GMER 2.2.19882 - http://www.gmer.net Rootkit scan 2016-10-16 20:40:12 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\0000006e ST950032 rev.0002 465,76GB Running: gmer.exe; Driver: C:\Users\NIIESM~1\AppData\Local\Temp\kxddqaow.sys ---- Kernel code sections - GMER 2.2 ---- .text C:\Windows\System32\win32k.sys!EngSetLastError + 608 fffff96000165d40 8 bytes [44, CF, CF, 03, 80, F8, FF, ...] .text C:\Windows\System32\win32k.sys!W32pServiceTable fffff96000195b00 7 bytes [40, 48, F3, FF, 01, 56, F0] .text C:\Windows\System32\win32k.sys!W32pServiceTable + 8 fffff96000195b08 3 bytes [C0, 06, 02] ---- User code sections - GMER 2.2 ---- .text C:\Windows\system32\csrss.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000775abbe0 5 bytes JMP 000000004a3a0480 .text C:\Windows\system32\csrss.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000775abc30 5 bytes JMP 000000004a3a0470 .text C:\Windows\system32\csrss.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000775abd90 5 bytes JMP 000000004a3a0360 .text C:\Windows\system32\csrss.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000775abde0 5 bytes JMP 000000004a3a0490 .text C:\Windows\system32\csrss.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000775abdf0 5 bytes JMP 000000004a3a03d0 .text C:\Windows\system32\csrss.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000775abea0 5 bytes JMP 000000004a3a0310 .text C:\Windows\system32\csrss.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000775abed0 5 bytes JMP 000000004a3a03a0 .text C:\Windows\system32\csrss.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000775abef0 1 byte JMP 000000004a3a0380 .text C:\Windows\system32\csrss.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 00000000775abef2 3 bytes {JMP 0xffffffffd2df4490} .text C:\Windows\system32\csrss.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000775abf30 5 bytes JMP 000000004a3a02d0 .text C:\Windows\system32\csrss.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000775abfb0 5 bytes JMP 000000004a3a02c0 .text C:\Windows\system32\csrss.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000775abfd0 5 bytes JMP 000000004a3a0300 .text C:\Windows\system32\csrss.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000775ac010 5 bytes JMP 000000004a3a03b0 .text C:\Windows\system32\csrss.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000775ac050 5 bytes JMP 000000004a3a0440 .text C:\Windows\system32\csrss.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000775ac060 5 bytes JMP 000000004a3a03e0 .text C:\Windows\system32\csrss.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000775ac1c0 5 bytes JMP 000000004a3a0220 .text C:\Windows\system32\csrss.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000775ac380 5 bytes JMP 000000004a3a04a0 .text C:\Windows\system32\csrss.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000775ac3b0 5 bytes JMP 000000004a3a0390 .text C:\Windows\system32\csrss.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000775ac490 5 bytes JMP 000000004a3a02e0 .text C:\Windows\system32\csrss.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000775ac4a0 5 bytes JMP 000000004a3a0340 .text C:\Windows\system32\csrss.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000775ac500 5 bytes JMP 000000004a3a0280 .text C:\Windows\system32\csrss.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000775ac590 5 bytes JMP 000000004a3a02a0 .text C:\Windows\system32\csrss.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000775ac5b0 5 bytes JMP 000000004a3a03c0 .text C:\Windows\system32\csrss.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000775ac5c0 5 bytes JMP 000000004a3a0320 .text C:\Windows\system32\csrss.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000775ac630 5 bytes JMP 000000004a3a0410 .text C:\Windows\system32\csrss.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000775ac660 5 bytes JMP 000000004a3a0230 .text C:\Windows\system32\csrss.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 00000000775ac800 5 bytes JMP 000000004a3a03f0 .text C:\Windows\system32\csrss.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000775ac920 5 bytes JMP 000000004a3a01d0 .text C:\Windows\system32\csrss.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000775ac9e0 5 bytes JMP 000000004a3a0240 .text C:\Windows\system32\csrss.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000775aca10 5 bytes JMP 000000004a3a04b0 .text C:\Windows\system32\csrss.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000775aca20 5 bytes JMP 000000004a3a04c0 .text C:\Windows\system32\csrss.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000775aca50 5 bytes JMP 000000004a3a02f0 .text C:\Windows\system32\csrss.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000775aca60 5 bytes JMP 000000004a3a0350 .text C:\Windows\system32\csrss.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000775acac0 5 bytes JMP 000000004a3a0290 .text C:\Windows\system32\csrss.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000775acb10 5 bytes JMP 000000004a3a02b0 .text C:\Windows\system32\csrss.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000775acb40 5 bytes JMP 000000004a3a0370 .text C:\Windows\system32\csrss.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000775acb50 5 bytes JMP 000000004a3a0330 .text C:\Windows\system32\csrss.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000775ace40 5 bytes JMP 000000004a3a0460 .text C:\Windows\system32\csrss.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 00000000775acfa0 5 bytes JMP 000000004a3a0420 .text C:\Windows\system32\csrss.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000775ad040 5 bytes JMP 000000004a3a0250 .text C:\Windows\system32\csrss.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000775ad050 5 bytes JMP 000000004a3a0260 .text C:\Windows\system32\csrss.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000775ad060 5 bytes JMP 000000004a3a0400 .text C:\Windows\system32\csrss.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000775ad220 5 bytes JMP 000000004a3a01e0 .text C:\Windows\system32\csrss.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000775ad230 5 bytes JMP 000000004a3a0200 .text C:\Windows\system32\csrss.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000775ad2a0 5 bytes JMP 000000004a3a01f0 .text C:\Windows\system32\csrss.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000775ad300 5 bytes JMP 000000004a3a0430 .text C:\Windows\system32\csrss.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000775ad310 5 bytes JMP 000000004a3a0450 .text C:\Windows\system32\csrss.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000775ad320 5 bytes JMP 000000004a3a0210 .text C:\Windows\system32\csrss.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000775ad400 5 bytes JMP 000000004a3a0270 .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000775abbe0 5 bytes JMP 000000004a3a0480 .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000775abc30 5 bytes JMP 000000004a3a0470 .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000775abd90 5 bytes JMP 000000004a3a0360 .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000775abde0 5 bytes JMP 000000004a3a0490 .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000775abdf0 5 bytes JMP 000000004a3a03d0 .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000775abea0 5 bytes JMP 000000004a3a0310 .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000775abed0 5 bytes JMP 000000004a3a03a0 .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000775abef0 1 byte JMP 000000004a3a0380 .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 00000000775abef2 3 bytes {JMP 0xffffffffd2df4490} .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000775abf30 5 bytes JMP 000000004a3a02d0 .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000775abfb0 5 bytes JMP 000000004a3a02c0 .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000775abfd0 5 bytes JMP 000000004a3a0300 .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000775ac010 5 bytes JMP 000000004a3a03b0 .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000775ac050 5 bytes JMP 000000004a3a0440 .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000775ac060 5 bytes JMP 000000004a3a03e0 .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000775ac1c0 5 bytes JMP 000000004a3a0220 .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000775ac380 5 bytes JMP 000000004a3a04a0 .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000775ac3b0 5 bytes JMP 000000004a3a0390 .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000775ac490 5 bytes JMP 000000004a3a02e0 .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000775ac4a0 5 bytes JMP 000000004a3a0340 .