GMER 2.2.19882 - http://www.gmer.net Rootkit scan 2016-07-11 14:25:54 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk1\DR1 -> \Device\Ide\IdeDeviceP1T0L0-4 ST3500418AS rev.CC46 465,76GB Running: bbmv2kzw.exe; Driver: C:\Users\KUBSON~1.WIK\AppData\Local\Temp\uwlirpow.sys ---- Kernel code sections - GMER 2.2 ---- .text C:\Windows\System32\win32k.sys!EngSetLastError + 608 fffff960000b5bf4 8 bytes [C4, 10, 2C, 04, 80, F8, FF, ...] .text C:\Windows\System32\win32k.sys!W32pServiceTable fffff960000e5900 7 bytes [80, 48, F3, FF, 01, 55, F0] .text C:\Windows\System32\win32k.sys!W32pServiceTable + 8 fffff960000e5908 3 bytes [C0, 06, 02] .text ... * 105 .text C:\Windows\System32\win32k.sys!EngQueryW32kCddInterface + 784 fffff960001ae120 6 bytes {JMP QWORD [RIP+0x66a8e]} .text C:\Windows\System32\win32k.sys!EngGetProcessHandle + 740 fffff9600021ca18 8 bytes [00, 29, 2C, 04, 80, F8, FF, ...] ---- User code sections - GMER 2.2 ---- .text C:\Windows\system32\lsass.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000771fbbe0 5 bytes JMP 0000000077360480 .text C:\Windows\system32\lsass.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000771fbc30 5 bytes JMP 0000000077360470 .text C:\Windows\system32\lsass.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000771fbd90 5 bytes JMP 0000000077360360 .text C:\Windows\system32\lsass.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000771fbde0 5 bytes JMP 0000000077360490 .text C:\Windows\system32\lsass.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000771fbdf0 5 bytes JMP 00000000773603d0 .text C:\Windows\system32\lsass.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000771fbea0 5 bytes JMP 0000000077360310 .text C:\Windows\system32\lsass.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000771fbed0 5 bytes JMP 00000000773603a0 .text C:\Windows\system32\lsass.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000771fbef0 1 byte JMP 0000000077360380 .text C:\Windows\system32\lsass.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 00000000771fbef2 3 bytes {JMP 0x164490} .text C:\Windows\system32\lsass.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000771fbf30 5 bytes JMP 00000000773602d0 .text C:\Windows\system32\lsass.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000771fbfb0 5 bytes JMP 00000000773602c0 .text C:\Windows\system32\lsass.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000771fbfd0 5 bytes JMP 0000000077360300 .text C:\Windows\system32\lsass.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000771fc010 5 bytes JMP 00000000773603b0 .text C:\Windows\system32\lsass.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000771fc050 5 bytes JMP 0000000077360440 .text C:\Windows\system32\lsass.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000771fc060 5 bytes JMP 00000000773603e0 .text C:\Windows\system32\lsass.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000771fc1c0 5 bytes JMP 0000000077360220 .text C:\Windows\system32\lsass.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000771fc380 5 bytes JMP 00000000773604a0 .text C:\Windows\system32\lsass.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000771fc3b0 5 bytes JMP 0000000077360390 .text C:\Windows\system32\lsass.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000771fc490 5 bytes JMP 00000000773602e0 .text C:\Windows\system32\lsass.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000771fc4a0 5 bytes JMP 0000000077360340 .text C:\Windows\system32\lsass.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000771fc500 5 bytes JMP 0000000077360280 .text C:\Windows\system32\lsass.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000771fc590 5 bytes JMP 00000000773602a0 .text C:\Windows\system32\lsass.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000771fc5b0 5 bytes JMP 00000000773603c0 .text C:\Windows\system32\lsass.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000771fc5c0 5 bytes JMP 0000000077360320 .text C:\Windows\system32\lsass.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000771fc630 5 bytes JMP 0000000077360410 .text C:\Windows\system32\lsass.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000771fc660 5 bytes JMP 0000000077360230 .text C:\Windows\system32\lsass.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 00000000771fc800 5 bytes JMP 00000000773603f0 .text C:\Windows\system32\lsass.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000771fc920 5 bytes JMP 00000000773601d0 .text C:\Windows\system32\lsass.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000771fc9e0 5 bytes JMP 0000000077360240 .text C:\Windows\system32\lsass.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000771fca10 5 bytes JMP 00000000773604b0 .text C:\Windows\system32\lsass.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000771fca20 5 bytes JMP 00000000773604c0 .text C:\Windows\system32\lsass.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000771fca50 5 bytes JMP 00000000773602f0 .text C:\Windows\system32\lsass.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000771fca60 5 bytes JMP 0000000077360350 .text C:\Windows\system32\lsass.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000771fcac0 5 bytes JMP 0000000077360290 .text C:\Windows\system32\lsass.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000771fcb10 5 bytes JMP 00000000773602b0 .text C:\Windows\system32\lsass.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000771fcb40 5 bytes JMP 0000000077360370 .text C:\Windows\system32\lsass.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000771fcb50 5 bytes JMP 0000000077360330 .text C:\Windows\system32\lsass.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000771fce40 5 bytes JMP 0000000077360460 .text C:\Windows\system32\lsass.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 00000000771fcfa0 5 bytes JMP 0000000077360420 .text C:\Windows\system32\lsass.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000771fd040 5 bytes JMP 0000000077360250 .text C:\Windows\system32\lsass.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000771fd050 5 bytes JMP 0000000077360260 .text C:\Windows\system32\lsass.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000771fd060 5 bytes JMP 0000000077360400 .text C:\Windows\system32\lsass.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000771fd220 5 bytes JMP 00000000773601e0 .text C:\Windows\system32\lsass.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000771fd230 5 bytes JMP 0000000077360200 .text C:\Windows\system32\lsass.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000771fd2a0 5 bytes JMP 00000000773601f0 .text C:\Windows\system32\lsass.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000771fd300 5 bytes JMP 0000000077360430 .text C:\Windows\system32\lsass.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000771fd310 5 bytes JMP 0000000077360450 .text C:\Windows\system32\lsass.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000771fd320 5 bytes JMP 0000000077360210 .text C:\Windows\system32\lsass.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000771fd400 5 bytes JMP 0000000077360270 .text C:\Windows\system32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000771fbbe0 5 bytes JMP 0000000077360480 .text C:\Windows\system32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000771fbc30 5 bytes JMP 0000000077360470 .text C:\Windows\system32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000771fbd90 5 bytes JMP 0000000077360360 .text C:\Windows\system32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000771fbde0 5 bytes JMP 0000000077360490 .text C:\Windows\system32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000771fbdf0 5 bytes JMP 00000000773603d0 .text C:\Windows\system32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000771fbea0 5 bytes JMP 0000000077360310 .text C:\Windows\system32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000771fbed0 5 bytes JMP 00000000773603a0 .text C:\Windows\system32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000771fbef0 1 byte JMP 0000000077360380 .text C:\Windows\system32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 00000000771fbef2 3 bytes {JMP 0x164490} .text C:\Windows\system32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000771fbf30 5 bytes JMP 00000000773602d0 .text C:\Windows\system32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000771fbfb0 5 bytes JMP 00000000773602c0 .text C:\Windows\system32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000771fbfd0 5 bytes JMP 0000000077360300 .text C:\Windows\system32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000771fc010 5 bytes JMP 00000000773603b0 .text C:\Windows\system32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000771fc050 5 bytes JMP 0000000077360440 .text C:\Windows\system32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000771fc060 5 bytes JMP 00000000773603e0 .text C:\Windows\system32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000771fc1c0 5 bytes JMP 0000000077360220 .text C:\Windows\system32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000771fc380 5 bytes JMP 00000000773604a0 .text C:\Windows\system32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000771fc3b0 5 bytes JMP 0000000077360390 .text C:\Windows\system32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000771fc490 5 bytes JMP 00000000773602e0 .text C:\Windows\system32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000771fc4a0 5 bytes JMP 0000000077360340 .text C:\Windows\system32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000771fc500 5 bytes JMP 0000000077360280 .text C:\Windows\system32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000771fc590 5 bytes JMP 00000000773602a0 .text C:\Windows\system32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000771fc5b0 5 bytes JMP 00000000773603c0 .text C:\Windows\system32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000771fc5c0 5 bytes JMP 0000000077360320 .text C:\Windows\system32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000771fc630 5 bytes JMP 0000000077360410 .text C:\Windows\system32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000771fc660 5 bytes JMP 0000000077360230 .text C:\Windows\system32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 00000000771fc800 5 bytes JMP 00000000773603f0 .text C:\Windows\system32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000771fc920 5 bytes JMP 00000000773601d0 .text C:\Windows\system32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000771fc9e0 5 bytes JMP 0000000077360240 .text C:\Windows\system32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000771fca10 5 bytes