\Windows\system32\svchost.exe[716] D:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000077a317d0 5 bytes JMP 0000000077b90440 .text D:\Windows\system32\svchost.exe[716] D:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a317e0 5 bytes JMP 0000000077b903e0 .text D:\Windows\system32\svchost.exe[716] D:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077a31940 5 bytes JMP 0000000077b90220 .text D:\Windows\system32\svchost.exe[716] D:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a31b00 5 bytes JMP 0000000077b904a0 .text D:\Windows\system32\svchost.exe[716] D:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077a31b30 5 bytes JMP 0000000077b90390 .text D:\Windows\system32\svchost.exe[716] D:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077a31c10 5 bytes JMP 0000000077b902e0 .text D:\Windows\system32\svchost.exe[716] D:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077a31c20 5 bytes JMP 0000000077b90340 .text D:\Windows\system32\svchost.exe[716] D:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a31c80 5 bytes JMP 0000000077b90280 .text D:\Windows\system32\svchost.exe[716] D:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a31d10 1 byte JMP 0000000077b902a0 .text D:\Windows\system32\svchost.exe[716] D:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 0000000077a31d12 3 bytes {JMP 0x15e590} .text D:\Windows\system32\svchost.exe[716] D:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a31d30 1 byte JMP 0000000077b903c0 .text D:\Windows\system32\svchost.exe[716] D:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 0000000077a31d32 3 bytes {JMP 0x15e690} .text D:\Windows\system32\svchost.exe[716] D:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077a31d40 5 bytes JMP 0000000077b90320 .text D:\Windows\system32\svchost.exe[716] D:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077a31db0 5 bytes JMP 0000000077b90410 .text D:\Windows\system32\svchost.exe[716] D:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077a31de0 5 bytes JMP 0000000077b90230 .text D:\Windows\system32\svchost.exe[716] D:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000077a31f80 5 bytes JMP 0000000077b903f0 .text D:\Windows\system32\svchost.exe[716] D:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a320a0 5 bytes JMP 0000000077b901d0 .text D:\Windows\system32\svchost.exe[716] D:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077a32160 5 bytes JMP 0000000077b90240 .text D:\Windows\system32\svchost.exe[716] D:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077a32190 5 bytes JMP 0000000077b904b0 .text D:\Windows\system32\svchost.exe[716] D:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077a321a0 5 bytes JMP 0000000077b904c0 .text D:\Windows\system32\svchost.exe[716] D:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077a321d0 5 bytes JMP 0000000077b902f0 .text D:\Windows\system32\svchost.exe[716] D:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077a321e0 5 bytes JMP 0000000077b90350 .text D:\Windows\system32\svchost.exe[716] D:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077a32240 5 bytes JMP 0000000077b90290 .text D:\Windows\system32\svchost.exe[716] D:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077a32290 5 bytes JMP 0000000077b902b0 .text D:\Windows\system32\svchost.exe[716] D:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077a322c0 5 bytes JMP 0000000077b90370 .text D:\Windows\system32\svchost.exe[716] D:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077a322d0 5 bytes JMP 0000000077b90330 .text D:\Windows\system32\svchost.exe[716] D:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077a325c0 5 bytes JMP 0000000077b90460 .text D:\Windows\system32\svchost.exe[716] D:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000077a32720 5 bytes JMP 0000000077b90420 .text D:\Windows\system32\svchost.exe[716] D:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077a327c0 1 byte JMP 0000000077b90250 .text D:\Windows\system32\svchost.exe[716] D:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 0000000077a327c2 3 bytes {JMP 0x15da90} .text D:\Windows\system32\svchost.exe[716] D:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077a327d0 1 byte JMP 0000000077b90260 .text D:\Windows\system32\svchost.exe[716] D:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 0000000077a327d2 3 bytes {JMP 0x15da90} .text D:\Windows\system32\svchost.exe[716] D:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077a327e0 5 bytes JMP 0000000077b90400 .text D:\Windows\system32\svchost.exe[716] D:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a329a0 5 bytes JMP 0000000077b901e0 .text D:\Windows\system32\svchost.exe[716] D:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077a329b0 5 bytes JMP 0000000077b90200 .text D:\Windows\system32\svchost.exe[716] D:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a32a20 5 bytes JMP 0000000077b901f0 .text D:\Windows\system32\svchost.exe[716] D:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077a32a80 5 bytes JMP 0000000077b90430 .text D:\Windows\system32\svchost.exe[716] D:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077a32a90 5 bytes JMP 0000000077b90450 .text D:\Windows\system32\svchost.exe[716] D:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a32aa0 5 bytes JMP 0000000077b90210 .text D:\Windows\system32\svchost.exe[716] D:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077a32b80 5 bytes JMP 0000000077b90270 .text D:\Windows\system32\svchost.exe[836] D:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077a31360 5 bytes JMP 0000000077b90480 .text D:\Windows\system32\svchost.exe[836] D:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077a313b0 5 bytes JMP 0000000077b90470 .text D:\Windows\system32\svchost.exe[836] D:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077a31510 5 bytes JMP 0000000077b90360 .text D:\Windows\system32\svchost.exe[836] D:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077a31560 5 bytes JMP 0000000077b90490 .text D:\Windows\system32\svchost.exe[836] D:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a31570 5 bytes JMP 0000000077b903d0 .text D:\Windows\system32\svchost.exe[836] D:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a31620 5 bytes JMP 0000000077b90310 .text D:\Windows\system32\svchost.exe[836] D:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077a31650 5 bytes JMP 0000000077b903a0 .text D:\Windows\system32\svchost.exe[836] D:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077a31670 5 bytes JMP 0000000077b90380 .text D:\Windows\system32\svchost.exe[836] D:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077a316b0 5 bytes JMP 0000000077b902d0 .text D:\Windows\system32\svchost.exe[836] D:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a31730 1 byte JMP 0000000077b902c0 .text D:\Windows\system32\svchost.exe[836] D:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 0000000077a31732 3 bytes {JMP 0x17} .text D:\Windows\system32\svchost.exe[836] D:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a31750 5 bytes JMP 0000000077b90300 .text D:\Windows\system32\svchost.exe[836] D:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a31790 5 bytes JMP 0000000077b903b0 .text D:\Windows\system32\svchost.exe[836] D:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000077a317d0 5 bytes JMP 0000000077b90440 .text D:\Windows\system32\svchost.exe[836] D:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a317e0 5 bytes JMP 0000000077b903e0 .text D:\Windows\system32\svchost.exe[836] D:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077a31940 5 bytes JMP 0000000077b90220 .text D:\Windows\system32\svchost.exe[836] D:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a31b00 5 bytes JMP 0000000077b904a0 .text D:\Windows\system32\svchost.exe[836] D:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077a31b30 5 bytes JMP 0000000077b90390 .text D:\Windows\system32\svchost.exe[836] D:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077a31c10 5 bytes JMP 0000000077b902e0 .text D:\Windows\system32\svchost.exe[836] D:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077a31c20 5 bytes JMP 0000000077b90340 .text D:\Windows\system32\svchost.exe[836] D:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a31c80 5 bytes JMP 0000000077b90280 .text D:\Windows\system32\svchost.exe[836] D:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a31d10 1 byte JMP 0000000077b902a0 .text D:\Windows\system32\svchost.exe[836] D:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 0000000077a31d12 3 bytes {JMP 0x15e590} .text D:\Windows\system32\svchost.exe[836] D:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a31d30 1 byte JMP 0000000077b903c0 .text D:\Windows\system32\svchost.exe[836] D:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 0000000077a31d32 3 bytes {JMP 0x15e690} .text D:\Windows\system32\svchost.exe[836] D:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077a31d40 5 bytes JMP 0000000077b90320 .text D:\Windows\system32\svchost.exe[836] D:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077a31db0 5 bytes JMP 0000000077b90410 .text D:\Windows\system32\svchost.exe[836] D:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077a31de0 5 bytes JMP 0000000077b90230 .text D:\Windows\system32\svchost.exe[836] D:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000077a31f80 5 bytes JMP 0000000077b903f0 .text D:\Windows\system32\svchost.exe[836] D:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a320a0 5 bytes JMP 0000000077b901d0 .text D:\Windows\system32\svchost.exe[836] D:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077a32160 5 bytes JMP 0000000077b90240 .text D:\Windows\system32\svchost.exe[836] D:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077a32190 5 bytes JMP 0000000077b904b0 .text D:\Windows\system32\svchost.exe[836] D:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077a321a0 5 bytes JMP 0000000077b904c0 .text D:\Windows\system32\svchost.exe[836] D:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077a321d0 5 bytes JMP 0000000077b902f0 .text D:\Windows\system32\svchost.exe[836] D:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077a321e0 5 bytes JMP 0000000077b90350 .text D:\Windows\system32\svchost.exe[836] D:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077a32240 5 bytes JMP 0000000077b90290 .text D:\Windows\system32\svchost.exe[836] D:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077a32290 5 bytes JMP 0000000077b902b0 .text D:\Windows\system32\svchost.exe[836] D:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077a322c0 5 bytes JMP 0000000077b90370 .text D:\Windows\system32\svchost.exe[836] D:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077a322d0 5 bytes JMP 0000000077b90330 .text D:\Windows\system32\svchost.exe[836] D:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077a325c0 5 bytes JMP 0000000077b90460 .text D:\Windows\system32\svchost.exe[836] D:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000077a32720 5 bytes JMP 0000000077b90420 .text D:\Windows\system32\svchost.exe[836] D:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077a327c0 1 byte JMP 0000000077b90250 .text D:\Windows\system32\svchost.exe[836] D:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 0000000077a327c2 3 bytes {JMP 0x15da90} .text D:\Windows\system32\svchost.exe[836] D:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077a327d0 1 byte JMP 0000000077b90260 .text D:\Windows\system32\svchost.exe[836] D:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 0000000077a327d2 3 bytes {JMP 0x15da90} .text D:\Windows\system32\svchost.exe[836] D:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077a327e0 5 bytes JMP 0000000077b90400 .text D:\Windows\system32\svchost.exe[836] D:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a329a0 5 bytes JMP 0000000077b901e0 .text D:\Windows\system32\svchost.exe[836] D:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077a329b0 5 bytes JMP 0000000077b90200 .text D:\Windows\system32\svchost.exe[836] D:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a32a20 5 bytes JMP 0000000077b901f0 .text D:\Windows\system32\svchost.exe[836] D:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077a32a80 5 bytes JMP 0000000077b90430 .text D:\Windows\system32\svchost.exe[836] D:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077a32a90 5 bytes JMP 0000000077b90450 .text D:\Windows\system32\svchost.exe[836] D:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a32aa0 5 bytes JMP 0000000077b90210 .text D:\Windows\system32\svchost.exe[836] D:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077a32b80 