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000775ac500 5 bytes JMP 000000004a3a0280 .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000775ac590 5 bytes JMP 000000004a3a02a0 .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000775ac5b0 5 bytes JMP 000000004a3a03c0 .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000775ac5c0 5 bytes JMP 000000004a3a0320 .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000775ac630 5 bytes JMP 000000004a3a0410 .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000775ac660 5 bytes JMP 000000004a3a0230 .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 00000000775ac800 5 bytes JMP 000000004a3a03f0 .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000775ac920 5 bytes JMP 000000004a3a01d0 .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000775ac9e0 5 bytes JMP 000000004a3a0240 .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000775aca10 5 bytes JMP 000000004a3a04b0 .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000775aca20 5 bytes JMP 000000004a3a04c0 .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000775aca50 5 bytes JMP 000000004a3a02f0 .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000775aca60 5 bytes JMP 000000004a3a0350 .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000775acac0 5 bytes JMP 000000004a3a0290 .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000775acb10 5 bytes JMP 000000004a3a02b0 .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000775acb40 5 bytes JMP 000000004a3a0370 .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000775acb50 5 bytes JMP 000000004a3a0330 .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000775ace40 5 bytes JMP 000000004a3a0460 .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 00000000775acfa0 5 bytes JMP 000000004a3a0420 .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000775ad040 5 bytes JMP 000000004a3a0250 .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000775ad050 5 bytes JMP 000000004a3a0260 .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000775ad060 5 bytes JMP 000000004a3a0400 .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000775ad220 5 bytes JMP 000000004a3a01e0 .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000775ad230 5 bytes JMP 000000004a3a0200 .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000775ad2a0 5 bytes JMP 000000004a3a01f0 .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000775ad300 5 bytes JMP 000000004a3a0430 .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000775ad310 5 bytes JMP 000000004a3a0450 .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000775ad320 5 bytes JMP 000000004a3a0210 .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000775ad400 5 bytes JMP 000000004a3a0270 .text C:\Windows\system32\lsass.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000775abbe0 5 bytes JMP 0000000077710480 .text C:\Windows\system32\lsass.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000775abc30 5 bytes JMP 0000000077710470 .text C:\Windows\system32\lsass.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000775abd90 5 bytes JMP 0000000077710360 .text C:\Windows\system32\lsass.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000775abde0 5 bytes JMP 0000000077710490 .text C:\Windows\system32\lsass.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000775abdf0 5 bytes JMP 00000000777103d0 .text C:\Windows\system32\lsass.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000775abea0 5 bytes JMP 0000000077710310 .text C:\Windows\system32\lsass.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000775abed0 5 bytes JMP 00000000777103a0 .text C:\Windows\system32\lsass.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000775abef0 1 byte JMP 0000000077710380 .text C:\Windows\system32\lsass.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 00000000775abef2 3 bytes {JMP 0x164490} .text C:\Windows\system32\lsass.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000775abf30 5 bytes JMP 00000000777102d0 .text C:\Windows\system32\lsass.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000775abfb0 5 bytes JMP 00000000777102c0 .text C:\Windows\system32\lsass.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000775abfd0 5 bytes JMP 0000000077710300 .text C:\Windows\system32\lsass.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000775ac010 5 bytes JMP 00000000777103b0 .text C:\Windows\system32\lsass.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000775ac050 5 bytes JMP 0000000077710440 .text C:\Windows\system32\lsass.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000775ac060 5 bytes JMP 00000000777103e0 .text C:\Windows\system32\lsass.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000775ac1c0 5 bytes JMP 0000000077710220 .text C:\Windows\system32\lsass.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000775ac380 5 bytes JMP 00000000777104a0 .text C:\Windows\system32\lsass.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000775ac3b0 5 bytes JMP 0000000077710390 .text C:\Windows\system32\lsass.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000775ac490 5 bytes JMP 00000000777102e0 .text C:\Windows\system32\lsass.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000775ac4a0 5 bytes JMP 0000000077710340 .text C:\Windows\system32\lsass.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000775ac500 5 bytes JMP 0000000077710280 .text C:\Windows\system32\lsass.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000775ac590 5 bytes JMP 00000000777102a0 .text C:\Windows\system32\lsass.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000775ac5b0 5 bytes JMP 00000000777103c0 .text C:\Windows\system32\lsass.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000775ac5c0 5 bytes JMP 0000000077710320 .text C:\Windows\system32\lsass.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000775ac630 5 bytes JMP 0000000077710410 .text C:\Windows\system32\lsass.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000775ac660 5 bytes JMP 0000000077710230 .text C:\Windows\system32\lsass.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 00000000775ac800 5 bytes JMP 00000000777103f0 .text C:\Windows\system32\lsass.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000775ac920 5 bytes JMP 00000000777101d0 .text C:\Windows\system32\lsass.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000775ac9e0 5 bytes JMP 0000000077710240 .text C:\Windows\system32\lsass.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000775aca10 5 bytes JMP 00000000777104b0 .text C:\Windows\system32\lsass.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000775aca20 5 bytes JMP 00000000777104c0 .text C:\Windows\system32\lsass.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000775aca50 5 bytes JMP 00000000777102f0 .text C:\Windows\system32\lsass.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000775aca60 5 bytes JMP 0000000077710350 .text C:\Windows\system32\lsass.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000775acac0 5 bytes JMP 0000000077710290 .text C:\Windows\system32\lsass.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000775acb10 5 bytes JMP 00000000777102b0 .text C:\Windows\system32\lsass.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000775acb40 5 bytes JMP 0000000077710370 .text C:\Windows\system32\lsass.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000775acb50 5 bytes JMP 0000000077710330 .text C:\Windows\system32\lsass.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000775ace40 5 bytes JMP 0000000077710460 .text C:\Windows\system32\lsass.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 00000000775acfa0 5 bytes JMP 0000000077710420 .text C:\Windows\system32\lsass.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000775ad040 5 bytes JMP 0000000077710250 .text C:\Windows\system32\lsass.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000775ad050 5 bytes JMP 0000000077710260 .text C:\Windows\system32\lsass.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000775ad060 5 bytes JMP 0000000077710400 .text C:\Windows\system32\lsass.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000775ad220 5 bytes JMP 00000000777101e0 .text C:\Windows\system32\lsass.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000775ad230 5 bytes JMP 0000000077710200 .text C:\Windows\system32\lsass.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000775ad2a0 5 bytes JMP 00000000777101f0 .text C:\Windows\system32\lsass.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000775ad300 5 bytes JMP 0000000077710430 .text C:\Windows\system32\lsass.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000775ad310 5 bytes JMP 0000000077710450 .text C:\Windows\system32\lsass.