GMER 2.2.19882 - http://www.gmer.net Rootkit scan 2016-09-29 21:58:00 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk2\DR2 -> \Device\Ide\IdeDeviceP2T0L0-3 INTEL_SSDSC2CW060A rev.400i 55,90GB Running: ojbyxq0u.exe; Driver: C:\Users\Konrad\AppData\Local\Temp\fwkdapog.sys ---- User code sections - GMER 2.2 ---- .text C:\Windows\system32\csrss.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077bfbbe0 5 bytes JMP 0000000049c60480 .text C:\Windows\system32\csrss.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077bfbc30 5 bytes JMP 0000000049c60470 .text C:\Windows\system32\csrss.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077bfbd90 5 bytes JMP 0000000049c60360 .text C:\Windows\system32\csrss.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077bfbde0 5 bytes JMP 0000000049c60490 .text C:\Windows\system32\csrss.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077bfbdf0 5 bytes JMP 0000000049c603d0 .text C:\Windows\system32\csrss.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077bfbea0 5 bytes JMP 0000000049c60310 .text C:\Windows\system32\csrss.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077bfbed0 5 bytes JMP 0000000049c603a0 .text C:\Windows\system32\csrss.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077bfbef0 1 byte JMP 0000000049c60380 .text C:\Windows\system32\csrss.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 0000000077bfbef2 3 bytes {JMP 0xffffffffd2064490} .text C:\Windows\system32\csrss.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077bfbf30 5 bytes JMP 0000000049c602d0 .text C:\Windows\system32\csrss.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077bfbfb0 5 bytes JMP 0000000049c602c0 .text C:\Windows\system32\csrss.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077bfbfd0 5 bytes JMP 0000000049c60300 .text C:\Windows\system32\csrss.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077bfc010 5 bytes JMP 0000000049c603b0 .text C:\Windows\system32\csrss.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000077bfc050 5 bytes JMP 0000000049c60440 .text C:\Windows\system32\csrss.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077bfc060 5 bytes JMP 0000000049c603e0 .text C:\Windows\system32\csrss.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077bfc1c0 5 bytes JMP 0000000049c60220 .text C:\Windows\system32\csrss.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077bfc380 5 bytes JMP 0000000049c604a0 .text C:\Windows\system32\csrss.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077bfc3b0 5 bytes JMP 0000000049c60390 .text C:\Windows\system32\csrss.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077bfc490 5 bytes JMP 0000000049c602e0 .text C:\Windows\system32\csrss.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077bfc4a0 5 bytes JMP 0000000049c60340 .text C:\Windows\system32\csrss.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077bfc500 5 bytes JMP 0000000049c60280 .text C:\Windows\system32\csrss.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077bfc590 5 bytes JMP 0000000049c602a0 .text C:\Windows\system32\csrss.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077bfc5b0 5 bytes JMP 0000000049c603c0 .text C:\Windows\system32\csrss.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077bfc5c0 5 bytes JMP 0000000049c60320 .text C:\Windows\system32\csrss.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077bfc630 5 bytes JMP 0000000049c60410 .text C:\Windows\system32\csrss.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077bfc660 5 bytes JMP 0000000049c60230 .text C:\Windows\system32\csrss.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000077bfc800 5 bytes JMP 0000000049c603f0 .text C:\Windows\system32\csrss.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077bfc920 5 bytes JMP 0000000049c601d0 .text C:\Windows\system32\csrss.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077bfc9e0 5 bytes JMP 0000000049c60240 .text C:\Windows\system32\csrss.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077bfca10 5 bytes JMP 0000000049c604b0 .text C:\Windows\system32\csrss.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077bfca20 5 bytes JMP 0000000049c604c0 .text C:\Windows\system32\csrss.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077bfca50 5 bytes JMP 0000000049c602f0 .text C:\Windows\system32\csrss.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077bfca60 5 bytes JMP 0000000049c60350 .text C:\Windows\system32\csrss.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077bfcac0 5 bytes JMP 0000000049c60290 .text C:\Windows\system32\csrss.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077bfcb10 5 bytes JMP 0000000049c602b0 .text C:\Windows\system32\csrss.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077bfcb40 5 bytes JMP 0000000049c60370 .text C:\Windows\system32\csrss.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077bfcb50 5 bytes JMP 0000000049c60330 .text C:\Windows\system32\csrss.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077bfce40 5 bytes JMP 0000000049c60460 .text C:\Windows\system32\csrss.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000077bfcfa0 5 bytes JMP 0000000049c60420 .text C:\Windows\system32\csrss.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077bfd040 5 bytes JMP 0000000049c60250 .text C:\Windows\system32\csrss.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077bfd050 5 bytes JMP 0000000049c60260 .text C:\Windows\system32\csrss.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077bfd060 5 bytes JMP 0000000049c60400 .text C:\Windows\system32\csrss.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077bfd220 5 bytes JMP 0000000049c601e0 .text C:\Windows\system32\csrss.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077bfd230 5 bytes JMP 0000000049c60200 .text C:\Windows\system32\csrss.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077bfd2a0 5 bytes JMP 0000000049c601f0 .text C:\Windows\system32\csrss.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077bfd300 5 bytes JMP 0000000049c60430 .text C:\Windows\system32\csrss.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077bfd310 5 bytes JMP 0000000049c60450 .text C:\Windows\system32\csrss.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077bfd320 5 bytes JMP 0000000049c60210 .text C:\Windows\system32\csrss.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077bfd400 5 bytes JMP 0000000049c60270 .text C:\Windows\system32\lsass.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077bfbbe0 5 bytes JMP 0000000077d60480 .text C:\Windows\system32\lsass.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077bfbc30 5 bytes JMP 0000000077d60470 .text C:\Windows\system32\lsass.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077bfbd90 5 bytes JMP 0000000077d60360 .text C:\Windows\system32\lsass.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077bfbde0 5 bytes JMP 0000000077d60490 .text C:\Windows\system32\lsass.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077bfbdf0 5 bytes JMP 0000000077d603d0 .text C:\Windows\system32\lsass.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077bfbea0 5 bytes JMP 0000000077d60310 .text C:\Windows\system32\lsass.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077bfbed0 5 bytes JMP 0000000077d603a0 .text C:\Windows\system32\lsass.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077bfbef0 1 byte JMP 0000000077d60380 .text C:\Windows\system32\lsass.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 0000000077bfbef2 3 bytes {JMP 0x164490} .text C:\Windows\system32\lsass.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077bfbf30 5 bytes JMP 0000000077d602d0 .text C:\Windows\system32\lsass.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077bfbfb0 5 bytes JMP 0000000077d602c0 .text C:\Windows\system32\lsass.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077bfbfd0 5 bytes JMP 0000000077d60300 .text C:\Windows\system32\lsass.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077bfc010 5 bytes JMP 0000000077d603b0 .text C:\Windows\system32\lsass.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000077bfc050 5 bytes JMP 0000000077d60440 .text C:\Windows\system32\lsass.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077bfc060 5 bytes JMP 0000000077d603e0 .text C:\Windows\system32\lsass.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077bfc1c0 5 bytes JMP 0000000077d60220 .text C:\Windows\system32\lsass.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077bfc380 5 bytes JMP 0000000077d604a0 .text C:\Windows\system32\lsass.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077bfc3b0 5 bytes JMP 0000000077d60390 .text C:\Windows\system32\lsass.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077bfc490 5 bytes JMP 0000000077d602e0 .text C:\Windows\system32\lsass.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077bfc4a0 5 bytes JMP 0000000077d60340 .text C:\Windows\system32\lsass.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077bfc500 5 bytes JMP 0000000077d60280 .text C:\Windows\system32\lsass.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077bfc590 5 bytes JMP 0000000077d602a0 .text C:\Windows\system32\lsass.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077bfc5b0 5 bytes JMP 0000000077d603c0 .text C:\Windows\system32\lsass.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077bfc5c0 5 bytes JMP 0000000077d60320 .text C:\Windows\system32\lsass.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077bfc630 5 bytes JMP 0000000077d60410 .text C:\Windows\system32\lsass.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077bfc660 5 bytes JMP 0000000077d60230 .text C:\Windows\system32\lsass.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000077bfc800 5 bytes JMP 0000000077d603f0 .text C:\Windows\system32\lsass.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077bfc920 5 bytes JMP 0000000077d601d0 .text C:\Windows\system32\lsass.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077bfc9e0 5 bytes JMP 0000000077d60240 .text C:\Windows\system32\lsass.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077bfca10 5 bytes JMP 0000000077d604b0 .text C:\Windows\system32\lsass.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077bfca20 5 bytes JMP 0000000077d604c0 .text C:\Windows\system32\lsass.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077bfca50 5 bytes JMP 0000000077d602f0 .text C:\Windows\system32\lsass.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077bfca60 5 bytes JMP 0000000077d60350 .text C:\Windows\system32\lsass.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077bfcac0 5 bytes JMP 0000000077d60290 .text C:\Windows\system32\lsass.