5 bytes JMP 0000000077b90270 .text D:\Windows\System32\svchost.exe[900] D:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077a31360 5 bytes JMP 0000000077b90480 .text D:\Windows\System32\svchost.exe[900] D:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077a313b0 5 bytes JMP 0000000077b90470 .text D:\Windows\System32\svchost.exe[900] D:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077a31510 5 bytes JMP 0000000077b90360 .text D:\Windows\System32\svchost.exe[900] D:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077a31560 5 bytes JMP 0000000077b90490 .text D:\Windows\System32\svchost.exe[900] D:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a31570 5 bytes JMP 0000000077b903d0 .text D:\Windows\System32\svchost.exe[900] D:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a31620 5 bytes JMP 0000000077b90310 .text D:\Windows\System32\svchost.exe[900] D:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077a31650 5 bytes JMP 0000000077b903a0 .text D:\Windows\System32\svchost.exe[900] D:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077a31670 5 bytes JMP 0000000077b90380 .text D:\Windows\System32\svchost.exe[900] D:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077a316b0 5 bytes JMP 0000000077b902d0 .text D:\Windows\System32\svchost.exe[900] D:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a31730 1 byte JMP 0000000077b902c0 .text D:\Windows\System32\svchost.exe[900] D:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 0000000077a31732 3 bytes {JMP 0x17} .text D:\Windows\System32\svchost.exe[900] D:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a31750 5 bytes JMP 0000000077b90300 .text D:\Windows\System32\svchost.exe[900] D:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a31790 5 bytes JMP 0000000077b903b0 .text D:\Windows\System32\svchost.exe[900] D:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000077a317d0 5 bytes JMP 0000000077b90440 .text D:\Windows\System32\svchost.exe[900] D:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a317e0 5 bytes JMP 0000000077b903e0 .text D:\Windows\System32\svchost.exe[900] D:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077a31940 5 bytes JMP 0000000077b90220 .text D:\Windows\System32\svchost.exe[900] D:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a31b00 5 bytes JMP 0000000077b904a0 .text D:\Windows\System32\svchost.exe[900] D:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077a31b30 5 bytes JMP 0000000077b90390 .text D:\Windows\System32\svchost.exe[900] D:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077a31c10 5 bytes JMP 0000000077b902e0 .text D:\Windows\System32\svchost.exe[900] D:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077a31c20 5 bytes JMP 0000000077b90340 .text D:\Windows\System32\svchost.exe[900] D:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a31c80 5 bytes JMP 0000000077b90280 .text D:\Windows\System32\svchost.exe[900] D:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a31d10 1 byte JMP 0000000077b902a0 .text D:\Windows\System32\svchost.exe[900] D:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 0000000077a31d12 3 bytes {JMP 0x15e590} .text D:\Windows\System32\svchost.exe[900] D:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a31d30 1 byte JMP 0000000077b903c0 .text D:\Windows\System32\svchost.exe[900] D:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 0000000077a31d32 3 bytes {JMP 0x15e690} .text D:\Windows\System32\svchost.exe[900] D:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077a31d40 5 bytes JMP 0000000077b90320 .text D:\Windows\System32\svchost.exe[900] D:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077a31db0 5 bytes JMP 0000000077b90410 .text D:\Windows\System32\svchost.exe[900] D:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077a31de0 5 bytes JMP 0000000077b90230 .text D:\Windows\System32\svchost.exe[900] D:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000077a31f80 5 bytes JMP 0000000077b903f0 .text D:\Windows\System32\svchost.exe[900] D:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a320a0 5 bytes JMP 0000000077b901d0 .text D:\Windows\System32\svchost.exe[900] D:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077a32160 5 bytes JMP 0000000077b90240 .text D:\Windows\System32\svchost.exe[900] D:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077a32190 5 bytes JMP 0000000077b904b0 .text D:\Windows\System32\svchost.exe[900] D:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077a321a0 5 bytes JMP 0000000077b904c0 .text D:\Windows\System32\svchost.exe[900] D:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077a321d0 5 bytes JMP 0000000077b902f0 .text D:\Windows\System32\svchost.exe[900] D:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077a321e0 5 bytes JMP 0000000077b90350 .text D:\Windows\System32\svchost.exe[900] D:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077a32240 5 bytes JMP 0000000077b90290 .text D:\Windows\System32\svchost.exe[900] D:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077a32290 5 bytes JMP 0000000077b902b0 .text D:\Windows\System32\svchost.exe[900] D:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077a322c0 5 bytes JMP 0000000077b90370 .text D:\Windows\System32\svchost.exe[900] D:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077a322d0 5 bytes JMP 0000000077b90330 .text D:\Windows\System32\svchost.exe[900] D:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077a325c0 5 bytes JMP 0000000077b90460 .text D:\Windows\System32\svchost.exe[900] D:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000077a32720 5 bytes JMP 0000000077b90420 .text D:\Windows\System32\svchost.exe[900] D:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077a327c0 1 byte JMP 0000000077b90250 .text D:\Windows\System32\svchost.exe[900] D:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 0000000077a327c2 3 bytes {JMP 0x15da90} .text D:\Windows\System32\svchost.exe[900] D:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077a327d0 1 byte JMP 0000000077b90260 .text D:\Windows\System32\svchost.exe[900] D:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 0000000077a327d2 3 bytes {JMP 0x15da90} .text D:\Windows\System32\svchost.exe[900] D:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077a327e0 5 bytes JMP 0000000077b90400 .text D:\Windows\System32\svchost.exe[900] D:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a329a0 5 bytes JMP 0000000077b901e0 .text D:\Windows\System32\svchost.exe[900] D:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077a329b0 5 bytes JMP 0000000077b90200 .text D:\Windows\System32\svchost.exe[900] D:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a32a20 5 bytes JMP 0000000077b901f0 .text D:\Windows\System32\svchost.exe[900] D:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077a32a80 5 bytes JMP 0000000077b90430 .text D:\Windows\System32\svchost.exe[900] D:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077a32a90 5 bytes JMP 0000000077b90450 .text D:\Windows\System32\svchost.exe[900] D:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a32aa0 5 bytes JMP 0000000077b90210 .text D:\Windows\System32\svchost.exe[900] D:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077a32b80 5 bytes JMP 0000000077b90270 .text D:\Windows\System32\svchost.exe[972] D:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077a31360 5 bytes JMP 0000000077b90480 .text D:\Windows\System32\svchost.exe[972] D:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077a313b0 5 bytes JMP 0000000077b90470 .text D:\Windows\System32\svchost.exe[972] D:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077a31510 5 bytes JMP 0000000077b90360 .text D:\Windows\System32\svchost.exe[972] D:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077a31560 5 bytes JMP 0000000077b90490 .text D:\Windows\System32\svchost.exe[972] D:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a31570 5 bytes JMP 0000000077b903d0 .text D:\Windows\System32\svchost.exe[972] D:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a31620 5 bytes JMP 0000000077b90310 .text D:\Windows\System32\svchost.exe[972] D:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077a31650 5 bytes JMP 0000000077b903a0 .text D:\Windows\System32\svchost.exe[972] D:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077a31670 5 bytes JMP 0000000077b90380 .text D:\Windows\System32\svchost.exe[972] D:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077a316b0 5 bytes JMP 0000000077b902d0 .text D:\Windows\System32\svchost.exe[972] D:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a31730 1 byte JMP 0000000077b902c0 .text D:\Windows\System32\svchost.exe[972] D:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 0000000077a31732 3 bytes {JMP 0x17} .text D:\Windows\System32\svchost.exe[972] D:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a31750 5 bytes JMP 0000000077b90300 .text D:\Windows\System32\svchost.exe[972] D:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a31790 5 bytes JMP 0000000077b903b0 .text D:\Windows\System32\svchost.exe[972] D:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000077a317d0 5 bytes JMP 0000000077b90440 .text D:\Windows\System32\svchost.exe[972] D:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a317e0 5 bytes JMP 0000000077b903e0 .text D:\Windows\System32\svchost.exe[972] D:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077a31940 5 bytes JMP 0000000077b90220 .text D:\Windows\System32\svchost.exe[972] D:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a31b00 5 bytes JMP 0000000077b904a0 .text D:\Windows\System32\svchost.exe[972] D:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077a31b30 5 bytes JMP 0000000077b90390 .text D:\Windows\System32\svchost.exe[972] D:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077a31c10 5 bytes JMP 0000000077b902e0 .text D:\Windows\System32\svchost.exe[972] D:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077a31c20 5 bytes JMP 0000000077b90340 .text D:\Windows\System32\svchost.exe[972] D:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a31c80 5 bytes JMP 0000000077b90280 .text D:\Windows\System32\svchost.exe[972] D:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a31d10 1 byte JMP 0000000077b902a0 .text D:\Windows\System32\svchost.exe[972] D:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 0000000077a31d12 3 bytes {JMP 0x15e590} .text D:\Windows\System32\svchost.exe[972] D:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a31d30 1 byte JMP 0000000077b903c0 .text D:\Windows\System32\svchost.exe[972] D:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 0000000077a31d32 3 bytes {JMP 0x15e690} .text D:\Windows\System32\svchost.exe[972] D:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077a31d40 5 bytes JMP 0000000077b90320 .text D:\Windows\System32\svchost.exe[972] D:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077a31db0 5 bytes JMP 0000000077b90410 .text D:\Windows\System32\svchost.exe[972] D:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077a31de0 5 bytes JMP 0000000077b90230 .text D:\Windows\System32\svchost.exe[972] D:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000077a31f80 5 bytes JMP 0000000077b903f0 .text D:\Windows\System32\svchost.exe[972] D:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a320a0 5 bytes JMP 0000000077b901d0 .text D:\Windows\System32\svchost.exe[972] D:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077a32160 5 bytes JMP 0000000077b90240 .text D:\Windows\System32\svchost.exe[972] D:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077a32190 5 bytes JMP 0000000077b904b0 .text D:\Windows\System32\svchost.exe[972] D:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077a321a0 5 bytes JMP 0000000077b904c0 .text D:\Windows\System32\svchost.exe[972] D:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077a321d0 5 bytes JMP 0000000077b902f0 .text D:\Windows\System32\svchost.exe[972] D:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077a321e0 5 bytes JMP 0000000077b90350 .text D:\Windows\System32\svchost.exe[972] D:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077a32240 5 bytes JMP 0000000077b90290 .text D:\Windows\System32\svchost.exe[972] D:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077a32290 5 bytes JMP 0000000077b902b0 .text D:\Windows\System32\svchost.exe[972] D:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077a322c0 5 bytes JMP 0000000077b90370 .text D:\Windows\System32\svchost.exe[972] D:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077a322d0 5 bytes JMP 0000000077b90330 .text