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000775ad320 5 bytes JMP 0000000077710210 .text C:\Windows\system32\lsass.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000775ad400 5 bytes JMP 0000000077710270 .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000775abbe0 5 bytes JMP 0000000000070480 .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000775abc30 5 bytes JMP 0000000000070470 .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000775abd90 5 bytes JMP 0000000000070360 .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000775abde0 5 bytes JMP 0000000000070490 .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000775abdf0 5 bytes JMP 00000000000703d0 .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000775abea0 5 bytes JMP 0000000000070310 .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000775abed0 5 bytes JMP 00000000000703a0 .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000775abef0 1 byte JMP 0000000000070380 .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 00000000775abef2 3 bytes {JMP 0xffffffff88ac4490} .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000775abf30 5 bytes JMP 00000000000702d0 .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000775abfb0 5 bytes JMP 00000000000702c0 .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000775abfd0 5 bytes JMP 0000000000070300 .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000775ac010 5 bytes JMP 00000000000703b0 .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000775ac050 5 bytes JMP 0000000000070440 .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000775ac060 5 bytes JMP 00000000000703e0 .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000775ac1c0 5 bytes JMP 0000000000070220 .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000775ac380 5 bytes JMP 00000000000704a0 .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000775ac3b0 5 bytes JMP 0000000000070390 .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000775ac490 5 bytes JMP 00000000000702e0 .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000775ac4a0 5 bytes JMP 0000000000070340 .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000775ac500 5 bytes JMP 0000000000070280 .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000775ac590 5 bytes JMP 00000000000702a0 .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000775ac5b0 5 bytes JMP 00000000000703c0 .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000775ac5c0 5 bytes JMP 0000000000070320 .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000775ac630 5 bytes JMP 0000000000070410 .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000775ac660 5 bytes JMP 0000000000070230 .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 00000000775ac800 5 bytes JMP 00000000000703f0 .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000775ac920 5 bytes JMP 00000000000701d0 .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000775ac9e0 5 bytes JMP 0000000000070240 .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000775aca10 5 bytes JMP 00000000000704b0 .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000775aca20 5 bytes JMP 00000000000704c0 .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000775aca50 5 bytes JMP 00000000000702f0 .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000775aca60 5 bytes JMP 0000000000070350 .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000775acac0 5 bytes JMP 0000000000070290 .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000775acb10 5 bytes JMP 00000000000702b0 .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000775acb40 5 bytes JMP 0000000000070370 .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000775acb50 5 bytes JMP 0000000000070330 .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000775ace40 5 bytes JMP 0000000000070460 .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 00000000775acfa0 5 bytes JMP 0000000000070420 .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000775ad040 5 bytes JMP 0000000000070250 .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000775ad050 5 bytes JMP 0000000000070260 .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000775ad060 5 bytes JMP 0000000000070400 .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000775ad220 5 bytes JMP 00000000000701e0 .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000775ad230 5 bytes JMP 0000000000070200 .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000775ad2a0 5 bytes JMP 00000000000701f0 .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000775ad300 5 bytes JMP 0000000000070430 .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000775ad310 5 bytes JMP 0000000000070450 .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000775ad320 5 bytes JMP 0000000000070210 .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000775ad400 5 bytes JMP 0000000000070270 .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000775abbe0 5 bytes JMP 0000000077710480 .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000775abc30 5 bytes JMP 0000000077710470 .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000775abd90 5 bytes JMP 0000000077710360 .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000775abde0 5 bytes JMP 0000000077710490 .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000775abdf0 5 bytes JMP 00000000777103d0 .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000775abea0 5 bytes JMP 0000000077710310 .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000775abed0 5 bytes JMP 00000000777103a0 .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000775abef0 1 byte JMP 0000000077710380 .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 00000000775abef2 3 bytes {JMP 0x164490} .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000775abf30 5 bytes JMP 00000000777102d0 .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000775abfb0 5 bytes JMP 00000000777102c0 .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000775abfd0 5 bytes JMP 0000000077710300 .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000775ac010 5 bytes JMP 00000000777103b0 .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000775ac050 5 bytes JMP 0000000077710440 .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000775ac060 5 bytes JMP 00000000777103e0 .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000775ac1c0 5 bytes JMP 0000000077710220 .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000775ac380 5 bytes JMP 00000000777104a0 .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000775ac3b0 5 bytes JMP 0000000077710390 .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000775ac490 5 bytes JMP 00000000777102e0 .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000775ac4a0 5 bytes JMP 0000000077710340 .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000775ac500 5 bytes JMP 0000000077710280 .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000775ac590 5 bytes JMP 00000000777102a0 .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000775ac5b0 5 bytes JMP 00000000777103c0 .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000775ac5c0 5 bytes JMP 0000000077710320 .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000775ac630 5 bytes JMP 0000000077710410 .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000775ac660 5 bytes JMP 0000000077710230 .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 00000000775ac800 5 bytes JMP 00000000777103f0 .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000775ac920 5 bytes JMP 00000000777101d0 .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000775ac9e0 5 bytes JMP 0000000077710240 .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000775aca10 5 bytes JMP 00000000777104b0 .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000775aca20 5 bytes JMP 00000000777104c0 .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000775aca50 5 bytes JMP 00000000777102f0 .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000775aca60 5 bytes JMP 0000000077710350 .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000775acac0 5 bytes JMP 0000000077710290 .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000775acb10 5 bytes JMP 00000000777102b0 .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000775acb40 5 bytes JMP 0000000077710370 .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000775acb50 5 bytes JMP 0000000077710330 .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000775ace40 5 bytes JMP 0000000077710460 .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 00000000775acfa0 5 bytes JMP 0000000077710420 .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000775ad040 5 bytes JMP 0000000077710250 .