JMP 00000000773604b0 .text C:\Windows\system32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000771fca20 5 bytes JMP 00000000773604c0 .text C:\Windows\system32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000771fca50 5 bytes JMP 00000000773602f0 .text C:\Windows\system32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000771fca60 5 bytes JMP 0000000077360350 .text C:\Windows\system32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000771fcac0 5 bytes JMP 0000000077360290 .text C:\Windows\system32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000771fcb10 5 bytes JMP 00000000773602b0 .text C:\Windows\system32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000771fcb40 5 bytes JMP 0000000077360370 .text C:\Windows\system32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000771fcb50 5 bytes JMP 0000000077360330 .text C:\Windows\system32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000771fce40 5 bytes JMP 0000000077360460 .text C:\Windows\system32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 00000000771fcfa0 5 bytes JMP 0000000077360420 .text C:\Windows\system32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000771fd040 5 bytes JMP 0000000077360250 .text C:\Windows\system32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000771fd050 5 bytes JMP 0000000077360260 .text C:\Windows\system32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000771fd060 5 bytes JMP 0000000077360400 .text C:\Windows\system32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000771fd220 5 bytes JMP 00000000773601e0 .text C:\Windows\system32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000771fd230 5 bytes JMP 0000000077360200 .text C:\Windows\system32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000771fd2a0 5 bytes JMP 00000000773601f0 .text C:\Windows\system32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000771fd300 5 bytes JMP 0000000077360430 .text C:\Windows\system32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000771fd310 5 bytes JMP 0000000077360450 .text C:\Windows\system32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000771fd320 5 bytes JMP 0000000077360210 .text C:\Windows\system32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000771fd400 5 bytes JMP 0000000077360270 .text C:\Windows\System32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000771fbbe0 5 bytes JMP 0000000077360480 .text C:\Windows\System32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000771fbc30 5 bytes JMP 0000000077360470 .text C:\Windows\System32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000771fbd90 5 bytes JMP 0000000077360360 .text C:\Windows\System32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000771fbde0 5 bytes JMP 0000000077360490 .text C:\Windows\System32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000771fbdf0 5 bytes JMP 00000000773603d0 .text C:\Windows\System32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000771fbea0 5 bytes JMP 0000000077360310 .text C:\Windows\System32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000771fbed0 5 bytes JMP 00000000773603a0 .text C:\Windows\System32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000771fbef0 1 byte JMP 0000000077360380 .text C:\Windows\System32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 00000000771fbef2 3 bytes {JMP 0x164490} .text C:\Windows\System32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000771fbf30 5 bytes JMP 00000000773602d0 .text C:\Windows\System32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000771fbfb0 5 bytes JMP 00000000773602c0 .text C:\Windows\System32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000771fbfd0 5 bytes JMP 0000000077360300 .text C:\Windows\System32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000771fc010 5 bytes JMP 00000000773603b0 .text C:\Windows\System32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000771fc050 5 bytes JMP 0000000077360440 .text C:\Windows\System32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000771fc060 5 bytes JMP 00000000773603e0 .text C:\Windows\System32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000771fc1c0 5 bytes JMP 0000000077360220 .text C:\Windows\System32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000771fc380 5 bytes JMP 00000000773604a0 .text C:\Windows\System32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000771fc3b0 5 bytes JMP 0000000077360390 .text C:\Windows\System32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000771fc490 5 bytes JMP 00000000773602e0 .text C:\Windows\System32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000771fc4a0 5 bytes JMP 0000000077360340 .text C:\Windows\System32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000771fc500 5 bytes JMP 0000000077360280 .text C:\Windows\System32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000771fc590 5 bytes JMP 00000000773602a0 .text C:\Windows\System32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000771fc5b0 5 bytes JMP 00000000773603c0 .text C:\Windows\System32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000771fc5c0 5 bytes JMP 0000000077360320 .text C:\Windows\System32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000771fc630 5 bytes JMP 0000000077360410 .text C:\Windows\System32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000771fc660 5 bytes JMP 0000000077360230 .text C:\Windows\System32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 00000000771fc800 5 bytes JMP 00000000773603f0 .text C:\Windows\System32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000771fc920 5 bytes JMP 00000000773601d0 .text C:\Windows\System32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000771fc9e0 5 bytes JMP 0000000077360240 .text C:\Windows\System32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000771fca10 5 bytes JMP 00000000773604b0 .text C:\Windows\System32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000771fca20 5 bytes JMP 00000000773604c0 .text C:\Windows\System32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000771fca50 5 bytes JMP 00000000773602f0 .text C:\Windows\System32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000771fca60 5 bytes JMP 0000000077360350 .text C:\Windows\System32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000771fcac0 5 bytes JMP 0000000077360290 .text C:\Windows\System32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000771fcb10 5 bytes JMP 00000000773602b0 .text C:\Windows\System32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000771fcb40 5 bytes JMP 0000000077360370 .text C:\Windows\System32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000771fcb50 5 bytes JMP 0000000077360330 .text C:\Windows\System32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000771fce40 5 bytes JMP 0000000077360460 .text C:\Windows\System32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 00000000771fcfa0 5 bytes JMP 0000000077360420 .text C:\Windows\System32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000771fd040 5 bytes JMP 0000000077360250 .text C:\Windows\System32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000771fd050 5 bytes JMP 0000000077360260 .text C:\Windows\System32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000771fd060 5 bytes JMP 0000000077360400 .text C:\Windows\System32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000771fd220 5 bytes JMP 00000000773601e0 .text C:\Windows\System32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000771fd230 5 bytes JMP 0000000077360200 .text C:\Windows\System32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000771fd2a0 5 bytes JMP 00000000773601f0 .text C:\Windows\System32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000771fd300 5 bytes JMP 0000000077360430 .text C:\Windows\System32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000771fd310 5 bytes JMP 0000000077360450 .text C:\Windows\System32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000771fd320 5 bytes JMP 0000000077360210 .text C:\Windows\System32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000771fd400 5 bytes JMP 0000000077360270 .text C:\Windows\System32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000771fbbe0 5 bytes JMP 0000000077360480 .text C:\Windows\System32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000771fbc30 5 bytes JMP 0000000077360470 .text C:\Windows\System32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000771fbd90 5 bytes JMP 0000000077360360 .text C:\Windows\System32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000771fbde0 5 bytes JMP 0000000077360490 .text C:\Windows\System32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000771fbdf0 5 bytes JMP 00000000773603d0 .text C:\Windows\System32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000771fbea0 5 bytes JMP 0000000077360310 .text C:\Windows\System32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000771fbed0 5 bytes JMP 00000000773603a0 .text C:\Windows\System32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000771fbef0 1 byte JMP 0000000077360380 .text C:\Windows\System32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 00000000771fbef2 3 bytes {JMP 0x164490} .text C:\Windows\System32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000771fbf30 5 bytes JMP 00000000773602d0 .text C:\Windows\System32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000771fbfb0 5 bytes JMP 00000000773602c0 .text C:\Windows\System32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000771fbfd0 5 bytes JMP 0000000077360300 .text C:\Windows\System32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000771fc010 5 bytes JMP 00000000773603b0 .text C:\Windows\System32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000771fc050 5 bytes JMP 0000000077360440 .text C:\Windows\System32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000771fc060 5 bytes JMP 00000000773603e0 .text C:\Windows\System32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000771fc1c0 5 bytes JMP 0000000077360220 .text C:\Windows\System32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000771fc380 5 bytes JMP 00000000773604a0 .text C:\Windows\System32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000771fc3b0 5 bytes JMP 0000000077360390 .text C:\Windows\System32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000771fc490 5 bytes JMP 00000000773602e0 .text C:\Windows\System32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000771fc4a0 5 bytes JMP 0000000077360340 .text C:\Windows\System32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000771fc500 5 bytes JMP 0000000077360280 .text C:\Windows\System32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000771fc590 