D:\Windows\System32\svchost.exe[972] D:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077a325c0 5 bytes JMP 0000000077b90460 .text D:\Windows\System32\svchost.exe[972] D:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000077a32720 5 bytes JMP 0000000077b90420 .text D:\Windows\System32\svchost.exe[972] D:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077a327c0 1 byte JMP 0000000077b90250 .text D:\Windows\System32\svchost.exe[972] D:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 0000000077a327c2 3 bytes {JMP 0x15da90} .text D:\Windows\System32\svchost.exe[972] D:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077a327d0 1 byte JMP 0000000077b90260 .text D:\Windows\System32\svchost.exe[972] D:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 0000000077a327d2 3 bytes {JMP 0x15da90} .text D:\Windows\System32\svchost.exe[972] D:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077a327e0 5 bytes JMP 0000000077b90400 .text D:\Windows\System32\svchost.exe[972] D:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a329a0 5 bytes JMP 0000000077b901e0 .text D:\Windows\System32\svchost.exe[972] D:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077a329b0 5 bytes JMP 0000000077b90200 .text D:\Windows\System32\svchost.exe[972] D:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a32a20 5 bytes JMP 0000000077b901f0 .text D:\Windows\System32\svchost.exe[972] D:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077a32a80 5 bytes JMP 0000000077b90430 .text D:\Windows\System32\svchost.exe[972] D:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077a32a90 5 bytes JMP 0000000077b90450 .text D:\Windows\System32\svchost.exe[972] D:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a32aa0 5 bytes JMP 0000000077b90210 .text D:\Windows\System32\svchost.exe[972] D:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077a32b80 5 bytes JMP 0000000077b90270 .text D:\Windows\system32\svchost.exe[1000] D:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077a31360 5 bytes JMP 0000000077b90480 .text D:\Windows\system32\svchost.exe[1000] D:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077a313b0 5 bytes JMP 0000000077b90470 .text D:\Windows\system32\svchost.exe[1000] D:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077a31510 5 bytes JMP 0000000077b90360 .text D:\Windows\system32\svchost.exe[1000] D:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077a31560 5 bytes JMP 0000000077b90490 .text D:\Windows\system32\svchost.exe[1000] D:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a31570 5 bytes JMP 0000000077b903d0 .text D:\Windows\system32\svchost.exe[1000] D:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a31620 5 bytes JMP 0000000077b90310 .text D:\Windows\system32\svchost.exe[1000] D:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077a31650 5 bytes JMP 0000000077b903a0 .text D:\Windows\system32\svchost.exe[1000] D:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077a31670 5 bytes JMP 0000000077b90380 .text D:\Windows\system32\svchost.exe[1000] D:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077a316b0 5 bytes JMP 0000000077b902d0 .text D:\Windows\system32\svchost.exe[1000] D:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a31730 1 byte JMP 0000000077b902c0 .text D:\Windows\system32\svchost.exe[1000] D:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 0000000077a31732 3 bytes {JMP 0x17} .text D:\Windows\system32\svchost.exe[1000] D:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a31750 5 bytes JMP 0000000077b90300 .text D:\Windows\system32\svchost.exe[1000] D:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a31790 5 bytes JMP 0000000077b903b0 .text D:\Windows\system32\svchost.exe[1000] D:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000077a317d0 5 bytes JMP 0000000077b90440 .text D:\Windows\system32\svchost.exe[1000] D:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a317e0 5 bytes JMP 0000000077b903e0 .text D:\Windows\system32\svchost.exe[1000] D:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077a31940 5 bytes JMP 0000000077b90220 .text D:\Windows\system32\svchost.exe[1000] D:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a31b00 5 bytes JMP 0000000077b904a0 .text D:\Windows\system32\svchost.exe[1000] D:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077a31b30 5 bytes JMP 0000000077b90390 .text D:\Windows\system32\svchost.exe[1000] D:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077a31c10 5 bytes JMP 0000000077b902e0 .text D:\Windows\system32\svchost.exe[1000] D:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077a31c20 5 bytes JMP 0000000077b90340 .text D:\Windows\system32\svchost.exe[1000] D:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a31c80 5 bytes JMP 0000000077b90280 .text D:\Windows\system32\svchost.exe[1000] D:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a31d10 1 byte JMP 0000000077b902a0 .text D:\Windows\system32\svchost.exe[1000] D:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 0000000077a31d12 3 bytes {JMP 0x15e590} .text D:\Windows\system32\svchost.exe[1000] D:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a31d30 1 byte JMP 0000000077b903c0 .text D:\Windows\system32\svchost.exe[1000] D:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 0000000077a31d32 3 bytes {JMP 0x15e690} .text D:\Windows\system32\svchost.exe[1000] D:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077a31d40 5 bytes JMP 0000000077b90320 .text D:\Windows\system32\svchost.exe[1000] D:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077a31db0 5 bytes JMP 0000000077b90410 .text D:\Windows\system32\svchost.exe[1000] D:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077a31de0 5 bytes JMP 0000000077b90230 .text D:\Windows\system32\svchost.exe[1000] D:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000077a31f80 5 bytes JMP 0000000077b903f0 .text D:\Windows\system32\svchost.exe[1000] D:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a320a0 5 bytes JMP 0000000077b901d0 .text D:\Windows\system32\svchost.exe[1000] D:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077a32160 5 bytes JMP 0000000077b90240 .text D:\Windows\system32\svchost.exe[1000] D:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077a32190 5 bytes JMP 0000000077b904b0 .text D:\Windows\system32\svchost.exe[1000] D:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077a321a0 5 bytes JMP 0000000077b904c0 .text D:\Windows\system32\svchost.exe[1000] D:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077a321d0 5 bytes JMP 0000000077b902f0 .text D:\Windows\system32\svchost.exe[1000] D:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077a321e0 5 bytes JMP 0000000077b90350 .text D:\Windows\system32\svchost.exe[1000] D:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077a32240 5 bytes JMP 0000000077b90290 .text D:\Windows\system32\svchost.exe[1000] D:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077a32290 5 bytes JMP 0000000077b902b0 .text D:\Windows\system32\svchost.exe[1000] D:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077a322c0 5 bytes JMP 0000000077b90370 .text D:\Windows\system32\svchost.exe[1000] D:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077a322d0 5 bytes JMP 0000000077b90330 .text D:\Windows\system32\svchost.exe[1000] D:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077a325c0 5 bytes JMP 0000000077b90460 .text D:\Windows\system32\svchost.exe[1000] D:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000077a32720 5 bytes JMP 0000000077b90420 .text D:\Windows\system32\svchost.exe[1000] D:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077a327c0 1 byte JMP 0000000077b90250 .text D:\Windows\system32\svchost.exe[1000] D:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 0000000077a327c2 3 bytes {JMP 0x15da90} .text D:\Windows\system32\svchost.exe[1000] D:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077a327d0 1 byte JMP 0000000077b90260 .text D:\Windows\system32\svchost.exe[1000] D:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 0000000077a327d2 3 bytes {JMP 0x15da90} .text D:\Windows\system32\svchost.exe[1000] D:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077a327e0 5 bytes JMP 0000000077b90400 .text D:\Windows\system32\svchost.exe[1000] D:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a329a0 5 bytes JMP 0000000077b901e0 .text D:\Windows\system32\svchost.exe[1000] D:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077a329b0 5 bytes JMP 0000000077b90200 .text D:\Windows\system32\svchost.exe[1000] D:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a32a20 5 bytes JMP 0000000077b901f0 .text D:\Windows\system32\svchost.exe[1000] D:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077a32a80 5 bytes JMP 0000000077b90430 .text D:\Windows\system32\svchost.exe[1000] D:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077a32a90 5 bytes JMP 0000000077b90450 .text D:\Windows\system32\svchost.exe[1000] D:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a32aa0 5 bytes JMP 0000000077b90210 .text D:\Windows\system32\svchost.exe[1000] D:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077a32b80 5 bytes JMP 0000000077b90270 .text D:\Windows\system32\svchost.exe[204] D:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077a31360 5 bytes JMP 0000000000070480 .text D:\Windows\system32\svchost.exe[204] D:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077a313b0 5 bytes JMP 0000000000070470 .text D:\Windows\system32\svchost.exe[204] D:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077a31510 5 bytes JMP 0000000000070360 .text D:\Windows\system32\svchost.exe[204] D:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077a31560 5 bytes JMP 0000000000070490 .text D:\Windows\system32\svchost.exe[204] D:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a31570 5 bytes JMP 00000000000703d0 .text D:\Windows\system32\svchost.exe[204] D:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a31620 5 bytes JMP 0000000000070310 .text D:\Windows\system32\svchost.exe[204] D:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077a31650 5 bytes JMP 00000000000703a0 .text D:\Windows\system32\svchost.exe[204] D:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077a31670 5 bytes JMP 0000000000070380 .text D:\Windows\system32\svchost.exe[204] D:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077a316b0 5 bytes JMP 00000000000702d0 .text D:\Windows\system32\svchost.exe[204] D:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a31730 1 byte JMP 00000000000702c0 .text D:\Windows\system32\svchost.exe[204] D:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 0000000077a31732 3 bytes {JMP 0x65} .text D:\Windows\system32\svchost.exe[204] D:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a31750 5 bytes JMP 0000000000070300 .text D:\Windows\system32\svchost.exe[204] D:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a31790 5 bytes JMP 00000000000703b0 .text D:\Windows\system32\svchost.exe[204] D:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000077a317d0 5 bytes JMP 0000000000070440 .text D:\Windows\system32\svchost.exe[204] D:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a317e0 5 bytes JMP 00000000000703e0 .text D:\Windows\system32\svchost.exe[204] D:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077a31940 5 bytes JMP 0000000000070220 .text D:\Windows\system32\svchost.exe[204] D:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a31b00 5 bytes JMP 00000000000704a0 .text D:\Windows\system32\svchost.exe[204] D:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077a31b30 5 bytes JMP 0000000000070390 .text D:\Windows\system32\svchost.exe[204] D:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077a31c10 5 bytes JMP 00000000000702e0 .text D:\Windows\system32\svchost.exe[204] D:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077a31c20 5 bytes JMP 0000000000070340 .text D:\Windows\system32\svchost.exe[204] D:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a31c80 5 bytes JMP 0000000000070280 .text D:\Windows\system32\svchost.exe[204] D:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a31d10 1 byte JMP 00000000000702a0 .text D:\Windows\system32\svchost.exe[204] D:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 0000000077a31d12 3 bytes {JMP 0xffffffff8863e590} .text D:\Windows\system32\svchost.exe[204] D:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a31d30 1 byte JMP 00000000000703c0 .text D:\Windows\system32\svchost.exe[204] D:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 0000000077a31d32 3 bytes {JMP 0xffffffff8863e690} .text D:\Windows\system32\svchost.exe[204] D:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077a31d40 