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000775ad050 5 bytes JMP 0000000077710260 .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000775ad060 5 bytes JMP 0000000077710400 .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000775ad220 5 bytes JMP 00000000777101e0 .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000775ad230 5 bytes JMP 0000000077710200 .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000775ad2a0 5 bytes JMP 00000000777101f0 .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000775ad300 5 bytes JMP 0000000077710430 .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000775ad310 5 bytes JMP 0000000077710450 .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000775ad320 5 bytes JMP 0000000077710210 .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000775ad400 5 bytes JMP 0000000077710270 .text C:\Windows\System32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000775abbe0 5 bytes JMP 0000000077710480 .text C:\Windows\System32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000775abc30 5 bytes JMP 0000000077710470 .text C:\Windows\System32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000775abd90 5 bytes JMP 0000000077710360 .text C:\Windows\System32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000775abde0 5 bytes JMP 0000000077710490 .text C:\Windows\System32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000775abdf0 5 bytes JMP 00000000777103d0 .text C:\Windows\System32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000775abea0 5 bytes JMP 0000000077710310 .text C:\Windows\System32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000775abed0 5 bytes JMP 00000000777103a0 .text C:\Windows\System32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000775abef0 1 byte JMP 0000000077710380 .text C:\Windows\System32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 00000000775abef2 3 bytes {JMP 0x164490} .text C:\Windows\System32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000775abf30 5 bytes JMP 00000000777102d0 .text C:\Windows\System32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000775abfb0 5 bytes JMP 00000000777102c0 .text C:\Windows\System32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000775abfd0 5 bytes JMP 0000000077710300 .text C:\Windows\System32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000775ac010 5 bytes JMP 00000000777103b0 .text C:\Windows\System32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000775ac050 5 bytes JMP 0000000077710440 .text C:\Windows\System32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000775ac060 5 bytes JMP 00000000777103e0 .text C:\Windows\System32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000775ac1c0 5 bytes JMP 0000000077710220 .text C:\Windows\System32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000775ac380 5 bytes JMP 00000000777104a0 .text C:\Windows\System32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000775ac3b0 5 bytes JMP 0000000077710390 .text C:\Windows\System32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000775ac490 5 bytes JMP 00000000777102e0 .text C:\Windows\System32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000775ac4a0 5 bytes JMP 0000000077710340 .text C:\Windows\System32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000775ac500 5 bytes JMP 0000000077710280 .text C:\Windows\System32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000775ac590 5 bytes JMP 00000000777102a0 .text C:\Windows\System32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000775ac5b0 5 bytes JMP 00000000777103c0 .text C:\Windows\System32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000775ac5c0 5 bytes JMP 0000000077710320 .text C:\Windows\System32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000775ac630 5 bytes JMP 0000000077710410 .text C:\Windows\System32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000775ac660 5 bytes JMP 0000000077710230 .text C:\Windows\System32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 00000000775ac800 5 bytes JMP 00000000777103f0 .text C:\Windows\System32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000775ac920 5 bytes JMP 00000000777101d0 .text C:\Windows\System32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000775ac9e0 5 bytes JMP 0000000077710240 .text C:\Windows\System32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000775aca10 5 bytes JMP 00000000777104b0 .text C:\Windows\System32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000775aca20 5 bytes JMP 00000000777104c0 .text C:\Windows\System32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000775aca50 5 bytes JMP 00000000777102f0 .text C:\Windows\System32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000775aca60 5 bytes JMP 0000000077710350 .text C:\Windows\System32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000775acac0 5 bytes JMP 0000000077710290 .text C:\Windows\System32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000775acb10 5 bytes JMP 00000000777102b0 .text C:\Windows\System32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000775acb40 5 bytes JMP 0000000077710370 .text C:\Windows\System32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000775acb50 5 bytes JMP 0000000077710330 .text C:\Windows\System32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000775ace40 5 bytes JMP 0000000077710460 .text C:\Windows\System32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 00000000775acfa0 5 bytes JMP 0000000077710420 .text C:\Windows\System32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000775ad040 5 bytes JMP 0000000077710250 .text C:\Windows\System32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000775ad050 5 bytes JMP 0000000077710260 .text C:\Windows\System32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000775ad060 5 bytes JMP 0000000077710400 .text C:\Windows\System32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000775ad220 5 bytes JMP 00000000777101e0 .text C:\Windows\System32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000775ad230 5 bytes JMP 0000000077710200 .text C:\Windows\System32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000775ad2a0 5 bytes JMP 00000000777101f0 .text C:\Windows\System32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000775ad300 5 bytes JMP 0000000077710430 .text C:\Windows\System32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000775ad310 5 bytes JMP 0000000077710450 .text C:\Windows\System32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000775ad320 5 bytes JMP 0000000077710210 .text C:\Windows\System32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000775ad400 5 bytes JMP 0000000077710270 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000775abbe0 5 bytes JMP 0000000077710480 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000775abc30 5 bytes JMP 0000000077710470 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000775abd90 5 bytes JMP 0000000077710360 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000775abde0 5 bytes JMP 0000000077710490 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000775abdf0 5 bytes JMP 00000000777103d0 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000775abea0 5 bytes JMP 0000000077710310 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000775abed0 5 bytes JMP 00000000777103a0 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000775abef0 1 byte JMP 0000000077710380 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 00000000775abef2 3 bytes {JMP 0x164490} .