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077bfcb10 5 bytes JMP 0000000077d602b0 .text C:\Windows\system32\lsass.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077bfcb40 5 bytes JMP 0000000077d60370 .text C:\Windows\system32\lsass.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077bfcb50 5 bytes JMP 0000000077d60330 .text C:\Windows\system32\lsass.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077bfce40 5 bytes JMP 0000000077d60460 .text C:\Windows\system32\lsass.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000077bfcfa0 5 bytes JMP 0000000077d60420 .text C:\Windows\system32\lsass.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077bfd040 5 bytes JMP 0000000077d60250 .text C:\Windows\system32\lsass.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077bfd050 5 bytes JMP 0000000077d60260 .text C:\Windows\system32\lsass.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077bfd060 5 bytes JMP 0000000077d60400 .text C:\Windows\system32\lsass.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077bfd220 5 bytes JMP 0000000077d601e0 .text C:\Windows\system32\lsass.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077bfd230 5 bytes JMP 0000000077d60200 .text C:\Windows\system32\lsass.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077bfd2a0 5 bytes JMP 0000000077d601f0 .text C:\Windows\system32\lsass.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077bfd300 5 bytes JMP 0000000077d60430 .text C:\Windows\system32\lsass.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077bfd310 5 bytes JMP 0000000077d60450 .text C:\Windows\system32\lsass.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077bfd320 5 bytes JMP 0000000077d60210 .text C:\Windows\system32\lsass.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077bfd400 5 bytes JMP 0000000077d60270 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077bfbbe0 5 bytes JMP 0000000077d60480 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077bfbc30 5 bytes JMP 0000000077d60470 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077bfbd90 5 bytes JMP 0000000077d60360 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077bfbde0 5 bytes JMP 0000000077d60490 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077bfbdf0 5 bytes JMP 0000000077d603d0 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077bfbea0 5 bytes JMP 0000000077d60310 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077bfbed0 5 bytes JMP 0000000077d603a0 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077bfbef0 1 byte JMP 0000000077d60380 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 0000000077bfbef2 3 bytes {JMP 0x164490} .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077bfbf30 5 bytes JMP 0000000077d602d0 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077bfbfb0 5 bytes JMP 0000000077d602c0 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077bfbfd0 5 bytes JMP 0000000077d60300 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077bfc010 5 bytes JMP 0000000077d603b0 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000077bfc050 5 bytes JMP 0000000077d60440 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077bfc060 5 bytes JMP 0000000077d603e0 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077bfc1c0 5 bytes JMP 0000000077d60220 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077bfc380 5 bytes JMP 0000000077d604a0 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077bfc3b0 5 bytes JMP 0000000077d60390 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077bfc490 5 bytes JMP 0000000077d602e0 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077bfc4a0 5 bytes JMP 0000000077d60340 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077bfc500 5 bytes JMP 0000000077d60280 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077bfc590 5 bytes JMP 0000000077d602a0 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077bfc5b0 5 bytes JMP 0000000077d603c0 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077bfc5c0 5 bytes JMP 0000000077d60320 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077bfc630 5 bytes JMP 0000000077d60410 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077bfc660 5 bytes JMP 0000000077d60230 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000077bfc800 5 bytes JMP 0000000077d603f0 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077bfc920 5 bytes JMP 0000000077d601d0 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077bfc9e0 5 bytes JMP 0000000077d60240 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077bfca10 5 bytes JMP 0000000077d604b0 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077bfca20 5 bytes JMP 0000000077d604c0 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077bfca50 5 bytes JMP 0000000077d602f0 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077bfca60 5 bytes JMP 0000000077d60350 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077bfcac0 5 bytes JMP 0000000077d60290 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077bfcb10 5 bytes JMP 0000000077d602b0 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077bfcb40 5 bytes JMP 0000000077d60370 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077bfcb50 5 bytes JMP 0000000077d60330 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077bfce40 5 bytes JMP 0000000077d60460 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000077bfcfa0 5 bytes JMP 0000000077d60420 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077bfd040 5 bytes JMP 0000000077d60250 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077bfd050 5 bytes JMP 0000000077d60260 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077bfd060 5 bytes JMP 0000000077d60400 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077bfd220 5 bytes JMP 0000000077d601e0 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077bfd230 5 bytes JMP 0000000077d60200 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077bfd2a0 5 bytes JMP 0000000077d601f0 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077bfd300 5 bytes JMP 0000000077d60430 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077bfd310 5 bytes JMP 0000000077d60450 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077bfd320 5 bytes JMP 0000000077d60210 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077bfd400 5 bytes JMP 0000000077d60270 .text C:\Windows\System32\svchost.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077bfbbe0 5 bytes JMP 0000000077d60480 .text C:\Windows\System32\svchost.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077bfbc30 5 bytes JMP 0000000077d60470 .text C:\Windows\System32\svchost.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077bfbd90 5 bytes JMP 0000000077d60360 .text C:\Windows\System32\svchost.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077bfbde0 5 bytes JMP 0000000077d60490 .text C:\Windows\System32\svchost.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077bfbdf0 5 bytes JMP 0000000077d603d0 .text C:\Windows\System32\svchost.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077bfbea0 5 bytes JMP 0000000077d60310 .text C:\Windows\System32\svchost.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077bfbed0 5 bytes JMP 0000000077d603a0 .text C:\Windows\System32\svchost.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077bfbef0 1 byte JMP 0000000077d60380 .text C:\Windows\System32\svchost.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 0000000077bfbef2 3 bytes {JMP 0x164490} .text C:\Windows\System32\svchost.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077bfbf30 5 bytes JMP 0000000077d602d0 .text C:\Windows\System32\svchost.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077bfbfb0 5 bytes JMP 0000000077d602c0 .text C:\Windows\System32\svchost.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077bfbfd0 5 bytes JMP 0000000077d60300 .text C:\Windows\System32\svchost.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077bfc010 5 bytes JMP 0000000077d603b0 .text C:\Windows\System32\svchost.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000077bfc050 5 bytes JMP 0000000077d60440 .text C:\Windows\System32\svchost.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077bfc060 5 bytes JMP 0000000077d603e0 .text C:\Windows\System32\svchost.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077bfc1c0 5 bytes JMP 0000000077d60220 .text C:\Windows\System32\svchost.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077bfc380 5 bytes JMP 0000000077d604a0 .text C:\Windows\System32\svchost.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077bfc3b0 5 bytes JMP 0000000077d60390 .text C:\Windows\System32\svchost.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077bfc490 5 bytes JMP 0000000077d602e0 .text C:\Windows\System32\svchost.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077bfc4a0 5 bytes JMP 0000000077d60340 .text C:\Windows\System32\svchost.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077bfc500 5 bytes JMP 0000000077d60280 .text C:\Windows\System32\svchost.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077bfc590 5 bytes JMP 0000000077d602a0 .text C:\Windows\System32\svchost.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077bfc5b0 5 bytes JMP 0000000077d603c0 .text C:\Windows\System32\svchost.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077bfc5c0 5 bytes JMP 0000000077d60320 .text C:\Windows\System32\svchost.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077bfc630 5 bytes JMP 0000000077d60410 .text C:\Windows\System32\svchost.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077bfc660 5 bytes JMP 0000000077d60230 .text C:\Windows\System32\svchost.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000077bfc800 5 bytes JMP 0000000077d603f0 .text C:\Windows\System32\svchost.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077bfc920 5 bytes JMP 0000000077d601d0 .text C:\Windows\System32\svchost.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077bfc9e0 5 bytes JMP 0000000077d60240 .text C:\Windows\System32\svchost.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077bfca10 5 bytes JMP 0000000077d604b0 .text C:\Windows\System32\svchost.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077bfca20 5 bytes JMP 0000000077d604c0 .text C:\Windows\System32\svchost.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077bfca50 5 bytes JMP 0000000077d602f0 .text C:\Windows\System32\svchost.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077bfca60 5 bytes JMP 0000000077d60350 .text C:\Windows\System32\svchost.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077bfcac0 5 bytes JMP 0000000077d60290 .text C:\Windows\System32\svchost.