5 bytes JMP 0000000000070320 .text D:\Windows\system32\svchost.exe[204] D:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077a31db0 5 bytes JMP 0000000000070410 .text D:\Windows\system32\svchost.exe[204] D:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077a31de0 5 bytes JMP 0000000000070230 .text D:\Windows\system32\svchost.exe[204] D:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000077a31f80 5 bytes JMP 00000000000703f0 .text D:\Windows\system32\svchost.exe[204] D:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a320a0 5 bytes JMP 00000000000701d0 .text D:\Windows\system32\svchost.exe[204] D:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077a32160 5 bytes JMP 0000000000070240 .text D:\Windows\system32\svchost.exe[204] D:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077a32190 5 bytes JMP 00000000000704b0 .text D:\Windows\system32\svchost.exe[204] D:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077a321a0 5 bytes JMP 00000000000704c0 .text D:\Windows\system32\svchost.exe[204] D:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077a321d0 5 bytes JMP 00000000000702f0 .text D:\Windows\system32\svchost.exe[204] D:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077a321e0 5 bytes JMP 0000000000070350 .text D:\Windows\system32\svchost.exe[204] D:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077a32240 5 bytes JMP 0000000000070290 .text D:\Windows\system32\svchost.exe[204] D:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077a32290 5 bytes JMP 00000000000702b0 .text D:\Windows\system32\svchost.exe[204] D:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077a322c0 5 bytes JMP 0000000000070370 .text D:\Windows\system32\svchost.exe[204] D:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077a322d0 5 bytes JMP 0000000000070330 .text D:\Windows\system32\svchost.exe[204] D:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077a325c0 5 bytes JMP 0000000000070460 .text D:\Windows\system32\svchost.exe[204] D:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000077a32720 5 bytes JMP 0000000000070420 .text D:\Windows\system32\svchost.exe[204] D:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077a327c0 1 byte JMP 0000000000070250 .text D:\Windows\system32\svchost.exe[204] D:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 0000000077a327c2 3 bytes {JMP 0xffffffff8863da90} .text D:\Windows\system32\svchost.exe[204] D:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077a327d0 1 byte JMP 0000000000070260 .text D:\Windows\system32\svchost.exe[204] D:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 0000000077a327d2 3 bytes {JMP 0xffffffff8863da90} .text D:\Windows\system32\svchost.exe[204] D:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077a327e0 5 bytes JMP 0000000000070400 .text D:\Windows\system32\svchost.exe[204] D:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a329a0 5 bytes JMP 00000000000701e0 .text D:\Windows\system32\svchost.exe[204] D:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077a329b0 5 bytes JMP 0000000000070200 .text D:\Windows\system32\svchost.exe[204] D:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a32a20 5 bytes JMP 00000000000701f0 .text D:\Windows\system32\svchost.exe[204] D:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077a32a80 5 bytes JMP 0000000000070430 .text D:\Windows\system32\svchost.exe[204] D:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077a32a90 5 bytes JMP 0000000000070450 .text D:\Windows\system32\svchost.exe[204] D:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a32aa0 5 bytes JMP 0000000000070210 .text D:\Windows\system32\svchost.exe[204] D:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077a32b80 5 bytes JMP 0000000000070270 .text D:\Windows\system32\svchost.exe[1184] D:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077a31360 5 bytes JMP 0000000077b90480 .text D:\Windows\system32\svchost.exe[1184] D:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077a313b0 5 bytes JMP 0000000077b90470 .text D:\Windows\system32\svchost.exe[1184] D:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077a31510 5 bytes JMP 0000000077b90360 .text D:\Windows\system32\svchost.exe[1184] D:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077a31560 5 bytes JMP 0000000077b90490 .text D:\Windows\system32\svchost.exe[1184] D:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a31570 5 bytes JMP 0000000077b903d0 .text D:\Windows\system32\svchost.exe[1184] D:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a31620 5 bytes JMP 0000000077b90310 .text D:\Windows\system32\svchost.exe[1184] D:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077a31650 5 bytes JMP 0000000077b903a0 .text D:\Windows\system32\svchost.exe[1184] D:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077a31670 5 bytes JMP 0000000077b90380 .text D:\Windows\system32\svchost.exe[1184] D:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077a316b0 5 bytes JMP 0000000077b902d0 .text D:\Windows\system32\svchost.exe[1184] D:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a31730 1 byte JMP 0000000077b902c0 .text D:\Windows\system32\svchost.exe[1184] D:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 0000000077a31732 3 bytes {JMP 0x17} .text D:\Windows\system32\svchost.exe[1184] D:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a31750 5 bytes JMP 0000000077b90300 .text D:\Windows\system32\svchost.exe[1184] D:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a31790 5 bytes JMP 0000000077b903b0 .text D:\Windows\system32\svchost.exe[1184] D:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000077a317d0 5 bytes JMP 0000000077b90440 .text D:\Windows\system32\svchost.exe[1184] D:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a317e0 5 bytes JMP 0000000077b903e0 .text D:\Windows\system32\svchost.exe[1184] D:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077a31940 5 bytes JMP 0000000077b90220 .text D:\Windows\system32\svchost.exe[1184] D:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a31b00 5 bytes JMP 0000000077b904a0 .text D:\Windows\system32\svchost.exe[1184] D:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077a31b30 5 bytes JMP 0000000077b90390 .text D:\Windows\system32\svchost.exe[1184] D:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077a31c10 5 bytes JMP 0000000077b902e0 .text D:\Windows\system32\svchost.exe[1184] D:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077a31c20 5 bytes JMP 0000000077b90340 .text D:\Windows\system32\svchost.exe[1184] D:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a31c80 5 bytes JMP 0000000077b90280 .text D:\Windows\system32\svchost.exe[1184] D:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a31d10 1 byte JMP 0000000077b902a0 .text D:\Windows\system32\svchost.exe[1184] D:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 0000000077a31d12 3 bytes {JMP 0x15e590} .text D:\Windows\system32\svchost.exe[1184] D:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a31d30 1 byte JMP 0000000077b903c0 .text D:\Windows\system32\svchost.exe[1184] D:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 0000000077a31d32 3 bytes {JMP 0x15e690} .text D:\Windows\system32\svchost.exe[1184] D:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077a31d40 5 bytes JMP 0000000077b90320 .text D:\Windows\system32\svchost.exe[1184] D:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077a31db0 5 bytes JMP 0000000077b90410 .text D:\Windows\system32\svchost.exe[1184] D:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077a31de0 5 bytes JMP 0000000077b90230 .text D:\Windows\system32\svchost.exe[1184] D:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000077a31f80 5 bytes JMP 0000000077b903f0 .text D:\Windows\system32\svchost.exe[1184] D:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a320a0 5 bytes JMP 0000000077b901d0 .text D:\Windows\system32\svchost.exe[1184] D:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077a32160 5 bytes JMP 0000000077b90240 .text D:\Windows\system32\svchost.exe[1184] D:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077a32190 5 bytes JMP 0000000077b904b0 .text D:\Windows\system32\svchost.exe[1184] D:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077a321a0 5 bytes JMP 0000000077b904c0 .text D:\Windows\system32\svchost.exe[1184] D:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077a321d0 5 bytes JMP 0000000077b902f0 .text D:\Windows\system32\svchost.exe[1184] D:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077a321e0 5 bytes JMP 0000000077b90350 .text D:\Windows\system32\svchost.exe[1184] D:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077a32240 5 bytes JMP 0000000077b90290 .text D:\Windows\system32\svchost.exe[1184] D:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077a32290 5 bytes JMP 0000000077b902b0 .text D:\Windows\system32\svchost.exe[1184] D:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077a322c0 5 bytes JMP 0000000077b90370 .text D:\Windows\system32\svchost.exe[1184] D:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077a322d0 5 bytes JMP 0000000077b90330 .text D:\Windows\system32\svchost.exe[1184] D:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077a325c0 5 bytes JMP 0000000077b90460 .text D:\Windows\system32\svchost.exe[1184] D:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000077a32720 5 bytes JMP 0000000077b90420 .text D:\Windows\system32\svchost.exe[1184] D:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077a327c0 1 byte JMP 0000000077b90250 .text D:\Windows\system32\svchost.exe[1184] D:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 0000000077a327c2 3 bytes {JMP 0x15da90} .text D:\Windows\system32\svchost.exe[1184] D:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077a327d0 1 byte JMP 0000000077b90260 .text D:\Windows\system32\svchost.exe[1184] D:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 0000000077a327d2 3 bytes {JMP 0x15da90} .text D:\Windows\system32\svchost.exe[1184] D:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077a327e0 5 bytes JMP 0000000077b90400 .text D:\Windows\system32\svchost.exe[1184] D:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a329a0 5 bytes JMP 0000000077b901e0 .text D:\Windows\system32\svchost.exe[1184] D:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077a329b0 5 bytes JMP 0000000077b90200 .text D:\Windows\system32\svchost.exe[1184] D:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a32a20 5 bytes JMP 0000000077b901f0 .text D:\Windows\system32\svchost.exe[1184] D:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077a32a80 5 bytes JMP 0000000077b90430 .text D:\Windows\system32\svchost.exe[1184] D:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077a32a90 5 bytes JMP 0000000077b90450 .text D:\Windows\system32\svchost.exe[1184] D:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a32aa0 5 bytes JMP 0000000077b90210 .text D:\Windows\system32\svchost.exe[1184] D:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077a32b80 5 bytes JMP 0000000077b90270 .text D:\Windows\system32\svchost.exe[1360] D:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077a31360 5 bytes JMP 0000000077b90480 .text D:\Windows\system32\svchost.exe[1360] D:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077a313b0 5 bytes JMP 0000000077b90470 .text D:\Windows\system32\svchost.exe[1360] D:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077a31510 5 bytes JMP 0000000077b90360 .text D:\Windows\system32\svchost.exe[1360] D:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077a31560 5 bytes JMP 0000000077b90490 .text D:\Windows\system32\svchost.exe[1360] D:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a31570 5 bytes JMP 0000000077b903d0 .text D:\Windows\system32\svchost.exe[1360] D:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a31620 5 bytes JMP 0000000077b90310 .text D:\Windows\system32\svchost.exe[1360] D:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077a31650 5 bytes JMP 0000000077b903a0 .text D:\Windows\system32\svchost.exe[1360] D:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077a31670 5 bytes JMP 0000000077b90380 .text D:\Windows\system32\svchost.exe[1360] D:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077a316b0 5 bytes JMP 0000000077b902d0 .text D:\Windows\system32\svchost.exe[1360] D:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a31730 1 byte JMP 0000000077b902c0 .text D:\Windows\system32\svchost.exe[1360] D:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 0000000077a31732 3 bytes {JMP 0x17} .text D:\Windows\system32\svchost.exe[1360] D:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a31750 