5 bytes JMP 00000000773602a0 .text C:\Windows\System32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000771fc5b0 5 bytes JMP 00000000773603c0 .text C:\Windows\System32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000771fc5c0 5 bytes JMP 0000000077360320 .text C:\Windows\System32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000771fc630 5 bytes JMP 0000000077360410 .text C:\Windows\System32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000771fc660 5 bytes JMP 0000000077360230 .text C:\Windows\System32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 00000000771fc800 5 bytes JMP 00000000773603f0 .text C:\Windows\System32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000771fc920 5 bytes JMP 00000000773601d0 .text C:\Windows\System32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000771fc9e0 5 bytes JMP 0000000077360240 .text C:\Windows\System32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000771fca10 5 bytes JMP 00000000773604b0 .text C:\Windows\System32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000771fca20 5 bytes JMP 00000000773604c0 .text C:\Windows\System32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000771fca50 5 bytes JMP 00000000773602f0 .text C:\Windows\System32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000771fca60 5 bytes JMP 0000000077360350 .text C:\Windows\System32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000771fcac0 5 bytes JMP 0000000077360290 .text C:\Windows\System32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000771fcb10 5 bytes JMP 00000000773602b0 .text C:\Windows\System32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000771fcb40 5 bytes JMP 0000000077360370 .text C:\Windows\System32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000771fcb50 5 bytes JMP 0000000077360330 .text C:\Windows\System32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000771fce40 5 bytes JMP 0000000077360460 .text C:\Windows\System32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 00000000771fcfa0 5 bytes JMP 0000000077360420 .text C:\Windows\System32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000771fd040 5 bytes JMP 0000000077360250 .text C:\Windows\System32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000771fd050 5 bytes JMP 0000000077360260 .text C:\Windows\System32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000771fd060 5 bytes JMP 0000000077360400 .text C:\Windows\System32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000771fd220 5 bytes JMP 00000000773601e0 .text C:\Windows\System32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000771fd230 5 bytes JMP 0000000077360200 .text C:\Windows\System32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000771fd2a0 5 bytes JMP 00000000773601f0 .text C:\Windows\System32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000771fd300 5 bytes JMP 0000000077360430 .text C:\Windows\System32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000771fd310 5 bytes JMP 0000000077360450 .text C:\Windows\System32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000771fd320 5 bytes JMP 0000000077360210 .text C:\Windows\System32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000771fd400 5 bytes JMP 0000000077360270 .text C:\Windows\system32\svchost.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000771fbbe0 5 bytes JMP 0000000077360480 .text C:\Windows\system32\svchost.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000771fbc30 5 bytes JMP 0000000077360470 .text C:\Windows\system32\svchost.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000771fbd90 5 bytes JMP 0000000077360360 .text C:\Windows\system32\svchost.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000771fbde0 5 bytes JMP 0000000077360490 .text C:\Windows\system32\svchost.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000771fbdf0 5 bytes JMP 00000000773603d0 .text C:\Windows\system32\svchost.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000771fbea0 5 bytes JMP 0000000077360310 .text C:\Windows\system32\svchost.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000771fbed0 5 bytes JMP 00000000773603a0 .text C:\Windows\system32\svchost.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000771fbef0 1 byte JMP 0000000077360380 .text C:\Windows\system32\svchost.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 00000000771fbef2 3 bytes {JMP 0x164490} .text C:\Windows\system32\svchost.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000771fbf30 5 bytes JMP 00000000773602d0 .text C:\Windows\system32\svchost.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000771fbfb0 5 bytes JMP 00000000773602c0 .text C:\Windows\system32\svchost.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000771fbfd0 5 bytes JMP 0000000077360300 .text C:\Windows\system32\svchost.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000771fc010 5 bytes JMP 00000000773603b0 .text C:\Windows\system32\svchost.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000771fc050 5 bytes JMP 0000000077360440 .text C:\Windows\system32\svchost.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000771fc060 5 bytes JMP 00000000773603e0 .text C:\Windows\system32\svchost.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000771fc1c0 5 bytes JMP 0000000077360220 .text C:\Windows\system32\svchost.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000771fc380 5 bytes JMP 00000000773604a0 .text C:\Windows\system32\svchost.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000771fc3b0 5 bytes JMP 0000000077360390 .text C:\Windows\system32\svchost.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000771fc490 5 bytes JMP 00000000773602e0 .text C:\Windows\system32\svchost.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000771fc4a0 5 bytes JMP 0000000077360340 .text C:\Windows\system32\svchost.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000771fc500 5 bytes JMP 0000000077360280 .text C:\Windows\system32\svchost.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000771fc590 5 bytes JMP 00000000773602a0 .text C:\Windows\system32\svchost.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000771fc5b0 5 bytes JMP 00000000773603c0 .text C:\Windows\system32\svchost.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000771fc5c0 5 bytes JMP 0000000077360320 .text C:\Windows\system32\svchost.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000771fc630 5 bytes JMP 0000000077360410 .text C:\Windows\system32\svchost.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000771fc660 5 bytes JMP 0000000077360230 .text C:\Windows\system32\svchost.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 00000000771fc800 5 bytes JMP 00000000773603f0 .text C:\Windows\system32\svchost.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000771fc920 5 bytes JMP 00000000773601d0 .text C:\Windows\system32\svchost.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000771fc9e0 5 bytes JMP 0000000077360240 .text C:\Windows\system32\svchost.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000771fca10 5 bytes JMP 00000000773604b0 .text C:\Windows\system32\svchost.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000771fca20 5 bytes JMP 00000000773604c0 .text C:\Windows\system32\svchost.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000771fca50 5 bytes JMP 00000000773602f0 .text C:\Windows\system32\svchost.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000771fca60 5 bytes JMP 0000000077360350 .text C:\Windows\system32\svchost.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000771fcac0 5 bytes JMP 0000000077360290 .text C:\Windows\system32\svchost.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000771fcb10 5 bytes JMP 00000000773602b0 .text C:\Windows\system32\svchost.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000771fcb40 5 bytes JMP 0000000077360370 .text C:\Windows\system32\svchost.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000771fcb50 5 bytes JMP 0000000077360330 .text C:\Windows\system32\svchost.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000771fce40 5 bytes JMP 0000000077360460 .text C:\Windows\system32\svchost.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 00000000771fcfa0 5 bytes JMP 0000000077360420 .text C:\Windows\system32\svchost.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000771fd040 5 bytes JMP 0000000077360250 .text C:\Windows\system32\svchost.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000771fd050 5 bytes JMP 0000000077360260 .text C:\Windows\system32\svchost.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000771fd060 5 bytes JMP 0000000077360400 .text C:\Windows\system32\svchost.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000771fd220 5 bytes JMP 00000000773601e0 .text C:\Windows\system32\svchost.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000771fd230 5 bytes JMP 0000000077360200 .text C:\Windows\system32\svchost.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000771fd2a0 5 bytes JMP 00000000773601f0 .text C:\Windows\system32\svchost.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000771fd300 5 bytes JMP 0000000077360430 .text C:\Windows\system32\svchost.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000771fd310 5 bytes JMP 0000000077360450 .text C:\Windows\system32\svchost.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000771fd320 5 bytes JMP 0000000077360210 .text C:\Windows\system32\svchost.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000771fd400 5 bytes JMP 0000000077360270 .text C:\Windows\system32\svchost.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000771fbbe0 5 bytes JMP 0000000077360480 .text C:\Windows\system32\svchost.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000771fbc30 5 bytes JMP 0000000077360470 .text C:\Windows\system32\svchost.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000771fbd90 5 bytes JMP 0000000077360360 .text C:\Windows\system32\svchost.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000771fbde0 5 bytes JMP 0000000077360490 .text C:\Windows\system32\svchost.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000771fbdf0 5 bytes JMP 00000000773603d0 .text C:\Windows\system32\svchost.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000771fbea0 5 bytes JMP 0000000077360310 .text C:\Windows\system32\svchost.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000771fbed0 5 bytes JMP 00000000773603a0 .text C:\Windows\system32\svchost.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000771fbef0 1 byte JMP 0000000077360380 .text C:\Windows\system32\svchost.