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077bfcb10 5 bytes JMP 0000000077d602b0 .text C:\Windows\System32\svchost.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077bfcb40 5 bytes JMP 0000000077d60370 .text C:\Windows\System32\svchost.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077bfcb50 5 bytes JMP 0000000077d60330 .text C:\Windows\System32\svchost.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077bfce40 5 bytes JMP 0000000077d60460 .text C:\Windows\System32\svchost.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000077bfcfa0 5 bytes JMP 0000000077d60420 .text C:\Windows\System32\svchost.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077bfd040 5 bytes JMP 0000000077d60250 .text C:\Windows\System32\svchost.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077bfd050 5 bytes JMP 0000000077d60260 .text C:\Windows\System32\svchost.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077bfd060 5 bytes JMP 0000000077d60400 .text C:\Windows\System32\svchost.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077bfd220 5 bytes JMP 0000000077d601e0 .text C:\Windows\System32\svchost.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077bfd230 5 bytes JMP 0000000077d60200 .text C:\Windows\System32\svchost.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077bfd2a0 5 bytes JMP 0000000077d601f0 .text C:\Windows\System32\svchost.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077bfd300 5 bytes JMP 0000000077d60430 .text C:\Windows\System32\svchost.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077bfd310 5 bytes JMP 0000000077d60450 .text C:\Windows\System32\svchost.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077bfd320 5 bytes JMP 0000000077d60210 .text C:\Windows\System32\svchost.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077bfd400 5 bytes JMP 0000000077d60270 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077bfbbe0 5 bytes JMP 0000000077d60480 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077bfbc30 5 bytes JMP 0000000077d60470 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077bfbd90 5 bytes JMP 0000000077d60360 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077bfbde0 5 bytes JMP 0000000077d60490 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077bfbdf0 5 bytes JMP 0000000077d603d0 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077bfbea0 5 bytes JMP 0000000077d60310 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077bfbed0 5 bytes JMP 0000000077d603a0 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077bfbef0 1 byte JMP 0000000077d60380 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 0000000077bfbef2 3 bytes {JMP 0x164490} .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077bfbf30 5 bytes JMP 0000000077d602d0 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077bfbfb0 5 bytes JMP 0000000077d602c0 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077bfbfd0 5 bytes JMP 0000000077d60300 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077bfc010 5 bytes JMP 0000000077d603b0 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000077bfc050 5 bytes JMP 0000000077d60440 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077bfc060 5 bytes JMP 0000000077d603e0 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077bfc1c0 5 bytes JMP 0000000077d60220 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077bfc380 5 bytes JMP 0000000077d604a0 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077bfc3b0 5 bytes JMP 0000000077d60390 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077bfc490 5 bytes JMP 0000000077d602e0 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077bfc4a0 5 bytes JMP 0000000077d60340 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077bfc500 5 bytes JMP 0000000077d60280 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077bfc590 5 bytes JMP 0000000077d602a0 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077bfc5b0 5 bytes JMP 0000000077d603c0 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077bfc5c0 5 bytes JMP 0000000077d60320 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077bfc630 5 bytes JMP 0000000077d60410 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077bfc660 5 bytes JMP 0000000077d60230 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000077bfc800 5 bytes JMP 0000000077d603f0 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077bfc920 5 bytes JMP 0000000077d601d0 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077bfc9e0 5 bytes JMP 0000000077d60240 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077bfca10 5 bytes JMP 0000000077d604b0 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077bfca20 5 bytes JMP 0000000077d604c0 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077bfca50 5 bytes JMP 0000000077d602f0 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077bfca60 5 bytes JMP 0000000077d60350 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077bfcac0 5 bytes JMP 0000000077d60290 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077bfcb10 5 bytes JMP 0000000077d602b0 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077bfcb40 5 bytes JMP 0000000077d60370 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077bfcb50 5 bytes JMP 0000000077d60330 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077bfce40 5 bytes JMP 0000000077d60460 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000077bfcfa0 5 bytes JMP 0000000077d60420 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077bfd040 5 bytes JMP 0000000077d60250 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077bfd050 5 bytes JMP 0000000077d60260 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077bfd060 5 bytes JMP 0000000077d60400 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077bfd220 5 bytes JMP 0000000077d601e0 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077bfd230 5 bytes JMP 0000000077d60200 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077bfd2a0 5 bytes JMP 0000000077d601f0 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077bfd300 5 bytes JMP 0000000077d60430 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077bfd310 5 bytes JMP 0000000077d60450 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077bfd320 5 bytes JMP 0000000077d60210 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077bfd400 5 bytes JMP 0000000077d60270 .text C:\Windows\system32\svchost.exe[336] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077bfbbe0 5 bytes JMP 0000000077d60480 .text C:\Windows\system32\svchost.exe[336] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077bfbc30 5 bytes JMP 0000000077d60470 .text C:\Windows\system32\svchost.exe[336] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077bfbd90 5 bytes JMP 0000000077d60360 .text C:\Windows\system32\svchost.exe[336] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077bfbde0 5 bytes JMP 0000000077d60490 .text C:\Windows\system32\svchost.exe[336] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077bfbdf0 5 bytes JMP 0000000077d603d0 .text C:\Windows\system32\svchost.exe[336] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077bfbea0 5 bytes JMP 0000000077d60310 .text C:\Windows\system32\svchost.exe[336] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077bfbed0 5 bytes JMP 0000000077d603a0 .text C:\Windows\system32\svchost.exe[336] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077bfbef0 1 byte JMP 0000000077d60380 .text C:\Windows\system32\svchost.exe[336] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 0000000077bfbef2 3 bytes {JMP 0x164490} .text C:\Windows\system32\svchost.exe[336] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077bfbf30 5 bytes JMP 0000000077d602d0 .text C:\Windows\system32\svchost.exe[336] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077bfbfb0 5 bytes JMP 0000000077d602c0 .text C:\Windows\system32\svchost.exe[336] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077bfbfd0 5 bytes JMP 0000000077d60300 .text C:\Windows\system32\svchost.exe[336] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077bfc010 5 bytes JMP 0000000077d603b0 .text C:\Windows\system32\svchost.exe[336] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000077bfc050 5 bytes JMP 0000000077d60440 .text C:\Windows\system32\svchost.exe[336] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077bfc060 5 bytes JMP 0000000077d603e0 .text C:\Windows\system32\svchost.exe[336] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077bfc1c0 5 bytes JMP 0000000077d60220 .text C:\Windows\system32\svchost.exe[336] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077bfc380 5 bytes JMP 0000000077d604a0 .text C:\Windows\system32\svchost.exe[336] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077bfc3b0 5 bytes JMP 0000000077d60390 .text C:\Windows\system32\svchost.exe[336] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077bfc490 5 bytes JMP 0000000077d602e0 .text C:\Windows\system32\svchost.exe[336] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077bfc4a0 5 bytes JMP 0000000077d60340 .text C:\Windows\system32\svchost.exe[336] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077bfc500 5 bytes JMP 0000000077d60280 .text C:\Windows\system32\svchost.exe[336] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077bfc590 5 bytes JMP 0000000077d602a0 .text C:\Windows\system32\svchost.exe[336] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077bfc5b0 5 bytes JMP 0000000077d603c0 .text C:\Windows\system32\svchost.exe[336] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077bfc5c0 5 bytes JMP 0000000077d60320 .text C:\Windows\system32\svchost.exe[336] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077bfc630 5 bytes JMP 0000000077d60410 .text C:\Windows\system32\svchost.exe[336] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077bfc660 5 bytes JMP 0000000077d60230 .text C:\Windows\system32\svchost.exe[336] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000077bfc800 5 bytes JMP 0000000077d603f0 .text C:\Windows\system32\svchost.exe[336] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077bfc920 5 bytes JMP 0000000077d601d0 .text C:\Windows\system32\svchost.exe[336] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077bfc9e0 5 bytes JMP 0000000077d60240 .text C:\Windows\system32\svchost.exe[336] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077bfca10 5 bytes JMP 0000000077d604b0 .text C:\Windows\system32\svchost.exe[336] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077bfca20 5 bytes JMP 0000000077d604c0 .text C:\Windows\system32\svchost.exe[336] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077bfca50 