5 bytes JMP 0000000077b90300 .text D:\Windows\system32\svchost.exe[1360] D:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a31790 5 bytes JMP 0000000077b903b0 .text D:\Windows\system32\svchost.exe[1360] D:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000077a317d0 5 bytes JMP 0000000077b90440 .text D:\Windows\system32\svchost.exe[1360] D:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a317e0 5 bytes JMP 0000000077b903e0 .text D:\Windows\system32\svchost.exe[1360] D:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077a31940 5 bytes JMP 0000000077b90220 .text D:\Windows\system32\svchost.exe[1360] D:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a31b00 5 bytes JMP 0000000077b904a0 .text D:\Windows\system32\svchost.exe[1360] D:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077a31b30 5 bytes JMP 0000000077b90390 .text D:\Windows\system32\svchost.exe[1360] D:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077a31c10 5 bytes JMP 0000000077b902e0 .text D:\Windows\system32\svchost.exe[1360] D:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077a31c20 5 bytes JMP 0000000077b90340 .text D:\Windows\system32\svchost.exe[1360] D:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a31c80 5 bytes JMP 0000000077b90280 .text D:\Windows\system32\svchost.exe[1360] D:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a31d10 1 byte JMP 0000000077b902a0 .text D:\Windows\system32\svchost.exe[1360] D:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 0000000077a31d12 3 bytes {JMP 0x15e590} .text D:\Windows\system32\svchost.exe[1360] D:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a31d30 1 byte JMP 0000000077b903c0 .text D:\Windows\system32\svchost.exe[1360] D:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 0000000077a31d32 3 bytes {JMP 0x15e690} .text D:\Windows\system32\svchost.exe[1360] D:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077a31d40 5 bytes JMP 0000000077b90320 .text D:\Windows\system32\svchost.exe[1360] D:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077a31db0 5 bytes JMP 0000000077b90410 .text D:\Windows\system32\svchost.exe[1360] D:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077a31de0 5 bytes JMP 0000000077b90230 .text D:\Windows\system32\svchost.exe[1360] D:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000077a31f80 5 bytes JMP 0000000077b903f0 .text D:\Windows\system32\svchost.exe[1360] D:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a320a0 5 bytes JMP 0000000077b901d0 .text D:\Windows\system32\svchost.exe[1360] D:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077a32160 5 bytes JMP 0000000077b90240 .text D:\Windows\system32\svchost.exe[1360] D:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077a32190 5 bytes JMP 0000000077b904b0 .text D:\Windows\system32\svchost.exe[1360] D:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077a321a0 5 bytes JMP 0000000077b904c0 .text D:\Windows\system32\svchost.exe[1360] D:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077a321d0 5 bytes JMP 0000000077b902f0 .text D:\Windows\system32\svchost.exe[1360] D:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077a321e0 5 bytes JMP 0000000077b90350 .text D:\Windows\system32\svchost.exe[1360] D:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077a32240 5 bytes JMP 0000000077b90290 .text D:\Windows\system32\svchost.exe[1360] D:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077a32290 5 bytes JMP 0000000077b902b0 .text D:\Windows\system32\svchost.exe[1360] D:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077a322c0 5 bytes JMP 0000000077b90370 .text D:\Windows\system32\svchost.exe[1360] D:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077a322d0 5 bytes JMP 0000000077b90330 .text D:\Windows\system32\svchost.exe[1360] D:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077a325c0 5 bytes JMP 0000000077b90460 .text D:\Windows\system32\svchost.exe[1360] D:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000077a32720 5 bytes JMP 0000000077b90420 .text D:\Windows\system32\svchost.exe[1360] D:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077a327c0 1 byte JMP 0000000077b90250 .text D:\Windows\system32\svchost.exe[1360] D:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 0000000077a327c2 3 bytes {JMP 0x15da90} .text D:\Windows\system32\svchost.exe[1360] D:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077a327d0 1 byte JMP 0000000077b90260 .text D:\Windows\system32\svchost.exe[1360] D:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 0000000077a327d2 3 bytes {JMP 0x15da90} .text D:\Windows\system32\svchost.exe[1360] D:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077a327e0 5 bytes JMP 0000000077b90400 .text D:\Windows\system32\svchost.exe[1360] D:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a329a0 5 bytes JMP 0000000077b901e0 .text D:\Windows\system32\svchost.exe[1360] D:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077a329b0 5 bytes JMP 0000000077b90200 .text D:\Windows\system32\svchost.exe[1360] D:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a32a20 5 bytes JMP 0000000077b901f0 .text D:\Windows\system32\svchost.exe[1360] D:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077a32a80 5 bytes JMP 0000000077b90430 .text D:\Windows\system32\svchost.exe[1360] D:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077a32a90 5 bytes JMP 0000000077b90450 .text D:\Windows\system32\svchost.exe[1360] D:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a32aa0 5 bytes JMP 0000000077b90210 .text D:\Windows\system32\svchost.exe[1360] D:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077a32b80 5 bytes JMP 0000000077b90270 .text D:\Windows\system32\Dwm.exe[1372] D:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077a31360 5 bytes JMP 0000000077b90480 .text D:\Windows\system32\Dwm.exe[1372] D:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077a313b0 5 bytes JMP 0000000077b90470 .text D:\Windows\system32\Dwm.exe[1372] D:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077a31510 5 bytes JMP 0000000077b90360 .text D:\Windows\system32\Dwm.exe[1372] D:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077a31560 5 bytes JMP 0000000077b90490 .text D:\Windows\system32\Dwm.exe[1372] D:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a31570 5 bytes JMP 0000000077b903d0 .text D:\Windows\system32\Dwm.exe[1372] D:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a31620 5 bytes JMP 0000000077b90310 .text D:\Windows\system32\Dwm.exe[1372] D:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077a31650 5 bytes JMP 0000000077b903a0 .text D:\Windows\system32\Dwm.exe[1372] D:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077a31670 5 bytes JMP 0000000077b90380 .text D:\Windows\system32\Dwm.exe[1372] D:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077a316b0 5 bytes JMP 0000000077b902d0 .text D:\Windows\system32\Dwm.exe[1372] D:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a31730 1 byte JMP 0000000077b902c0 .text D:\Windows\system32\Dwm.exe[1372] D:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 0000000077a31732 3 bytes {JMP 0x17} .text D:\Windows\system32\Dwm.exe[1372] D:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a31750 5 bytes JMP 0000000077b90300 .text D:\Windows\system32\Dwm.exe[1372] D:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a31790 5 bytes JMP 0000000077b903b0 .text D:\Windows\system32\Dwm.exe[1372] D:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000077a317d0 5 bytes JMP 0000000077b90440 .text D:\Windows\system32\Dwm.exe[1372] D:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a317e0 5 bytes JMP 0000000077b903e0 .text D:\Windows\system32\Dwm.exe[1372] D:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077a31940 5 bytes JMP 0000000077b90220 .text D:\Windows\system32\Dwm.exe[1372] D:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a31b00 5 bytes JMP 0000000077b904a0 .text D:\Windows\system32\Dwm.exe[1372] D:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077a31b30 5 bytes JMP 0000000077b90390 .text D:\Windows\system32\Dwm.exe[1372] D:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077a31c10 5 bytes JMP 0000000077b902e0 .text D:\Windows\system32\Dwm.exe[1372] D:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077a31c20 5 bytes JMP 0000000077b90340 .text D:\Windows\system32\Dwm.exe[1372] D:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a31c80 5 bytes JMP 0000000077b90280 .text D:\Windows\system32\Dwm.exe[1372] D:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a31d10 1 byte JMP 0000000077b902a0 .text D:\Windows\system32\Dwm.exe[1372] D:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 0000000077a31d12 3 bytes {JMP 0x15e590} .text D:\Windows\system32\Dwm.exe[1372] D:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a31d30 1 byte JMP 0000000077b903c0 .text D:\Windows\system32\Dwm.exe[1372] D:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 0000000077a31d32 3 bytes {JMP 0x15e690} .text D:\Windows\system32\Dwm.exe[1372] D:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077a31d40 5 bytes JMP 0000000077b90320 .text D:\Windows\system32\Dwm.exe[1372] D:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077a31db0 5 bytes JMP 0000000077b90410 .text D:\Windows\system32\Dwm.exe[1372] D:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077a31de0 5 bytes JMP 0000000077b90230 .text D:\Windows\system32\Dwm.exe[1372] D:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000077a31f80 5 bytes JMP 0000000077b903f0 .text D:\Windows\system32\Dwm.exe[1372] D:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a320a0 5 bytes JMP 0000000077b901d0 .text D:\Windows\system32\Dwm.exe[1372] D:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077a32160 5 bytes JMP 0000000077b90240 .text D:\Windows\system32\Dwm.exe[1372] D:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077a32190 5 bytes JMP 0000000077b904b0 .text D:\Windows\system32\Dwm.exe[1372] D:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077a321a0 5 bytes JMP 0000000077b904c0 .text D:\Windows\system32\Dwm.exe[1372] D:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077a321d0 5 bytes JMP 0000000077b902f0 .text D:\Windows\system32\Dwm.exe[1372] D:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077a321e0 5 bytes JMP 0000000077b90350 .text D:\Windows\system32\Dwm.exe[1372] D:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077a32240 5 bytes JMP 0000000077b90290 .text D:\Windows\system32\Dwm.exe[1372] D:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077a32290 5 bytes JMP 0000000077b902b0 .text D:\Windows\system32\Dwm.exe[1372] D:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077a322c0 5 bytes JMP 0000000077b90370 .text D:\Windows\system32\Dwm.exe[1372] D:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077a322d0 5 bytes JMP 0000000077b90330 .text D:\Windows\system32\Dwm.exe[1372] D:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077a325c0 5 bytes JMP 0000000077b90460 .text D:\Windows\system32\Dwm.exe[1372] D:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000077a32720 5 bytes JMP 0000000077b90420 .text D:\Windows\system32\Dwm.exe[1372] D:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077a327c0 1 byte JMP 0000000077b90250 .text D:\Windows\system32\Dwm.exe[1372] D:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 0000000077a327c2 3 bytes {JMP 0x15da90} .text D:\Windows\system32\Dwm.exe[1372] D:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077a327d0 1 byte JMP 0000000077b90260 .text D:\Windows\system32\Dwm.exe[1372] D:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 0000000077a327d2 3 bytes {JMP 0x15da90} .text D:\Windows\system32\Dwm.exe[1372] D:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077a327e0 5 bytes JMP 0000000077b90400 .text D:\Windows\system32\Dwm.exe[1372] D:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a329a0 5 bytes JMP 0000000077b901e0 .text D:\Windows\system32\Dwm.exe[1372] D:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077a329b0 5 bytes JMP 0000000077b90200 .text D:\Windows\system32\Dwm.exe[1372] D:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a32a20 5 bytes JMP 0000000077b901f0 .text D:\Windows\system32\Dwm.exe[1372] D:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077a32a80 5 bytes JMP 0000000077b90430 .text D:\Windows\system32\Dwm.exe[1372] D:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077a32a90 5 bytes JMP 0000000077b90450 .text D:\Windows\system32\Dwm.exe[1372] D:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a32aa0 5 bytes JMP 0000000077b90210 .text