GMER 2.2.19882 - http://www.gmer.net Rootkit scan 2016-09-04 22:38:22 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk1\DR1 -> \Device\Ide\IdeDeviceP3T0L0-5 OCZ-VERTEX3 rev.2.25 55,90GB Running: md273dif.exe; Driver: G:\Local\Temp\pwdoqpob.sys ---- User code sections - GMER 2.2 ---- .text C:\Windows\system32\csrss.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000779ada60 5 bytes JMP 0000000049790480 .text C:\Windows\system32\csrss.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000779adab0 5 bytes JMP 0000000049790470 .text C:\Windows\system32\csrss.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000779adc10 5 bytes JMP 0000000049790360 .text C:\Windows\system32\csrss.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000779adc60 5 bytes JMP 0000000049790490 .text C:\Windows\system32\csrss.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779adc70 5 bytes JMP 00000000497903d0 .text C:\Windows\system32\csrss.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000779add20 5 bytes JMP 0000000049790310 .text C:\Windows\system32\csrss.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000779add50 5 bytes JMP 00000000497903a0 .text C:\Windows\system32\csrss.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000779add70 5 bytes JMP 0000000049790380 .text C:\Windows\system32\csrss.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000779addb0 5 bytes JMP 00000000497902d0 .text C:\Windows\system32\csrss.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000779ade30 1 byte JMP 00000000497902c0 .text C:\Windows\system32\csrss.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 00000000779ade32 3 bytes {JMP 0xffffffffd1de2490} .text C:\Windows\system32\csrss.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779ade50 5 bytes JMP 0000000049790300 .text C:\Windows\system32\csrss.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779ade90 5 bytes JMP 00000000497903b0 .text C:\Windows\system32\csrss.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000779aded0 5 bytes JMP 0000000049790440 .text C:\Windows\system32\csrss.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000779adee0 5 bytes JMP 00000000497903e0 .text C:\Windows\system32\csrss.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000779ae040 5 bytes JMP 0000000049790220 .text C:\Windows\system32\csrss.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000779ae200 5 bytes JMP 00000000497904a0 .text C:\Windows\system32\csrss.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000779ae230 5 bytes JMP 0000000049790390 .text C:\Windows\system32\csrss.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000779ae310 5 bytes JMP 00000000497902e0 .text C:\Windows\system32\csrss.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000779ae320 5 bytes JMP 0000000049790340 .text C:\Windows\system32\csrss.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000779ae380 5 bytes JMP 0000000049790280 .text C:\Windows\system32\csrss.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000779ae410 1 byte JMP 00000000497902a0 .text C:\Windows\system32\csrss.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 00000000779ae412 3 bytes {JMP 0xffffffffd1de1e90} .text C:\Windows\system32\csrss.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000779ae430 1 byte JMP 00000000497903c0 .text C:\Windows\system32\csrss.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 00000000779ae432 3 bytes {JMP 0xffffffffd1de1f90} .text C:\Windows\system32\csrss.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000779ae440 5 bytes JMP 0000000049790320 .text C:\Windows\system32\csrss.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000779ae4b0 5 bytes JMP 0000000049790410 .text C:\Windows\system32\csrss.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000779ae4e0 5 bytes JMP 0000000049790230 .text C:\Windows\system32\csrss.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 00000000779ae680 5 bytes JMP 00000000497903f0 .text C:\Windows\system32\csrss.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000779ae7a0 5 bytes JMP 00000000497901d0 .text C:\Windows\system32\csrss.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000779ae860 5 bytes JMP 0000000049790240 .text C:\Windows\system32\csrss.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000779ae890 5 bytes JMP 00000000497904b0 .text C:\Windows\system32\csrss.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000779ae8a0 5 bytes JMP 00000000497904c0 .text C:\Windows\system32\csrss.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000779ae8d0 5 bytes JMP 00000000497902f0 .text C:\Windows\system32\csrss.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000779ae8e0 5 bytes JMP 0000000049790350 .text C:\Windows\system32\csrss.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000779ae940 5 bytes JMP 0000000049790290 .text C:\Windows\system32\csrss.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000779ae990 5 bytes JMP 00000000497902b0 .text C:\Windows\system32\csrss.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000779ae9c0 5 bytes JMP 0000000049790370 .text C:\Windows\system32\csrss.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000779ae9d0 5 bytes JMP 0000000049790330 .text C:\Windows\system32\csrss.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000779aecc0 5 bytes JMP 0000000049790460 .text C:\Windows\system32\csrss.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 00000000779aee20 5 bytes JMP 0000000049790420 .text C:\Windows\system32\csrss.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000779aeec0 1 byte JMP 0000000049790250 .text C:\Windows\system32\csrss.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 00000000779aeec2 3 bytes {JMP 0xffffffffd1de1390} .text C:\Windows\system32\csrss.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000779aeed0 1 byte JMP 0000000049790260 .text C:\Windows\system32\csrss.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 00000000779aeed2 3 bytes {JMP 0xffffffffd1de1390} .text C:\Windows\system32\csrss.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000779aeee0 5 bytes JMP 0000000049790400 .text C:\Windows\system32\csrss.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000779af0a0 5 bytes JMP 00000000497901e0 .text C:\Windows\system32\csrss.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000779af0b0 5 bytes JMP 0000000049790200 .text C:\Windows\system32\csrss.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000779af120 5 bytes JMP 00000000497901f0 .text C:\Windows\system32\csrss.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000779af180 5 bytes JMP 0000000049790430 .text C:\Windows\system32\csrss.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000779af190 5 bytes JMP 0000000049790450 .text C:\Windows\system32\csrss.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000779af1a0 5 bytes JMP 0000000049790210 .text C:\Windows\system32\csrss.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000779af280 5 bytes JMP 0000000049790270 .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000779ada60 5 bytes JMP 0000000049790480 .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000779adab0 5 bytes JMP 0000000049790470 .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000779adc10 5 bytes JMP 0000000049790360 .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000779adc60 5 bytes JMP 0000000049790490 .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779adc70 5 bytes JMP 00000000497903d0 .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000779add20 5 bytes JMP 0000000049790310 .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000779add50 5 bytes JMP 00000000497903a0 .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000779add70 5 bytes JMP 0000000049790380 .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000779addb0 5 bytes JMP 00000000497902d0 .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000779ade30 1 byte JMP 00000000497902c0 .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 00000000779ade32 3 bytes {JMP 0xffffffffd1de2490} .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779ade50 5 bytes JMP 0000000049790300 .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779ade90 5 bytes JMP 00000000497903b0 .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000779aded0 5 bytes JMP 0000000049790440 .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000779adee0 5 bytes JMP 00000000497903e0 .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000779ae040 5 bytes JMP 0000000049790220 .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000779ae200 5 bytes JMP 00000000497904a0 .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000779ae230 5 bytes JMP 0000000049790390 .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000779ae310 5 bytes JMP 00000000497902e0 .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000779ae320 5 bytes JMP 0000000049790340 .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000779ae380 5 bytes JMP 0000000049790280 .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000779ae410 1 byte JMP 00000000497902a0 .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 00000000779ae412 3 bytes {JMP 0xffffffffd1de1e90} .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000779ae430 1 byte JMP 00000000497903c0 .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 00000000779ae432 3 bytes {JMP 0xffffffffd1de1f90} .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000779ae440 5 bytes JMP 0000000049790320 .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000779ae4b0 5 bytes JMP 0000000049790410 .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000779ae4e0 5 bytes JMP 0000000049790230 .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 00000000779ae680 5 bytes JMP 00000000497903f0 .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000779ae7a0 5 bytes JMP 00000000497901d0 .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000779ae860 5 bytes JMP 0000000049790240 .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000779ae890 5 bytes JMP 00000000497904b0 .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000779ae8a0 5 bytes JMP 00000000497904c0 .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000779ae8d0 5 bytes JMP 00000000497902f0 .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000779ae8e0 5 bytes JMP 0000000049790350 .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000779ae940 5 bytes JMP 0000000049790290 .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000779ae990 5 bytes JMP 00000000497902b0 .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000779ae9c0 5 bytes JMP 0000000049790370 .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000779ae9d0 5 bytes JMP 0000000049790330 .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000779aecc0 5 bytes JMP 0000000049790460 .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 00000000779aee20 5 bytes JMP 0000000049790420 .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000779aeec0 1 byte JMP 0000000049790250 .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 00000000779aeec2 3 bytes {JMP 0xffffffffd1de1390} .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000779aeed0 1 byte JMP 0000000049790260 .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 00000000779aeed2 3 bytes {JMP 0xffffffffd1de1390} .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000779aeee0 5 bytes JMP 0000000049790400 .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000779af0a0 5 bytes JMP 00000000497901e0 .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000779af0b0 5 bytes JMP 0000000049790200 .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000779af120 5 bytes JMP 00000000497901f0 .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000779af180 5 bytes JMP 0000000049790430 .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000779af190 5 bytes JMP 0000000049790450 .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000779af1a0 5 bytes JMP 0000000049790210 .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000779af280 5 bytes JMP 0000000049790270 .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000779ada60 5 bytes JMP 0000000077b10480 .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000779adab0 5 bytes JMP 0000000077b10470 .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000779adc10 5 bytes JMP 0000000077b10360 .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000779adc60 5 bytes JMP 0000000077b10490 .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779adc70 5 bytes JMP 0000000077b103d0 .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000779add20 5 bytes JMP 0000000077b10310 .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000779add50 5 bytes JMP 0000000077b103a0 .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000779add70 5 bytes JMP 0000000077b10380 .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000779addb0 5 bytes JMP 0000000077b102d0 .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000779ade30 1 byte JMP 0000000077b102c0 .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 00000000779ade32 3 bytes {JMP 0x162490} .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779ade50 5 bytes JMP 0000000077b10300 .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779ade90 5 bytes JMP 0000000077b103b0 .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000779aded0 5 bytes JMP 0000000077b10440 .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000779adee0 5 bytes JMP 0000000077b103e0 .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000779ae040 5 bytes JMP 0000000077b10220 .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000779ae200 5 bytes JMP 0000000077b104a0 .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000779ae230 5 bytes JMP 0000000077b10390 .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000779ae310 5 bytes JMP 0000000077b102e0 .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000779ae320 5 bytes JMP 0000000077b10340 .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000779ae380 5 bytes JMP 0000000077b10280 .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000779ae410 1 byte JMP 0000000077b102a0 .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 00000000779ae412 3 bytes {JMP 0x161e90} .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000779ae430 1 byte JMP 0000000077b103c0 .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 00000000779ae432 3 bytes {JMP 0x161f90} .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000779ae440 5 bytes JMP 0000000077b10320 .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000779ae4b0 5 bytes JMP 0000000077b10410 .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000779ae4e0 5 bytes JMP 0000000077b10230 .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 00000000779ae680 5 bytes JMP 0000000077b103f0 .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000779ae7a0 5 bytes JMP 0000000077b101d0 .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000779ae860 5 bytes JMP 0000000077b10240 .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000779ae890 5 bytes JMP 0000000077b104b0 .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000779ae8a0 5 bytes JMP 0000000077b104c0 .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000779ae8d0 5 bytes JMP 0000000077b102f0 .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000779ae8e0 5 bytes JMP 0000000077b10350 .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000779ae940 5 bytes JMP 0000000077b10290 .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000779ae990 5 bytes JMP 0000000077b102b0 .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000779ae9c0 5 bytes JMP 0000000077b10370 .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000779ae9d0 5 bytes JMP 0000000077b10330 .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000779aecc0 5 bytes JMP 0000000077b10460 .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 00000000779aee20 5 bytes JMP 0000000077b10420 .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000779aeec0 1 byte JMP 0000000077b10250 .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 00000000779aeec2 3 bytes {JMP 0x161390} .