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 00000000771fbef2 3 bytes {JMP 0x164490} .text C:\Windows\system32\svchost.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000771fbf30 5 bytes JMP 00000000773602d0 .text C:\Windows\system32\svchost.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000771fbfb0 5 bytes JMP 00000000773602c0 .text C:\Windows\system32\svchost.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000771fbfd0 5 bytes JMP 0000000077360300 .text C:\Windows\system32\svchost.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000771fc010 5 bytes JMP 00000000773603b0 .text C:\Windows\system32\svchost.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000771fc050 5 bytes JMP 0000000077360440 .text C:\Windows\system32\svchost.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000771fc060 5 bytes JMP 00000000773603e0 .text C:\Windows\system32\svchost.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000771fc1c0 5 bytes JMP 0000000077360220 .text C:\Windows\system32\svchost.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000771fc380 5 bytes JMP 00000000773604a0 .text C:\Windows\system32\svchost.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000771fc3b0 5 bytes JMP 0000000077360390 .text C:\Windows\system32\svchost.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000771fc490 5 bytes JMP 00000000773602e0 .text C:\Windows\system32\svchost.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000771fc4a0 5 bytes JMP 0000000077360340 .text C:\Windows\system32\svchost.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000771fc500 5 bytes JMP 0000000077360280 .text C:\Windows\system32\svchost.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000771fc590 5 bytes JMP 00000000773602a0 .text C:\Windows\system32\svchost.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000771fc5b0 5 bytes JMP 00000000773603c0 .text C:\Windows\system32\svchost.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000771fc5c0 5 bytes JMP 0000000077360320 .text C:\Windows\system32\svchost.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000771fc630 5 bytes JMP 0000000077360410 .text C:\Windows\system32\svchost.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000771fc660 5 bytes JMP 0000000077360230 .text C:\Windows\system32\svchost.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 00000000771fc800 5 bytes JMP 00000000773603f0 .text C:\Windows\system32\svchost.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000771fc920 5 bytes JMP 00000000773601d0 .text C:\Windows\system32\svchost.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000771fc9e0 5 bytes JMP 0000000077360240 .text C:\Windows\system32\svchost.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000771fca10 5 bytes JMP 00000000773604b0 .text C:\Windows\system32\svchost.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000771fca20 5 bytes JMP 00000000773604c0 .text C:\Windows\system32\svchost.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000771fca50 5 bytes JMP 00000000773602f0 .text C:\Windows\system32\svchost.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000771fca60 5 bytes JMP 0000000077360350 .text C:\Windows\system32\svchost.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000771fcac0 5 bytes JMP 0000000077360290 .text C:\Windows\system32\svchost.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000771fcb10 5 bytes JMP 00000000773602b0 .text C:\Windows\system32\svchost.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000771fcb40 5 bytes JMP 0000000077360370 .text C:\Windows\system32\svchost.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000771fcb50 5 bytes JMP 0000000077360330 .text C:\Windows\system32\svchost.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000771fce40 5 bytes JMP 0000000077360460 .text C:\Windows\system32\svchost.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 00000000771fcfa0 5 bytes JMP 0000000077360420 .text C:\Windows\system32\svchost.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000771fd040 5 bytes JMP 0000000077360250 .text C:\Windows\system32\svchost.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000771fd050 5 bytes JMP 0000000077360260 .text C:\Windows\system32\svchost.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000771fd060 5 bytes JMP 0000000077360400 .text C:\Windows\system32\svchost.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000771fd220 5 bytes JMP 00000000773601e0 .text C:\Windows\system32\svchost.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000771fd230 5 bytes JMP 0000000077360200 .text C:\Windows\system32\svchost.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000771fd2a0 5 bytes JMP 00000000773601f0 .text C:\Windows\system32\svchost.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000771fd300 5 bytes JMP 0000000077360430 .text C:\Windows\system32\svchost.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000771fd310 5 bytes JMP 0000000077360450 .text C:\Windows\system32\svchost.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000771fd320 5 bytes JMP 0000000077360210 .text C:\Windows\system32\svchost.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000771fd400 5 bytes JMP 0000000077360270 .text C:\Windows\system32\svchost.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000771fbbe0 5 bytes JMP 0000000077360480 .text C:\Windows\system32\svchost.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000771fbc30 5 bytes JMP 0000000077360470 .text C:\Windows\system32\svchost.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000771fbd90 5 bytes JMP 0000000077360360 .text C:\Windows\system32\svchost.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000771fbde0 5 bytes JMP 0000000077360490 .text C:\Windows\system32\svchost.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000771fbdf0 5 bytes JMP 00000000773603d0 .text C:\Windows\system32\svchost.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000771fbea0 5 bytes JMP 0000000077360310 .text C:\Windows\system32\svchost.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000771fbed0 5 bytes JMP 00000000773603a0 .text C:\Windows\system32\svchost.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000771fbef0 1 byte JMP 0000000077360380 .text C:\Windows\system32\svchost.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 00000000771fbef2 3 bytes {JMP 0x164490} .text C:\Windows\system32\svchost.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000771fbf30 5 bytes JMP 00000000773602d0 .text C:\Windows\system32\svchost.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000771fbfb0 5 bytes JMP 00000000773602c0 .text C:\Windows\system32\svchost.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000771fbfd0 5 bytes JMP 0000000077360300 .text C:\Windows\system32\svchost.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000771fc010 5 bytes JMP 00000000773603b0 .text C:\Windows\system32\svchost.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000771fc050 5 bytes JMP 0000000077360440 .text C:\Windows\system32\svchost.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000771fc060 5 bytes JMP 00000000773603e0 .text C:\Windows\system32\svchost.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000771fc1c0 5 bytes JMP 0000000077360220 .text C:\Windows\system32\svchost.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000771fc380 5 bytes JMP 00000000773604a0 .text C:\Windows\system32\svchost.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000771fc3b0 5 bytes JMP 0000000077360390 .text C:\Windows\system32\svchost.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000771fc490 5 bytes JMP 00000000773602e0 .text C:\Windows\system32\svchost.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000771fc4a0 5 bytes JMP 0000000077360340 .text C:\Windows\system32\svchost.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000771fc500 5 bytes JMP 0000000077360280 .text C:\Windows\system32\svchost.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000771fc590 5 bytes JMP 00000000773602a0 .text C:\Windows\system32\svchost.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000771fc5b0 5 bytes JMP 00000000773603c0 .text C:\Windows\system32\svchost.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000771fc5c0 5 bytes JMP 0000000077360320 .text C:\Windows\system32\svchost.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000771fc630 5 bytes JMP 0000000077360410 .text C:\Windows\system32\svchost.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000771fc660 5 bytes JMP 0000000077360230 .text C:\Windows\system32\svchost.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 00000000771fc800 5 bytes JMP 00000000773603f0 .text C:\Windows\system32\svchost.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000771fc920 5 bytes JMP 00000000773601d0 .text C:\Windows\system32\svchost.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000771fc9e0 5 bytes JMP 0000000077360240 .text C:\Windows\system32\svchost.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000771fca10 5 bytes JMP 00000000773604b0 .text C:\Windows\system32\svchost.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000771fca20 5 bytes JMP 00000000773604c0 .text C:\Windows\system32\svchost.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000771fca50 5 bytes JMP 00000000773602f0 .text C:\Windows\system32\svchost.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000771fca60 5 bytes JMP 0000000077360350 .text C:\Windows\system32\svchost.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000771fcac0 5 bytes JMP 0000000077360290 .text C:\Windows\system32\svchost.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000771fcb10 5 bytes JMP 00000000773602b0 .text C:\Windows\system32\svchost.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000771fcb40 5 bytes JMP 0000000077360370 .text C:\Windows\system32\svchost.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000771fcb50 5 bytes JMP 0000000077360330 .text C:\Windows\system32\svchost.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000771fce40 5 bytes JMP 0000000077360460 .text C:\Windows\system32\svchost.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 00000000771fcfa0 5 bytes JMP 0000000077360420 .text C:\Windows\system32\svchost.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000771fd040 5 bytes JMP 0000000077360250 .text C:\Windows\system32\svchost.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000771fd050 5 bytes JMP 0000000077360260 .text C:\Windows\system32\svchost.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000771fd060 5 bytes JMP 0000000077360400 .text C:\Windows\system32\svchost.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000771fd220 5 bytes JMP 00000000773601e0 .text C:\Windows\system32\svchost.