D:\Windows\system32\Dwm.exe[1372] D:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077a32b80 5 bytes JMP 0000000077b90270 .text D:\Windows\Explorer.EXE[1396] D:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077a31360 5 bytes JMP 0000000077b90480 .text D:\Windows\Explorer.EXE[1396] D:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077a313b0 5 bytes JMP 0000000077b90470 .text D:\Windows\Explorer.EXE[1396] D:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077a31510 5 bytes JMP 0000000077b90360 .text D:\Windows\Explorer.EXE[1396] D:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077a31560 5 bytes JMP 0000000077b90490 .text D:\Windows\Explorer.EXE[1396] D:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a31570 5 bytes JMP 0000000077b903d0 .text D:\Windows\Explorer.EXE[1396] D:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a31620 5 bytes JMP 0000000077b90310 .text D:\Windows\Explorer.EXE[1396] D:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077a31650 5 bytes JMP 0000000077b903a0 .text D:\Windows\Explorer.EXE[1396] D:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077a31670 5 bytes JMP 0000000077b90380 .text D:\Windows\Explorer.EXE[1396] D:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077a316b0 5 bytes JMP 0000000077b902d0 .text D:\Windows\Explorer.EXE[1396] D:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a31730 1 byte JMP 0000000077b902c0 .text D:\Windows\Explorer.EXE[1396] D:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 0000000077a31732 3 bytes {JMP 0x17} .text D:\Windows\Explorer.EXE[1396] D:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a31750 5 bytes JMP 0000000077b90300 .text D:\Windows\Explorer.EXE[1396] D:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a31790 5 bytes JMP 0000000077b903b0 .text D:\Windows\Explorer.EXE[1396] D:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000077a317d0 5 bytes JMP 0000000077b90440 .text D:\Windows\Explorer.EXE[1396] D:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a317e0 5 bytes JMP 0000000077b903e0 .text D:\Windows\Explorer.EXE[1396] D:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077a31940 5 bytes JMP 0000000077b90220 .text D:\Windows\Explorer.EXE[1396] D:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a31b00 5 bytes JMP 0000000077b904a0 .text D:\Windows\Explorer.EXE[1396] D:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077a31b30 5 bytes JMP 0000000077b90390 .text D:\Windows\Explorer.EXE[1396] D:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077a31c10 5 bytes JMP 0000000077b902e0 .text D:\Windows\Explorer.EXE[1396] D:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077a31c20 5 bytes JMP 0000000077b90340 .text D:\Windows\Explorer.EXE[1396] D:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a31c80 5 bytes JMP 0000000077b90280 .text D:\Windows\Explorer.EXE[1396] D:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a31d10 1 byte JMP 0000000077b902a0 .text D:\Windows\Explorer.EXE[1396] D:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 0000000077a31d12 3 bytes {JMP 0x15e590} .text D:\Windows\Explorer.EXE[1396] D:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a31d30 1 byte JMP 0000000077b903c0 .text D:\Windows\Explorer.EXE[1396] D:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 0000000077a31d32 3 bytes {JMP 0x15e690} .text D:\Windows\Explorer.EXE[1396] D:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077a31d40 5 bytes JMP 0000000077b90320 .text D:\Windows\Explorer.EXE[1396] D:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077a31db0 5 bytes JMP 0000000077b90410 .text D:\Windows\Explorer.EXE[1396] D:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077a31de0 5 bytes JMP 0000000077b90230 .text D:\Windows\Explorer.EXE[1396] D:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000077a31f80 5 bytes JMP 0000000077b903f0 .text D:\Windows\Explorer.EXE[1396] D:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a320a0 5 bytes JMP 0000000077b901d0 .text D:\Windows\Explorer.EXE[1396] D:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077a32160 5 bytes JMP 0000000077b90240 .text D:\Windows\Explorer.EXE[1396] D:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077a32190 5 bytes JMP 0000000077b904b0 .text D:\Windows\Explorer.EXE[1396] D:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077a321a0 5 bytes JMP 0000000077b904c0 .text D:\Windows\Explorer.EXE[1396] D:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077a321d0 5 bytes JMP 0000000077b902f0 .text D:\Windows\Explorer.EXE[1396] D:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077a321e0 5 bytes JMP 0000000077b90350 .text D:\Windows\Explorer.EXE[1396] D:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077a32240 5 bytes JMP 0000000077b90290 .text D:\Windows\Explorer.EXE[1396] D:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077a32290 5 bytes JMP 0000000077b902b0 .text D:\Windows\Explorer.EXE[1396] D:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077a322c0 5 bytes JMP 0000000077b90370 .text D:\Windows\Explorer.EXE[1396] D:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077a322d0 5 bytes JMP 0000000077b90330 .text D:\Windows\Explorer.EXE[1396] D:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077a325c0 5 bytes JMP 0000000077b90460 .text D:\Windows\Explorer.EXE[1396] D:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000077a32720 5 bytes JMP 0000000077b90420 .text D:\Windows\Explorer.EXE[1396] D:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077a327c0 1 byte JMP 0000000077b90250 .text D:\Windows\Explorer.EXE[1396] D:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 0000000077a327c2 3 bytes {JMP 0x15da90} .text D:\Windows\Explorer.EXE[1396] D:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077a327d0 1 byte JMP 0000000077b90260 .text D:\Windows\Explorer.EXE[1396] D:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 0000000077a327d2 3 bytes {JMP 0x15da90} .text D:\Windows\Explorer.EXE[1396] D:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077a327e0 5 bytes JMP 0000000077b90400 .text D:\Windows\Explorer.EXE[1396] D:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a329a0 5 bytes JMP 0000000077b901e0 .text D:\Windows\Explorer.EXE[1396] D:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077a329b0 5 bytes JMP 0000000077b90200 .text D:\Windows\Explorer.EXE[1396] D:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a32a20 5 bytes JMP 0000000077b901f0 .text D:\Windows\Explorer.EXE[1396] D:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077a32a80 5 bytes JMP 0000000077b90430 .text D:\Windows\Explorer.EXE[1396] D:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077a32a90 5 bytes JMP 0000000077b90450 .text D:\Windows\Explorer.EXE[1396] D:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a32aa0 5 bytes JMP 0000000077b90210 .text D:\Windows\Explorer.EXE[1396] D:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077a32b80 5 bytes JMP 0000000077b90270 .text D:\Windows\AsScrPro.exe[1652] D:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000077741465 2 bytes [74, 77] .text D:\Windows\AsScrPro.exe[1652] D:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000777414bb 2 bytes [74, 77] .text ... * 2 .text D:\Windows\system32\taskhost.exe[1756] D:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077a31360 5 bytes JMP 0000000077b90480 .text D:\Windows\system32\taskhost.exe[1756] D:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077a313b0 5 bytes JMP 0000000077b90470 .text D:\Windows\system32\taskhost.exe[1756] D:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077a31510 5 bytes JMP 0000000077b90360 .text D:\Windows\system32\taskhost.exe[1756] D:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077a31560 5 bytes JMP 0000000077b90490 .text D:\Windows\system32\taskhost.exe[1756] D:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a31570 5 bytes JMP 0000000077b903d0 .text D:\Windows\system32\taskhost.exe[1756] D:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a31620 5 bytes JMP 0000000077b90310 .text D:\Windows\system32\taskhost.exe[1756] D:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077a31650 5 bytes JMP 0000000077b903a0 .text D:\Windows\system32\taskhost.exe[1756] D:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077a31670 5 bytes JMP 0000000077b90380 .text D:\Windows\system32\taskhost.exe[1756] D:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077a316b0 5 bytes JMP 0000000077b902d0 .text D:\Windows\system32\taskhost.exe[1756] D:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a31730 1 byte JMP 0000000077b902c0 .text D:\Windows\system32\taskhost.exe[1756] D:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 0000000077a31732 3 bytes {JMP 0x17} .text D:\Windows\system32\taskhost.exe[1756] D:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a31750 5 bytes JMP 0000000077b90300 .text D:\Windows\system32\taskhost.exe[1756] D:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a31790 5 bytes JMP 0000000077b903b0 .text D:\Windows\system32\taskhost.exe[1756] D:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000077a317d0 5 bytes JMP 0000000077b90440 .text D:\Windows\system32\taskhost.exe[1756] D:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a317e0 5 bytes JMP 0000000077b903e0 .text D:\Windows\system32\taskhost.exe[1756] D:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077a31940 5 bytes JMP 0000000077b90220 .text D:\Windows\system32\taskhost.exe[1756] D:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a31b00 5 bytes JMP 0000000077b904a0 .text D:\Windows\system32\taskhost.exe[1756] D:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077a31b30 5 bytes JMP 0000000077b90390 .text D:\Windows\system32\taskhost.exe[1756] D:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077a31c10 5 bytes JMP 0000000077b902e0 .text D:\Windows\system32\taskhost.exe[1756] D:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077a31c20 5 bytes JMP 0000000077b90340 .text D:\Windows\system32\taskhost.exe[1756] D:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a31c80 5 bytes JMP 0000000077b90280 .text D:\Windows\system32\taskhost.exe[1756] D:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a31d10 1 byte JMP 0000000077b902a0 .text D:\Windows\system32\taskhost.exe[1756] D:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 0000000077a31d12 3 bytes {JMP 0x15e590} .text D:\Windows\system32\taskhost.exe[1756] D:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a31d30 1 byte JMP 0000000077b903c0 .text D:\Windows\system32\taskhost.exe[1756] D:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 0000000077a31d32 3 bytes {JMP 0x15e690} .text D:\Windows\system32\taskhost.exe[1756] D:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077a31d40 5 bytes JMP 0000000077b90320 .text D:\Windows\system32\taskhost.exe[1756] D:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077a31db0 5 bytes JMP 0000000077b90410 .text D:\Windows\system32\taskhost.exe[1756] D:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077a31de0 5 bytes JMP 0000000077b90230 .text D:\Windows\system32\taskhost.exe[1756] D:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000077a31f80 5 bytes JMP 0000000077b903f0 .text D:\Windows\system32\taskhost.exe[1756] D:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a320a0 5 bytes JMP 0000000077b901d0 .text D:\Windows\system32\taskhost.exe[1756] D:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077a32160 5 bytes JMP 0000000077b90240 .text D:\Windows\system32\taskhost.exe[1756] D:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077a32190 5 bytes JMP 0000000077b904b0 .text D:\Windows\system32\taskhost.exe[1756] D:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077a321a0 5 bytes JMP 0000000077b904c0 .text D:\Windows\system32\taskhost.exe[1756] D:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077a321d0 5 bytes JMP 0000000077b902f0 .text D:\Windows\system32\taskhost.exe[1756] D:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077a321e0 5 bytes JMP 0000000077b90350 .text D:\Windows\system32\taskhost.exe[1756] D:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077a32240 5 bytes JMP 0000000077b90290 .text D:\Windows\system32\taskhost.exe[1756] D:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077a32290 5 bytes JMP 0000000077b902b0 .text D:\Windows\system32\taskhost.exe[1756] D:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077a322c0 5 bytes JMP 0000000077b90370 .text D:\Windows\system32\taskhost.exe[1756] D:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077a322d0 5 bytes JMP 0000000077b90330 .text