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000775abf30 5 bytes JMP 00000000777102d0 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000775abfb0 5 bytes JMP 00000000777102c0 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000775abfd0 5 bytes JMP 0000000077710300 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000775ac010 5 bytes JMP 00000000777103b0 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000775ac050 5 bytes JMP 0000000077710440 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000775ac060 5 bytes JMP 00000000777103e0 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000775ac1c0 5 bytes JMP 0000000077710220 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000775ac380 5 bytes JMP 00000000777104a0 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000775ac3b0 5 bytes JMP 0000000077710390 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000775ac490 5 bytes JMP 00000000777102e0 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000775ac4a0 5 bytes JMP 0000000077710340 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000775ac500 5 bytes JMP 0000000077710280 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000775ac590 5 bytes JMP 00000000777102a0 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000775ac5b0 5 bytes JMP 00000000777103c0 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000775ac5c0 5 bytes JMP 0000000077710320 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000775ac630 5 bytes JMP 0000000077710410 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000775ac660 5 bytes JMP 0000000077710230 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 00000000775ac800 5 bytes JMP 00000000777103f0 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000775ac920 5 bytes JMP 00000000777101d0 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000775ac9e0 5 bytes JMP 0000000077710240 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000775aca10 5 bytes JMP 00000000777104b0 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000775aca20 5 bytes JMP 00000000777104c0 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000775aca50 5 bytes JMP 00000000777102f0 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000775aca60 5 bytes JMP 0000000077710350 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000775acac0 5 bytes JMP 0000000077710290 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000775acb10 5 bytes JMP 00000000777102b0 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000775acb40 5 bytes JMP 0000000077710370 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000775acb50 5 bytes JMP 0000000077710330 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000775ace40 5 bytes JMP 0000000077710460 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 00000000775acfa0 5 bytes JMP 0000000077710420 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000775ad040 5 bytes JMP 0000000077710250 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000775ad050 5 bytes JMP 0000000077710260 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000775ad060 5 bytes JMP 0000000077710400 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000775ad220 5 bytes JMP 00000000777101e0 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000775ad230 5 bytes JMP 0000000077710200 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000775ad2a0 5 bytes JMP 00000000777101f0 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000775ad300 5 bytes JMP 0000000077710430 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000775ad310 5 bytes JMP 0000000077710450 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000775ad320 5 bytes JMP 0000000077710210 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000775ad400 5 bytes JMP 0000000077710270 .text C:\Windows\system32\svchost.exe[344] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000775abbe0 5 bytes JMP 0000000077710480 .text C:\Windows\system32\svchost.exe[344] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000775abc30 5 bytes JMP 0000000077710470 .text C:\Windows\system32\svchost.exe[344] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000775abd90 5 bytes JMP 0000000077710360 .text C:\Windows\system32\svchost.exe[344] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000775abde0 5 bytes JMP 0000000077710490 .text C:\Windows\system32\svchost.exe[344] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000775abdf0 5 bytes JMP 00000000777103d0 .text C:\Windows\system32\svchost.exe[344] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000775abea0 5 bytes JMP 0000000077710310 .text C:\Windows\system32\svchost.exe[344] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000775abed0 5 bytes JMP 00000000777103a0 .text C:\Windows\system32\svchost.exe[344] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000775abef0 1 byte JMP 0000000077710380 .text C:\Windows\system32\svchost.exe[344] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 00000000775abef2 3 bytes {JMP 0x164490} .text C:\Windows\system32\svchost.exe[344] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000775abf30 5 bytes JMP 00000000777102d0 .text C:\Windows\system32\svchost.exe[344] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000775abfb0 5 bytes JMP 00000000777102c0 .text C:\Windows\system32\svchost.exe[344] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000775abfd0 5 bytes JMP 0000000077710300 .text C:\Windows\system32\svchost.exe[344] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000775ac010 5 bytes JMP 00000000777103b0 .text C:\Windows\system32\svchost.exe[344] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000775ac050 5 bytes JMP 0000000077710440 .text C:\Windows\system32\svchost.exe[344] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000775ac060 5 bytes JMP 00000000777103e0 .text C:\Windows\system32\svchost.exe[344] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000775ac1c0 5 bytes JMP 0000000077710220 .text C:\Windows\system32\svchost.exe[344] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000775ac380 5 bytes JMP 00000000777104a0 .text C:\Windows\system32\svchost.exe[344] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000775ac3b0 5 bytes JMP 0000000077710390 .text C:\Windows\system32\svchost.exe[344] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000775ac490 5 bytes JMP 00000000777102e0 .text C:\Windows\system32\svchost.exe[344] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000775ac4a0 5 bytes JMP 0000000077710340 .text C:\Windows\system32\svchost.exe[344] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000775ac500 5 bytes JMP 0000000077710280 .text C:\Windows\system32\svchost.exe[344] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000775ac590 5 bytes JMP 00000000777102a0 .text C:\Windows\system32\svchost.exe[344] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000775ac5b0 5 bytes JMP 00000000777103c0 .text C:\Windows\system32\svchost.exe[344] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000775ac5c0 5 bytes JMP 0000000077710320 .text C:\Windows\system32\svchost.exe[344] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000775ac630 5 bytes JMP 0000000077710410 .text C:\Windows\system32\svchost.exe[344] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000775ac660 5 bytes JMP 0000000077710230 .text C:\Windows\system32\svchost.exe[344] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 00000000775ac800 5 bytes JMP 00000000777103f0 .text C:\Windows\system32\svchost.exe[344] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000775ac920 5 bytes JMP 00000000777101d0 .text C:\Windows\system32\svchost.exe[344] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000775ac9e0 5 bytes JMP 0000000077710240 .text C:\Windows\system32\svchost.exe[344] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000775aca10 5 bytes JMP 00000000777104b0 .text C:\Windows\system32\svchost.exe[344] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000775aca20 5 bytes JMP 00000000777104c0 .text C:\Windows\system32\svchost.exe[344] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000775aca50 5 bytes JMP 00000000777102f0 .text C:\Windows\system32\svchost.exe[344] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000775aca60 5 bytes JMP 0000000077710350 .text C:\Windows\system32\svchost.exe[344] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000775acac0 5 bytes JMP 0000000077710290 .text C:\Windows\system32\svchost.exe[344] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000775acb10 5 bytes JMP 00000000777102b0 .text C:\Windows\system32\svchost.exe[344] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000775acb40 5 bytes JMP 0000000077710370 .text C:\Windows\system32\svchost.exe[344] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000775acb50 5 bytes JMP 0000000077710330 .text C:\Windows\system32\svchost.exe[344] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000775ace40 5 bytes JMP 0000000077710460 .text C:\Windows\system32\svchost.exe[344] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 00000000775acfa0 5 bytes JMP 0000000077710420 .text C:\Windows\system32\svchost.exe[344] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000775ad040 5 bytes JMP 0000000077710250 .text C:\Windows\system32\svchost.exe[344] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000775ad050 5 bytes JMP 0000000077710260 .text C:\Windows\system32\svchost.exe[344] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000775ad060 5 bytes JMP 0000000077710400 .text C:\Windows\system32\svchost.exe[344] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000775ad220 5 bytes JMP 00000000777101e0 .text C:\Windows\system32\svchost.exe[344] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000775ad230 5 bytes JMP 0000000077710200 .text C:\Windows\system32\svchost.exe[344] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000775ad2a0 5 bytes JMP 00000000777101f0 .text C:\Windows\system32\svchost.exe[344] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000775ad300 5 bytes JMP 0000000077710430 .text C:\Windows\system32\svchost.exe[344] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000775ad310 5 bytes JMP 0000000077710450 .text C:\Windows\system32\svchost.exe[344] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000775ad320 5 bytes JMP 0000000077710210 .text C:\Windows\system32\svchost.exe[344] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000775ad400 5 bytes JMP 0000000077710270 .text C:\Windows\system32\svchost.