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000779aeed0 1 byte JMP 0000000077b10260 .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 00000000779aeed2 3 bytes {JMP 0x161390} .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000779aeee0 5 bytes JMP 0000000077b10400 .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000779af0a0 5 bytes JMP 0000000077b101e0 .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000779af0b0 5 bytes JMP 0000000077b10200 .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000779af120 5 bytes JMP 0000000077b101f0 .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000779af180 5 bytes JMP 0000000077b10430 .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000779af190 5 bytes JMP 0000000077b10450 .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000779af1a0 5 bytes JMP 0000000077b10210 .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000779af280 5 bytes JMP 0000000077b10270 .text C:\Windows\system32\lsm.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000779ada60 5 bytes JMP 0000000077b10480 .text C:\Windows\system32\lsm.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000779adab0 5 bytes JMP 0000000077b10470 .text C:\Windows\system32\lsm.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000779adc10 5 bytes JMP 0000000077b10360 .text C:\Windows\system32\lsm.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000779adc60 5 bytes JMP 0000000077b10490 .text C:\Windows\system32\lsm.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779adc70 5 bytes JMP 0000000077b103d0 .text C:\Windows\system32\lsm.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000779add20 5 bytes JMP 0000000077b10310 .text C:\Windows\system32\lsm.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000779add50 5 bytes JMP 0000000077b103a0 .text C:\Windows\system32\lsm.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000779add70 5 bytes JMP 0000000077b10380 .text C:\Windows\system32\lsm.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000779addb0 5 bytes JMP 0000000077b102d0 .text C:\Windows\system32\lsm.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000779ade30 1 byte JMP 0000000077b102c0 .text C:\Windows\system32\lsm.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 00000000779ade32 3 bytes {JMP 0x162490} .text C:\Windows\system32\lsm.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779ade50 5 bytes JMP 0000000077b10300 .text C:\Windows\system32\lsm.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779ade90 5 bytes JMP 0000000077b103b0 .text C:\Windows\system32\lsm.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000779aded0 5 bytes JMP 0000000077b10440 .text C:\Windows\system32\lsm.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000779adee0 5 bytes JMP 0000000077b103e0 .text C:\Windows\system32\lsm.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000779ae040 5 bytes JMP 0000000077b10220 .text C:\Windows\system32\lsm.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000779ae200 5 bytes JMP 0000000077b104a0 .text C:\Windows\system32\lsm.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000779ae230 5 bytes JMP 0000000077b10390 .text C:\Windows\system32\lsm.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000779ae310 5 bytes JMP 0000000077b102e0 .text C:\Windows\system32\lsm.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000779ae320 5 bytes JMP 0000000077b10340 .text C:\Windows\system32\lsm.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000779ae380 5 bytes JMP 0000000077b10280 .text C:\Windows\system32\lsm.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000779ae410 1 byte JMP 0000000077b102a0 .text C:\Windows\system32\lsm.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 00000000779ae412 3 bytes {JMP 0x161e90} .text C:\Windows\system32\lsm.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000779ae430 1 byte JMP 0000000077b103c0 .text C:\Windows\system32\lsm.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 00000000779ae432 3 bytes {JMP 0x161f90} .text C:\Windows\system32\lsm.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000779ae440 5 bytes JMP 0000000077b10320 .text C:\Windows\system32\lsm.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000779ae4b0 5 bytes JMP 0000000077b10410 .text C:\Windows\system32\lsm.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000779ae4e0 5 bytes JMP 0000000077b10230 .text C:\Windows\system32\lsm.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 00000000779ae680 5 bytes JMP 0000000077b103f0 .text C:\Windows\system32\lsm.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000779ae7a0 5 bytes JMP 0000000077b101d0 .text C:\Windows\system32\lsm.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000779ae860 5 bytes JMP 0000000077b10240 .text C:\Windows\system32\lsm.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000779ae890 5 bytes JMP 0000000077b104b0 .text C:\Windows\system32\lsm.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000779ae8a0 5 bytes JMP 0000000077b104c0 .text C:\Windows\system32\lsm.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000779ae8d0 5 bytes JMP 0000000077b102f0 .text C:\Windows\system32\lsm.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000779ae8e0 5 bytes JMP 0000000077b10350 .text C:\Windows\system32\lsm.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000779ae940 5 bytes JMP 0000000077b10290 .text C:\Windows\system32\lsm.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000779ae990 5 bytes JMP 0000000077b102b0 .text C:\Windows\system32\lsm.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000779ae9c0 5 bytes JMP 0000000077b10370 .text C:\Windows\system32\lsm.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000779ae9d0 5 bytes JMP 0000000077b10330 .text C:\Windows\system32\lsm.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000779aecc0 5 bytes JMP 0000000077b10460 .text C:\Windows\system32\lsm.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 00000000779aee20 5 bytes JMP 0000000077b10420 .text C:\Windows\system32\lsm.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000779aeec0 1 byte JMP 0000000077b10250 .text C:\Windows\system32\lsm.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 00000000779aeec2 3 bytes {JMP 0x161390} .text C:\Windows\system32\lsm.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000779aeed0 1 byte JMP 0000000077b10260 .text C:\Windows\system32\lsm.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 00000000779aeed2 3 bytes {JMP 0x161390} .text C:\Windows\system32\lsm.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000779aeee0 5 bytes JMP 0000000077b10400 .text C:\Windows\system32\lsm.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000779af0a0 5 bytes JMP 0000000077b101e0 .text C:\Windows\system32\lsm.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000779af0b0 5 bytes JMP 0000000077b10200 .text C:\Windows\system32\lsm.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000779af120 5 bytes JMP 0000000077b101f0 .text C:\Windows\system32\lsm.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000779af180 5 bytes JMP 0000000077b10430 .text C:\Windows\system32\lsm.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000779af190 5 bytes JMP 0000000077b10450 .text C:\Windows\system32\lsm.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000779af1a0 5 bytes JMP 0000000077b10210 .text C:\Windows\system32\lsm.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000779af280 5 bytes JMP 0000000077b10270 .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000779ada60 5 bytes JMP 0000000000070480 .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000779adab0 5 bytes JMP 0000000000070470 .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000779adc10 5 bytes JMP 0000000000070360 .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000779adc60 5 bytes JMP 0000000000070490 .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779adc70 5 bytes JMP 00000000000703d0 .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000779add20 5 bytes JMP 0000000000070310 .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000779add50 5 bytes JMP 00000000000703a0 .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000779add70 5 bytes JMP 0000000000070380 .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000779addb0 5 bytes JMP 00000000000702d0 .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000779ade30 1 byte JMP 00000000000702c0 .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 00000000779ade32 3 bytes {JMP 0xffffffff886c2490} .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779ade50 5 bytes JMP 0000000000070300 .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779ade90 5 bytes JMP 00000000000703b0 .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000779aded0 5 bytes JMP 0000000000070440 .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000779adee0 5 bytes JMP 00000000000703e0 .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000779ae040 5 bytes JMP 0000000000070220 .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000779ae200 5 bytes JMP 00000000000704a0 .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000779ae230 5 bytes JMP 0000000000070390 .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000779ae310 5 bytes JMP 00000000000702e0 .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000779ae320 5 bytes JMP 0000000000070340 .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000779ae380 5 bytes JMP 0000000000070280 .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000779ae410 1 byte JMP 00000000000702a0 .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 00000000779ae412 3 bytes {JMP 0xffffffff886c1e90} .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000779ae430 1 byte JMP 00000000000703c0 .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 00000000779ae432 3 bytes {JMP 0xffffffff886c1f90} .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000779ae440 5 bytes JMP 0000000000070320 .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000779ae4b0 5 bytes JMP 0000000000070410 .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000779ae4e0 5 bytes JMP 0000000000070230 .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 00000000779ae680 5 bytes JMP 00000000000703f0 .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000779ae7a0 5 bytes JMP 00000000000701d0 .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000779ae860 5 bytes JMP 0000000000070240 .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000779ae890 5 bytes JMP 00000000000704b0 .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000779ae8a0 5 bytes JMP 00000000000704c0 .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000779ae8d0 5 bytes JMP 00000000000702f0 .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000779ae8e0 5 bytes JMP 0000000000070350 .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000779ae940 5 bytes JMP 0000000000070290 .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000779ae990 5 bytes JMP 00000000000702b0 .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000779ae9c0 5 bytes JMP 0000000000070370 .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000779ae9d0 5 bytes JMP 0000000000070330 .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000779aecc0 5 bytes JMP 0000000000070460 .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 00000000779aee20 5 bytes JMP 0000000000070420 .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000779aeec0 1 byte JMP 0000000000070250 .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 00000000779aeec2 3 bytes {JMP 0xffffffff886c1390} .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000779aeed0 1 byte JMP 0000000000070260 .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 00000000779aeed2 3 bytes {JMP 0xffffffff886c1390} .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000779aeee0 5 bytes JMP 0000000000070400 .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000779af0a0 5 bytes JMP 00000000000701e0 .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000779af0b0 5 bytes JMP 0000000000070200 .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000779af120 5 bytes JMP 00000000000701f0 .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000779af180 5 bytes JMP 0000000000070430 .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000779af190 5 bytes JMP 0000000000070450 .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000779af1a0 5 bytes JMP 0000000000070210 .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000779af280 5 bytes JMP 0000000000070270 .text C:\Windows\system32\svchost.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000779ada60 5 bytes JMP 0000000077b10480 .text C:\Windows\system32\svchost.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000779adab0 5 bytes JMP 0000000077b10470 .text C:\Windows\system32\svchost.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000779adc10 5 bytes JMP 0000000077b10360 .text C:\Windows\system32\svchost.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000779adc60 5 bytes JMP 0000000077b10490 .text C:\Windows\system32\svchost.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779adc70 5 bytes JMP 0000000077b103d0 .text C:\Windows\system32\svchost.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000779add20 5 bytes JMP 0000000077b10310 .text C:\Windows\system32\svchost.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000779add50 5 bytes JMP 0000000077b103a0 .text C:\Windows\system32\svchost.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000779add70 5 bytes JMP 0000000077b10380 .text C:\Windows\system32\svchost.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000779addb0 5 bytes JMP 0000000077b102d0 .text C:\Windows\system32\svchost.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000779ade30 1 byte JMP 0000000077b102c0 .text C:\Windows\system32\svchost.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 00000000779ade32 3 bytes {JMP 0x162490} .text C:\Windows\system32\svchost.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779ade50 5 bytes JMP 0000000077b10300 .text C:\Windows\system32\svchost.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779ade90 5 bytes JMP 0000000077b103b0 .text C:\Windows\system32\svchost.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000779aded0 5 bytes JMP 0000000077b10440 .text C:\Windows\system32\svchost.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000779adee0 5 bytes JMP 0000000077b103e0 .text C:\Windows\system32\svchost.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000779ae040 5 bytes JMP 0000000077b10220 .text C:\Windows\system32\svchost.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000779ae200 5 bytes JMP 0000000077b104a0 .text C:\Windows\system32\svchost.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000779ae230 5 bytes JMP 0000000077b10390 .text C:\Windows\system32\svchost.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000779ae310 5 bytes JMP 0000000077b102e0 .text C:\Windows\system32\svchost.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000779ae320 5 bytes JMP 0000000077b10340 .text C:\Windows\system32\svchost.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000779ae380 5 bytes JMP 0000000077b10280 .text C:\Windows\system32\svchost.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000779ae410 1 byte JMP 0000000077b102a0 .text C:\Windows\system32\svchost.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 00000000779ae412 3 bytes {JMP 0x161e90} .text C:\Windows\system32\svchost.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000779ae430 1 byte JMP 0000000077b103c0 .text C:\Windows\system32\svchost.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 00000000779ae432 3 bytes {JMP 0x161f90} .text C:\Windows\system32\svchost.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000779ae440 5 bytes JMP 0000000077b10320 .text C:\Windows\system32\svchost.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000779ae4b0 5 bytes JMP 0000000077b10410 .text C:\Windows\system32\svchost.