D:\Windows\system32\taskhost.exe[1756] D:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077a325c0 5 bytes JMP 0000000077b90460 .text D:\Windows\system32\taskhost.exe[1756] D:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000077a32720 5 bytes JMP 0000000077b90420 .text D:\Windows\system32\taskhost.exe[1756] D:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077a327c0 1 byte JMP 0000000077b90250 .text D:\Windows\system32\taskhost.exe[1756] D:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 0000000077a327c2 3 bytes {JMP 0x15da90} .text D:\Windows\system32\taskhost.exe[1756] D:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077a327d0 1 byte JMP 0000000077b90260 .text D:\Windows\system32\taskhost.exe[1756] D:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 0000000077a327d2 3 bytes {JMP 0x15da90} .text D:\Windows\system32\taskhost.exe[1756] D:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077a327e0 5 bytes JMP 0000000077b90400 .text D:\Windows\system32\taskhost.exe[1756] D:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a329a0 5 bytes JMP 0000000077b901e0 .text D:\Windows\system32\taskhost.exe[1756] D:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077a329b0 5 bytes JMP 0000000077b90200 .text D:\Windows\system32\taskhost.exe[1756] D:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a32a20 5 bytes JMP 0000000077b901f0 .text D:\Windows\system32\taskhost.exe[1756] D:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077a32a80 5 bytes JMP 0000000077b90430 .text D:\Windows\system32\taskhost.exe[1756] D:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077a32a90 5 bytes JMP 0000000077b90450 .text D:\Windows\system32\taskhost.exe[1756] D:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a32aa0 5 bytes JMP 0000000077b90210 .text D:\Windows\system32\taskhost.exe[1756] D:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077a32b80 5 bytes JMP 0000000077b90270 .text D:\Windows\system32\taskeng.exe[1204] D:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077a31360 5 bytes JMP 0000000077b90480 .text D:\Windows\system32\taskeng.exe[1204] D:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077a313b0 5 bytes JMP 0000000077b90470 .text D:\Windows\system32\taskeng.exe[1204] D:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077a31510 5 bytes JMP 0000000077b90360 .text D:\Windows\system32\taskeng.exe[1204] D:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077a31560 5 bytes JMP 0000000077b90490 .text D:\Windows\system32\taskeng.exe[1204] D:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a31570 5 bytes JMP 0000000077b903d0 .text D:\Windows\system32\taskeng.exe[1204] D:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a31620 5 bytes JMP 0000000077b90310 .text D:\Windows\system32\taskeng.exe[1204] D:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077a31650 5 bytes JMP 0000000077b903a0 .text D:\Windows\system32\taskeng.exe[1204] D:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077a31670 5 bytes JMP 0000000077b90380 .text D:\Windows\system32\taskeng.exe[1204] D:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077a316b0 5 bytes JMP 0000000077b902d0 .text D:\Windows\system32\taskeng.exe[1204] D:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a31730 1 byte JMP 0000000077b902c0 .text D:\Windows\system32\taskeng.exe[1204] D:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 0000000077a31732 3 bytes {JMP 0x17} .text D:\Windows\system32\taskeng.exe[1204] D:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a31750 5 bytes JMP 0000000077b90300 .text D:\Windows\system32\taskeng.exe[1204] D:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a31790 5 bytes JMP 0000000077b903b0 .text D:\Windows\system32\taskeng.exe[1204] D:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000077a317d0 5 bytes JMP 0000000077b90440 .text D:\Windows\system32\taskeng.exe[1204] D:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a317e0 5 bytes JMP 0000000077b903e0 .text D:\Windows\system32\taskeng.exe[1204] D:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077a31940 5 bytes JMP 0000000077b90220 .text D:\Windows\system32\taskeng.exe[1204] D:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a31b00 5 bytes JMP 0000000077b904a0 .text D:\Windows\system32\taskeng.exe[1204] D:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077a31b30 5 bytes JMP 0000000077b90390 .text D:\Windows\system32\taskeng.exe[1204] D:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077a31c10 5 bytes JMP 0000000077b902e0 .text D:\Windows\system32\taskeng.exe[1204] D:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077a31c20 5 bytes JMP 0000000077b90340 .text D:\Windows\system32\taskeng.exe[1204] D:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a31c80 5 bytes JMP 0000000077b90280 .text D:\Windows\system32\taskeng.exe[1204] D:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a31d10 1 byte JMP 0000000077b902a0 .text D:\Windows\system32\taskeng.exe[1204] D:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 0000000077a31d12 3 bytes {JMP 0x15e590} .text D:\Windows\system32\taskeng.exe[1204] D:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a31d30 1 byte JMP 0000000077b903c0 .text D:\Windows\system32\taskeng.exe[1204] D:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 0000000077a31d32 3 bytes {JMP 0x15e690} .text D:\Windows\system32\taskeng.exe[1204] D:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077a31d40 5 bytes JMP 0000000077b90320 .text D:\Windows\system32\taskeng.exe[1204] D:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077a31db0 5 bytes JMP 0000000077b90410 .text D:\Windows\system32\taskeng.exe[1204] D:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077a31de0 5 bytes JMP 0000000077b90230 .text D:\Windows\system32\taskeng.exe[1204] D:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000077a31f80 5 bytes JMP 0000000077b903f0 .text D:\Windows\system32\taskeng.exe[1204] D:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a320a0 5 bytes JMP 0000000077b901d0 .text D:\Windows\system32\taskeng.exe[1204] D:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077a32160 5 bytes JMP 0000000077b90240 .text D:\Windows\system32\taskeng.exe[1204] D:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077a32190 5 bytes JMP 0000000077b904b0 .text D:\Windows\system32\taskeng.exe[1204] D:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077a321a0 5 bytes JMP 0000000077b904c0 .text D:\Windows\system32\taskeng.exe[1204] D:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077a321d0 5 bytes JMP 0000000077b902f0 .text D:\Windows\system32\taskeng.exe[1204] D:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077a321e0 5 bytes JMP 0000000077b90350 .text D:\Windows\system32\taskeng.exe[1204] D:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077a32240 5 bytes JMP 0000000077b90290 .text D:\Windows\system32\taskeng.exe[1204] D:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077a32290 5 bytes JMP 0000000077b902b0 .text D:\Windows\system32\taskeng.exe[1204] D:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077a322c0 5 bytes JMP 0000000077b90370 .text D:\Windows\system32\taskeng.exe[1204] D:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077a322d0 5 bytes JMP 0000000077b90330 .text D:\Windows\system32\taskeng.exe[1204] D:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077a325c0 5 bytes JMP 0000000077b90460 .text D:\Windows\system32\taskeng.exe[1204] D:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000077a32720 5 bytes JMP 0000000077b90420 .text D:\Windows\system32\taskeng.exe[1204] D:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077a327c0 1 byte JMP 0000000077b90250 .text D:\Windows\system32\taskeng.exe[1204] D:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 0000000077a327c2 3 bytes {JMP 0x15da90} .text D:\Windows\system32\taskeng.exe[1204] D:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077a327d0 1 byte JMP 0000000077b90260 .text D:\Windows\system32\taskeng.exe[1204] D:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 0000000077a327d2 3 bytes {JMP 0x15da90} .text D:\Windows\system32\taskeng.exe[1204] D:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077a327e0 5 bytes JMP 0000000077b90400 .text D:\Windows\system32\taskeng.exe[1204] D:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a329a0 5 bytes JMP 0000000077b901e0 .text D:\Windows\system32\taskeng.exe[1204] D:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077a329b0 5 bytes JMP 0000000077b90200 .text D:\Windows\system32\taskeng.exe[1204] D:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a32a20 5 bytes JMP 0000000077b901f0 .text D:\Windows\system32\taskeng.exe[1204] D:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077a32a80 5 bytes JMP 0000000077b90430 .text D:\Windows\system32\taskeng.exe[1204] D:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077a32a90 5 bytes JMP 0000000077b90450 .text D:\Windows\system32\taskeng.exe[1204] D:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a32aa0 5 bytes JMP 0000000077b90210 .text D:\Windows\system32\taskeng.exe[1204] D:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077a32b80 5 bytes JMP 0000000077b90270 .text D:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[1496] D:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000077741465 2 bytes [74, 77] .text D:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[1496] D:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000777414bb 2 bytes [74, 77] .text ... * 2 .text D:\Windows\system32\taskeng.exe[1244] D:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077a31360 5 bytes JMP 0000000077b90480 .text D:\Windows\system32\taskeng.exe[1244] D:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077a313b0 5 bytes JMP 0000000077b90470 .text D:\Windows\system32\taskeng.exe[1244] D:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077a31510 5 bytes JMP 0000000077b90360 .text D:\Windows\system32\taskeng.exe[1244] D:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077a31560 5 bytes JMP 0000000077b90490 .text D:\Windows\system32\taskeng.exe[1244] D:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a31570 5 bytes JMP 0000000077b903d0 .text D:\Windows\system32\taskeng.exe[1244] D:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a31620 5 bytes JMP 0000000077b90310 .text D:\Windows\system32\taskeng.exe[1244] D:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077a31650 5 bytes JMP 0000000077b903a0 .text D:\Windows\system32\taskeng.exe[1244] D:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077a31670 5 bytes JMP 0000000077b90380 .text D:\Windows\system32\taskeng.exe[1244] D:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077a316b0 5 bytes JMP 0000000077b902d0 .text D:\Windows\system32\taskeng.exe[1244] D:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a31730 1 byte JMP 0000000077b902c0 .text D:\Windows\system32\taskeng.exe[1244] D:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 0000000077a31732 3 bytes {JMP 0x17} .text D:\Windows\system32\taskeng.exe[1244] D:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a31750 5 bytes JMP 0000000077b90300 .text D:\Windows\system32\taskeng.exe[1244] D:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a31790 5 bytes JMP 0000000077b903b0 .text D:\Windows\system32\taskeng.exe[1244] D:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000077a317d0 5 bytes JMP 0000000077b90440 .text D:\Windows\system32\taskeng.exe[1244] D:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a317e0 5 bytes JMP 0000000077b903e0 .text D:\Windows\system32\taskeng.exe[1244] D:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077a31940 5 bytes JMP 0000000077b90220 .text D:\Windows\system32\taskeng.exe[1244] D:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a31b00 5 bytes JMP 0000000077b904a0 .text D:\Windows\system32\taskeng.exe[1244] D:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077a31b30 5 bytes JMP 0000000077b90390 .text D:\Windows\system32\taskeng.exe[1244] D:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077a31c10 5 bytes JMP 0000000077b902e0 .text D:\Windows\system32\taskeng.exe[1244] D:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077a31c20 5 bytes JMP 0000000077b90340 .text D:\Windows\system32\taskeng.exe[1244] D:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a31c80 5 bytes JMP 0000000077b90280 .text D:\Windows\system32\taskeng.exe[1244] D:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a31d10 1 byte JMP 0000000077b902a0 .text D:\Windows\system32\taskeng.exe[1244] D:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 