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000775abbe0 5 bytes JMP 0000000077710480 .text C:\Windows\system32\svchost.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000775abc30 5 bytes JMP 0000000077710470 .text C:\Windows\system32\svchost.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000775abd90 5 bytes JMP 0000000077710360 .text C:\Windows\system32\svchost.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000775abde0 5 bytes JMP 0000000077710490 .text C:\Windows\system32\svchost.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000775abdf0 5 bytes JMP 00000000777103d0 .text C:\Windows\system32\svchost.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000775abea0 5 bytes JMP 0000000077710310 .text C:\Windows\system32\svchost.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000775abed0 5 bytes JMP 00000000777103a0 .text C:\Windows\system32\svchost.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000775abef0 1 byte JMP 0000000077710380 .text C:\Windows\system32\svchost.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 00000000775abef2 3 bytes {JMP 0x164490} .text C:\Windows\system32\svchost.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000775abf30 5 bytes JMP 00000000777102d0 .text C:\Windows\system32\svchost.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000775abfb0 5 bytes JMP 00000000777102c0 .text C:\Windows\system32\svchost.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000775abfd0 5 bytes JMP 0000000077710300 .text C:\Windows\system32\svchost.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000775ac010 5 bytes JMP 00000000777103b0 .text C:\Windows\system32\svchost.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000775ac050 5 bytes JMP 0000000077710440 .text C:\Windows\system32\svchost.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000775ac060 5 bytes JMP 00000000777103e0 .text C:\Windows\system32\svchost.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000775ac1c0 5 bytes JMP 0000000077710220 .text C:\Windows\system32\svchost.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000775ac380 5 bytes JMP 00000000777104a0 .text C:\Windows\system32\svchost.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000775ac3b0 5 bytes JMP 0000000077710390 .text C:\Windows\system32\svchost.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000775ac490 5 bytes JMP 00000000777102e0 .text C:\Windows\system32\svchost.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000775ac4a0 5 bytes JMP 0000000077710340 .text C:\Windows\system32\svchost.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000775ac500 5 bytes JMP 0000000077710280 .text C:\Windows\system32\svchost.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000775ac590 5 bytes JMP 00000000777102a0 .text C:\Windows\system32\svchost.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000775ac5b0 5 bytes JMP 00000000777103c0 .text C:\Windows\system32\svchost.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000775ac5c0 5 bytes JMP 0000000077710320 .text C:\Windows\system32\svchost.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000775ac630 5 bytes JMP 0000000077710410 .text C:\Windows\system32\svchost.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000775ac660 5 bytes JMP 0000000077710230 .text C:\Windows\system32\svchost.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 00000000775ac800 5 bytes JMP 00000000777103f0 .text C:\Windows\system32\svchost.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000775ac920 5 bytes JMP 00000000777101d0 .text C:\Windows\system32\svchost.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000775ac9e0 5 bytes JMP 0000000077710240 .text C:\Windows\system32\svchost.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000775aca10 5 bytes JMP 00000000777104b0 .text C:\Windows\system32\svchost.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000775aca20 5 bytes JMP 00000000777104c0 .text C:\Windows\system32\svchost.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000775aca50 5 bytes JMP 00000000777102f0 .text C:\Windows\system32\svchost.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000775aca60 5 bytes JMP 0000000077710350 .text C:\Windows\system32\svchost.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000775acac0 5 bytes JMP 0000000077710290 .text C:\Windows\system32\svchost.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000775acb10 5 bytes JMP 00000000777102b0 .text C:\Windows\system32\svchost.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000775acb40 5 bytes JMP 0000000077710370 .text C:\Windows\system32\svchost.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000775acb50 5 bytes JMP 0000000077710330 .text C:\Windows\system32\svchost.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000775ace40 5 bytes JMP 0000000077710460 .text C:\Windows\system32\svchost.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 00000000775acfa0 5 bytes JMP 0000000077710420 .text C:\Windows\system32\svchost.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000775ad040 5 bytes JMP 0000000077710250 .text C:\Windows\system32\svchost.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000775ad050 5 bytes JMP 0000000077710260 .text C:\Windows\system32\svchost.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000775ad060 5 bytes JMP 0000000077710400 .text C:\Windows\system32\svchost.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000775ad220 5 bytes JMP 00000000777101e0 .text C:\Windows\system32\svchost.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000775ad230 5 bytes JMP 0000000077710200 .text C:\Windows\system32\svchost.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000775ad2a0 5 bytes JMP 00000000777101f0 .text C:\Windows\system32\svchost.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000775ad300 5 bytes JMP 0000000077710430 .text C:\Windows\system32\svchost.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000775ad310 5 bytes JMP 0000000077710450 .text C:\Windows\system32\svchost.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000775ad320 5 bytes JMP 0000000077710210 .text C:\Windows\system32\svchost.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000775ad400 5 bytes JMP 0000000077710270 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000775abbe0 5 bytes JMP 0000000077710480 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000775abc30 5 bytes JMP 0000000077710470 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000775abd90 5 bytes JMP 0000000077710360 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000775abde0 5 bytes JMP 0000000077710490 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000775abdf0 5 bytes JMP 00000000777103d0 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000775abea0 5 bytes JMP 0000000077710310 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000775abed0 5 bytes JMP 00000000777103a0 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000775abef0 1 byte JMP 0000000077710380 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 00000000775abef2 3 bytes {JMP 0x164490} .