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000771fd230 5 bytes JMP 0000000077360200 .text C:\Windows\system32\svchost.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000771fd2a0 5 bytes JMP 00000000773601f0 .text C:\Windows\system32\svchost.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000771fd300 5 bytes JMP 0000000077360430 .text C:\Windows\system32\svchost.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000771fd310 5 bytes JMP 0000000077360450 .text C:\Windows\system32\svchost.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000771fd320 5 bytes JMP 0000000077360210 .text C:\Windows\system32\svchost.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000771fd400 5 bytes JMP 0000000077360270 .text C:\Windows\system32\svchost.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000771fbbe0 5 bytes JMP 0000000000070480 .text C:\Windows\system32\svchost.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000771fbc30 5 bytes JMP 0000000000070470 .text C:\Windows\system32\svchost.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000771fbd90 5 bytes JMP 0000000000070360 .text C:\Windows\system32\svchost.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000771fbde0 5 bytes JMP 0000000000070490 .text C:\Windows\system32\svchost.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000771fbdf0 5 bytes JMP 00000000000703d0 .text C:\Windows\system32\svchost.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000771fbea0 5 bytes JMP 0000000000070310 .text C:\Windows\system32\svchost.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000771fbed0 5 bytes JMP 00000000000703a0 .text C:\Windows\system32\svchost.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000771fbef0 1 byte JMP 0000000000070380 .text C:\Windows\system32\svchost.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 00000000771fbef2 3 bytes {JMP 0xffffffff88e74490} .text C:\Windows\system32\svchost.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000771fbf30 5 bytes JMP 00000000000702d0 .text C:\Windows\system32\svchost.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000771fbfb0 5 bytes JMP 00000000000702c0 .text C:\Windows\system32\svchost.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000771fbfd0 5 bytes JMP 0000000000070300 .text C:\Windows\system32\svchost.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000771fc010 5 bytes JMP 00000000000703b0 .text C:\Windows\system32\svchost.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000771fc050 5 bytes JMP 0000000000070440 .text C:\Windows\system32\svchost.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000771fc060 5 bytes JMP 00000000000703e0 .text C:\Windows\system32\svchost.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000771fc1c0 5 bytes JMP 0000000000070220 .text C:\Windows\system32\svchost.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000771fc380 5 bytes JMP 00000000000704a0 .text C:\Windows\system32\svchost.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000771fc3b0 5 bytes JMP 0000000000070390 .text C:\Windows\system32\svchost.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000771fc490 5 bytes JMP 00000000000702e0 .text C:\Windows\system32\svchost.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000771fc4a0 5 bytes JMP 0000000000070340 .text C:\Windows\system32\svchost.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000771fc500 5 bytes JMP 0000000000070280 .text C:\Windows\system32\svchost.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000771fc590 5 bytes JMP 00000000000702a0 .text C:\Windows\system32\svchost.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000771fc5b0 5 bytes JMP 00000000000703c0 .text C:\Windows\system32\svchost.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000771fc5c0 5 bytes JMP 0000000000070320 .text C:\Windows\system32\svchost.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000771fc630 5 bytes JMP 0000000000070410 .text C:\Windows\system32\svchost.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000771fc660 5 bytes JMP 0000000000070230 .text C:\Windows\system32\svchost.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 00000000771fc800 5 bytes JMP 00000000000703f0 .text C:\Windows\system32\svchost.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000771fc920 5 bytes JMP 00000000000701d0 .text C:\Windows\system32\svchost.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000771fc9e0 5 bytes JMP 0000000000070240 .text C:\Windows\system32\svchost.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000771fca10 5 bytes JMP 00000000000704b0 .text C:\Windows\system32\svchost.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000771fca20 5 bytes JMP 00000000000704c0 .text C:\Windows\system32\svchost.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000771fca50 5 bytes JMP 00000000000702f0 .text C:\Windows\system32\svchost.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000771fca60 5 bytes JMP 0000000000070350 .text C:\Windows\system32\svchost.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000771fcac0 5 bytes JMP 0000000000070290 .text C:\Windows\system32\svchost.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000771fcb10 5 bytes JMP 00000000000702b0 .text C:\Windows\system32\svchost.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000771fcb40 5 bytes JMP 0000000000070370 .text C:\Windows\system32\svchost.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000771fcb50 5 bytes JMP 0000000000070330 .text C:\Windows\system32\svchost.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000771fce40 5 bytes JMP 0000000000070460 .text C:\Windows\system32\svchost.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 00000000771fcfa0 5 bytes JMP 0000000000070420 .text C:\Windows\system32\svchost.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000771fd040 5 bytes JMP 0000000000070250 .text C:\Windows\system32\svchost.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000771fd050 5 bytes JMP 0000000000070260 .text C:\Windows\system32\svchost.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000771fd060 5 bytes JMP 0000000000070400 .text C:\Windows\system32\svchost.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000771fd220 5 bytes JMP 00000000000701e0 .text C:\Windows\system32\svchost.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000771fd230 5 bytes JMP 0000000000070200 .text C:\Windows\system32\svchost.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000771fd2a0 5 bytes JMP 00000000000701f0 .text C:\Windows\system32\svchost.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000771fd300 5 bytes JMP 0000000000070430 .text C:\Windows\system32\svchost.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000771fd310 5 bytes JMP 0000000000070450 .text C:\Windows\system32\svchost.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000771fd320 5 bytes JMP 0000000000070210 .text C:\Windows\system32\svchost.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000771fd400 5 bytes JMP 0000000000070270 .text C:\Windows\Explorer.EXE[1768] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000771fbbe0 5 bytes JMP 0000000077360480 .text C:\Windows\Explorer.EXE[1768] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000771fbc30 5 bytes JMP 0000000077360470 .text C:\Windows\Explorer.EXE[1768] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000771fbd90 5 bytes JMP 0000000077360360 .text C:\Windows\Explorer.EXE[1768] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000771fbde0 5 bytes JMP 0000000077360490 .text C:\Windows\Explorer.EXE[1768] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000771fbdf0 5 bytes JMP 00000000773603d0 .text C:\Windows\Explorer.EXE[1768] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000771fbea0 5 bytes JMP 0000000077360310 .text C:\Windows\Explorer.EXE[1768] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000771fbed0 5 bytes JMP 00000000773603a0 .text C:\Windows\Explorer.EXE[1768] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000771fbef0 1 byte JMP 0000000077360380 .text C:\Windows\Explorer.EXE[1768] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 00000000771fbef2 3 bytes {JMP 0x164490} .text C:\Windows\Explorer.EXE[1768] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000771fbf30 5 bytes JMP 00000000773602d0 .text C:\Windows\Explorer.EXE[1768] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000771fbfb0 5 bytes JMP 00000000773602c0 .text C:\Windows\Explorer.EXE[1768] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000771fbfd0 5 bytes JMP 0000000077360300 .text C:\Windows\Explorer.EXE[1768] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000771fc010 5 bytes JMP 00000000773603b0 .text C:\Windows\Explorer.EXE[1768] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000771fc050 5 bytes JMP 0000000077360440 .text C:\Windows\Explorer.EXE[1768] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000771fc060 5 bytes JMP 00000000773603e0 .text C:\Windows\Explorer.EXE[1768] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000771fc1c0 5 bytes JMP 0000000077360220 .text C:\Windows\Explorer.EXE[1768] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000771fc380 5 bytes JMP 00000000773604a0 .text C:\Windows\Explorer.EXE[1768] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000771fc3b0 5 bytes JMP 0000000077360390 .text C:\Windows\Explorer.EXE[1768] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000771fc490 5 bytes JMP 00000000773602e0 .text C:\Windows\Explorer.EXE[1768] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000771fc4a0 5 bytes JMP 0000000077360340 .text C:\Windows\Explorer.EXE[1768] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000771fc500 5 bytes JMP 0000000077360280 .text C:\Windows\Explorer.EXE[1768] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000771fc590 5 bytes JMP 00000000773602a0 .text C:\Windows\Explorer.EXE[1768] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000771fc5b0 5 bytes JMP 00000000773603c0 .text C:\Windows\Explorer.EXE[1768] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000771fc5c0 5 bytes JMP 0000000077360320 .text C:\Windows\Explorer.EXE[1768] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000771fc630 5 bytes JMP 0000000077360410 .text C:\Windows\Explorer.EXE[1768] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000771fc660 5 bytes JMP 0000000077360230 .text C:\Windows\Explorer.EXE[1768] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 00000000771fc800 5 bytes JMP 00000000773603f0 .text C:\Windows\Explorer.EXE[1768] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000771fc920 5 bytes