5 bytes JMP 0000000077d602f0 .text C:\Windows\system32\svchost.exe[336] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077bfca60 5 bytes JMP 0000000077d60350 .text C:\Windows\system32\svchost.exe[336] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077bfcac0 5 bytes JMP 0000000077d60290 .text C:\Windows\system32\svchost.exe[336] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077bfcb10 5 bytes JMP 0000000077d602b0 .text C:\Windows\system32\svchost.exe[336] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077bfcb40 5 bytes JMP 0000000077d60370 .text C:\Windows\system32\svchost.exe[336] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077bfcb50 5 bytes JMP 0000000077d60330 .text C:\Windows\system32\svchost.exe[336] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077bfce40 5 bytes JMP 0000000077d60460 .text C:\Windows\system32\svchost.exe[336] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000077bfcfa0 5 bytes JMP 0000000077d60420 .text C:\Windows\system32\svchost.exe[336] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077bfd040 5 bytes JMP 0000000077d60250 .text C:\Windows\system32\svchost.exe[336] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077bfd050 5 bytes JMP 0000000077d60260 .text C:\Windows\system32\svchost.exe[336] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077bfd060 5 bytes JMP 0000000077d60400 .text C:\Windows\system32\svchost.exe[336] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077bfd220 5 bytes JMP 0000000077d601e0 .text C:\Windows\system32\svchost.exe[336] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077bfd230 5 bytes JMP 0000000077d60200 .text C:\Windows\system32\svchost.exe[336] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077bfd2a0 5 bytes JMP 0000000077d601f0 .text C:\Windows\system32\svchost.exe[336] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077bfd300 5 bytes JMP 0000000077d60430 .text C:\Windows\system32\svchost.exe[336] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077bfd310 5 bytes JMP 0000000077d60450 .text C:\Windows\system32\svchost.exe[336] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077bfd320 5 bytes JMP 0000000077d60210 .text C:\Windows\system32\svchost.exe[336] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077bfd400 5 bytes JMP 0000000077d60270 .text C:\Windows\system32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077bfbbe0 5 bytes JMP 0000000077d60480 .text C:\Windows\system32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077bfbc30 5 bytes JMP 0000000077d60470 .text C:\Windows\system32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077bfbd90 5 bytes JMP 0000000077d60360 .text C:\Windows\system32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077bfbde0 5 bytes JMP 0000000077d60490 .text C:\Windows\system32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077bfbdf0 5 bytes JMP 0000000077d603d0 .text C:\Windows\system32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077bfbea0 5 bytes JMP 0000000077d60310 .text C:\Windows\system32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077bfbed0 5 bytes JMP 0000000077d603a0 .text C:\Windows\system32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077bfbef0 1 byte JMP 0000000077d60380 .text C:\Windows\system32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 0000000077bfbef2 3 bytes {JMP 0x164490} .text C:\Windows\system32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077bfbf30 5 bytes JMP 0000000077d602d0 .text C:\Windows\system32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077bfbfb0 5 bytes JMP 0000000077d602c0 .text C:\Windows\system32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077bfbfd0 5 bytes JMP 0000000077d60300 .text C:\Windows\system32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077bfc010 5 bytes JMP 0000000077d603b0 .text C:\Windows\system32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000077bfc050 5 bytes JMP 0000000077d60440 .text C:\Windows\system32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077bfc060 5 bytes JMP 0000000077d603e0 .text C:\Windows\system32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077bfc1c0 5 bytes JMP 0000000077d60220 .text C:\Windows\system32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077bfc380 5 bytes JMP 0000000077d604a0 .text C:\Windows\system32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077bfc3b0 5 bytes JMP 0000000077d60390 .text C:\Windows\system32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077bfc490 5 bytes JMP 0000000077d602e0 .text C:\Windows\system32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077bfc4a0 5 bytes JMP 0000000077d60340 .text C:\Windows\system32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077bfc500 5 bytes JMP 0000000077d60280 .text C:\Windows\system32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077bfc590 5 bytes JMP 0000000077d602a0 .text C:\Windows\system32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077bfc5b0 5 bytes JMP 0000000077d603c0 .text C:\Windows\system32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077bfc5c0 5 bytes JMP 0000000077d60320 .text C:\Windows\system32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077bfc630 5 bytes JMP 0000000077d60410 .text C:\Windows\system32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077bfc660 5 bytes JMP 0000000077d60230 .text C:\Windows\system32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000077bfc800 5 bytes JMP 0000000077d603f0 .text C:\Windows\system32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077bfc920 5 bytes JMP 0000000077d601d0 .text C:\Windows\system32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077bfc9e0 5 bytes JMP 0000000077d60240 .text C:\Windows\system32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077bfca10 5 bytes JMP 0000000077d604b0 .text C:\Windows\system32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077bfca20 5 bytes JMP 0000000077d604c0 .text C:\Windows\system32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077bfca50 5 bytes JMP 0000000077d602f0 .text C:\Windows\system32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077bfca60 5 bytes JMP 0000000077d60350 .text C:\Windows\system32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077bfcac0 5 bytes JMP 0000000077d60290 .text C:\Windows\system32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077bfcb10 5 bytes JMP 0000000077d602b0 .text C:\Windows\system32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077bfcb40 5 bytes JMP 0000000077d60370 .text C:\Windows\system32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077bfcb50 5 bytes JMP 0000000077d60330 .text C:\Windows\system32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077bfce40 5 bytes JMP 0000000077d60460 .text C:\Windows\system32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000077bfcfa0 5 bytes JMP 0000000077d60420 .text C:\Windows\system32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077bfd040 5 bytes JMP 0000000077d60250 .text C:\Windows\system32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077bfd050 5 bytes JMP 0000000077d60260 .text C:\Windows\system32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077bfd060 5 bytes JMP 0000000077d60400 .text C:\Windows\system32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077bfd220 5 bytes JMP 0000000077d601e0 .text C:\Windows\system32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077bfd230 5 bytes JMP 0000000077d60200 .text C:\Windows\system32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077bfd2a0 5 bytes JMP 0000000077d601f0 .text C:\Windows\system32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077bfd300 5 bytes JMP 0000000077d60430 .text C:\Windows\system32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077bfd310 5 bytes JMP 0000000077d60450 .text C:\Windows\system32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077bfd320 5 bytes JMP 0000000077d60210 .text C:\Windows\system32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077bfd400 5 bytes JMP 0000000077d60270 .text C:\Windows\system32\svchost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077bfbbe0 5 bytes JMP 0000000077d60480 .text C:\Windows\system32\svchost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077bfbc30 5 bytes JMP 0000000077d60470 .text C:\Windows\system32\svchost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077bfbd90 5 bytes JMP 0000000077d60360 .text C:\Windows\system32\svchost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077bfbde0 5 bytes JMP 0000000077d60490 .text C:\Windows\system32\svchost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077bfbdf0 5 bytes JMP 0000000077d603d0 .text C:\Windows\system32\svchost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077bfbea0 5 bytes JMP 0000000077d60310 .text C:\Windows\system32\svchost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077bfbed0 5 bytes JMP 0000000077d603a0 .text C:\Windows\system32\svchost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077bfbef0 1 byte JMP 0000000077d60380 .text C:\Windows\system32\svchost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 0000000077bfbef2 3 bytes {JMP 0x164490} .text C:\Windows\system32\svchost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077bfbf30 5 bytes JMP 0000000077d602d0 .text C:\Windows\system32\svchost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077bfbfb0 5 bytes JMP 0000000077d602c0 .text C:\Windows\system32\svchost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077bfbfd0 5 bytes JMP 0000000077d60300 .text C:\Windows\system32\svchost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077bfc010 5 bytes JMP 0000000077d603b0 .text C:\Windows\system32\svchost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000077bfc050 5 bytes JMP 0000000077d60440 .text C:\Windows\system32\svchost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077bfc060 5 bytes JMP 0000000077d603e0 .text C:\Windows\system32\svchost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077bfc1c0 5 bytes JMP 0000000077d60220 .text C:\Windows\system32\svchost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077bfc380 5 bytes JMP 0000000077d604a0 .text C:\Windows\system32\svchost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077bfc3b0 5 bytes JMP 0000000077d60390 .text C:\Windows\system32\svchost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077bfc490 5 bytes JMP 0000000077d602e0 .text C:\Windows\system32\svchost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077bfc4a0 5 bytes JMP 0000000077d60340 .text C:\Windows\system32\svchost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077bfc500 