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000775abf30 5 bytes JMP 00000000777102d0 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000775abfb0 5 bytes JMP 00000000777102c0 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000775abfd0 5 bytes JMP 0000000077710300 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000775ac010 5 bytes JMP 00000000777103b0 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000775ac050 5 bytes JMP 0000000077710440 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000775ac060 5 bytes JMP 00000000777103e0 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000775ac1c0 5 bytes JMP 0000000077710220 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000775ac380 5 bytes JMP 00000000777104a0 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000775ac3b0 5 bytes JMP 0000000077710390 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000775ac490 5 bytes JMP 00000000777102e0 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000775ac4a0 5 bytes JMP 0000000077710340 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000775ac500 5 bytes JMP 0000000077710280 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000775ac590 5 bytes JMP 00000000777102a0 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000775ac5b0 5 bytes JMP 00000000777103c0 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000775ac5c0 5 bytes JMP 0000000077710320 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000775ac630 5 bytes JMP 0000000077710410 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000775ac660 5 bytes JMP 0000000077710230 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 00000000775ac800 5 bytes JMP 00000000777103f0 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000775ac920 5 bytes JMP 00000000777101d0 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000775ac9e0 5 bytes JMP 0000000077710240 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000775aca10 5 bytes JMP 00000000777104b0 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000775aca20 5 bytes JMP 00000000777104c0 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000775aca50 5 bytes JMP 00000000777102f0 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000775aca60 5 bytes JMP 0000000077710350 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000775acac0 5 bytes JMP 0000000077710290 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000775acb10 5 bytes JMP 00000000777102b0 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000775acb40 5 bytes JMP 0000000077710370 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000775acb50 5 bytes JMP 0000000077710330 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000775ace40 5 bytes JMP 0000000077710460 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 00000000775acfa0 5 bytes JMP 0000000077710420 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000775ad040 5 bytes JMP 0000000077710250 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000775ad050 5 bytes JMP 0000000077710260 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000775ad060 5 bytes JMP 0000000077710400 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000775ad220 5 bytes JMP 00000000777101e0 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000775ad230 5 bytes JMP 0000000077710200 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000775ad2a0 5 bytes JMP 00000000777101f0 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000775ad300 5 bytes JMP 0000000077710430 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000775ad310 5 bytes JMP 0000000077710450 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000775ad320 5 bytes JMP 0000000077710210 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000775ad400 5 bytes JMP 0000000077710270 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000775abbe0 5 bytes JMP 0000000077710480 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000775abc30 5 bytes JMP 0000000077710470 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000775abd90 5 bytes JMP 0000000077710360 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000775abde0 5 bytes JMP 0000000077710490 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000775abdf0 5 bytes JMP 00000000777103d0 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000775abea0 5 bytes JMP 0000000077710310 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000775abed0 5 bytes JMP 00000000777103a0 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000775abef0 1 byte JMP 0000000077710380 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 00000000775abef2 3 bytes {JMP 0x164490} .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000775abf30 5 bytes JMP 00000000777102d0 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000775abfb0 5 bytes JMP 00000000777102c0 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000775abfd0 5 bytes JMP 0000000077710300 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000775ac010 5 bytes JMP 00000000777103b0 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000775ac050 5 bytes JMP 0000000077710440 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000775ac060 5 bytes JMP 00000000777103e0 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000775ac1c0 5 bytes JMP 0000000077710220 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000775ac380 5 bytes JMP 00000000777104a0 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000775ac3b0 5 bytes JMP 0000000077710390 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000775ac490 5 bytes JMP 00000000777102e0 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000775ac4a0 5 bytes JMP 0000000077710340 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000775ac500 5 bytes JMP 0000000077710280 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000775ac590 5 bytes JMP 00000000777102a0 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000775ac5b0 5 bytes JMP 00000000777103c0 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000775ac5c0 5 bytes JMP 0000000077710320 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000775ac630 5 bytes JMP 0000000077710410 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000775ac660 5 bytes JMP 0000000077710230 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 00000000775ac800 5 bytes JMP 00000000777103f0 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000775ac920 5 bytes JMP 00000000777101d0 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000775ac9e0 5 bytes JMP 0000000077710240 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000775aca10 5 bytes JMP 00000000777104b0 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000775aca20 5 bytes JMP 00000000777104c0 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000775aca50 5 bytes JMP 00000000777102f0 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000775aca60 5 bytes JMP 0000000077710350 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000775acac0 5 bytes JMP 0000000077710290 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000775acb10 5 bytes JMP 00000000777102b0 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000775acb40 5 bytes JMP 0000000077710370 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000775acb50 5 bytes JMP 0000000077710330 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000775ace40 5 bytes JMP 0000000077710460 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 00000000775acfa0 5 bytes JMP 0000000077710420 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000775ad040 5 bytes JMP 0000000077710250 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000775ad050 5 bytes JMP 0000000077710260 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000775ad060 5 bytes JMP 0000000077710400 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000775ad220 5 bytes JMP 00000000777101e0 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000775ad230 5 bytes JMP 0000000077710200 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000775ad2a0 5 bytes JMP 00000000777101f0 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000775ad300 5 bytes JMP 0000000077710430 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000775ad310 5 bytes JMP 0000000077710450 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000775ad320 5 bytes JMP 0000000077710210 .text C:\Windows\system32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000775ad400 5 bytes JMP 0000000077710270 .text C:\Windows\system32\svchost.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000775abbe0 5 bytes JMP 0000000077710480 .text C:\Windows\system32\svchost.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000775abc30 5 bytes JMP 0000000077710470 .text C:\Windows\system32\svchost.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000775abd90 5 bytes JMP 0000000077710360 .text C:\Windows\system32\svchost.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000775abde0 5 bytes JMP 0000000077710490 .text C:\Windows\system32\svchost.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000775abdf0 5 bytes JMP 00000000777103d0 .text C:\Windows\system32\svchost.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000775abea0 5 bytes JMP 0000000077710310 .text C:\Windows\system32\svchost.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000775abed0 5 bytes JMP 00000000777103a0 .text C:\Windows\system32\svchost.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000775abef0 1 byte JMP 0000000077710380 .text C:\Windows\system32\svchost.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 00000000775abef2 3 bytes {JMP 0x164490} .text C:\Windows\system32\svchost.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000775abf30 5 bytes JMP 00000000777102d0 .text C:\Windows\system32\svchost.