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000779ae4e0 5 bytes JMP 0000000077b10230 .text C:\Windows\system32\svchost.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 00000000779ae680 5 bytes JMP 0000000077b103f0 .text C:\Windows\system32\svchost.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000779ae7a0 5 bytes JMP 0000000077b101d0 .text C:\Windows\system32\svchost.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000779ae860 5 bytes JMP 0000000077b10240 .text C:\Windows\system32\svchost.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000779ae890 5 bytes JMP 0000000077b104b0 .text C:\Windows\system32\svchost.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000779ae8a0 5 bytes JMP 0000000077b104c0 .text C:\Windows\system32\svchost.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000779ae8d0 5 bytes JMP 0000000077b102f0 .text C:\Windows\system32\svchost.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000779ae8e0 5 bytes JMP 0000000077b10350 .text C:\Windows\system32\svchost.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000779ae940 5 bytes JMP 0000000077b10290 .text C:\Windows\system32\svchost.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000779ae990 5 bytes JMP 0000000077b102b0 .text C:\Windows\system32\svchost.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000779ae9c0 5 bytes JMP 0000000077b10370 .text C:\Windows\system32\svchost.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000779ae9d0 5 bytes JMP 0000000077b10330 .text C:\Windows\system32\svchost.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000779aecc0 5 bytes JMP 0000000077b10460 .text C:\Windows\system32\svchost.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 00000000779aee20 5 bytes JMP 0000000077b10420 .text C:\Windows\system32\svchost.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000779aeec0 1 byte JMP 0000000077b10250 .text C:\Windows\system32\svchost.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 00000000779aeec2 3 bytes {JMP 0x161390} .text C:\Windows\system32\svchost.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000779aeed0 1 byte JMP 0000000077b10260 .text C:\Windows\system32\svchost.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 00000000779aeed2 3 bytes {JMP 0x161390} .text C:\Windows\system32\svchost.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000779aeee0 5 bytes JMP 0000000077b10400 .text C:\Windows\system32\svchost.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000779af0a0 5 bytes JMP 0000000077b101e0 .text C:\Windows\system32\svchost.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000779af0b0 5 bytes JMP 0000000077b10200 .text C:\Windows\system32\svchost.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000779af120 5 bytes JMP 0000000077b101f0 .text C:\Windows\system32\svchost.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000779af180 5 bytes JMP 0000000077b10430 .text C:\Windows\system32\svchost.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000779af190 5 bytes JMP 0000000077b10450 .text C:\Windows\system32\svchost.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000779af1a0 5 bytes JMP 0000000077b10210 .text C:\Windows\system32\svchost.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000779af280 5 bytes JMP 0000000077b10270 .text C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000779ada60 5 bytes JMP 0000000077b10480 .text C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000779adab0 5 bytes JMP 0000000077b10470 .text C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000779adc10 5 bytes JMP 0000000077b10360 .text C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000779adc60 5 bytes JMP 0000000077b10490 .text C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779adc70 5 bytes JMP 0000000077b103d0 .text C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000779add20 5 bytes JMP 0000000077b10310 .text C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000779add50 5 bytes JMP 0000000077b103a0 .text C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000779add70 5 bytes JMP 0000000077b10380 .text C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000779addb0 5 bytes JMP 0000000077b102d0 .text C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000779ade30 1 byte JMP 0000000077b102c0 .text C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 00000000779ade32 3 bytes {JMP 0x162490} .text C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779ade50 5 bytes JMP 0000000077b10300 .text C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779ade90 5 bytes JMP 0000000077b103b0 .text C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000779aded0 5 bytes JMP 0000000077b10440 .text C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000779adee0 5 bytes JMP 0000000077b103e0 .text C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000779ae040 5 bytes JMP 0000000077b10220 .text C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000779ae200 5 bytes JMP 0000000077b104a0 .text C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000779ae230 5 bytes JMP 0000000077b10390 .text C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000779ae310 5 bytes JMP 0000000077b102e0 .text C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000779ae320 5 bytes JMP 0000000077b10340 .text C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000779ae380 5 bytes JMP 0000000077b10280 .text C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000779ae410 1 byte JMP 0000000077b102a0 .text C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 00000000779ae412 3 bytes {JMP 0x161e90} .text C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000779ae430 1 byte JMP 0000000077b103c0 .text C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 00000000779ae432 3 bytes {JMP 0x161f90} .text C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000779ae440 5 bytes JMP 0000000077b10320 .text C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000779ae4b0 5 bytes JMP 0000000077b10410 .text C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000779ae4e0 5 bytes JMP 0000000077b10230 .text C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 00000000779ae680 5 bytes JMP 0000000077b103f0 .text C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000779ae7a0 5 bytes JMP 0000000077b101d0 .text C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000779ae860 5 bytes JMP 0000000077b10240 .text C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000779ae890 5 bytes JMP 0000000077b104b0 .text C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000779ae8a0 5 bytes JMP 0000000077b104c0 .text C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000779ae8d0 5 bytes JMP 0000000077b102f0 .text C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000779ae8e0 5 bytes JMP 0000000077b10350 .text C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000779ae940 5 bytes JMP 0000000077b10290 .text C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000779ae990 5 bytes JMP 0000000077b102b0 .text C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000779ae9c0 5 bytes JMP 0000000077b10370 .text C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000779ae9d0 5 bytes JMP 0000000077b10330 .text C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000779aecc0 5 bytes JMP 0000000077b10460 .text C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 00000000779aee20 5 bytes JMP 0000000077b10420 .text C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000779aeec0 1 byte JMP 0000000077b10250 .text C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 00000000779aeec2 3 bytes {JMP 0x161390} .text C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000779aeed0 1 byte JMP 0000000077b10260 .text C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 00000000779aeed2 3 bytes {JMP 0x161390} .text C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000779aeee0 5 bytes JMP 0000000077b10400 .text C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000779af0a0 5 bytes JMP 0000000077b101e0 .text C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000779af0b0 5 bytes JMP 0000000077b10200 .text C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000779af120 5 bytes JMP 0000000077b101f0 .text C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000779af180 5 bytes JMP 0000000077b10430 .text C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000779af190 5 bytes JMP 0000000077b10450 .text C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000779af1a0 5 bytes JMP 0000000077b10210 .text C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000779af280 5 bytes JMP 0000000077b10270 .text C:\Windows\System32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000779ada60 5 bytes JMP 0000000077b10480 .text C:\Windows\System32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000779adab0 5 bytes JMP 0000000077b10470 .text C:\Windows\System32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000779adc10 5 bytes JMP 0000000077b10360 .text C:\Windows\System32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000779adc60 5 bytes JMP 0000000077b10490 .text C:\Windows\System32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779adc70 5 bytes JMP 0000000077b103d0 .text C:\Windows\System32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000779add20 5 bytes JMP 0000000077b10310 .text C:\Windows\System32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000779add50 5 bytes JMP 0000000077b103a0 .text C:\Windows\System32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000779add70 5 bytes JMP 0000000077b10380 .text C:\Windows\System32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000779addb0 5 bytes JMP 0000000077b102d0 .text C:\Windows\System32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000779ade30 1 byte JMP 0000000077b102c0 .text C:\Windows\System32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 00000000779ade32 3 bytes {JMP 0x162490} .text C:\Windows\System32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779ade50 5 bytes JMP 0000000077b10300 .text C:\Windows\System32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779ade90 5 bytes JMP 0000000077b103b0 .text C:\Windows\System32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000779aded0 5 bytes JMP 0000000077b10440 .text C:\Windows\System32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000779adee0 5 bytes JMP 0000000077b103e0 .text C:\Windows\System32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000779ae040 5 bytes JMP 0000000077b10220 .text C:\Windows\System32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000779ae200 5 bytes JMP 0000000077b104a0 .text C:\Windows\System32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000779ae230 5 bytes JMP 0000000077b10390 .text C:\Windows\System32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000779ae310 5 bytes JMP 0000000077b102e0 .text C:\Windows\System32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000779ae320 5 bytes JMP 0000000077b10340 .text C:\Windows\System32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000779ae380 5 bytes JMP 0000000077b10280 .text C:\Windows\System32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000779ae410 1 byte JMP 0000000077b102a0 .text C:\Windows\System32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 00000000779ae412 3 bytes {JMP 0x161e90} .text C:\Windows\System32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000779ae430 1 byte JMP 0000000077b103c0 .text C:\Windows\System32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 00000000779ae432 3 bytes {JMP 0x161f90} .text C:\Windows\System32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000779ae440 5 bytes JMP 0000000077b10320 .text C:\Windows\System32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000779ae4b0 5 bytes JMP 0000000077b10410 .text C:\Windows\System32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000779ae4e0 5 bytes JMP 0000000077b10230 .text C:\Windows\System32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 00000000779ae680 5 bytes JMP 0000000077b103f0 .text C:\Windows\System32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000779ae7a0 5 bytes JMP 0000000077b101d0 .text C:\Windows\System32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000779ae860 5 bytes JMP 0000000077b10240 .text C:\Windows\System32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000779ae890 5 bytes JMP 0000000077b104b0 .text C:\Windows\System32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000779ae8a0 5 bytes JMP 0000000077b104c0 .text C:\Windows\System32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000779ae8d0 5 bytes JMP 0000000077b102f0 .text C:\Windows\System32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000779ae8e0 5 bytes JMP 0000000077b10350 .text C:\Windows\System32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000779ae940 5 bytes JMP 0000000077b10290 .text C:\Windows\System32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000779ae990 5 bytes JMP 0000000077b102b0 .text C:\Windows\System32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000779ae9c0 5 bytes JMP 0000000077b10370 .text C:\Windows\System32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000779ae9d0 5 bytes JMP 0000000077b10330 .text C:\Windows\System32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000779aecc0 5 bytes JMP 0000000077b10460 .text C:\Windows\System32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 00000000779aee20 5 bytes JMP 0000000077b10420 .text C:\Windows\System32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000779aeec0 1 byte JMP 0000000077b10250 .text C:\Windows\System32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 00000000779aeec2 3 bytes {JMP 0x161390} .text C:\Windows\System32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000779aeed0 1 byte JMP 0000000077b10260 .text C:\Windows\System32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 00000000779aeed2 3 bytes {JMP 0x161390} .text C:\Windows\System32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000779aeee0 5 bytes JMP 0000000077b10400 .text C:\Windows\System32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000779af0a0 5 bytes JMP 0000000077b101e0 .text C:\Windows\System32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000779af0b0 5 bytes JMP 0000000077b10200 .text C:\Windows\System32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000779af120 5 bytes JMP 0000000077b101f0 .text C:\Windows\System32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000779af180 5 bytes JMP 0000000077b10430 .text C:\Windows\System32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000779af190 5 bytes JMP 0000000077b10450 .text C:\Windows\System32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000779af1a0 5 bytes JMP 0000000077b10210 .text C:\Windows\System32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000779af280 5 bytes JMP 0000000077b10270 .text C:\Windows\system32\svchost.exe[372] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000779ada60 5 bytes JMP 0000000077b10480 .text C:\Windows\system32\svchost.exe[372] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000779adab0 5 bytes JMP 0000000077b10470 .text C:\Windows\system32\svchost.exe[372] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000779adc10 5 bytes JMP 0000000077b10360 .text C:\Windows\system32\svchost.exe[372] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000779adc60 5 bytes JMP 0000000077b10490 .text C:\Windows\system32\svchost.exe[372] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779adc70 5 bytes JMP 0000000077b103d0 .text C:\Windows\system32\svchost.exe[372] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000779add20 5 bytes JMP 0000000077b10310 .text C:\Windows\system32\svchost.exe[372] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000779add50 5 bytes JMP 0000000077b103a0 .text C:\Windows\system32\svchost.exe[372] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000779add70 5 bytes JMP 0000000077b10380 .text C:\Windows\system32\svchost.exe[372] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000779addb0 5 bytes JMP 0000000077b102d0 .text