5 bytes JMP 0000000077d60280 .text C:\Windows\system32\svchost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077bfc590 5 bytes JMP 0000000077d602a0 .text C:\Windows\system32\svchost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077bfc5b0 5 bytes JMP 0000000077d603c0 .text C:\Windows\system32\svchost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077bfc5c0 5 bytes JMP 0000000077d60320 .text C:\Windows\system32\svchost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077bfc630 5 bytes JMP 0000000077d60410 .text C:\Windows\system32\svchost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077bfc660 5 bytes JMP 0000000077d60230 .text C:\Windows\system32\svchost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000077bfc800 5 bytes JMP 0000000077d603f0 .text C:\Windows\system32\svchost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077bfc920 5 bytes JMP 0000000077d601d0 .text C:\Windows\system32\svchost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077bfc9e0 5 bytes JMP 0000000077d60240 .text C:\Windows\system32\svchost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077bfca10 5 bytes JMP 0000000077d604b0 .text C:\Windows\system32\svchost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077bfca20 5 bytes JMP 0000000077d604c0 .text C:\Windows\system32\svchost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077bfca50 5 bytes JMP 0000000077d602f0 .text C:\Windows\system32\svchost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077bfca60 5 bytes JMP 0000000077d60350 .text C:\Windows\system32\svchost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077bfcac0 5 bytes JMP 0000000077d60290 .text C:\Windows\system32\svchost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077bfcb10 5 bytes JMP 0000000077d602b0 .text C:\Windows\system32\svchost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077bfcb40 5 bytes JMP 0000000077d60370 .text C:\Windows\system32\svchost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077bfcb50 5 bytes JMP 0000000077d60330 .text C:\Windows\system32\svchost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077bfce40 5 bytes JMP 0000000077d60460 .text C:\Windows\system32\svchost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000077bfcfa0 5 bytes JMP 0000000077d60420 .text C:\Windows\system32\svchost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077bfd040 5 bytes JMP 0000000077d60250 .text C:\Windows\system32\svchost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077bfd050 5 bytes JMP 0000000077d60260 .text C:\Windows\system32\svchost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077bfd060 5 bytes JMP 0000000077d60400 .text C:\Windows\system32\svchost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077bfd220 5 bytes JMP 0000000077d601e0 .text C:\Windows\system32\svchost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077bfd230 5 bytes JMP 0000000077d60200 .text C:\Windows\system32\svchost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077bfd2a0 5 bytes JMP 0000000077d601f0 .text C:\Windows\system32\svchost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077bfd300 5 bytes JMP 0000000077d60430 .text C:\Windows\system32\svchost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077bfd310 5 bytes JMP 0000000077d60450 .text C:\Windows\system32\svchost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077bfd320 5 bytes JMP 0000000077d60210 .text C:\Windows\system32\svchost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077bfd400 5 bytes JMP 0000000077d60270 .text C:\Windows\system32\svchost.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077bfbbe0 5 bytes JMP 0000000077d60480 .text C:\Windows\system32\svchost.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077bfbc30 5 bytes JMP 0000000077d60470 .text C:\Windows\system32\svchost.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077bfbd90 5 bytes JMP 0000000077d60360 .text C:\Windows\system32\svchost.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077bfbde0 5 bytes JMP 0000000077d60490 .text C:\Windows\system32\svchost.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077bfbdf0 5 bytes JMP 0000000077d603d0 .text C:\Windows\system32\svchost.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077bfbea0 5 bytes JMP 0000000077d60310 .text C:\Windows\system32\svchost.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077bfbed0 5 bytes JMP 0000000077d603a0 .text C:\Windows\system32\svchost.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077bfbef0 1 byte JMP 0000000077d60380 .text C:\Windows\system32\svchost.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 0000000077bfbef2 3 bytes {JMP 0x164490} .text C:\Windows\system32\svchost.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077bfbf30 5 bytes JMP 0000000077d602d0 .text C:\Windows\system32\svchost.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077bfbfb0 5 bytes JMP 0000000077d602c0 .text C:\Windows\system32\svchost.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077bfbfd0 5 bytes JMP 0000000077d60300 .text C:\Windows\system32\svchost.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077bfc010 5 bytes JMP 0000000077d603b0 .text C:\Windows\system32\svchost.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000077bfc050 5 bytes JMP 0000000077d60440 .text C:\Windows\system32\svchost.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077bfc060 5 bytes JMP 0000000077d603e0 .text C:\Windows\system32\svchost.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077bfc1c0 5 bytes JMP 0000000077d60220 .text C:\Windows\system32\svchost.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077bfc380 5 bytes JMP 0000000077d604a0 .text C:\Windows\system32\svchost.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077bfc3b0 5 bytes JMP 0000000077d60390 .text C:\Windows\system32\svchost.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077bfc490 5 bytes JMP 0000000077d602e0 .text C:\Windows\system32\svchost.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077bfc4a0 5 bytes JMP 0000000077d60340 .text C:\Windows\system32\svchost.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077bfc500 5 bytes JMP 0000000077d60280 .text C:\Windows\system32\svchost.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077bfc590 5 bytes JMP 0000000077d602a0 .text C:\Windows\system32\svchost.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077bfc5b0 5 bytes JMP 0000000077d603c0 .text C:\Windows\system32\svchost.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077bfc5c0 5 bytes JMP 0000000077d60320 .text C:\Windows\system32\svchost.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077bfc630 5 bytes JMP 0000000077d60410 .text C:\Windows\system32\svchost.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077bfc660 5 bytes JMP 0000000077d60230 .text C:\Windows\system32\svchost.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000077bfc800 5 bytes JMP 0000000077d603f0 .text C:\Windows\system32\svchost.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077bfc920 5 bytes JMP 0000000077d601d0 .text C:\Windows\system32\svchost.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077bfc9e0 5 bytes JMP 0000000077d60240 .text C:\Windows\system32\svchost.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077bfca10 5 bytes JMP 0000000077d604b0 .text C:\Windows\system32\svchost.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077bfca20 5 bytes JMP 0000000077d604c0 .text C:\Windows\system32\svchost.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077bfca50 5 bytes JMP 0000000077d602f0 .text C:\Windows\system32\svchost.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077bfca60 5 bytes JMP 0000000077d60350 .text C:\Windows\system32\svchost.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077bfcac0 5 bytes JMP 0000000077d60290 .text C:\Windows\system32\svchost.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077bfcb10 5 bytes JMP 0000000077d602b0 .text C:\Windows\system32\svchost.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077bfcb40 5 bytes JMP 0000000077d60370 .text C:\Windows\system32\svchost.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077bfcb50 5 bytes JMP 0000000077d60330 .text C:\Windows\system32\svchost.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077bfce40 5 bytes JMP 0000000077d60460 .text C:\Windows\system32\svchost.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000077bfcfa0 5 bytes JMP 0000000077d60420 .text C:\Windows\system32\svchost.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077bfd040 5 bytes JMP 0000000077d60250 .text C:\Windows\system32\svchost.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077bfd050 5 bytes JMP 0000000077d60260 .text C:\Windows\system32\svchost.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077bfd060 5 bytes JMP 0000000077d60400 .text C:\Windows\system32\svchost.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077bfd220 5 bytes JMP 0000000077d601e0 .text C:\Windows\system32\svchost.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077bfd230 5 bytes JMP 0000000077d60200 .text C:\Windows\system32\svchost.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077bfd2a0 5 bytes JMP 0000000077d601f0 .text C:\Windows\system32\svchost.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077bfd300 5 bytes JMP 0000000077d60430 .text C:\Windows\system32\svchost.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077bfd310 5 bytes JMP 0000000077d60450 .text C:\Windows\system32\svchost.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077bfd320 5 bytes JMP 0000000077d60210 .text C:\Windows\system32\svchost.