0000000077a31d12 3 bytes {JMP 0x15e590} .text D:\Windows\system32\taskeng.exe[1244] D:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a31d30 1 byte JMP 0000000077b903c0 .text D:\Windows\system32\taskeng.exe[1244] D:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 0000000077a31d32 3 bytes {JMP 0x15e690} .text D:\Windows\system32\taskeng.exe[1244] D:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077a31d40 5 bytes JMP 0000000077b90320 .text D:\Windows\system32\taskeng.exe[1244] D:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077a31db0 5 bytes JMP 0000000077b90410 .text D:\Windows\system32\taskeng.exe[1244] D:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077a31de0 5 bytes JMP 0000000077b90230 .text D:\Windows\system32\taskeng.exe[1244] D:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000077a31f80 5 bytes JMP 0000000077b903f0 .text D:\Windows\system32\taskeng.exe[1244] D:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a320a0 5 bytes JMP 0000000077b901d0 .text D:\Windows\system32\taskeng.exe[1244] D:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077a32160 5 bytes JMP 0000000077b90240 .text D:\Windows\system32\taskeng.exe[1244] D:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077a32190 5 bytes JMP 0000000077b904b0 .text D:\Windows\system32\taskeng.exe[1244] D:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077a321a0 5 bytes JMP 0000000077b904c0 .text D:\Windows\system32\taskeng.exe[1244] D:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077a321d0 5 bytes JMP 0000000077b902f0 .text D:\Windows\system32\taskeng.exe[1244] D:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077a321e0 5 bytes JMP 0000000077b90350 .text D:\Windows\system32\taskeng.exe[1244] D:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077a32240 5 bytes JMP 0000000077b90290 .text D:\Windows\system32\taskeng.exe[1244] D:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077a32290 5 bytes JMP 0000000077b902b0 .text D:\Windows\system32\taskeng.exe[1244] D:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077a322c0 5 bytes JMP 0000000077b90370 .text D:\Windows\system32\taskeng.exe[1244] D:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077a322d0 5 bytes JMP 0000000077b90330 .text D:\Windows\system32\taskeng.exe[1244] D:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077a325c0 5 bytes JMP 0000000077b90460 .text D:\Windows\system32\taskeng.exe[1244] D:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000077a32720 5 bytes JMP 0000000077b90420 .text D:\Windows\system32\taskeng.exe[1244] D:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077a327c0 1 byte JMP 0000000077b90250 .text D:\Windows\system32\taskeng.exe[1244] D:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 0000000077a327c2 3 bytes {JMP 0x15da90} .text D:\Windows\system32\taskeng.exe[1244] D:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077a327d0 1 byte JMP 0000000077b90260 .text D:\Windows\system32\taskeng.exe[1244] D:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 0000000077a327d2 3 bytes {JMP 0x15da90} .text D:\Windows\system32\taskeng.exe[1244] D:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077a327e0 5 bytes JMP 0000000077b90400 .text D:\Windows\system32\taskeng.exe[1244] D:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a329a0 5 bytes JMP 0000000077b901e0 .text D:\Windows\system32\taskeng.exe[1244] D:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077a329b0 5 bytes JMP 0000000077b90200 .text D:\Windows\system32\taskeng.exe[1244] D:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a32a20 5 bytes JMP 0000000077b901f0 .text D:\Windows\system32\taskeng.exe[1244] D:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077a32a80 5 bytes JMP 0000000077b90430 .text D:\Windows\system32\taskeng.exe[1244] D:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077a32a90 5 bytes JMP 0000000077b90450 .text D:\Windows\system32\taskeng.exe[1244] D:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a32aa0 5 bytes JMP 0000000077b90210 .text D:\Windows\system32\taskeng.exe[1244] D:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077a32b80 5 bytes JMP 0000000077b90270 .text D:\Windows\system32\taskeng.exe[1852] D:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077a31360 5 bytes JMP 0000000077b90480 .text D:\Windows\system32\taskeng.exe[1852] D:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077a313b0 5 bytes JMP 0000000077b90470 .text D:\Windows\system32\taskeng.exe[1852] D:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077a31510 5 bytes JMP 0000000077b90360 .text D:\Windows\system32\taskeng.exe[1852] D:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077a31560 5 bytes JMP 0000000077b90490 .text D:\Windows\system32\taskeng.exe[1852] D:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a31570 5 bytes JMP 0000000077b903d0 .text D:\Windows\system32\taskeng.exe[1852] D:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a31620 5 bytes JMP 0000000077b90310 .text D:\Windows\system32\taskeng.exe[1852] D:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077a31650 5 bytes JMP 0000000077b903a0 .text D:\Windows\system32\taskeng.exe[1852] D:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077a31670 5 bytes JMP 0000000077b90380 .text D:\Windows\system32\taskeng.exe[1852] D:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077a316b0 5 bytes JMP 0000000077b902d0 .text D:\Windows\system32\taskeng.exe[1852] D:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a31730 1 byte JMP 0000000077b902c0 .text D:\Windows\system32\taskeng.exe[1852] D:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 0000000077a31732 3 bytes {JMP 0x17} .text D:\Windows\system32\taskeng.exe[1852] D:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a31750 5 bytes JMP 0000000077b90300 .text D:\Windows\system32\taskeng.exe[1852] D:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a31790 5 bytes JMP 0000000077b903b0 .text D:\Windows\system32\taskeng.exe[1852] D:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000077a317d0 5 bytes JMP 0000000077b90440 .text D:\Windows\system32\taskeng.exe[1852] D:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a317e0 5 bytes JMP 0000000077b903e0 .text D:\Windows\system32\taskeng.exe[1852] D:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077a31940 5 bytes JMP 0000000077b90220 .text D:\Windows\system32\taskeng.exe[1852] D:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a31b00 5 bytes JMP 0000000077b904a0 .text D:\Windows\system32\taskeng.exe[1852] D:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077a31b30 5 bytes JMP 0000000077b90390 .text D:\Windows\system32\taskeng.exe[1852] D:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077a31c10 5 bytes JMP 0000000077b902e0 .text D:\Windows\system32\taskeng.exe[1852] D:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077a31c20 5 bytes JMP 0000000077b90340 .text D:\Windows\system32\taskeng.exe[1852] D:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a31c80 5 bytes JMP 0000000077b90280 .text D:\Windows\system32\taskeng.exe[1852] D:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a31d10 1 byte JMP 0000000077b902a0 .text D:\Windows\system32\taskeng.exe[1852] D:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 0000000077a31d12 3 bytes {JMP 0x15e590} .text D:\Windows\system32\taskeng.exe[1852] D:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a31d30 1 byte JMP 0000000077b903c0 .text D:\Windows\system32\taskeng.exe[1852] D:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 0000000077a31d32 3 bytes {JMP 0x15e690} .text D:\Windows\system32\taskeng.exe[1852] D:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077a31d40 5 bytes JMP 0000000077b90320 .text D:\Windows\system32\taskeng.exe[1852] D:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077a31db0 5 bytes JMP 0000000077b90410 .text D:\Windows\system32\taskeng.exe[1852] D:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077a31de0 5 bytes JMP 0000000077b90230 .text D:\Windows\system32\taskeng.exe[1852] D:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000077a31f80 5 bytes JMP 0000000077b903f0 .text D:\Windows\system32\taskeng.exe[1852] D:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a320a0 5 bytes JMP 0000000077b901d0 .text D:\Windows\system32\taskeng.exe[1852] D:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077a32160 5 bytes JMP 0000000077b90240 .text D:\Windows\system32\taskeng.exe[1852] D:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077a32190 5 bytes JMP 0000000077b904b0 .text D:\Windows\system32\taskeng.exe[1852] D:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077a321a0 5 bytes JMP 0000000077b904c0 .text D:\Windows\system32\taskeng.exe[1852] D:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077a321d0 5 bytes JMP 0000000077b902f0 .text D:\Windows\system32\taskeng.exe[1852] D:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077a321e0 5 bytes JMP 0000000077b90350 .text D:\Windows\system32\taskeng.exe[1852] D:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077a32240 5 bytes JMP 0000000077b90290 .text D:\Windows\system32\taskeng.exe[1852] D:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077a32290 5 bytes JMP 0000000077b902b0 .text D:\Windows\system32\taskeng.exe[1852] D:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077a322c0 5 bytes JMP 0000000077b90370 .text D:\Windows\system32\taskeng.exe[1852] D:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077a322d0 5 bytes JMP 0000000077b90330 .text D:\Windows\system32\taskeng.exe[1852] D:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077a325c0 5 bytes JMP 0000000077b90460 .text D:\Windows\system32\taskeng.exe[1852] D:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000077a32720 5 bytes JMP 0000000077b90420 .text D:\Windows\system32\taskeng.exe[1852] D:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077a327c0 1 byte JMP 0000000077b90250 .text D:\Windows\system32\taskeng.exe[1852] D:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 0000000077a327c2 3 bytes {JMP 0x15da90} .text D:\Windows\system32\taskeng.exe[1852] D:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077a327d0 1 byte JMP 0000000077b90260 .text D:\Windows\system32\taskeng.exe[1852] D:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 0000000077a327d2 3 bytes {JMP 0x15da90} .text D:\Windows\system32\taskeng.exe[1852] D:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077a327e0 5 bytes JMP 0000000077b90400 .text D:\Windows\system32\taskeng.exe[1852] D:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a329a0 5 bytes JMP 0000000077b901e0 .text D:\Windows\system32\taskeng.exe[1852] D:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077a329b0 5 bytes JMP 0000000077b90200 .text D:\Windows\system32\taskeng.exe[1852] D:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a32a20 5 bytes JMP 0000000077b901f0 .text D:\Windows\system32\taskeng.exe[1852] D:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077a32a80 5 bytes JMP 0000000077b90430 .text D:\Windows\system32\taskeng.exe[1852] D:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077a32a90 5 bytes JMP 0000000077b90450 .text D:\Windows\system32\taskeng.exe[1852] D:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a32aa0 5 bytes JMP 0000000077b90210 .text D:\Windows\system32\taskeng.exe[1852] D:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077a32b80 5 bytes JMP 0000000077b90270 .text D:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[2652] D:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000077741465 2 bytes [74, 77] .text D:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[2652] D:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000777414bb 2 bytes [74, 77] .text ... * 2 .text D:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2992] D:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000077741465 2 bytes [74, 77] .text D:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[2992] D:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000777414bb 2 bytes [74, 77] .text ... * 2 .text D:\Program Files (x86)\Vivid WorkshopData ATI\jre\bin\java.exe[3000] D:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000077741465 2 bytes [74, 77] .text D:\Program Files (x86)\Vivid WorkshopData ATI\jre\bin\java.exe[3000] D:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000777414bb 2 bytes [74, 77] .text ... * 2 .text D:\Program Files\AVAST Software\Avast\avastui.exe[4080] D:\Windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter 0000000075988791 8 bytes [31, C0, C2, 04, 00, 90, 90, ...] ---- EOF - GMER 2.2 ----