C:\Windows\system32\svchost.exe[372] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000779ade30 1 byte JMP 0000000077b102c0 .text C:\Windows\system32\svchost.exe[372] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 00000000779ade32 3 bytes {JMP 0x162490} .text C:\Windows\system32\svchost.exe[372] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779ade50 5 bytes JMP 0000000077b10300 .text C:\Windows\system32\svchost.exe[372] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779ade90 5 bytes JMP 0000000077b103b0 .text C:\Windows\system32\svchost.exe[372] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000779aded0 5 bytes JMP 0000000077b10440 .text C:\Windows\system32\svchost.exe[372] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000779adee0 5 bytes JMP 0000000077b103e0 .text C:\Windows\system32\svchost.exe[372] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000779ae040 5 bytes JMP 0000000077b10220 .text C:\Windows\system32\svchost.exe[372] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000779ae200 5 bytes JMP 0000000077b104a0 .text C:\Windows\system32\svchost.exe[372] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000779ae230 5 bytes JMP 0000000077b10390 .text C:\Windows\system32\svchost.exe[372] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000779ae310 5 bytes JMP 0000000077b102e0 .text C:\Windows\system32\svchost.exe[372] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000779ae320 5 bytes JMP 0000000077b10340 .text C:\Windows\system32\svchost.exe[372] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000779ae380 5 bytes JMP 0000000077b10280 .text C:\Windows\system32\svchost.exe[372] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000779ae410 1 byte JMP 0000000077b102a0 .text C:\Windows\system32\svchost.exe[372] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 00000000779ae412 3 bytes {JMP 0x161e90} .text C:\Windows\system32\svchost.exe[372] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000779ae430 1 byte JMP 0000000077b103c0 .text C:\Windows\system32\svchost.exe[372] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 00000000779ae432 3 bytes {JMP 0x161f90} .text C:\Windows\system32\svchost.exe[372] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000779ae440 5 bytes JMP 0000000077b10320 .text C:\Windows\system32\svchost.exe[372] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000779ae4b0 5 bytes JMP 0000000077b10410 .text C:\Windows\system32\svchost.exe[372] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000779ae4e0 5 bytes JMP 0000000077b10230 .text C:\Windows\system32\svchost.exe[372] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 00000000779ae680 5 bytes JMP 0000000077b103f0 .text C:\Windows\system32\svchost.exe[372] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000779ae7a0 5 bytes JMP 0000000077b101d0 .text C:\Windows\system32\svchost.exe[372] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000779ae860 5 bytes JMP 0000000077b10240 .text C:\Windows\system32\svchost.exe[372] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000779ae890 5 bytes JMP 0000000077b104b0 .text C:\Windows\system32\svchost.exe[372] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000779ae8a0 5 bytes JMP 0000000077b104c0 .text C:\Windows\system32\svchost.exe[372] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000779ae8d0 5 bytes JMP 0000000077b102f0 .text C:\Windows\system32\svchost.exe[372] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000779ae8e0 5 bytes JMP 0000000077b10350 .text C:\Windows\system32\svchost.exe[372] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000779ae940 5 bytes JMP 0000000077b10290 .text C:\Windows\system32\svchost.exe[372] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000779ae990 5 bytes JMP 0000000077b102b0 .text C:\Windows\system32\svchost.exe[372] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000779ae9c0 5 bytes JMP 0000000077b10370 .text C:\Windows\system32\svchost.exe[372] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000779ae9d0 5 bytes JMP 0000000077b10330 .text C:\Windows\system32\svchost.exe[372] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000779aecc0 5 bytes JMP 0000000077b10460 .text C:\Windows\system32\svchost.exe[372] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 00000000779aee20 5 bytes JMP 0000000077b10420 .text C:\Windows\system32\svchost.exe[372] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000779aeec0 1 byte JMP 0000000077b10250 .text C:\Windows\system32\svchost.exe[372] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 00000000779aeec2 3 bytes {JMP 0x161390} .text C:\Windows\system32\svchost.exe[372] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000779aeed0 1 byte JMP 0000000077b10260 .text C:\Windows\system32\svchost.exe[372] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 00000000779aeed2 3 bytes {JMP 0x161390} .text C:\Windows\system32\svchost.exe[372] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000779aeee0 5 bytes JMP 0000000077b10400 .text C:\Windows\system32\svchost.exe[372] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000779af0a0 5 bytes JMP 0000000077b101e0 .text C:\Windows\system32\svchost.exe[372] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000779af0b0 5 bytes JMP 0000000077b10200 .text C:\Windows\system32\svchost.exe[372] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000779af120 5 bytes JMP 0000000077b101f0 .text C:\Windows\system32\svchost.exe[372] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000779af180 5 bytes JMP 0000000077b10430 .text C:\Windows\system32\svchost.exe[372] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000779af190 5 bytes JMP 0000000077b10450 .text C:\Windows\system32\svchost.exe[372] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000779af1a0 5 bytes JMP 0000000077b10210 .text C:\Windows\system32\svchost.exe[372] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000779af280 5 bytes JMP 0000000077b10270 .text C:\Windows\system32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000779ada60 5 bytes JMP 0000000077b10480 .text C:\Windows\system32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000779adab0 5 bytes JMP 0000000077b10470 .text C:\Windows\system32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000779adc10 5 bytes JMP 0000000077b10360 .text C:\Windows\system32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000779adc60 5 bytes JMP 0000000077b10490 .text C:\Windows\system32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779adc70 5 bytes JMP 0000000077b103d0 .text C:\Windows\system32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000779add20 5 bytes JMP 0000000077b10310 .text C:\Windows\system32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000779add50 5 bytes JMP 0000000077b103a0 .text C:\Windows\system32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000779add70 5 bytes JMP 0000000077b10380 .text C:\Windows\system32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000779addb0 5 bytes JMP 0000000077b102d0 .text C:\Windows\system32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000779ade30 1 byte JMP 0000000077b102c0 .text C:\Windows\system32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 00000000779ade32 3 bytes {JMP 0x162490} .text C:\Windows\system32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779ade50 5 bytes JMP 0000000077b10300 .text C:\Windows\system32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779ade90 5 bytes JMP 0000000077b103b0 .text C:\Windows\system32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000779aded0 5 bytes JMP 0000000077b10440 .text C:\Windows\system32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000779adee0 5 bytes JMP 0000000077b103e0 .text C:\Windows\system32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000779ae040 5 bytes JMP 0000000077b10220 .text C:\Windows\system32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000779ae200 5 bytes JMP 0000000077b104a0 .text C:\Windows\system32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000779ae230 5 bytes JMP 0000000077b10390 .text C:\Windows\system32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000779ae310 5 bytes JMP 0000000077b102e0 .text C:\Windows\system32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000779ae320 5 bytes JMP 0000000077b10340 .text C:\Windows\system32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000779ae380 5 bytes JMP 0000000077b10280 .text C:\Windows\system32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000779ae410 1 byte JMP 0000000077b102a0 .text C:\Windows\system32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 00000000779ae412 3 bytes {JMP 0x161e90} .text C:\Windows\system32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000779ae430 1 byte JMP 0000000077b103c0 .text C:\Windows\system32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 00000000779ae432 3 bytes {JMP 0x161f90} .text C:\Windows\system32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000779ae440 5 bytes JMP 0000000077b10320 .text C:\Windows\system32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000779ae4b0 5 bytes JMP 0000000077b10410 .text C:\Windows\system32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000779ae4e0 5 bytes JMP 0000000077b10230 .text C:\Windows\system32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 00000000779ae680 5 bytes JMP 0000000077b103f0 .text C:\Windows\system32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000779ae7a0 5 bytes JMP 0000000077b101d0 .text C:\Windows\system32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000779ae860 5 bytes JMP 0000000077b10240 .text C:\Windows\system32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000779ae890 5 bytes JMP 0000000077b104b0 .text C:\Windows\system32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000779ae8a0 5 bytes JMP 0000000077b104c0 .text C:\Windows\system32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000779ae8d0 5 bytes JMP 0000000077b102f0 .text C:\Windows\system32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000779ae8e0 5 bytes JMP 0000000077b10350 .text C:\Windows\system32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000779ae940 5 bytes JMP 0000000077b10290 .text C:\Windows\system32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000779ae990 5 bytes JMP 0000000077b102b0 .text C:\Windows\system32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000779ae9c0 5 bytes JMP 0000000077b10370 .text C:\Windows\system32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000779ae9d0 5 bytes JMP 0000000077b10330 .text C:\Windows\system32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000779aecc0 5 bytes JMP 0000000077b10460 .text C:\Windows\system32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 00000000779aee20 5 bytes JMP 0000000077b10420 .text C:\Windows\system32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000779aeec0 1 byte JMP 0000000077b10250 .text C:\Windows\system32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 00000000779aeec2 3 bytes {JMP 0x161390} .text C:\Windows\system32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000779aeed0 1 byte JMP 0000000077b10260 .text C:\Windows\system32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 00000000779aeed2 3 bytes {JMP 0x161390} .text C:\Windows\system32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000779aeee0 5 bytes JMP 0000000077b10400 .text C:\Windows\system32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000779af0a0 5 bytes JMP 0000000077b101e0 .text C:\Windows\system32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000779af0b0 5 bytes JMP 0000000077b10200 .text C:\Windows\system32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000779af120 5 bytes JMP 0000000077b101f0 .text C:\Windows\system32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000779af180 5 bytes JMP 0000000077b10430 .text C:\Windows\system32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000779af190 5 bytes JMP 0000000077b10450 .text C:\Windows\system32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000779af1a0 5 bytes JMP 0000000077b10210 .text C:\Windows\system32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000779af280 5 bytes JMP 0000000077b10270 .text C:\Windows\system32\svchost.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000779ada60 5 bytes JMP 0000000077b10480 .text C:\Windows\system32\svchost.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000779adab0 5 bytes JMP 0000000077b10470 .text C:\Windows\system32\svchost.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000779adc10 5 bytes JMP 0000000077b10360 .text C:\Windows\system32\svchost.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000779adc60 5 bytes JMP 0000000077b10490 .text C:\Windows\system32\svchost.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779adc70 5 bytes JMP 0000000077b103d0 .text C:\Windows\system32\svchost.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000779add20 5 bytes JMP 0000000077b10310 .text C:\Windows\system32\svchost.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000779add50 5 bytes JMP 0000000077b103a0 .text C:\Windows\system32\svchost.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000779add70 5 bytes JMP 0000000077b10380 .text C:\Windows\system32\svchost.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000779addb0 5 bytes JMP 0000000077b102d0 .text C:\Windows\system32\svchost.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000779ade30 1 byte JMP 0000000077b102c0 .text C:\Windows\system32\svchost.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 00000000779ade32 3 bytes {JMP 0x162490} .text C:\Windows\system32\svchost.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779ade50 5 bytes JMP 0000000077b10300 .text C:\Windows\system32\svchost.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779ade90 5 bytes JMP 0000000077b103b0 .text C:\Windows\system32\svchost.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000779aded0 5 bytes JMP 0000000077b10440 .text C:\Windows\system32\svchost.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000779adee0 5 bytes JMP 0000000077b103e0 .text C:\Windows\system32\svchost.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000779ae040 5 bytes JMP 0000000077b10220 .text C:\Windows\system32\svchost.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000779ae200 5 bytes JMP 0000000077b104a0 .text C:\Windows\system32\svchost.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000779ae230 5 bytes JMP 0000000077b10390 .text C:\Windows\system32\svchost.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000779ae310 5 bytes JMP 0000000077b102e0 .text C:\Windows\system32\svchost.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000779ae320 5 bytes JMP 0000000077b10340 .text C:\Windows\system32\svchost.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000779ae380 5 bytes JMP 0000000077b10280 .text C:\Windows\system32\svchost.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000779ae410 1 byte JMP 0000000077b102a0 .text C:\Windows\system32\svchost.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 00000000779ae412 3 bytes {JMP 0x161e90} .text C:\Windows\system32\svchost.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000779ae430 1 byte JMP 0000000077b103c0 .text C:\Windows\system32\svchost.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 00000000779ae432 3 bytes {JMP 0x161f90} .text C:\Windows\system32\svchost.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000779ae440 5 bytes JMP 0000000077b10320 .text C:\Windows\system32\svchost.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000779ae4b0 5 bytes JMP 0000000077b10410 .text C:\Windows\system32\svchost.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000779ae4e0 5 bytes JMP 0000000077b10230 .text C:\Windows\system32\svchost.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 00000000779ae680 5 bytes JMP 0000000077b103f0 .text C:\Windows\system32\svchost.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000779ae7a0 5 bytes JMP 0000000077b101d0 .text C:\Windows\system32\svchost.