JMP 00000000773601d0 .text C:\Windows\Explorer.EXE[1768] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000771fc9e0 5 bytes JMP 0000000077360240 .text C:\Windows\Explorer.EXE[1768] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000771fca10 5 bytes JMP 00000000773604b0 .text C:\Windows\Explorer.EXE[1768] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000771fca20 5 bytes JMP 00000000773604c0 .text C:\Windows\Explorer.EXE[1768] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000771fca50 5 bytes JMP 00000000773602f0 .text C:\Windows\Explorer.EXE[1768] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000771fca60 5 bytes JMP 0000000077360350 .text C:\Windows\Explorer.EXE[1768] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000771fcac0 5 bytes JMP 0000000077360290 .text C:\Windows\Explorer.EXE[1768] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000771fcb10 5 bytes JMP 00000000773602b0 .text C:\Windows\Explorer.EXE[1768] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000771fcb40 5 bytes JMP 0000000077360370 .text C:\Windows\Explorer.EXE[1768] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000771fcb50 5 bytes JMP 0000000077360330 .text C:\Windows\Explorer.EXE[1768] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000771fce40 5 bytes JMP 0000000077360460 .text C:\Windows\Explorer.EXE[1768] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 00000000771fcfa0 5 bytes JMP 0000000077360420 .text C:\Windows\Explorer.EXE[1768] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000771fd040 5 bytes JMP 0000000077360250 .text C:\Windows\Explorer.EXE[1768] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000771fd050 5 bytes JMP 0000000077360260 .text C:\Windows\Explorer.EXE[1768] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000771fd060 5 bytes JMP 0000000077360400 .text C:\Windows\Explorer.EXE[1768] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000771fd220 5 bytes JMP 00000000773601e0 .text C:\Windows\Explorer.EXE[1768] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000771fd230 5 bytes JMP 0000000077360200 .text C:\Windows\Explorer.EXE[1768] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000771fd2a0 5 bytes JMP 00000000773601f0 .text C:\Windows\Explorer.EXE[1768] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000771fd300 5 bytes JMP 0000000077360430 .text C:\Windows\Explorer.EXE[1768] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000771fd310 5 bytes JMP 0000000077360450 .text C:\Windows\Explorer.EXE[1768] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000771fd320 5 bytes JMP 0000000077360210 .text C:\Windows\Explorer.EXE[1768] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000771fd400 5 bytes JMP 0000000077360270 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4052] C:\Windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter 0000000076dd8791 8 bytes [31, C0, C2, 04, 00, 90, 90, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[4260] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000771fbbe0 5 bytes JMP 0000000077360480 .text C:\Windows\system32\wbem\wmiprvse.exe[4260] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000771fbc30 5 bytes JMP 0000000077360470 .text C:\Windows\system32\wbem\wmiprvse.exe[4260] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000771fbd90 5 bytes JMP 0000000077360360 .text C:\Windows\system32\wbem\wmiprvse.exe[4260] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000771fbde0 5 bytes JMP 0000000077360490 .text C:\Windows\system32\wbem\wmiprvse.exe[4260] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000771fbdf0 5 bytes JMP 00000000773603d0 .text C:\Windows\system32\wbem\wmiprvse.exe[4260] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000771fbea0 5 bytes JMP 0000000077360310 .text C:\Windows\system32\wbem\wmiprvse.exe[4260] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000771fbed0 5 bytes JMP 00000000773603a0 .text C:\Windows\system32\wbem\wmiprvse.exe[4260] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000771fbef0 1 byte JMP 0000000077360380 .text C:\Windows\system32\wbem\wmiprvse.exe[4260] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 00000000771fbef2 3 bytes {JMP 0x164490} .text C:\Windows\system32\wbem\wmiprvse.exe[4260] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000771fbf30 5 bytes JMP 00000000773602d0 .text C:\Windows\system32\wbem\wmiprvse.exe[4260] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000771fbfb0 5 bytes JMP 00000000773602c0 .text C:\Windows\system32\wbem\wmiprvse.exe[4260] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000771fbfd0 5 bytes JMP 0000000077360300 .text C:\Windows\system32\wbem\wmiprvse.exe[4260] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000771fc010 5 bytes JMP 00000000773603b0 .text C:\Windows\system32\wbem\wmiprvse.exe[4260] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000771fc050 5 bytes JMP 0000000077360440 .text C:\Windows\system32\wbem\wmiprvse.exe[4260] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000771fc060 5 bytes JMP 00000000773603e0 .text C:\Windows\system32\wbem\wmiprvse.exe[4260] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000771fc1c0 5 bytes JMP 0000000077360220 .text C:\Windows\system32\wbem\wmiprvse.exe[4260] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000771fc380 5 bytes JMP 00000000773604a0 .text C:\Windows\system32\wbem\wmiprvse.exe[4260] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000771fc3b0 5 bytes JMP 0000000077360390 .text C:\Windows\system32\wbem\wmiprvse.exe[4260] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000771fc490 5 bytes JMP 00000000773602e0 .text C:\Windows\system32\wbem\wmiprvse.exe[4260] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000771fc4a0 5 bytes JMP 0000000077360340 .text C:\Windows\system32\wbem\wmiprvse.exe[4260] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000771fc500 5 bytes JMP 0000000077360280 .text C:\Windows\system32\wbem\wmiprvse.exe[4260] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000771fc590 5 bytes JMP 00000000773602a0 .text C:\Windows\system32\wbem\wmiprvse.exe[4260] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000771fc5b0 5 bytes JMP 00000000773603c0 .text C:\Windows\system32\wbem\wmiprvse.exe[4260] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000771fc5c0 5 bytes JMP 0000000077360320 .text C:\Windows\system32\wbem\wmiprvse.exe[4260] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000771fc630 5 bytes JMP 0000000077360410 .text C:\Windows\system32\wbem\wmiprvse.exe[4260] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000771fc660 5 bytes JMP 0000000077360230 .text C:\Windows\system32\wbem\wmiprvse.exe[4260] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 00000000771fc800 5 bytes JMP 00000000773603f0 .text C:\Windows\system32\wbem\wmiprvse.exe[4260] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000771fc920 5 bytes JMP 00000000773601d0 .text C:\Windows\system32\wbem\wmiprvse.exe[4260] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000771fc9e0 5 bytes JMP 0000000077360240 .text C:\Windows\system32\wbem\wmiprvse.exe[4260] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000771fca10 5 bytes JMP 00000000773604b0 .text C:\Windows\system32\wbem\wmiprvse.exe[4260] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000771fca20 5 bytes JMP 00000000773604c0 .text C:\Windows\system32\wbem\wmiprvse.exe[4260] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000771fca50 5 bytes JMP 00000000773602f0 .text C:\Windows\system32\wbem\wmiprvse.exe[4260] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000771fca60 5 bytes JMP 0000000077360350 .text C:\Windows\system32\wbem\wmiprvse.exe[4260] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000771fcac0 5 bytes JMP 0000000077360290 .text C:\Windows\system32\wbem\wmiprvse.exe[4260] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000771fcb10 5 bytes JMP 00000000773602b0 .text C:\Windows\system32\wbem\wmiprvse.exe[4260] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000771fcb40 5 bytes JMP 0000000077360370 .text C:\Windows\system32\wbem\wmiprvse.exe[4260] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000771fcb50 5 bytes JMP 0000000077360330 .text C:\Windows\system32\wbem\wmiprvse.exe[4260] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000771fce40 5 bytes JMP 0000000077360460 .text C:\Windows\system32\wbem\wmiprvse.exe[4260] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 00000000771fcfa0 5 bytes JMP 0000000077360420 .text C:\Windows\system32\wbem\wmiprvse.exe[4260] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000771fd040 5 bytes JMP 0000000077360250 .text C:\Windows\system32\wbem\wmiprvse.exe[4260] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000771fd050 5 bytes JMP 0000000077360260 .text C:\Windows\system32\wbem\wmiprvse.exe[4260] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000771fd060 5 bytes JMP 0000000077360400 .text C:\Windows\system32\wbem\wmiprvse.exe[4260] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000771fd220 5 bytes JMP 00000000773601e0 .text C:\Windows\system32\wbem\wmiprvse.exe[4260] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000771fd230 5 bytes JMP 0000000077360200 .text C:\Windows\system32\wbem\wmiprvse.exe[4260] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000771fd2a0 5 bytes JMP 00000000773601f0 .text C:\Windows\system32\wbem\wmiprvse.exe[4260] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000771fd300 5 bytes JMP 0000000077360430 .text C:\Windows\system32\wbem\wmiprvse.exe[4260] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000771fd310 5 bytes JMP 0000000077360450 .text C:\Windows\system32\wbem\wmiprvse.exe[4260] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000771fd320 5 bytes JMP 0000000077360210 .text C:\Windows\system32\wbem\wmiprvse.exe[4260] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000771fd400 5 bytes JMP 0000000077360270 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[4984] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000076d82bdc 5 bytes JMP 0000000000318c60 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1208] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000771d2170 5 bytes JMP 000000000027075c .