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077bfd400 5 bytes JMP 0000000077d60270 .text C:\Windows\System32\svchost.exe[1680] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077bfbbe0 5 bytes JMP 0000000077d60480 .text C:\Windows\System32\svchost.exe[1680] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077bfbc30 5 bytes JMP 0000000077d60470 .text C:\Windows\System32\svchost.exe[1680] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077bfbd90 5 bytes JMP 0000000077d60360 .text C:\Windows\System32\svchost.exe[1680] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077bfbde0 5 bytes JMP 0000000077d60490 .text C:\Windows\System32\svchost.exe[1680] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077bfbdf0 5 bytes JMP 0000000077d603d0 .text C:\Windows\System32\svchost.exe[1680] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077bfbea0 5 bytes JMP 0000000077d60310 .text C:\Windows\System32\svchost.exe[1680] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077bfbed0 5 bytes JMP 0000000077d603a0 .text C:\Windows\System32\svchost.exe[1680] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077bfbef0 1 byte JMP 0000000077d60380 .text C:\Windows\System32\svchost.exe[1680] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 0000000077bfbef2 3 bytes {JMP 0x164490} .text C:\Windows\System32\svchost.exe[1680] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077bfbf30 5 bytes JMP 0000000077d602d0 .text C:\Windows\System32\svchost.exe[1680] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077bfbfb0 5 bytes JMP 0000000077d602c0 .text C:\Windows\System32\svchost.exe[1680] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077bfbfd0 5 bytes JMP 0000000077d60300 .text C:\Windows\System32\svchost.exe[1680] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077bfc010 5 bytes JMP 0000000077d603b0 .text C:\Windows\System32\svchost.exe[1680] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000077bfc050 5 bytes JMP 0000000077d60440 .text C:\Windows\System32\svchost.exe[1680] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077bfc060 5 bytes JMP 0000000077d603e0 .text C:\Windows\System32\svchost.exe[1680] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077bfc1c0 5 bytes JMP 0000000077d60220 .text C:\Windows\System32\svchost.exe[1680] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077bfc380 5 bytes JMP 0000000077d604a0 .text C:\Windows\System32\svchost.exe[1680] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077bfc3b0 5 bytes JMP 0000000077d60390 .text C:\Windows\System32\svchost.exe[1680] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077bfc490 5 bytes JMP 0000000077d602e0 .text C:\Windows\System32\svchost.exe[1680] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077bfc4a0 5 bytes JMP 0000000077d60340 .text C:\Windows\System32\svchost.exe[1680] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077bfc500 5 bytes JMP 0000000077d60280 .text C:\Windows\System32\svchost.exe[1680] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077bfc590 5 bytes JMP 0000000077d602a0 .text C:\Windows\System32\svchost.exe[1680] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077bfc5b0 5 bytes JMP 0000000077d603c0 .text C:\Windows\System32\svchost.exe[1680] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077bfc5c0 5 bytes JMP 0000000077d60320 .text C:\Windows\System32\svchost.exe[1680] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077bfc630 5 bytes JMP 0000000077d60410 .text C:\Windows\System32\svchost.exe[1680] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077bfc660 5 bytes JMP 0000000077d60230 .text C:\Windows\System32\svchost.exe[1680] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000077bfc800 5 bytes JMP 0000000077d603f0 .text C:\Windows\System32\svchost.exe[1680] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077bfc920 5 bytes JMP 0000000077d601d0 .text C:\Windows\System32\svchost.exe[1680] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077bfc9e0 5 bytes JMP 0000000077d60240 .text C:\Windows\System32\svchost.exe[1680] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077bfca10 5 bytes JMP 0000000077d604b0 .text C:\Windows\System32\svchost.exe[1680] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077bfca20 5 bytes JMP 0000000077d604c0 .text C:\Windows\System32\svchost.exe[1680] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077bfca50 5 bytes JMP 0000000077d602f0 .text C:\Windows\System32\svchost.exe[1680] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077bfca60 5 bytes JMP 0000000077d60350 .text C:\Windows\System32\svchost.exe[1680] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077bfcac0 5 bytes JMP 0000000077d60290 .text C:\Windows\System32\svchost.exe[1680] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077bfcb10 5 bytes JMP 0000000077d602b0 .text C:\Windows\System32\svchost.exe[1680] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077bfcb40 5 bytes JMP 0000000077d60370 .text C:\Windows\System32\svchost.exe[1680] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077bfcb50 5 bytes JMP 0000000077d60330 .text C:\Windows\System32\svchost.exe[1680] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077bfce40 5 bytes JMP 0000000077d60460 .text C:\Windows\System32\svchost.exe[1680] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000077bfcfa0 5 bytes JMP 0000000077d60420 .text C:\Windows\System32\svchost.exe[1680] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077bfd040 5 bytes JMP 0000000077d60250 .text C:\Windows\System32\svchost.exe[1680] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077bfd050 5 bytes JMP 0000000077d60260 .text C:\Windows\System32\svchost.exe[1680] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077bfd060 5 bytes JMP 0000000077d60400 .text C:\Windows\System32\svchost.exe[1680] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077bfd220 5 bytes JMP 0000000077d601e0 .text C:\Windows\System32\svchost.exe[1680] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077bfd230 5 bytes JMP 0000000077d60200 .text C:\Windows\System32\svchost.exe[1680] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077bfd2a0 5 bytes JMP 0000000077d601f0 .text C:\Windows\System32\svchost.exe[1680] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077bfd300 5 bytes JMP 0000000077d60430 .text C:\Windows\System32\svchost.exe[1680] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077bfd310 5 bytes JMP 0000000077d60450 .text C:\Windows\System32\svchost.exe[1680] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077bfd320 5 bytes JMP 0000000077d60210 .text C:\Windows\System32\svchost.exe[1680] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077bfd400 5 bytes JMP 0000000077d60270 .text C:\Windows\system32\taskhost.exe[3232] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077bfbbe0 5 bytes JMP 0000000077d60480 .text C:\Windows\system32\taskhost.exe[3232] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077bfbc30 5 bytes JMP 0000000077d60470 .text C:\Windows\system32\taskhost.exe[3232] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077bfbd90 5 bytes JMP 0000000077d60360 .text C:\Windows\system32\taskhost.exe[3232] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077bfbde0 5 bytes JMP 0000000077d60490 .text C:\Windows\system32\taskhost.exe[3232] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077bfbdf0 5 bytes JMP 0000000077d603d0 .text C:\Windows\system32\taskhost.exe[3232] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077bfbea0 5 bytes JMP 0000000077d60310 .text C:\Windows\system32\taskhost.exe[3232] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077bfbed0 5 bytes JMP 0000000077d603a0 .text C:\Windows\system32\taskhost.exe[3232] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077bfbef0 1 byte JMP 0000000077d60380 .text C:\Windows\system32\taskhost.exe[3232] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 0000000077bfbef2 3 bytes {JMP 0x164490} .text C:\Windows\system32\taskhost.exe[3232] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077bfbf30 5 bytes JMP 0000000077d602d0 .text C:\Windows\system32\taskhost.exe[3232] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077bfbfb0 5 bytes JMP 0000000077d602c0 .text C:\Windows\system32\taskhost.exe[3232] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077bfbfd0 5 bytes JMP 0000000077d60300 .text C:\Windows\system32\taskhost.exe[3232] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077bfc010 5 bytes JMP 0000000077d603b0 .text C:\Windows\system32\taskhost.exe[3232] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000077bfc050 5 bytes JMP 0000000077d60440 .text C:\Windows\system32\taskhost.exe[3232] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077bfc060 5 bytes JMP 0000000077d603e0 .text C:\Windows\system32\taskhost.exe[3232] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077bfc1c0 5 bytes JMP 0000000077d60220 .text C:\Windows\system32\taskhost.exe[3232] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077bfc380 5 bytes JMP 0000000077d604a0 .text C:\Windows\system32\taskhost.exe[3232] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077bfc3b0 5 bytes JMP 0000000077d60390 .text C:\Windows\system32\taskhost.exe[3232] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077bfc490 5 bytes JMP 0000000077d602e0 .text C:\Windows\system32\taskhost.exe[3232] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077bfc4a0 5 bytes JMP 0000000077d60340 .text C:\Windows\system32\taskhost.exe[3232] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077bfc500 5 bytes JMP 0000000077d60280 .text C:\Windows\system32\taskhost.exe[3232] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077bfc590 5 bytes JMP 0000000077d602a0 .text C:\Windows\system32\taskhost.exe[3232] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077bfc5b0 5 bytes JMP 0000000077d603c0 .text C:\Windows\system32\taskhost.exe[3232] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077bfc5c0 5 bytes JMP 0000000077d60320 .text C:\Windows\system32\taskhost.exe[3232] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077bfc630 5 bytes JMP 0000000077d60410 .text C:\Windows\system32\taskhost.exe[3232] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077bfc660 5 bytes JMP 0000000077d60230 .text C:\Windows\system32\taskhost.exe[3232] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000077bfc800 5 bytes JMP 0000000077d603f0 .text C:\Windows\system32\taskhost.exe[3232] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077bfc920 5 bytes JMP 0000000077d601d0 .text C:\Windows\system32\taskhost.exe[3232] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077bfc9e0 5 bytes JMP 0000000077d60240 .text C:\Windows\system32\taskhost.exe[3232] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077bfca10 5 bytes JMP 0000000077d604b0 .text C:\Windows\system32\taskhost.exe[3232] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077bfca20 5 bytes JMP 0000000077d604c0 .text C:\Windows\system32\taskhost.exe[3232] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077bfca50 5 bytes JMP 0000000077d602f0 .text C:\Windows\system32\taskhost.exe[3232] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077bfca60 5 bytes JMP 0000000077d60350 .text C:\Windows\system32\taskhost.exe[3232] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077bfcac0 5 bytes JMP 0000000077d60290 .text C:\Windows\system32\taskhost.exe[3232] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077bfcb10 5 bytes JMP 0000000077d602b0 .text C:\Windows\system32\taskhost.exe[3232] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077bfcb40 5 bytes JMP 0000000077d60370 .text