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000779ae860 5 bytes JMP 0000000077b10240 .text C:\Windows\system32\svchost.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000779ae890 5 bytes JMP 0000000077b104b0 .text C:\Windows\system32\svchost.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000779ae8a0 5 bytes JMP 0000000077b104c0 .text C:\Windows\system32\svchost.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000779ae8d0 5 bytes JMP 0000000077b102f0 .text C:\Windows\system32\svchost.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000779ae8e0 5 bytes JMP 0000000077b10350 .text C:\Windows\system32\svchost.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000779ae940 5 bytes JMP 0000000077b10290 .text C:\Windows\system32\svchost.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000779ae990 5 bytes JMP 0000000077b102b0 .text C:\Windows\system32\svchost.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000779ae9c0 5 bytes JMP 0000000077b10370 .text C:\Windows\system32\svchost.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000779ae9d0 5 bytes JMP 0000000077b10330 .text C:\Windows\system32\svchost.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000779aecc0 5 bytes JMP 0000000077b10460 .text C:\Windows\system32\svchost.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 00000000779aee20 5 bytes JMP 0000000077b10420 .text C:\Windows\system32\svchost.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000779aeec0 1 byte JMP 0000000077b10250 .text C:\Windows\system32\svchost.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 00000000779aeec2 3 bytes {JMP 0x161390} .text C:\Windows\system32\svchost.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000779aeed0 1 byte JMP 0000000077b10260 .text C:\Windows\system32\svchost.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 00000000779aeed2 3 bytes {JMP 0x161390} .text C:\Windows\system32\svchost.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000779aeee0 5 bytes JMP 0000000077b10400 .text C:\Windows\system32\svchost.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000779af0a0 5 bytes JMP 0000000077b101e0 .text C:\Windows\system32\svchost.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000779af0b0 5 bytes JMP 0000000077b10200 .text C:\Windows\system32\svchost.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000779af120 5 bytes JMP 0000000077b101f0 .text C:\Windows\system32\svchost.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000779af180 5 bytes JMP 0000000077b10430 .text C:\Windows\system32\svchost.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000779af190 5 bytes JMP 0000000077b10450 .text C:\Windows\system32\svchost.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000779af1a0 5 bytes JMP 0000000077b10210 .text C:\Windows\system32\svchost.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000779af280 5 bytes JMP 0000000077b10270 .text C:\Windows\Explorer.EXE[1408] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000779ada60 5 bytes JMP 0000000077b10480 .text C:\Windows\Explorer.EXE[1408] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000779adab0 5 bytes JMP 0000000077b10470 .text C:\Windows\Explorer.EXE[1408] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000779adc10 5 bytes JMP 0000000077b10360 .text C:\Windows\Explorer.EXE[1408] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000779adc60 5 bytes JMP 0000000077b10490 .text C:\Windows\Explorer.EXE[1408] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779adc70 5 bytes JMP 0000000077b103d0 .text C:\Windows\Explorer.EXE[1408] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000779add20 5 bytes JMP 0000000077b10310 .text C:\Windows\Explorer.EXE[1408] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000779add50 5 bytes JMP 0000000077b103a0 .text C:\Windows\Explorer.EXE[1408] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000779add70 5 bytes JMP 0000000077b10380 .text C:\Windows\Explorer.EXE[1408] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000779addb0 5 bytes JMP 0000000077b102d0 .text C:\Windows\Explorer.EXE[1408] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000779ade30 1 byte JMP 0000000077b102c0 .text C:\Windows\Explorer.EXE[1408] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 00000000779ade32 3 bytes {JMP 0x162490} .text C:\Windows\Explorer.EXE[1408] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779ade50 5 bytes JMP 0000000077b10300 .text C:\Windows\Explorer.EXE[1408] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779ade90 5 bytes JMP 0000000077b103b0 .text C:\Windows\Explorer.EXE[1408] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000779aded0 5 bytes JMP 0000000077b10440 .text C:\Windows\Explorer.EXE[1408] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000779adee0 5 bytes JMP 0000000077b103e0 .text C:\Windows\Explorer.EXE[1408] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000779ae040 5 bytes JMP 0000000077b10220 .text C:\Windows\Explorer.EXE[1408] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000779ae200 5 bytes JMP 0000000077b104a0 .text C:\Windows\Explorer.EXE[1408] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000779ae230 5 bytes JMP 0000000077b10390 .text C:\Windows\Explorer.EXE[1408] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000779ae310 5 bytes JMP 0000000077b102e0 .text C:\Windows\Explorer.EXE[1408] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000779ae320 5 bytes JMP 0000000077b10340 .text C:\Windows\Explorer.EXE[1408] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000779ae380 5 bytes JMP 0000000077b10280 .text C:\Windows\Explorer.EXE[1408] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000779ae410 1 byte JMP 0000000077b102a0 .text C:\Windows\Explorer.EXE[1408] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 00000000779ae412 3 bytes {JMP 0x161e90} .text C:\Windows\Explorer.EXE[1408] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000779ae430 1 byte JMP 0000000077b103c0 .text C:\Windows\Explorer.EXE[1408] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 00000000779ae432 3 bytes {JMP 0x161f90} .text C:\Windows\Explorer.EXE[1408] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000779ae440 5 bytes JMP 0000000077b10320 .text C:\Windows\Explorer.EXE[1408] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000779ae4b0 5 bytes JMP 0000000077b10410 .text C:\Windows\Explorer.EXE[1408] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000779ae4e0 5 bytes JMP 0000000077b10230 .text C:\Windows\Explorer.EXE[1408] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 00000000779ae680 5 bytes JMP 0000000077b103f0 .text C:\Windows\Explorer.EXE[1408] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000779ae7a0 5 bytes JMP 0000000077b101d0 .text C:\Windows\Explorer.EXE[1408] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000779ae860 5 bytes JMP 0000000077b10240 .text C:\Windows\Explorer.EXE[1408] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000779ae890 5 bytes JMP 0000000077b104b0 .text C:\Windows\Explorer.EXE[1408] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000779ae8a0 5 bytes JMP 0000000077b104c0 .text C:\Windows\Explorer.EXE[1408] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000779ae8d0 5 bytes JMP 0000000077b102f0 .text C:\Windows\Explorer.EXE[1408] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000779ae8e0 5 bytes JMP 0000000077b10350 .text C:\Windows\Explorer.EXE[1408] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000779ae940 5 bytes JMP 0000000077b10290 .text C:\Windows\Explorer.EXE[1408] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000779ae990 5 bytes JMP 0000000077b102b0 .text C:\Windows\Explorer.EXE[1408] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000779ae9c0 5 bytes JMP 0000000077b10370 .text C:\Windows\Explorer.EXE[1408] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000779ae9d0 5 bytes JMP 0000000077b10330 .text C:\Windows\Explorer.EXE[1408] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000779aecc0 5 bytes JMP 0000000077b10460 .text C:\Windows\Explorer.EXE[1408] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 00000000779aee20 5 bytes JMP 0000000077b10420 .text C:\Windows\Explorer.EXE[1408] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000779aeec0 1 byte JMP 0000000077b10250 .text C:\Windows\Explorer.EXE[1408] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 00000000779aeec2 3 bytes {JMP 0x161390} .text C:\Windows\Explorer.EXE[1408] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000779aeed0 1 byte JMP 0000000077b10260 .text C:\Windows\Explorer.EXE[1408] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 00000000779aeed2 3 bytes {JMP 0x161390} .text C:\Windows\Explorer.EXE[1408] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000779aeee0 5 bytes JMP 0000000077b10400 .text C:\Windows\Explorer.EXE[1408] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000779af0a0 5 bytes JMP 0000000077b101e0 .text C:\Windows\Explorer.EXE[1408] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000779af0b0 5 bytes JMP 0000000077b10200 .text C:\Windows\Explorer.EXE[1408] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000779af120 5 bytes JMP 0000000077b101f0 .text C:\Windows\Explorer.EXE[1408] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000779af180 5 bytes JMP 0000000077b10430 .text C:\Windows\Explorer.EXE[1408] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000779af190 5 bytes JMP 0000000077b10450 .text C:\Windows\Explorer.EXE[1408] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000779af1a0 5 bytes JMP 0000000077b10210 .text C:\Windows\Explorer.EXE[1408] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000779af280 5 bytes JMP 0000000077b10270 .text C:\Windows\system32\taskhost.exe[1508] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000779ada60 5 bytes JMP 0000000077b10480 .text C:\Windows\system32\taskhost.exe[1508] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000779adab0 5 bytes JMP 0000000077b10470 .text C:\Windows\system32\taskhost.exe[1508] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000779adc10 5 bytes JMP 0000000077b10360 .text C:\Windows\system32\taskhost.exe[1508] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000779adc60 5 bytes JMP 0000000077b10490 .text C:\Windows\system32\taskhost.exe[1508] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779adc70 5 bytes JMP 0000000077b103d0 .text C:\Windows\system32\taskhost.exe[1508] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000779add20 5 bytes JMP 0000000077b10310 .text C:\Windows\system32\taskhost.exe[1508] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000779add50 5 bytes JMP 0000000077b103a0 .text C:\Windows\system32\taskhost.exe[1508] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000779add70 5 bytes JMP 0000000077b10380 .text C:\Windows\system32\taskhost.exe[1508] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000779addb0 5 bytes JMP 0000000077b102d0 .text C:\Windows\system32\taskhost.exe[1508] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000779ade30 1 byte JMP 0000000077b102c0 .text C:\Windows\system32\taskhost.exe[1508] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 00000000779ade32 3 bytes {JMP 0x162490} .text C:\Windows\system32\taskhost.exe[1508] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779ade50 5 bytes JMP 0000000077b10300 .text C:\Windows\system32\taskhost.exe[1508] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779ade90 5 bytes JMP 0000000077b103b0 .text C:\Windows\system32\taskhost.exe[1508] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000779aded0 5 bytes JMP 0000000077b10440 .text C:\Windows\system32\taskhost.exe[1508] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000779adee0 5 bytes JMP 0000000077b103e0 .text C:\Windows\system32\taskhost.exe[1508] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000779ae040 5 bytes JMP 0000000077b10220 .text C:\Windows\system32\taskhost.exe[1508] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000779ae200 5 bytes JMP 0000000077b104a0 .text C:\Windows\system32\taskhost.exe[1508] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000779ae230 5 bytes JMP 0000000077b10390 .text C:\Windows\system32\taskhost.exe[1508] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000779ae310 5 bytes JMP 0000000077b102e0 .text C:\Windows\system32\taskhost.exe[1508] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000779ae320 5 bytes JMP 0000000077b10340 .text C:\Windows\system32\taskhost.exe[1508] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000779ae380 5 bytes JMP 0000000077b10280 .text C:\Windows\system32\taskhost.exe[1508] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000779ae410 1 byte JMP 0000000077b102a0 .text C:\Windows\system32\taskhost.exe[1508] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 00000000779ae412 3 bytes {JMP 0x161e90} .text C:\Windows\system32\taskhost.exe[1508] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000779ae430 1 byte JMP 0000000077b103c0 .text C:\Windows\system32\taskhost.exe[1508] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 00000000779ae432 3 bytes {JMP 0x161f90} .text C:\Windows\system32\taskhost.exe[1508] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000779ae440 5 bytes JMP 0000000077b10320 .text C:\Windows\system32\taskhost.exe[1508] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000779ae4b0 5 bytes JMP 0000000077b10410 .text C:\Windows\system32\taskhost.exe[1508] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000779ae4e0 5 bytes JMP 0000000077b10230 .text C:\Windows\system32\taskhost.exe[1508] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 00000000779ae680 5 bytes JMP 0000000077b103f0 .text C:\Windows\system32\taskhost.exe[1508] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000779ae7a0 5 bytes JMP 0000000077b101d0 .text C:\Windows\system32\taskhost.exe[1508] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000779ae860 5 bytes JMP 0000000077b10240 .text C:\Windows\system32\taskhost.exe[1508] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000779ae890 5 bytes JMP 0000000077b104b0 .text C:\Windows\system32\taskhost.exe[1508] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000779ae8a0 5 bytes JMP 0000000077b104c0 .text C:\Windows\system32\taskhost.exe[1508] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000779ae8d0 5 bytes JMP 0000000077b102f0 .text C:\Windows\system32\taskhost.exe[1508] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000779ae8e0 5 bytes JMP 0000000077b10350 .text C:\Windows\system32\taskhost.exe[1508] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000779ae940 5 bytes JMP 0000000077b10290 .text C:\Windows\system32\taskhost.exe[1508] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000779ae990 5 bytes JMP 0000000077b102b0 .text C:\Windows\system32\taskhost.exe[1508] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000779ae9c0 5 bytes JMP 0000000077b10370 .text C:\Windows\system32\taskhost.exe[1508] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000779ae9d0 5 bytes JMP 0000000077b10330 .text C:\Windows\system32\taskhost.exe[1508] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000779aecc0 5 bytes JMP 0000000077b10460 .text C:\Windows\system32\taskhost.exe[1508] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 00000000779aee20 5 bytes JMP 0000000077b10420 .text C:\Windows\system32\taskhost.exe[1508] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000779aeec0 1 byte JMP 0000000077b10250 .text C:\Windows\system32\taskhost.exe[1508] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 00000000779aeec2 3 bytes {JMP 0x161390} .text C:\Windows\system32\taskhost.exe[1508] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000779aeed0 1 byte JMP 0000000077b10260 .text C:\Windows\system32\taskhost.exe[1508] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 00000000779aeed2 3 bytes {JMP 0x161390} .text C:\Windows\system32\taskhost.exe[1508] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000779aeee0 5 bytes JMP 0000000077b10400 .text C:\Windows\system32\taskhost.exe[1508] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000779af0a0 5 bytes JMP 0000000077b101e0 .text C:\Windows\system32\taskhost.exe[1508] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000779af0b0 5 bytes JMP 0000000077b10200 .text C:\Windows\system32\taskhost.exe[1508] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000779af120 5 bytes JMP 0000000077b101f0 .text C:\Windows\system32\taskhost.exe[1508] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000779af180 5 bytes JMP 0000000077b10430 .text C:\Windows\system32\taskhost.exe[1508] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000779af190 5 bytes JMP 0000000077b10450 .text C:\Windows\system32\taskhost.exe[1508] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000779af1a0 5 bytes JMP 0000000077b10210 .text C:\Windows\system32\taskhost.exe[1508] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000779af280 5 bytes JMP 0000000077b10270 .