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1208] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 00000000771d5be0 5 bytes JMP 00000000002703a4 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1208] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000771fbdb0 14 bytes {MOV RAX, 0x7fef4e730f0; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1208] C:\Windows\system32\WS2_32.dll!connect 000007feff3242f0 5 bytes JMP 000007fe80000000 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1208] C:\Windows\system32\WS2_32.dll!WSAConnect 000007feff34e080 5 bytes JMP 000007fe8000001a .text C:\Program Files (x86)\Origin\Origin.exe[4580] C:\Windows\syswow64\kernel32.dll!CreateFileW 0000000076dd3f1c 13 bytes JMP 000000005bafb670 .text C:\Program Files (x86)\Origin\Origin.exe[4580] C:\Windows\syswow64\USER32.dll!SetWindowPos 0000000076008e5e 5 bytes JMP 000000005bafb4e0 .text C:\Program Files (x86)\Origin\Origin.exe[4580] C:\Windows\syswow64\USER32.dll!ShowWindow 0000000076010e0b 5 bytes JMP 000000005bafb340 .text C:\Program Files (x86)\Origin\Origin.exe[4580] C:\Windows\syswow64\USER32.dll!SetFocus 0000000076012185 5 bytes JMP 000000005bafb420 .text C:\Program Files (x86)\Origin\Origin.exe[4580] C:\Windows\syswow64\USER32.dll!SetActiveWindow 0000000076013218 5 bytes JMP 000000005bafb5b0 .text C:\Program Files (x86)\Origin\Origin.exe[4580] C:\Windows\syswow64\USER32.dll!BringWindowToTop 0000000076017b4b 13 bytes JMP 000000005bafb0e0 .text C:\Program Files (x86)\Origin\Origin.exe[4580] C:\Windows\syswow64\USER32.dll!SetForegroundWindow 000000007602f190 13 bytes JMP 000000005bafb020 .text C:\Program Files (x86)\Origin\Origin.exe[4580] C:\Windows\syswow64\USER32.dll!SwitchToThisWindow 000000007604912c 13 bytes JMP 000000005bafb1a0 .text C:\Program Files (x86)\Origin\Origin.exe[4580] C:\Windows\syswow64\USER32.dll!ShowWindowAsync 0000000076067e5f 5 bytes JMP 000000005bafb260 .text C:\Program Files (x86)\Origin\Origin.exe[4580] C:\Windows\syswow64\ole32.dll!DoDragDrop 00000000768ea89f 13 bytes JMP 000000005bafaf60 .text C:\Program Files (x86)\Origin\Origin.exe[4580] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000074d41401 2 bytes JMP 76dfb263 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Origin\Origin.exe[4580] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000074d41419 2 bytes JMP 76dfb38e C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Origin\Origin.exe[4580] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000074d41431 2 bytes JMP 76e790f1 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Origin\Origin.exe[4580] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000074d4144a 2 bytes CALL 76dd48ad C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\Origin\Origin.exe[4580] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000074d414dd 2 bytes JMP 76e789ea C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Origin\Origin.exe[4580] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000074d414f5 2 bytes JMP 76e78bc0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Origin\Origin.exe[4580] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000074d4150d 2 bytes JMP 76e788e0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Origin\Origin.exe[4580] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000074d41525 2 bytes JMP 76e78caa C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Origin\Origin.exe[4580] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000074d4153d 2 bytes JMP 76defce8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Origin\Origin.exe[4580] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000074d41555 2 bytes JMP 76df6937 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Origin\Origin.exe[4580] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000074d4156d 2 bytes JMP 76e791a9 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Origin\Origin.exe[4580] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000074d41585 2 bytes JMP 76e78d0a C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Origin\Origin.exe[4580] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000074d4159d 2 bytes JMP 76e788a4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Origin\Origin.exe[4580] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000074d415b5 2 bytes JMP 76defd81 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Origin\Origin.exe[4580] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000074d415cd 2 bytes JMP 76dfb324 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Origin\Origin.exe[4580] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000074d416b2 2 bytes JMP 76e7906c C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Origin\Origin.exe[4580] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000074d416bd 2 bytes JMP 76e78839 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6636] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000771d2170 5 bytes JMP 00000000001f075c .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6636] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 00000000771d5be0 5 bytes JMP 00000000001f03a4 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6636] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 00000000771fbc00 7 bytes [48, B8, F0, BF, 5E, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6636] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread + 8 00000000771fbc08 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6636] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadToken 00000000771fbd70 7 bytes [48, B8, 48, BF, 5E, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6636] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadToken + 8 00000000771fbd78 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6636] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000771fbd90 7 bytes [48, B8, C4, BE, 5E, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6636] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 00000000771fbd98 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6636] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile 00000000771fbda0 7 bytes [48, B8, C4, BF, 5E, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6636] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile + 8 00000000771fbda8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6636] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000771fbdb0 7 bytes [48, B8, D0, BD, 5E, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6636] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 00000000771fbdb8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6636] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 00000000771fbdd0 7 bytes [48, B8, 14, C0, 5E, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6636] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 00000000771fbdd8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6636] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadTokenEx 00000000771fbe20 7 bytes [48, B8, 6C, BF, 5E, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6636] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadTokenEx + 8 00000000771fbe28 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6636] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessTokenEx 00000000771fbe30 7 bytes [48, B8, 00, BF, 5E, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6636] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessTokenEx + 8 00000000771fbe38 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6636] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000771fbe60 7 bytes [48, B8, 54, BE, 5E, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6636] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile + 8 00000000771fbe68 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6636] C:\Windows\SYSTEM32\ntdll.dll!NtQueryAttributesFile 00000000771fbf00 7 bytes [48, B8, 9C, BF, 5E, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6636] C:\Windows\SYSTEM32\ntdll.dll!NtQueryAttributesFile + 8 00000000771fbf08 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6636] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000771fc080 7 bytes [48, B8, 18, BD, 5E, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6636] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 00000000771fc088 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6636] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken 00000000771fcaf0 7 bytes {ADD [RAX-0x48], CL; CALL 0x13f5ec6} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6636] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken + 8 00000000771fcaf8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6636] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000771fcb40 7 bytes [48, B8, 24, BF, 5E, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6636] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread + 8 00000000771fcb48 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6636] C:\Windows\SYSTEM32\ntdll.dll!NtQueryFullAttributesFile 00000000771fcc90 7 bytes [48, B8, B0, BF, 5E, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6636] C:\Windows\SYSTEM32\ntdll.dll!NtQueryFullAttributesFile + 8 00000000771fcc98 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7024] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000771d2170 5 bytes JMP 000000000045075c .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7024] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 00000000771d5be0 5 bytes JMP 00000000004503a4 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7024] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 00000000771fbc00 7 bytes [48, B8, F0, BF, 5E, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7024] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread + 8 00000000771fbc08 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7024] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadToken 00000000771fbd70 7 bytes [48, B8, 48, BF, 5E, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7024] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadToken + 8 00000000771fbd78 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7024] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000771fbd90 7 bytes [48, B8, C4, BE, 5E, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7024] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 00000000771fbd98 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7024] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile 00000000771fbda0 7 bytes [48, B8, C4, BF, 5E, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7024] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile + 8 00000000771fbda8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7024] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000771fbdb0 7 bytes [48, B8, D0, BD, 5E, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7024] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 00000000771fbdb8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7024] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 00000000771fbdd0 