C:\Windows\system32\taskhost.exe[3232] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077bfcb50 5 bytes JMP 0000000077d60330 .text C:\Windows\system32\taskhost.exe[3232] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077bfce40 5 bytes JMP 0000000077d60460 .text C:\Windows\system32\taskhost.exe[3232] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000077bfcfa0 5 bytes JMP 0000000077d60420 .text C:\Windows\system32\taskhost.exe[3232] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077bfd040 5 bytes JMP 0000000077d60250 .text C:\Windows\system32\taskhost.exe[3232] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077bfd050 5 bytes JMP 0000000077d60260 .text C:\Windows\system32\taskhost.exe[3232] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077bfd060 5 bytes JMP 0000000077d60400 .text C:\Windows\system32\taskhost.exe[3232] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077bfd220 5 bytes JMP 0000000077d601e0 .text C:\Windows\system32\taskhost.exe[3232] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077bfd230 5 bytes JMP 0000000077d60200 .text C:\Windows\system32\taskhost.exe[3232] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077bfd2a0 5 bytes JMP 0000000077d601f0 .text C:\Windows\system32\taskhost.exe[3232] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077bfd300 5 bytes JMP 0000000077d60430 .text C:\Windows\system32\taskhost.exe[3232] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077bfd310 5 bytes JMP 0000000077d60450 .text C:\Windows\system32\taskhost.exe[3232] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077bfd320 5 bytes JMP 0000000077d60210 .text C:\Windows\system32\taskhost.exe[3232] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077bfd400 5 bytes JMP 0000000077d60270 .text C:\Windows\system32\Dwm.exe[3368] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077bfbbe0 5 bytes JMP 0000000000070480 .text C:\Windows\system32\Dwm.exe[3368] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077bfbc30 5 bytes JMP 0000000000070470 .text C:\Windows\system32\Dwm.exe[3368] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077bfbd90 5 bytes JMP 0000000000070360 .text C:\Windows\system32\Dwm.exe[3368] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077bfbde0 5 bytes JMP 0000000000070490 .text C:\Windows\system32\Dwm.exe[3368] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077bfbdf0 5 bytes JMP 00000000000703d0 .text C:\Windows\system32\Dwm.exe[3368] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077bfbea0 5 bytes JMP 0000000000070310 .text C:\Windows\system32\Dwm.exe[3368] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077bfbed0 5 bytes JMP 00000000000703a0 .text C:\Windows\system32\Dwm.exe[3368] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077bfbef0 1 byte JMP 0000000000070380 .text C:\Windows\system32\Dwm.exe[3368] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 0000000077bfbef2 3 bytes {JMP 0xffffffff88474490} .text C:\Windows\system32\Dwm.exe[3368] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077bfbf30 5 bytes JMP 00000000000702d0 .text C:\Windows\system32\Dwm.exe[3368] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077bfbfb0 5 bytes JMP 00000000000702c0 .text C:\Windows\system32\Dwm.exe[3368] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077bfbfd0 5 bytes JMP 0000000000070300 .text C:\Windows\system32\Dwm.exe[3368] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077bfc010 5 bytes JMP 00000000000703b0 .text C:\Windows\system32\Dwm.exe[3368] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000077bfc050 5 bytes JMP 0000000000070440 .text C:\Windows\system32\Dwm.exe[3368] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077bfc060 5 bytes JMP 00000000000703e0 .text C:\Windows\system32\Dwm.exe[3368] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077bfc1c0 5 bytes JMP 0000000000070220 .text C:\Windows\system32\Dwm.exe[3368] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077bfc380 5 bytes JMP 00000000000704a0 .text C:\Windows\system32\Dwm.exe[3368] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077bfc3b0 5 bytes JMP 0000000000070390 .text C:\Windows\system32\Dwm.exe[3368] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077bfc490 5 bytes JMP 00000000000702e0 .text C:\Windows\system32\Dwm.exe[3368] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077bfc4a0 5 bytes JMP 0000000000070340 .text C:\Windows\system32\Dwm.exe[3368] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077bfc500 5 bytes JMP 0000000000070280 .text C:\Windows\system32\Dwm.exe[3368] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077bfc590 5 bytes JMP 00000000000702a0 .text C:\Windows\system32\Dwm.exe[3368] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077bfc5b0 5 bytes JMP 00000000000703c0 .text C:\Windows\system32\Dwm.exe[3368] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077bfc5c0 5 bytes JMP 0000000000070320 .text C:\Windows\system32\Dwm.exe[3368] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077bfc630 5 bytes JMP 0000000000070410 .text C:\Windows\system32\Dwm.exe[3368] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077bfc660 5 bytes JMP 0000000000070230 .text C:\Windows\system32\Dwm.exe[3368] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000077bfc800 5 bytes JMP 00000000000703f0 .text C:\Windows\system32\Dwm.exe[3368] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077bfc920 5 bytes JMP 00000000000701d0 .text C:\Windows\system32\Dwm.exe[3368] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077bfc9e0 5 bytes JMP 0000000000070240 .text C:\Windows\system32\Dwm.exe[3368] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077bfca10 5 bytes JMP 00000000000704b0 .text C:\Windows\system32\Dwm.exe[3368] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077bfca20 5 bytes JMP 00000000000704c0 .text C:\Windows\system32\Dwm.exe[3368] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077bfca50 5 bytes JMP 00000000000702f0 .text C:\Windows\system32\Dwm.exe[3368] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077bfca60 5 bytes JMP 0000000000070350 .text C:\Windows\system32\Dwm.exe[3368] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077bfcac0 5 bytes JMP 0000000000070290 .text C:\Windows\system32\Dwm.exe[3368] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077bfcb10 5 bytes JMP 00000000000702b0 .text C:\Windows\system32\Dwm.exe[3368] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077bfcb40 5 bytes JMP 0000000000070370 .text C:\Windows\system32\Dwm.exe[3368] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077bfcb50 5 bytes JMP 0000000000070330 .text C:\Windows\system32\Dwm.exe[3368] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077bfce40 5 bytes JMP 0000000000070460 .text C:\Windows\system32\Dwm.exe[3368] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000077bfcfa0 5 bytes JMP 0000000000070420 .text C:\Windows\system32\Dwm.exe[3368] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077bfd040 5 bytes JMP 0000000000070250 .text C:\Windows\system32\Dwm.exe[3368] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077bfd050 5 bytes JMP 0000000000070260 .text C:\Windows\system32\Dwm.exe[3368] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077bfd060 5 bytes JMP 0000000000070400 .text C:\Windows\system32\Dwm.exe[3368] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077bfd220 5 bytes JMP 00000000000701e0 .text C:\Windows\system32\Dwm.exe[3368] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077bfd230 5 bytes JMP 0000000000070200 .text C:\Windows\system32\Dwm.exe[3368] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077bfd2a0 5 bytes JMP 00000000000701f0 .text C:\Windows\system32\Dwm.exe[3368] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077bfd300 5 bytes JMP 0000000000070430 .text C:\Windows\system32\Dwm.exe[3368] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077bfd310 5 bytes JMP 0000000000070450 .text C:\Windows\system32\Dwm.exe[3368] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077bfd320 5 bytes JMP 0000000000070210 .text C:\Windows\system32\Dwm.exe[3368] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077bfd400 5 bytes JMP 0000000000070270 .text C:\Windows\Explorer.EXE[3448] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077bfbbe0 5 bytes JMP 0000000077d60480 .text C:\Windows\Explorer.EXE[3448] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077bfbc30 5 bytes JMP 0000000077d60470 .text C:\Windows\Explorer.EXE[3448] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077bfbd90 5 bytes JMP 0000000077d60360 .text C:\Windows\Explorer.EXE[3448] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077bfbde0 5 bytes JMP 0000000077d60490 .text C:\Windows\Explorer.EXE[3448] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077bfbdf0 5 bytes JMP 0000000077d603d0 .text C:\Windows\Explorer.EXE[3448] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077bfbea0 5 bytes JMP 0000000077d60310 .text C:\Windows\Explorer.EXE[3448] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077bfbed0 5 bytes JMP 0000000077d603a0 .text C:\Windows\Explorer.EXE[3448] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077bfbef0 1 byte JMP 0000000077d60380 .text C:\Windows\Explorer.EXE[3448] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 0000000077bfbef2 3 bytes {JMP 0x164490} .text C:\Windows\Explorer.EXE[3448] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077bfbf30 5 bytes JMP 0000000077d602d0 .text C:\Windows\Explorer.EXE[3448] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077bfbfb0 5 bytes JMP 0000000077d602c0 .text C:\Windows\Explorer.EXE[3448] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077bfbfd0 5 bytes JMP 0000000077d60300 .text C:\Windows\Explorer.EXE[3448] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077bfc010 5 bytes JMP 0000000077d603b0 .text C:\Windows\Explorer.EXE[3448] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000077bfc050 5 bytes JMP 0000000077d60440 .text C:\Windows\Explorer.EXE[3448] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077bfc060 5 bytes JMP 0000000077d603e0 .text C:\Windows\Explorer.EXE[3448] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077bfc1c0 5 bytes JMP 0000000077d60220 .text C:\Windows\Explorer.EXE[3448] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077bfc380 5 bytes JMP 0000000077d604a0 .text C:\Windows\Explorer.EXE[3448] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077bfc3b0 5 bytes JMP 0000000077d60390 .text C:\Windows\Explorer.EXE[3448] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077bfc490 5 bytes JMP 0000000077d602e0 .text C:\Windows\Explorer.EXE[3448] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077bfc4a0 