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000779ada60 5 bytes JMP 0000000077b10480 .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000779adab0 5 bytes JMP 0000000077b10470 .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000779adc10 5 bytes JMP 0000000077b10360 .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000779adc60 5 bytes JMP 0000000077b10490 .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779adc70 5 bytes JMP 0000000077b103d0 .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000779add20 5 bytes JMP 0000000077b10310 .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000779add50 5 bytes JMP 0000000077b103a0 .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000779add70 5 bytes JMP 0000000077b10380 .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000779addb0 5 bytes JMP 0000000077b102d0 .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000779ade30 1 byte JMP 0000000077b102c0 .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 00000000779ade32 3 bytes {JMP 0x162490} .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779ade50 5 bytes JMP 0000000077b10300 .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779ade90 5 bytes JMP 0000000077b103b0 .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000779aded0 5 bytes JMP 0000000077b10440 .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000779adee0 5 bytes JMP 0000000077b103e0 .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000779ae040 5 bytes JMP 0000000077b10220 .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000779ae200 5 bytes JMP 0000000077b104a0 .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000779ae230 5 bytes JMP 0000000077b10390 .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000779ae310 5 bytes JMP 0000000077b102e0 .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000779ae320 5 bytes JMP 0000000077b10340 .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000779ae380 5 bytes JMP 0000000077b10280 .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000779ae410 1 byte JMP 0000000077b102a0 .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 00000000779ae412 3 bytes {JMP 0x161e90} .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000779ae430 1 byte JMP 0000000077b103c0 .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 00000000779ae432 3 bytes {JMP 0x161f90} .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000779ae440 5 bytes JMP 0000000077b10320 .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000779ae4b0 5 bytes JMP 0000000077b10410 .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000779ae4e0 5 bytes JMP 0000000077b10230 .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 00000000779ae680 5 bytes JMP 0000000077b103f0 .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000779ae7a0 5 bytes JMP 0000000077b101d0 .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000779ae860 5 bytes JMP 0000000077b10240 .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000779ae890 5 bytes JMP 0000000077b104b0 .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000779ae8a0 5 bytes JMP 0000000077b104c0 .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000779ae8d0 5 bytes JMP 0000000077b102f0 .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000779ae8e0 5 bytes JMP 0000000077b10350 .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000779ae940 5 bytes JMP 0000000077b10290 .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000779ae990 5 bytes JMP 0000000077b102b0 .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000779ae9c0 5 bytes JMP 0000000077b10370 .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000779ae9d0 5 bytes JMP 0000000077b10330 .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000779aecc0 5 bytes JMP 0000000077b10460 .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 00000000779aee20 5 bytes JMP 0000000077b10420 .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000779aeec0 1 byte JMP 0000000077b10250 .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 00000000779aeec2 3 bytes {JMP 0x161390} .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000779aeed0 1 byte JMP 0000000077b10260 .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 00000000779aeed2 3 bytes {JMP 0x161390} .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000779aeee0 5 bytes JMP 0000000077b10400 .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000779af0a0 5 bytes JMP 0000000077b101e0 .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000779af0b0 5 bytes JMP 0000000077b10200 .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000779af120 5 bytes JMP 0000000077b101f0 .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000779af180 5 bytes JMP 0000000077b10430 .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000779af190 5 bytes JMP 0000000077b10450 .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000779af1a0 5 bytes JMP 0000000077b10210 .text C:\Windows\system32\svchost.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000779af280 5 bytes JMP 0000000077b10270 .text C:\Program Files\AVAST Software\Avast\avastui.exe[1600] C:\Windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter 0000000076b88781 8 bytes [31, C0, C2, 04, 00, 90, 90, ...] .text C:\Windows\system32\svchost.exe[2360] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000779ada60 5 bytes JMP 0000000077b10480 .text C:\Windows\system32\svchost.exe[2360] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000779adab0 5 bytes JMP 0000000077b10470 .text C:\Windows\system32\svchost.exe[2360] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000779adc10 5 bytes JMP 0000000077b10360 .text C:\Windows\system32\svchost.exe[2360] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000779adc60 5 bytes JMP 0000000077b10490 .text C:\Windows\system32\svchost.exe[2360] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779adc70 5 bytes JMP 0000000077b103d0 .text C:\Windows\system32\svchost.exe[2360] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000779add20 5 bytes JMP 0000000077b10310 .text C:\Windows\system32\svchost.exe[2360] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000779add50 5 bytes JMP 0000000077b103a0 .text C:\Windows\system32\svchost.exe[2360] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000779add70 5 bytes JMP 0000000077b10380 .text C:\Windows\system32\svchost.exe[2360] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000779addb0 5 bytes JMP 0000000077b102d0 .text C:\Windows\system32\svchost.exe[2360] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000779ade30 1 byte JMP 0000000077b102c0 .text C:\Windows\system32\svchost.exe[2360] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 00000000779ade32 3 bytes {JMP 0x162490} .text C:\Windows\system32\svchost.exe[2360] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779ade50 5 bytes JMP 0000000077b10300 .text C:\Windows\system32\svchost.exe[2360] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779ade90 5 bytes JMP 0000000077b103b0 .text C:\Windows\system32\svchost.exe[2360] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000779aded0 5 bytes JMP 0000000077b10440 .text C:\Windows\system32\svchost.exe[2360] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000779adee0 5 bytes JMP 0000000077b103e0 .text C:\Windows\system32\svchost.exe[2360] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000779ae040 5 bytes JMP 0000000077b10220 .text C:\Windows\system32\svchost.exe[2360] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000779ae200 5 bytes JMP 0000000077b104a0 .text C:\Windows\system32\svchost.exe[2360] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000779ae230 5 bytes JMP 0000000077b10390 .text C:\Windows\system32\svchost.exe[2360] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000779ae310 5 bytes JMP 0000000077b102e0 .text C:\Windows\system32\svchost.exe[2360] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000779ae320 5 bytes JMP 0000000077b10340 .text C:\Windows\system32\svchost.exe[2360] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000779ae380 5 bytes JMP 0000000077b10280 .text C:\Windows\system32\svchost.exe[2360] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000779ae410 1 byte JMP 0000000077b102a0 .text C:\Windows\system32\svchost.exe[2360] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 00000000779ae412 3 bytes {JMP 0x161e90} .text C:\Windows\system32\svchost.exe[2360] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000779ae430 1 byte JMP 0000000077b103c0 .text C:\Windows\system32\svchost.exe[2360] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 00000000779ae432 3 bytes {JMP 0x161f90} .text C:\Windows\system32\svchost.exe[2360] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000779ae440 5 bytes JMP 0000000077b10320 .text C:\Windows\system32\svchost.exe[2360] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000779ae4b0 5 bytes JMP 0000000077b10410 .text C:\Windows\system32\svchost.exe[2360] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000779ae4e0 5 bytes JMP 0000000077b10230 .text C:\Windows\system32\svchost.exe[2360] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 00000000779ae680 5 bytes JMP 0000000077b103f0 .text C:\Windows\system32\svchost.exe[2360] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000779ae7a0 5 bytes JMP 0000000077b101d0 .text C:\Windows\system32\svchost.exe[2360] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000779ae860 5 bytes JMP 0000000077b10240 .text C:\Windows\system32\svchost.exe[2360] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000779ae890 5 bytes JMP 0000000077b104b0 .text C:\Windows\system32\svchost.exe[2360] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000779ae8a0 5 bytes JMP 0000000077b104c0 .text C:\Windows\system32\svchost.exe[2360] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000779ae8d0 5 bytes JMP 0000000077b102f0 .text C:\Windows\system32\svchost.exe[2360] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000779ae8e0 5 bytes JMP 0000000077b10350 .text C:\Windows\system32\svchost.exe[2360] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000779ae940 5 bytes JMP 0000000077b10290 .text C:\Windows\system32\svchost.exe[2360] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000779ae990 5 bytes JMP 0000000077b102b0 .text C:\Windows\system32\svchost.exe[2360] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000779ae9c0 5 bytes JMP 0000000077b10370 .text C:\Windows\system32\svchost.exe[2360] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000779ae9d0 5 bytes JMP 0000000077b10330 .text C:\Windows\system32\svchost.exe[2360] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000779aecc0 5 bytes JMP 0000000077b10460 .text C:\Windows\system32\svchost.exe[2360] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 00000000779aee20 5 bytes JMP 0000000077b10420 .text C:\Windows\system32\svchost.exe[2360] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000779aeec0 1 byte JMP 0000000077b10250 .text C:\Windows\system32\svchost.exe[2360] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 00000000779aeec2 3 bytes {JMP 0x161390} .text C:\Windows\system32\svchost.exe[2360] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000779aeed0 1 byte JMP 0000000077b10260 .text C:\Windows\system32\svchost.exe[2360] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 00000000779aeed2 3 bytes {JMP 0x161390} .text C:\Windows\system32\svchost.exe[2360] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000779aeee0 5 bytes JMP 0000000077b10400 .text C:\Windows\system32\svchost.exe[2360] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000779af0a0 5 bytes JMP 0000000077b101e0 .text C:\Windows\system32\svchost.exe[2360] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000779af0b0 5 bytes JMP 0000000077b10200 .text C:\Windows\system32\svchost.exe[2360] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000779af120 5 bytes JMP 0000000077b101f0 .text C:\Windows\system32\svchost.exe[2360] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000779af180 5 bytes JMP 0000000077b10430 .text C:\Windows\system32\svchost.exe[2360] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000779af190 5 bytes JMP 0000000077b10450 .text C:\Windows\system32\svchost.exe[2360] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000779af1a0 5 bytes JMP 0000000077b10210 .text C:\Windows\system32\svchost.exe[2360] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000779af280 5 bytes JMP 0000000077b10270 .text C:\Windows\System32\svchost.exe[2384] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000779ada60 5 bytes JMP 0000000000070480 .text C:\Windows\System32\svchost.exe[2384] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000779adab0 5 bytes JMP 0000000000070470 .text C:\Windows\System32\svchost.exe[2384] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000779adc10 5 bytes JMP 0000000000070360 .text C:\Windows\System32\svchost.exe[2384] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000779adc60 5 bytes JMP 0000000000070490 .text C:\Windows\System32\svchost.exe[2384] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779adc70 5 bytes JMP 00000000000703d0 .text C:\Windows\System32\svchost.exe[2384] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000779add20 5 bytes JMP 0000000000070310 .text C:\Windows\System32\svchost.exe[2384] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000779add50 5 bytes JMP 00000000000703a0 .text C:\Windows\System32\svchost.exe[2384] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000779add70 5 bytes JMP 0000000000070380 .text C:\Windows\System32\svchost.exe[2384] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000779addb0 5 bytes JMP 00000000000702d0 .text C:\Windows\System32\svchost.exe[2384] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000779ade30 1 byte JMP 00000000000702c0 .text C:\Windows\System32\svchost.exe[2384] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 00000000779ade32 3 bytes {JMP 0xffffffff886c2490} .text C:\Windows\System32\svchost.exe[2384] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779ade50 5 bytes JMP 0000000000070300 .text C:\Windows\System32\svchost.exe[2384] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779ade90 5 bytes JMP 00000000000703b0 .text C:\Windows\System32\svchost.exe[2384] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000779aded0 5 bytes JMP 0000000000070440 .text C:\Windows\System32\svchost.exe[2384] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000779adee0 5 bytes JMP 00000000000703e0 .text C:\Windows\System32\svchost.exe[2384] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000779ae040 5 bytes JMP 0000000000070220 .text C:\Windows\System32\svchost.exe[2384] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000779ae200 5 bytes JMP 00000000000704a0 .text C:\Windows\System32\svchost.exe[2384] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000779ae230 5 bytes JMP 0000000000070390 .text C:\Windows\System32\svchost.exe[2384] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000779ae310 5 bytes JMP 00000000000702e0 .text C:\Windows\System32\svchost.exe[2384] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000779ae320 5 bytes JMP 0000000000070340 .text