7 bytes [48, B8, 14, C0, 5E, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7024] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 00000000771fbdd8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7024] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadTokenEx 00000000771fbe20 7 bytes [48, B8, 6C, BF, 5E, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7024] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadTokenEx + 8 00000000771fbe28 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7024] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessTokenEx 00000000771fbe30 7 bytes [48, B8, 00, BF, 5E, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7024] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessTokenEx + 8 00000000771fbe38 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7024] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000771fbe60 7 bytes [48, B8, 54, BE, 5E, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7024] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile + 8 00000000771fbe68 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7024] C:\Windows\SYSTEM32\ntdll.dll!NtQueryAttributesFile 00000000771fbf00 7 bytes [48, B8, 9C, BF, 5E, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7024] C:\Windows\SYSTEM32\ntdll.dll!NtQueryAttributesFile + 8 00000000771fbf08 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7024] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000771fc080 7 bytes [48, B8, 18, BD, 5E, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7024] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 00000000771fc088 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7024] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken 00000000771fcaf0 7 bytes {ADD [RAX-0x48], CL; CALL 0x13f5ec6} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7024] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken + 8 00000000771fcaf8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7024] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000771fcb40 7 bytes [48, B8, 24, BF, 5E, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7024] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread + 8 00000000771fcb48 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7024] C:\Windows\SYSTEM32\ntdll.dll!NtQueryFullAttributesFile 00000000771fcc90 7 bytes [48, B8, B0, BF, 5E, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7024] C:\Windows\SYSTEM32\ntdll.dll!NtQueryFullAttributesFile + 8 00000000771fcc98 6 bytes {ADD [RAX], AL; JMP RAX} ---- User IAT/EAT - GMER 2.2 ---- IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6636] @ C:\Windows\system32\dwrite.dll[ADVAPI32.dll!OpenServiceW] [7fedccdaef8] C:\Program Files (x86)\Google\Chrome\Application\51.0.2704.106\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6636] @ C:\Windows\system32\dwrite.dll[ADVAPI32.dll!CloseServiceHandle] [7fedccda630] C:\Program Files (x86)\Google\Chrome\Application\51.0.2704.106\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6636] @ C:\Windows\system32\dwrite.dll[ADVAPI32.dll!OpenSCManagerW] [7fedccdaee0] C:\Program Files (x86)\Google\Chrome\Application\51.0.2704.106\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6636] @ C:\Windows\system32\dwrite.dll[ADVAPI32.dll!StartServiceW] [7fedccdb31c] C:\Program Files (x86)\Google\Chrome\Application\51.0.2704.106\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6636] @ C:\Windows\system32\dwrite.dll[ntdll.dll!NtAlpcConnectPort] [7fedccdaed8] C:\Program Files (x86)\Google\Chrome\Application\51.0.2704.106\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7024] @ C:\Windows\system32\dwrite.dll[ADVAPI32.dll!OpenServiceW] [7fedccdaef8] C:\Program Files (x86)\Google\Chrome\Application\51.0.2704.106\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7024] @ C:\Windows\system32\dwrite.dll[ADVAPI32.dll!CloseServiceHandle] [7fedccda630] C:\Program Files (x86)\Google\Chrome\Application\51.0.2704.106\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7024] @ C:\Windows\system32\dwrite.dll[ADVAPI32.dll!OpenSCManagerW] [7fedccdaee0] C:\Program Files (x86)\Google\Chrome\Application\51.0.2704.106\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7024] @ C:\Windows\system32\dwrite.dll[ADVAPI32.dll!StartServiceW] [7fedccdb31c] C:\Program Files (x86)\Google\Chrome\Application\51.0.2704.106\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[7024] @ C:\Windows\system32\dwrite.dll[ntdll.dll!NtAlpcConnectPort] [7fedccdaed8] C:\Program Files (x86)\Google\Chrome\Application\51.0.2704.106\chrome_child.dll ---- Threads - GMER 2.2 ---- Thread C:\Windows\System32\svchost.exe [1028:1184] 000007fefba7f2c0 Thread C:\Windows\System32\svchost.exe [1028:1204] 000007fefb9f6204 Thread C:\Windows\System32\svchost.exe [1028:1332] 000007fefaf32070 Thread C:\Windows\System32\svchost.exe [1028:1336] 000007fefae35428 Thread C:\Windows\System32\svchost.exe [1028:3120] 000007fef7b06b8c Thread C:\Windows\System32\svchost.exe [1028:3128] 000007fef7b01d88 Thread C:\Windows\System32\svchost.exe [1028:5144] 000007fef7cb5fd0 Thread C:\Windows\System32\svchost.exe [1028:5228] 000007fefecfc608 Thread C:\Windows\System32\svchost.exe [1060:3028] 000007fef78e20c0 Thread C:\Windows\System32\svchost.exe [1060:3032] 000007fef78e26a8 Thread C:\Windows\System32\svchost.exe [1060:3040] 000007fef78e29dc Thread C:\Windows\System32\svchost.exe [1060:3048] 000007fef78e29dc Thread C:\Windows\System32\svchost.exe [1060:3440] 000007fef73742c8 Thread C:\Windows\System32\svchost.exe [1060:3456] 000007fef7cb5fd0 Thread C:\Windows\System32\svchost.exe [1060:3460] 000007fef7cb63ec Thread C:\Windows\System32\svchost.exe [1060:6660] 000007feef5b89b8 Thread C:\Windows\System32\svchost.exe [1060:1352] 000007fef038a2b0 Thread C:\Windows\system32\svchost.exe [1104:468] 000007fef9775124 Thread C:\Windows\system32\svchost.exe [1104:7120] 000007fefb5e1ab0 Thread C:\Windows\system32\svchost.exe [1104:7052] 000007fefa724164 Thread C:\Windows\system32\svchost.exe [1248:3244] 000007fef6830ea8 Thread C:\Windows\system32\svchost.exe [1248:3252] 000007fef6829db0 Thread C:\Windows\system32\svchost.exe [1248:3308] 000007fef6831c94 Thread C:\Windows\system32\svchost.exe [1248:3328] 000007fef682aa10 Thread C:\Windows\system32\svchost.exe [1248:3480] 000007fefa23c2d4 Thread C:\Windows\system32\svchost.exe [1248:3504] 000007fefa23c2d4 Thread C:\Windows\system32\svchost.exe [1248:3492] 000007fefa23c2d4 Thread C:\Windows\system32\svchost.exe [1248:3488] 000007fefa23c2d4 Thread C:\Windows\system32\svchost.exe [1248:3496] 000007fef9775124 Thread C:\Windows\system32\svchost.exe [1248:5172] 000007fef73dd3c8 Thread C:\Windows\system32\svchost.exe [1248:5176] 000007fef73dd3c8 Thread C:\Windows\system32\svchost.exe [1248:5180] 000007fef73dd3c8 Thread C:\Windows\system32\svchost.exe [1248:5184] 000007fef73dd3c8 Thread C:\Windows\system32\svchost.exe [1248:5196] 000007feef430184 Thread C:\Windows\system32\svchost.exe [1248:5200] 000007feef42f9c8 Thread C:\Windows\system32\svchost.exe [1324:1368] 000007fefae0341c Thread C:\Windows\system32\svchost.exe [1324:1372] 000007fefae03a2c Thread C:\Windows\system32\svchost.exe [1324:1376] 000007fefae03768 Thread C:\Windows\system32\svchost.exe [1324:1380] 000007fefae05c20 Thread C:\Windows\system32\svchost.exe [1324:1704] 000007fefae03900 Thread C:\Windows\system32\svchost.exe [1324:2424] 000007fef97dbd70 Thread C:\Windows\system32\svchost.exe [1324:3424] 000007fef9775124 Thread C:\Windows\system32\svchost.exe [1324:5232] 000007fef6a95170 Thread C:\Windows\System32\spoolsv.exe [1616:2896] 000007fef7f010c8 Thread C:\Windows\System32\spoolsv.exe [1616:2904] 000007fef7ec6144 Thread C:\Windows\System32\spoolsv.exe [1616:2908] 000007fef7cb5fd0 Thread C:\Windows\System32\spoolsv.exe [1616:2912] 000007fef7ca3438 Thread C:\Windows\System32\spoolsv.exe [1616:2916] 000007fef7cb63ec Thread C:\Windows\System32\spoolsv.exe [1616:2924] 000007fef81b5e5c Thread C:\Windows\System32\spoolsv.exe [1616:2928] 000007fef81e5074 Thread C:\Windows\System32\spoolsv.exe [1616:3168] 000007fef8252288 Thread C:\Windows\System32\svchost.exe [2052:2236] 000007fef9aa0360 Thread C:\Windows\System32\svchost.exe [2052:2240] 000007fef9a7e460 Thread C:\Windows\System32\svchost.exe [2052:2244] 000007fef9a7e450 Thread C:\Windows\System32\svchost.exe [2052:2248] 000007fef9a45570 Thread C:\Windows\System32\svchost.exe [2052:2252] 000007fef9a7a130 Thread C:\Windows\System32\svchost.exe [2052:2256] 000007fef9a45560 Thread C:\Windows\System32\svchost.exe [2052:2260] 000007fef9ac82a0 Thread C:\Windows\System32\svchost.exe [1744:3556] 000007fef6949688 Thread C:\Windows\system32\svchost.exe [2632:2920] 000007feff4aa808 Thread C:\Windows\system32\svchost.exe [3380:3412] 000007fef6978470 Thread C:\Windows\system32\svchost.exe [3380:3416] 000007fef6982418 Thread C:\Windows\system32\svchost.exe [3380:4144] 000007fef7cb5fd0 Thread C:\Windows\system32\svchost.exe [3380:5108] 000007fef7cb63ec Thread C:\Windows\system32\svchost.exe [3380:6004] 000007feee64f130 Thread C:\Windows\system32\svchost.exe [3380:5336] 000007feee644734 Thread C:\Windows\system32\svchost.exe [3380:3148] 000007feee644734 Thread C:\Windows\system32\svchost.exe [3484:3064] 000007feff4aa808 Thread C:\Windows\system32\svchost.exe [3484:3784] 000007feff4aa808 Thread C:\Windows\system32\svchost.exe [3484:3788] 000000006cafb5fc Thread C:\Windows\system32\svchost.exe [3484:3664] 0000000070c51760 Thread C:\Windows\system32\svchost.exe [3484:3792] 000000006cb78b1c Thread C:\Windows\system32\svchost.exe [3484:632] 000000006cb7c740 Thread C:\Windows\system32\svchost.exe [3484:796] 000000006cb8498c Thread C:\Windows\system32\svchost.exe [3484:960] 000000006cba2234 Thread C:\Windows\system32\svchost.exe [3484:124] 000000006cb20398 Thread C:\Windows\system32\svchost.exe [3484:260] 000000006caf6394 Thread C:\Windows\system32\taskhost.exe [2648:1748] 000007fef4062740 Thread C:\Windows\system32\taskhost.exe [2648:3144] 000007fef4051f38 Thread C:\Windows\system32\taskhost.exe [2648:2708] 000007fefaba1010 Thread C:\Windows\system32\taskhost.exe [2648:1432] 000007fef6a95170 Thread C:\Windows\Explorer.EXE [1768:2672] 000007fef30a2154 Thread C:\Windows\Explorer.EXE [1768:4700] 000007fefb9f6204 Thread C:\Windows\Explorer.EXE [1768:4864] 000007fef0722118 Thread C:\Windows\Explorer.EXE [1768:5508] 000007fefaba1010 Thread C:\Windows\Explorer.EXE [1768:4132] 000007fefabaa850 Thread C:\Windows\WindowsMobile\wmdc.exe [2956:3080] 000000006ca93804 Thread C:\Windows\WindowsMobile\wmdc.exe [2956:1788] 000000006cab3368 Thread C:\Windows\servicing\TrustedInstaller.exe [3520:5916] 000007feff4aa808 ---- EOF - GMER 2.2 ----