5 bytes JMP 0000000077d60340 .text C:\Windows\Explorer.EXE[3448] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077bfc500 5 bytes JMP 0000000077d60280 .text C:\Windows\Explorer.EXE[3448] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077bfc590 5 bytes JMP 0000000077d602a0 .text C:\Windows\Explorer.EXE[3448] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077bfc5b0 5 bytes JMP 0000000077d603c0 .text C:\Windows\Explorer.EXE[3448] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077bfc5c0 5 bytes JMP 0000000077d60320 .text C:\Windows\Explorer.EXE[3448] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077bfc630 5 bytes JMP 0000000077d60410 .text C:\Windows\Explorer.EXE[3448] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077bfc660 5 bytes JMP 0000000077d60230 .text C:\Windows\Explorer.EXE[3448] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000077bfc800 5 bytes JMP 0000000077d603f0 .text C:\Windows\Explorer.EXE[3448] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077bfc920 5 bytes JMP 0000000077d601d0 .text C:\Windows\Explorer.EXE[3448] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077bfc9e0 5 bytes JMP 0000000077d60240 .text C:\Windows\Explorer.EXE[3448] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077bfca10 5 bytes JMP 0000000077d604b0 .text C:\Windows\Explorer.EXE[3448] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077bfca20 5 bytes JMP 0000000077d604c0 .text C:\Windows\Explorer.EXE[3448] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077bfca50 5 bytes JMP 0000000077d602f0 .text C:\Windows\Explorer.EXE[3448] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077bfca60 5 bytes JMP 0000000077d60350 .text C:\Windows\Explorer.EXE[3448] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077bfcac0 5 bytes JMP 0000000077d60290 .text C:\Windows\Explorer.EXE[3448] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077bfcb10 5 bytes JMP 0000000077d602b0 .text C:\Windows\Explorer.EXE[3448] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077bfcb40 5 bytes JMP 0000000077d60370 .text C:\Windows\Explorer.EXE[3448] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077bfcb50 5 bytes JMP 0000000077d60330 .text C:\Windows\Explorer.EXE[3448] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077bfce40 5 bytes JMP 0000000077d60460 .text C:\Windows\Explorer.EXE[3448] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000077bfcfa0 5 bytes JMP 0000000077d60420 .text C:\Windows\Explorer.EXE[3448] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077bfd040 5 bytes JMP 0000000077d60250 .text C:\Windows\Explorer.EXE[3448] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077bfd050 5 bytes JMP 0000000077d60260 .text C:\Windows\Explorer.EXE[3448] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077bfd060 5 bytes JMP 0000000077d60400 .text C:\Windows\Explorer.EXE[3448] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077bfd220 5 bytes JMP 0000000077d601e0 .text C:\Windows\Explorer.EXE[3448] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077bfd230 5 bytes JMP 0000000077d60200 .text C:\Windows\Explorer.EXE[3448] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077bfd2a0 5 bytes JMP 0000000077d601f0 .text C:\Windows\Explorer.EXE[3448] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077bfd300 5 bytes JMP 0000000077d60430 .text C:\Windows\Explorer.EXE[3448] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077bfd310 5 bytes JMP 0000000077d60450 .text C:\Windows\Explorer.EXE[3448] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077bfd320 5 bytes JMP 0000000077d60210 .text C:\Windows\Explorer.EXE[3448] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077bfd400 5 bytes JMP 0000000077d60270 .text C:\Program Files\AVAST Software\Avast\avastui.exe[3648] C:\Windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter 0000000076ee8769 8 bytes [31, C0, C2, 04, 00, 90, 90, ...] .text D:\Steam\Steam.exe[776] C:\Windows\syswow64\kernel32.dll!CreateProcessW 0000000076ee103d 5 bytes JMP 0000000070561eb0 .text D:\Steam\Steam.exe[776] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076ee1072 5 bytes JMP 0000000070561da0 .text D:\Steam\Steam.exe[776] C:\Windows\SysWOW64\detoured.dll!Detoured + 3 0000000070631003 2 bytes [63, 70] .text D:\Steam\Steam.exe[776] C:\Windows\SysWOW64\detoured.dll!Detoured + 22 0000000070631016 2 bytes [63, 70] ---- User IAT/EAT - GMER 2.2 ---- IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1264] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmAddToStreamDWord] [7fef965741c] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1264] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSet] [7fef9655f10] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1264] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmEndSession] [7fef9655674] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1264] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmStartSession] [7fef9655e2c] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1264] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmStartUpload] [7fef9657f48] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1264] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSetAppVersion] [7fef9656a38] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1264] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSetMachineId] [7fef9656ee8] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1264] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmWriteSharedMachineId] [7fef9657b58] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1264] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmCreateNewId] [7fef9657ea0] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1264] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmReadSharedMachineId] [7fef96578b0] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1264] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmGetSession] [7fef9654fb4] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1264] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSetAppId] [7fef9655d38] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1264] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmAddToStreamString] [7fef9657584] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll ---- Threads - GMER 2.2 ---- Thread C:\Windows\System32\svchost.exe [1016:1160] 000007fefaee331c Thread C:\Windows\System32\svchost.exe [1016:1352] 000007fefa7259a0 Thread C:\Windows\System32\svchost.exe [1016:2320] 000007fef86320c0 Thread C:\Windows\System32\svchost.exe [1016:2324] 000007fef86326a8 Thread C:\Windows\System32\svchost.exe [1016:2368] 000007fef86329dc Thread C:\Windows\System32\svchost.exe [1016:2372] 000007fef86329dc Thread C:\Windows\System32\svchost.exe [1016:2376] 000007fef86329dc Thread C:\Windows\System32\svchost.exe [1016:2380] 000007fef86329dc Thread C:\Windows\System32\svchost.exe [1016:4548] 000007fef9a489b8 Thread C:\Windows\system32\svchost.exe [376:4616] 000007fefadf4164 Thread C:\Windows\System32\spoolsv.exe [1484:3456] 000007fef71d10c8 Thread C:\Windows\System32\spoolsv.exe [1484:3480] 000007fef6ff6144 Thread C:\Windows\System32\spoolsv.exe [1484:3484] 000007fef6ce5fd0 Thread C:\Windows\System32\spoolsv.exe [1484:3488] 000007fef6cd3438 Thread C:\Windows\System32\spoolsv.exe [1484:3492] 000007fef6ce63ec Thread C:\Windows\System32\spoolsv.exe [1484:3508] 000007fef7305e5c Thread C:\Windows\System32\spoolsv.exe [1484:3532] 000007fef73b5060 Thread C:\Windows\system32\svchost.exe [1544:1824] 000007fef9d435c0 Thread C:\Windows\system32\svchost.exe [1544:2296] 000007fef9d45600 Thread C:\Windows\system32\svchost.exe [1544:2404] 000007fef8102940 Thread C:\Windows\system32\svchost.exe [1544:3348] 000007fef74d2888 Thread C:\Windows\Explorer.EXE [3448:3916] 000007fef6652154 Thread C:\Windows\Explorer.EXE [3448:3964] 000007fefbce6204 Thread C:\Windows\Explorer.EXE [3448:3212] 000007fefb712f9c Thread C:\Windows\Explorer.EXE [3448:1320] 000007fef1312118 Thread C:\Windows\Explorer.EXE [3448:1564] 000007fefb3c1010 Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [3440:3408] 000007fefc0e2b1c ---- Registry - GMER 2.2 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters\Instup_14735095745932280@SetupOperations ?????????????????????????????????&??????????????????????????????????????\??\C:\Program Files\AVAST Software\Avast???\??\C:\ProgramData\AVAST Software\Avast???????*?????????????????????\??\C:\Program Files?????????????|??????????Microsoft?????? ??6??????/?/?d?d?d???d??????V2.0|Action=Block|Dir=Out|App=C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe|Svc=clr_optimization_v4.0.30319_32|Name=Block traffic for clr_optimization_v4.0.30319_32|??????????????????????????????????? ???????n?????e????????????????????#??????????????????0\s????6?????????????????????do??????????????? ?????????????????????6???????? ?????????s???????????????????????N??????T??????????machine.inf_amd64_neutral_9e6bb86c3b39a3e9????????h????????????e??????V???????????????????R????????????n?????????.???z???????d??? f?????????????????NetCfgx.dll,NetPropPageProvider?????AMD Radeon HD 7800 Series???5eb00254-8c42-465d-b14f-d45cf84?????LegacyDriver?g??192.168.8.1 192.168.8.1????????????????????????? P???????.???????????????/?U?`?d?f?j?/????? Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters\Instup_14735095905462280@SetupOperations ?????k??28470 28476 28486 28496 28516 28560 28570 28608 28614 28630?}/???????????2??????????????Urz?dzenie zgodne ze standardem High Definition Audio???????????????????????? ?????????????????????0????????????????????? ???????????????????i?0????????????????????@usb.inf,%generic.mfg%;(Standardowy kontroler hosta USB)?8???????????s???????????7???????????1??as??? ?????????????????????0????????????????????? ?????????????????????0????????????????????Urz?dzenie wej?ciowe USB????????? ?????????????????????0?????????????????????????????????????u??? ???????????????????k?0????????????????????Urz?dzenie wej?ciowe USB????????????????? ?????????????????????0????????????&??????????????????????????????????????????????cpi(?????? ?????????????????????0????????????????????? ???????????????????l?0????????????????????HP Premium Digital Headset??????? ?????????????????????0????????????????????? ???????????????????l?0??????????????????????6?????????????????????????1???????????? ?????????????????????,????????????????????????????d?? Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters\Instup_14735095745932280@SetupOperations ?????????????l???????????????&???????????????????????????????&???????????????????????????????&???????????????????????????????&??????????????????????????????m|?