C:\Windows\System32\svchost.exe[2384] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000779ae380 5 bytes JMP 0000000000070280 .text C:\Windows\System32\svchost.exe[2384] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000779ae410 1 byte JMP 00000000000702a0 .text C:\Windows\System32\svchost.exe[2384] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 00000000779ae412 3 bytes {JMP 0xffffffff886c1e90} .text C:\Windows\System32\svchost.exe[2384] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000779ae430 1 byte JMP 00000000000703c0 .text C:\Windows\System32\svchost.exe[2384] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 00000000779ae432 3 bytes {JMP 0xffffffff886c1f90} .text C:\Windows\System32\svchost.exe[2384] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000779ae440 5 bytes JMP 0000000000070320 .text C:\Windows\System32\svchost.exe[2384] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000779ae4b0 5 bytes JMP 0000000000070410 .text C:\Windows\System32\svchost.exe[2384] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000779ae4e0 5 bytes JMP 0000000000070230 .text C:\Windows\System32\svchost.exe[2384] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 00000000779ae680 5 bytes JMP 00000000000703f0 .text C:\Windows\System32\svchost.exe[2384] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000779ae7a0 5 bytes JMP 00000000000701d0 .text C:\Windows\System32\svchost.exe[2384] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000779ae860 5 bytes JMP 0000000000070240 .text C:\Windows\System32\svchost.exe[2384] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000779ae890 5 bytes JMP 00000000000704b0 .text C:\Windows\System32\svchost.exe[2384] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000779ae8a0 5 bytes JMP 00000000000704c0 .text C:\Windows\System32\svchost.exe[2384] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000779ae8d0 5 bytes JMP 00000000000702f0 .text C:\Windows\System32\svchost.exe[2384] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000779ae8e0 5 bytes JMP 0000000000070350 .text C:\Windows\System32\svchost.exe[2384] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000779ae940 5 bytes JMP 0000000000070290 .text C:\Windows\System32\svchost.exe[2384] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000779ae990 5 bytes JMP 00000000000702b0 .text C:\Windows\System32\svchost.exe[2384] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000779ae9c0 5 bytes JMP 0000000000070370 .text C:\Windows\System32\svchost.exe[2384] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000779ae9d0 5 bytes JMP 0000000000070330 .text C:\Windows\System32\svchost.exe[2384] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000779aecc0 5 bytes JMP 0000000000070460 .text C:\Windows\System32\svchost.exe[2384] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 00000000779aee20 5 bytes JMP 0000000000070420 .text C:\Windows\System32\svchost.exe[2384] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000779aeec0 1 byte JMP 0000000000070250 .text C:\Windows\System32\svchost.exe[2384] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 00000000779aeec2 3 bytes {JMP 0xffffffff886c1390} .text C:\Windows\System32\svchost.exe[2384] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000779aeed0 1 byte JMP 0000000000070260 .text C:\Windows\System32\svchost.exe[2384] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 00000000779aeed2 3 bytes {JMP 0xffffffff886c1390} .text C:\Windows\System32\svchost.exe[2384] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000779aeee0 5 bytes JMP 0000000000070400 .text C:\Windows\System32\svchost.exe[2384] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000779af0a0 5 bytes JMP 00000000000701e0 .text C:\Windows\System32\svchost.exe[2384] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000779af0b0 5 bytes JMP 0000000000070200 .text C:\Windows\System32\svchost.exe[2384] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000779af120 5 bytes JMP 00000000000701f0 .text C:\Windows\System32\svchost.exe[2384] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000779af180 5 bytes JMP 0000000000070430 .text C:\Windows\System32\svchost.exe[2384] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000779af190 5 bytes JMP 0000000000070450 .text C:\Windows\System32\svchost.exe[2384] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000779af1a0 5 bytes JMP 0000000000070210 .text C:\Windows\System32\svchost.exe[2384] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000779af280 5 bytes JMP 0000000000070270 .text C:\Windows\system32\svchost.exe[2436] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000779ada60 5 bytes JMP 0000000077b10480 .text C:\Windows\system32\svchost.exe[2436] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000779adab0 5 bytes JMP 0000000077b10470 .text C:\Windows\system32\svchost.exe[2436] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000779adc10 5 bytes JMP 0000000077b10360 .text C:\Windows\system32\svchost.exe[2436] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000779adc60 5 bytes JMP 0000000077b10490 .text C:\Windows\system32\svchost.exe[2436] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779adc70 5 bytes JMP 0000000077b103d0 .text C:\Windows\system32\svchost.exe[2436] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000779add20 5 bytes JMP 0000000077b10310 .text C:\Windows\system32\svchost.exe[2436] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000779add50 5 bytes JMP 0000000077b103a0 .text C:\Windows\system32\svchost.exe[2436] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000779add70 5 bytes JMP 0000000077b10380 .text C:\Windows\system32\svchost.exe[2436] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000779addb0 5 bytes JMP 0000000077b102d0 .text C:\Windows\system32\svchost.exe[2436] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000779ade30 1 byte JMP 0000000077b102c0 .text C:\Windows\system32\svchost.exe[2436] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 00000000779ade32 3 bytes {JMP 0x162490} .text C:\Windows\system32\svchost.exe[2436] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779ade50 5 bytes JMP 0000000077b10300 .text C:\Windows\system32\svchost.exe[2436] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779ade90 5 bytes JMP 0000000077b103b0 .text C:\Windows\system32\svchost.exe[2436] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000779aded0 5 bytes JMP 0000000077b10440 .text C:\Windows\system32\svchost.exe[2436] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000779adee0 5 bytes JMP 0000000077b103e0 .text C:\Windows\system32\svchost.exe[2436] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000779ae040 5 bytes JMP 0000000077b10220 .text C:\Windows\system32\svchost.exe[2436] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000779ae200 5 bytes JMP 0000000077b104a0 .text C:\Windows\system32\svchost.exe[2436] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000779ae230 5 bytes JMP 0000000077b10390 .text C:\Windows\system32\svchost.exe[2436] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000779ae310 5 bytes JMP 0000000077b102e0 .text C:\Windows\system32\svchost.exe[2436] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000779ae320 5 bytes JMP 0000000077b10340 .text C:\Windows\system32\svchost.exe[2436] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000779ae380 5 bytes JMP 0000000077b10280 .text C:\Windows\system32\svchost.exe[2436] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000779ae410 1 byte JMP 0000000077b102a0 .text C:\Windows\system32\svchost.exe[2436] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 00000000779ae412 3 bytes {JMP 0x161e90} .text C:\Windows\system32\svchost.exe[2436] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000779ae430 1 byte JMP 0000000077b103c0 .text C:\Windows\system32\svchost.exe[2436] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 00000000779ae432 3 bytes {JMP 0x161f90} .text C:\Windows\system32\svchost.exe[2436] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000779ae440 5 bytes JMP 0000000077b10320 .text C:\Windows\system32\svchost.exe[2436] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000779ae4b0 5 bytes JMP 0000000077b10410 .text C:\Windows\system32\svchost.exe[2436] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000779ae4e0 5 bytes JMP 0000000077b10230 .text C:\Windows\system32\svchost.exe[2436] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 00000000779ae680 5 bytes JMP 0000000077b103f0 .text C:\Windows\system32\svchost.exe[2436] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000779ae7a0 5 bytes JMP 0000000077b101d0 .text C:\Windows\system32\svchost.exe[2436] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000779ae860 5 bytes JMP 0000000077b10240 .text C:\Windows\system32\svchost.exe[2436] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000779ae890 5 bytes JMP 0000000077b104b0 .text C:\Windows\system32\svchost.exe[2436] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000779ae8a0 5 bytes JMP 0000000077b104c0 .text C:\Windows\system32\svchost.exe[2436] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000779ae8d0 5 bytes JMP 0000000077b102f0 .text C:\Windows\system32\svchost.exe[2436] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000779ae8e0 5 bytes JMP 0000000077b10350 .text C:\Windows\system32\svchost.exe[2436] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000779ae940 5 bytes JMP 0000000077b10290 .text C:\Windows\system32\svchost.exe[2436] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000779ae990 5 bytes JMP 0000000077b102b0 .text C:\Windows\system32\svchost.exe[2436] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000779ae9c0 5 bytes JMP 0000000077b10370 .text C:\Windows\system32\svchost.exe[2436] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000779ae9d0 5 bytes JMP 0000000077b10330 .text C:\Windows\system32\svchost.exe[2436] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000779aecc0 5 bytes JMP 0000000077b10460 .text C:\Windows\system32\svchost.exe[2436] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 00000000779aee20 5 bytes JMP 0000000077b10420 .text C:\Windows\system32\svchost.exe[2436] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000779aeec0 1 byte JMP 0000000077b10250 .text C:\Windows\system32\svchost.exe[2436] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 00000000779aeec2 3 bytes {JMP 0x161390} .text C:\Windows\system32\svchost.exe[2436] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000779aeed0 1 byte JMP 0000000077b10260 .text C:\Windows\system32\svchost.exe[2436] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 00000000779aeed2 3 bytes {JMP 0x161390} .text C:\Windows\system32\svchost.exe[2436] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000779aeee0 5 bytes JMP 0000000077b10400 .text C:\Windows\system32\svchost.exe[2436] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000779af0a0 5 bytes JMP 0000000077b101e0 .text C:\Windows\system32\svchost.exe[2436] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000779af0b0 5 bytes JMP 0000000077b10200 .text C:\Windows\system32\svchost.exe[2436] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000779af120 5 bytes JMP 0000000077b101f0 .text C:\Windows\system32\svchost.exe[2436] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000779af180 5 bytes JMP 0000000077b10430 .text C:\Windows\system32\svchost.exe[2436] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000779af190 5 bytes JMP 0000000077b10450 .text C:\Windows\system32\svchost.exe[2436] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000779af1a0 5 bytes JMP 0000000077b10210 .text C:\Windows\system32\svchost.exe[2436] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000779af280 5 bytes JMP 0000000077b10270 .text C:\Windows\system32\svchost.exe[3924] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000779ada60 5 bytes JMP 0000000077b10480 .text C:\Windows\system32\svchost.exe[3924] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000779adab0 5 bytes JMP 0000000077b10470 .text C:\Windows\system32\svchost.exe[3924] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000779adc10 5 bytes JMP 0000000077b10360 .text C:\Windows\system32\svchost.exe[3924] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000779adc60 5 bytes JMP 0000000077b10490 .text C:\Windows\system32\svchost.exe[3924] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779adc70 5 bytes JMP 0000000077b103d0 .text C:\Windows\system32\svchost.exe[3924] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000779add20 5 bytes JMP 0000000077b10310 .text C:\Windows\system32\svchost.exe[3924] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000779add50 5 bytes JMP 0000000077b103a0 .text C:\Windows\system32\svchost.exe[3924] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000779add70 5 bytes JMP 0000000077b10380 .text C:\Windows\system32\svchost.exe[3924] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000779addb0 5 bytes JMP 0000000077b102d0 .text C:\Windows\system32\svchost.exe[3924] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000779ade30 1 byte JMP 0000000077b102c0 .text C:\Windows\system32\svchost.exe[3924] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 00000000779ade32 3 bytes {JMP 0x162490} .text C:\Windows\system32\svchost.exe[3924] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779ade50 5 bytes JMP 0000000077b10300 .text C:\Windows\system32\svchost.exe[3924] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779ade90 5 bytes JMP 0000000077b103b0 .text C:\Windows\system32\svchost.exe[3924] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000779aded0 5 bytes JMP 0000000077b10440 .text C:\Windows\system32\svchost.exe[3924] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000779adee0 5 bytes JMP 0000000077b103e0 .text C:\Windows\system32\svchost.exe[3924] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000779ae040 5 bytes JMP 0000000077b10220 .text C:\Windows\system32\svchost.exe[3924] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000779ae200 5 bytes JMP 0000000077b104a0 .text C:\Windows\system32\svchost.exe[3924] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000779ae230 5 bytes JMP 0000000077b10390 .text C:\Windows\system32\svchost.exe[3924] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000779ae310 5 bytes JMP 0000000077b102e0 .text C:\Windows\system32\svchost.exe[3924] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000779ae320 5 bytes JMP 0000000077b10340 .text C:\Windows\system32\svchost.exe[3924] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000779ae380 5 bytes JMP 0000000077b10280 .text C:\Windows\system32\svchost.exe[3924] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000779ae410 1 byte JMP 0000000077b102a0 .text C:\Windows\system32\svchost.exe[3924] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 00000000779ae412 3 bytes {JMP 0x161e90} .text C:\Windows\system32\svchost.exe[3924] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000779ae430 1 byte JMP 0000000077b103c0 .text C:\Windows\system32\svchost.exe[3924] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 00000000779ae432 3 bytes {JMP 0x161f90} .text C:\Windows\system32\svchost.exe[3924] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000779ae440 5 bytes JMP 0000000077b10320 .text C:\Windows\system32\svchost.exe[3924] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000779ae4b0 5 bytes JMP 0000000077b10410 .text C:\Windows\system32\svchost.exe[3924] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000779ae4e0 5 bytes JMP 0000000077b10230 .text C:\Windows\system32\svchost.exe[3924] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 00000000779ae680 5 bytes JMP 0000000077b103f0 .text C:\Windows\system32\svchost.exe[3924] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000779ae7a0 5 bytes JMP 0000000077b101d0 .text C:\Windows\system32\svchost.exe[3924] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000779ae860 5 bytes JMP 0000000077b10240 .text C:\Windows\system32\svchost.exe[3924] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000779ae890 5 bytes JMP 0000000077b104b0 .text C:\Windows\system32\svchost.exe[3924] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000779ae8a0 5 bytes JMP 0000000077b104c0 .text C:\Windows\system32\svchost.exe[3924] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000779ae8d0 5 bytes JMP 0000000077b102f0 .text C:\Windows\system32\svchost.exe[3924] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000779ae8e0 5 bytes JMP 0000000077b10350 .text C:\Windows\system32\svchost.exe[3924] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000779ae940 5 bytes JMP 0000000077b10290 .text C:\Windows\system32\svchost.exe[3924] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000779ae990 5 bytes JMP 0000000077b102b0 .text C:\Windows\system32\svchost.exe[3924] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000779ae9c0 5 bytes JMP 0000000077b10370 .text C:\Windows\system32\svchost.exe[3924] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000779ae9d0 5 bytes JMP 0000000077b10330 .text C:\Windows\system32\svchost.exe[3924] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000779aecc0 5 bytes JMP 0000000077b10460 .text C:\Windows\system32\svchost.exe[3924] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 00000000779aee20 5 bytes JMP 0000000077b10420 .text C:\Windows\system32\svchost.exe[3924] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000779aeec0 1 byte JMP 0000000077b10250 .text C:\Windows\system32\svchost.exe[3924] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 00000000779aeec2 3 bytes {JMP 0x161390} .text C:\Windows\system32\svchost.exe[3924] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000779aeed0 1 byte JMP 0000000077b10260 .text C:\Windows\system32\svchost.exe[3924] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 00000000779aeed2 3 bytes {JMP 0x161390} .text C:\Windows\system32\svchost.exe[3924] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000779aeee0 5 bytes JMP 0000000077b10400 .text C:\Windows\system32\svchost.exe[3924] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000779af0a0 5 bytes JMP 0000000077b101e0 .text C:\Windows\system32\svchost.exe[3924] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000779af0b0 5 bytes JMP 0000000077b10200 .text C:\Windows\system32\svchost.exe[3924] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000779af120 5 bytes JMP 0000000077b101f0 .text C:\Windows\system32\svchost.exe[3924] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000779af180 5 bytes JMP 0000000077b10430 .text C:\Windows\system32\svchost.exe[3924] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000779af190 5 bytes JMP 0000000077b10450 .text C:\Windows\system32\svchost.exe[3924] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000779af1a0 5 bytes JMP 0000000077b10210 .text C:\Windows\system32\svchost.exe[3924] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000779af280 5 bytes JMP 0000000077b10270 .text C:\Windows\system32\wbem\wmiprvse.exe[4240] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000779ada60 5 bytes JMP 0000000000070480 .text C:\Windows\system32\wbem\wmiprvse.exe[4240] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000779adab0 5 bytes JMP 0000000000070470 .text C:\Windows\system32\wbem\wmiprvse.exe[4240] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000779adc10 5 bytes JMP 0000000000070360 .text C:\Windows\system32\wbem\wmiprvse.exe[4240] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000779adc60 5 bytes JMP 0000000000070490 .text C:\Windows\system32\wbem\wmiprvse.exe[4240] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779adc70 5 bytes JMP 00000000000703d0 .text C:\Windows\system32\wbem\wmiprvse.exe[4240] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000779add20 5 bytes JMP 0000000000070310 .text C:\Windows\system32\wbem\wmiprvse.exe[4240] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000779add50 5 bytes JMP 00000000000703a0 .text C:\Windows\system32\wbem\wmiprvse.exe[4240] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000779add70 5 bytes JMP 0000000000070380 .text C:\Windows\system32\wbem\wmiprvse.exe[4240] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000779addb0 5 bytes JMP 00000000000702d0 .text C:\Windows\system32\wbem\wmiprvse.exe[4240] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000779ade30 1 byte JMP 00000000000702c0 .text C:\Windows\system32\wbem\wmiprvse.exe[4240] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 00000000779ade32 3 bytes {JMP 0xffffffff886c2490} .text C:\Windows\system32\wbem\wmiprvse.exe[4240] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779ade50 5 bytes JMP 0000000000070300 .text C:\Windows\system32\wbem\wmiprvse.exe[4240] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779ade90 5 bytes JMP 00000000000703b0 .text C:\Windows\system32\wbem\wmiprvse.exe[4240] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000779aded0 5 bytes JMP 0000000000070440 .text C:\Windows\system32\wbem\wmiprvse.exe[4240] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000779adee0 5 bytes JMP 00000000000703e0 .text C:\Windows\system32\wbem\wmiprvse.exe[4240] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000779ae040 5 bytes JMP 0000000000070220 .text C:\Windows\system32\wbem\wmiprvse.exe[4240] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000779ae200 5 bytes JMP 00000000000704a0 .text C:\Windows\system32\wbem\wmiprvse.exe[4240] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000779ae230 5 bytes JMP 0000000000070390 .text C:\Windows\system32\wbem\wmiprvse.exe[4240] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000779ae310 5 bytes JMP 00000000000702e0 .text C:\Windows\system32\wbem\wmiprvse.exe[4240] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000779ae320 5 bytes JMP 0000000000070340 .text C:\Windows\system32\wbem\wmiprvse.exe[4240] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000779ae380 5 bytes JMP 0000000000070280 .text C:\Windows\system32\wbem\wmiprvse.exe[4240] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000779ae410 1 byte JMP 00000000000702a0 .text C:\Windows\system32\wbem\wmiprvse.exe[4240] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 00000000779ae412 3 bytes {JMP 0xffffffff886c1e90} .text C:\Windows\system32\wbem\wmiprvse.exe[4240] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000779ae430 1 byte JMP 00000000000703c0 .text C:\Windows\system32\wbem\wmiprvse.exe[4240] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 00000000779ae432 3 bytes {JMP 0xffffffff886c1f90} .text C:\Windows\system32\wbem\wmiprvse.exe[4240] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000779ae440 5 bytes JMP 0000000000070320 .text C:\Windows\system32\wbem\wmiprvse.exe[4240] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000779ae4b0 5 bytes JMP 0000000000070410 .text C:\Windows\system32\wbem\wmiprvse.exe[4240] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000779ae4e0 5 bytes JMP 0000000000070230 .text C:\Windows\system32\wbem\wmiprvse.exe[4240] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 00000000779ae680 5 bytes JMP 00000000000703f0 .text C:\Windows\system32\wbem\wmiprvse.exe[4240] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000779ae7a0 5 bytes JMP 00000000000701d0 .text C:\Windows\system32\wbem\wmiprvse.exe[4240] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000779ae860 5 bytes JMP 0000000000070240 .text C:\Windows\system32\wbem\wmiprvse.exe[4240] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000779ae890 5 bytes JMP 00000000000704b0 .text C:\Windows\system32\wbem\wmiprvse.exe[4240] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000779ae8a0 5 bytes JMP 00000000000704c0 .text C:\Windows\system32\wbem\wmiprvse.exe[4240] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000779ae8d0 5 bytes JMP 00000000000702f0 .text C:\Windows\system32\wbem\wmiprvse.exe[4240] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000779ae8e0 5 bytes JMP 0000000000070350 .text C:\Windows\system32\wbem\wmiprvse.exe[4240] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000779ae940 5 bytes JMP 0000000000070290 .text C:\Windows\system32\wbem\wmiprvse.exe[4240] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000779ae990 5 bytes JMP 00000000000702b0 .text C:\Windows\system32\wbem\wmiprvse.exe[4240] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000779ae9c0 5 bytes JMP 0000000000070370 .text C:\Windows\system32\wbem\wmiprvse.exe[4240] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000779ae9d0 5 bytes JMP 0000000000070330 .text C:\Windows\system32\wbem\wmiprvse.exe[4240] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000779aecc0 5 bytes JMP 0000000000070460 .text C:\Windows\system32\wbem\wmiprvse.exe[4240] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 00000000779aee20 5 bytes JMP 0000000000070420 .text C:\Windows\system32\wbem\wmiprvse.exe[4240] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000779aeec0 1 byte JMP 0000000000070250 .text C:\Windows\system32\wbem\wmiprvse.exe[4240] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 00000000779aeec2 3 bytes {JMP 0xffffffff886c1390} .text C:\Windows\system32\wbem\wmiprvse.exe[4240] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000779aeed0 1 byte JMP 0000000000070260 .text C:\Windows\system32\wbem\wmiprvse.exe[4240] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 00000000779aeed2 3 bytes {JMP 0xffffffff886c1390} .text C:\Windows\system32\wbem\wmiprvse.exe[4240] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000779aeee0 5 bytes JMP 0000000000070400 .text C:\Windows\system32\wbem\wmiprvse.exe[4240] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000779af0a0 5 bytes JMP 00000000000701e0 .text C:\Windows\system32\wbem\wmiprvse.exe[4240] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000779af0b0 5 bytes JMP 0000000000070200 .text C:\Windows\system32\wbem\wmiprvse.exe[4240] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000779af120 5 bytes JMP 00000000000701f0 .text C:\Windows\system32\wbem\wmiprvse.exe[4240] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000779af180 5 bytes JMP 0000000000070430 .text C:\Windows\system32\wbem\wmiprvse.exe[4240] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000779af190 5 bytes JMP 0000000000070450 .text C:\Windows\system32\wbem\wmiprvse.exe[4240] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000779af1a0 5 bytes JMP 0000000000070210 .text C:\Windows\system32\wbem\wmiprvse.exe[4240] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000779af280 5 bytes JMP 0000000000070270 ---- Threads - GMER 2.2 ---- Thread C:\SQL 2008\MSSQL10.MSSQLSERVER\MSSQL\Binn\sqlservr.exe [3172:3200] 0000000077b927c1 Thread C:\SQL 2008\MSSQL10.MSSQLSERVER\MSSQL\Binn\sqlservr.exe [3172:3216] 0000000077b7c557 Thread C:\SQL 2008\MSSQL10.MSSQLSERVER\MSSQL\Binn\sqlservr.exe [3172:3256] 00000000681f29e1 Thread C:\SQL 2008\MSSQL10.MSSQLSERVER\MSSQL\Binn\sqlservr.exe [3172:3260] 00000000681f29e1 Thread C:\SQL 2008\MSSQL10.MSSQLSERVER\MSSQL\Binn\sqlservr.exe [3172:3264] 00000000681f29e1 Thread C:\SQL 2008\MSSQL10.MSSQLSERVER\MSSQL\Binn\sqlservr.exe [3172:3268] 00000000681f29e1 Thread C:\SQL 2008\MSSQL10.MSSQLSERVER\MSSQL\Binn\sqlservr.exe [3172:3272] 00000000681f29e1 Thread C:\SQL 2008\MSSQL10.MSSQLSERVER\MSSQL\Binn\sqlservr.exe [3172:3276] 00000000681f29e1 Thread C:\SQL 2008\MSSQL10.MSSQLSERVER\MSSQL\Binn\sqlservr.exe [3172:3280] 00000000681f29e1 Thread C:\SQL 2008\MSSQL10.MSSQLSERVER\MSSQL\Binn\sqlservr.exe [3172:3284] 00000000681f29e1 Thread C:\SQL 2008\MSSQL10.MSSQLSERVER\MSSQL\Binn\sqlservr.exe [3172:3288] 00000000681f29e1 Thread C:\SQL 2008\MSSQL10.MSSQLSERVER\MSSQL\Binn\sqlservr.exe [3172:3292] 00000000681f29e1 Thread C:\SQL 2008\MSSQL10.MSSQLSERVER\MSSQL\Binn\sqlservr.exe [3172:3296] 00000000681f29e1 Thread C:\SQL 2008\MSSQL10.MSSQLSERVER\MSSQL\Binn\sqlservr.exe [3172:3300] 00000000681f29e1 Thread C:\SQL 2008\MSSQL10.MSSQLSERVER\MSSQL\Binn\sqlservr.exe [3172:3304] 00000000681f29e1 Thread C:\SQL 2008\MSSQL10.MSSQLSERVER\MSSQL\Binn\sqlservr.exe [3172:3372] 00000000681f29e1 Thread C:\SQL 2008\MSSQL10.MSSQLSERVER\MSSQL\Binn\sqlservr.exe [3172:3376] 00000000681f29e1 Thread C:\SQL 2008\MSSQL10.MSSQLSERVER\MSSQL\Binn\sqlservr.exe [3172:3416] 00000000681f29e1 Thread C:\SQL 2008\MSSQL10.MSSQLSERVER\MSSQL\Binn\sqlservr.exe [3172:3420] 00000000681f29e1 Thread C:\SQL 2008\MSSQL10.MSSQLSERVER\MSSQL\Binn\sqlservr.exe [3172:3424] 00000000681f29e1 Thread C:\SQL 2008\MSSQL10.MSSQLSERVER\MSSQL\Binn\sqlservr.exe [3172:3428] 00000000681f29e1 Thread C:\SQL 2008\MSSQL10.MSSQLSERVER\MSSQL\Binn\sqlservr.exe [3172:3432] 00000000681f29e1 Thread C:\SQL 2008\MSSQL10.MSSQLSERVER\MSSQL\Binn\sqlservr.exe [3172:3436] 00000000681f29e1 Thread C:\SQL 2008\MSSQL10.MSSQLSERVER\MSSQL\Binn\sqlservr.exe [3172:3440] 00000000681f29e1 Thread C:\SQL 2008\MSSQL10.MSSQLSERVER\MSSQL\Binn\sqlservr.exe [3172:3444] 00000000681f29e1 Thread C:\SQL 2008\MSSQL10.MSSQLSERVER\MSSQL\Binn\sqlservr.exe [3172:3452] 00000000681f29e1 Thread C:\SQL 2008\MSSQL10.MSSQLSERVER\MSSQL\Binn\sqlservr.exe [3172:3456] 00000000681f29e1 Thread C:\SQL 2008\MSSQL10.MSSQLSERVER\MSSQL\Binn\sqlservr.exe [3172:3460] 00000000681f29e1 Thread C:\SQL 2008\MSSQL10.MSSQLSERVER\MSSQL\Binn\sqlservr.exe [3172:3464] 0000000077b927c1 Thread C:\SQL 2008\MSSQL10.MSSQLSERVER\MSSQL\Binn\sqlservr.exe [3172:3468] 00000000681f29e1 Thread C:\SQL 2008\MSSQL10.MSSQLSERVER\MSSQL\Binn\sqlservr.exe [3172:3492] 00000000681f29e1 Thread C:\SQL 2008\MSSQL10.MSSQLSERVER\MSSQL\Binn\sqlservr.exe [3172:3496] 00000000681f29e1 Thread C:\SQL 2008\MSSQL10.MSSQLSERVER\MSSQL\Binn\sqlservr.exe [3172:3500] 00000000681f29e1 Thread C:\SQL 2008\MSSQL10.MSSQLSERVER\MSSQL\Binn\sqlservr.exe [3172:3504] 00000000681f29e1 Thread C:\SQL 2008\MSSQL10.MSSQLSERVER\MSSQL\Binn\sqlservr.exe [3172:3508] 00000000681f29e1 Thread C:\SQL 2008\MSSQL10.MSSQLSERVER\MSSQL\Binn\sqlservr.exe [3172:3512] 00000000681f29e1 Thread C:\SQL 2008\MSSQL10.MSSQLSERVER\MSSQL\Binn\sqlservr.exe [3172:3516] 00000000681f29e1 Thread C:\SQL 2008\MSSQL10.MSSQLSERVER\MSSQL\Binn\sqlservr.exe [3172:3520] 00000000681f29e1 Thread C:\SQL 2008\MSSQL10.MSSQLSERVER\MSSQL\Binn\sqlservr.exe [3172:3524] 00000000681f29e1 Thread C:\SQL 2008\MSSQL10.MSSQLSERVER\MSSQL\Binn\sqlservr.exe [3172:4532] 00000000681f29e1 Thread C:\SQL 2008\MSSQL10.MSSQLSERVER\MSSQL\Binn\sqlservr.exe [3172:4536] 00000000681f29e1 ---- Registry - GMER 2.2 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters\Instup_14718878763512280@SetupOperations ???}it??????LegacyDriver??????B??????5?????????eSB???????????????h??????????????d???d???????Reusable ISATAP Interface {A625881F-F596-4073-9D47-8FFD85018148}??????N??????????????????????????????????????1???????\??? ???u???????????????????9???s???????d??????????Microsoft?????2????????????????e?????????????o???????c???????????d????????????*Po??czenie lokalne* 9????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????BTeredo Tunneling Pseudo-Interface????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????? Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters\Instup_14718878907832280@SetupOperations ?????????????????????=???????????????????e?????ecl??? ???????s???????t??? ???????:?????????????:?????????? ?&???????????????????????? ??????????????????????????????????????????????????????????????4.0.30319.0?v3???????p??????????m?????e?????????????????????????v???;??? ?????????????????????0????????????&?????????????????????????|????????g?????????????????(??????????????????StillImage???????? ??z????????????????X?????????????{70f98452-3c38-4271-8e76-6f444852ebc8}???????????&??????????????????? ?????????????????????.??????????????????????s??w???????????????????d??@nettun.inf,%6to4mp.displayname%;Karta Microsoft 6to4???????????????????LegacyDriver?d??????SeImpersonatePrivilege?SeBackupPrivilege?SeRestorePrivilege?SeDebugPrivilege?SeChangeNotifyPrivilege?SeSecurityPrivilege?SeShutdownPrivilege?SeIncreaseQuotaPrivilege?SeAssignPrimaryTokenPrivilege?????? ?????????????????????0????????>???????????????@usbstor.inf,%genericbulkonly.devicedesc%;Urz?dzenie pami?ci masowej USB????????????????????????disk?&??? ???????p???????r???????????}??????????{7b81bcfe-5bca-11e6-86fb-50e5495a743c}???????,?;?;?