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000775abfb0 5 bytes JMP 00000000777102c0 .text C:\Windows\system32\svchost.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000775abfd0 5 bytes JMP 0000000077710300 .text C:\Windows\system32\svchost.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000775ac010 5 bytes JMP 00000000777103b0 .text C:\Windows\system32\svchost.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000775ac050 5 bytes JMP 0000000077710440 .text C:\Windows\system32\svchost.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000775ac060 5 bytes JMP 00000000777103e0 .text C:\Windows\system32\svchost.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000775ac1c0 5 bytes JMP 0000000077710220 .text C:\Windows\system32\svchost.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000775ac380 5 bytes JMP 00000000777104a0 .text C:\Windows\system32\svchost.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000775ac3b0 5 bytes JMP 0000000077710390 .text C:\Windows\system32\svchost.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000775ac490 5 bytes JMP 00000000777102e0 .text C:\Windows\system32\svchost.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000775ac4a0 5 bytes JMP 0000000077710340 .text C:\Windows\system32\svchost.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000775ac500 5 bytes JMP 0000000077710280 .text C:\Windows\system32\svchost.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000775ac590 5 bytes JMP 00000000777102a0 .text C:\Windows\system32\svchost.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000775ac5b0 5 bytes JMP 00000000777103c0 .text C:\Windows\system32\svchost.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000775ac5c0 5 bytes JMP 0000000077710320 .text C:\Windows\system32\svchost.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000775ac630 5 bytes JMP 0000000077710410 .text C:\Windows\system32\svchost.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000775ac660 5 bytes JMP 0000000077710230 .text C:\Windows\system32\svchost.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 00000000775ac800 5 bytes JMP 00000000777103f0 .text C:\Windows\system32\svchost.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000775ac920 5 bytes JMP 00000000777101d0 .text C:\Windows\system32\svchost.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000775ac9e0 5 bytes JMP 0000000077710240 .text C:\Windows\system32\svchost.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000775aca10 5 bytes JMP 00000000777104b0 .text C:\Windows\system32\svchost.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000775aca20 5 bytes JMP 00000000777104c0 .text C:\Windows\system32\svchost.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000775aca50 5 bytes JMP 00000000777102f0 .text C:\Windows\system32\svchost.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000775aca60 5 bytes JMP 0000000077710350 .text C:\Windows\system32\svchost.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000775acac0 5 bytes JMP 0000000077710290 .text C:\Windows\system32\svchost.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000775acb10 5 bytes JMP 00000000777102b0 .text C:\Windows\system32\svchost.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000775acb40 5 bytes JMP 0000000077710370 .text C:\Windows\system32\svchost.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000775acb50 5 bytes JMP 0000000077710330 .text C:\Windows\system32\svchost.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000775ace40 5 bytes JMP 0000000077710460 .text C:\Windows\system32\svchost.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 00000000775acfa0 5 bytes JMP 0000000077710420 .text C:\Windows\system32\svchost.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000775ad040 5 bytes JMP 0000000077710250 .text C:\Windows\system32\svchost.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000775ad050 5 bytes JMP 0000000077710260 .text C:\Windows\system32\svchost.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000775ad060 5 bytes JMP 0000000077710400 .text C:\Windows\system32\svchost.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000775ad220 5 bytes JMP 00000000777101e0 .text C:\Windows\system32\svchost.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000775ad230 5 bytes JMP 0000000077710200 .text C:\Windows\system32\svchost.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000775ad2a0 5 bytes JMP 00000000777101f0 .text C:\Windows\system32\svchost.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000775ad300 5 bytes JMP 0000000077710430 .text C:\Windows\system32\svchost.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000775ad310 5 bytes JMP 0000000077710450 .text C:\Windows\system32\svchost.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000775ad320 5 bytes JMP 0000000077710210 .text C:\Windows\system32\svchost.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000775ad400 5 bytes JMP 0000000077710270 .text C:\Windows\system32\taskhost.exe[1744] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000775abbe0 5 bytes JMP 0000000077710480 .text C:\Windows\system32\taskhost.exe[1744] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000775abc30 5 bytes JMP 0000000077710470 .text C:\Windows\system32\taskhost.exe[1744] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000775abd90 5 bytes JMP 0000000077710360 .text C:\Windows\system32\taskhost.exe[1744] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000775abde0 5 bytes JMP 0000000077710490 .text C:\Windows\system32\taskhost.exe[1744] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000775abdf0 5 bytes JMP 00000000777103d0 .text C:\Windows\system32\taskhost.exe[1744] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000775abea0 5 bytes JMP 0000000077710310 .text C:\Windows\system32\taskhost.exe[1744] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000775abed0 5 bytes JMP 00000000777103a0 .text C:\Windows\system32\taskhost.exe[1744] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000775abef0 1 byte JMP 0000000077710380 .text C:\Windows\system32\taskhost.exe[1744] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 00000000775abef2 3 bytes {JMP 0x164490} .text C:\Windows\system32\taskhost.exe[1744] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000775abf30 5 bytes JMP 00000000777102d0 .text C:\Windows\system32\taskhost.exe[1744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000775abfb0 5 bytes JMP 00000000777102c0 .text C:\Windows\system32\taskhost.exe[1744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000775abfd0 5 bytes JMP 0000000077710300 .text C:\Windows\system32\taskhost.exe[1744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000775ac010 5 bytes JMP 00000000777103b0 .text C:\Windows\system32\taskhost.exe[1744] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000775ac050 5 bytes JMP 0000000077710440 .text C:\Windows\system32\taskhost.exe[1744] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000775ac060 5 bytes JMP 00000000777103e0 .text C:\Windows\system32\taskhost.exe[1744] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000775ac1c0 5 bytes JMP 0000000077710220 .text C:\Windows\system32\taskhost.exe[1744] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000775ac380 5 bytes JMP 00000000777104a0 .text C:\Windows\system32\taskhost.exe[1744] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000775ac3b0 5 bytes JMP 0000000077710390 .text C:\Windows\system32\taskhost.exe[1744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000775ac490 5 bytes JMP 00000000777102e0 .text C:\Windows\system32\taskhost.exe[1744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000775ac4a0 5 bytes JMP 0000000077710340 .text C:\Windows\system32\taskhost.exe[1744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000775ac500 5 bytes JMP 0000000077710280 .text C:\Windows\system32\taskhost.exe[1744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000775ac590 5 bytes JMP 00000000777102a0 .text C:\Windows\system32\taskhost.exe[1744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000775ac5b0 5 bytes JMP 00000000777103c0 .text C:\Windows\system32\taskhost.exe[1744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000775ac5c0 5 bytes JMP 0000000077710320 .text C:\Windows\system32\taskhost.exe[1744] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000775ac630 5 bytes JMP 0000000077710410 .text C:\Windows\system32\taskhost.exe[1744] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000775ac660 5 bytes JMP 0000000077710230 .text C:\Windows\system32\taskhost.exe[1744] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 00000000775ac800 5 bytes JMP 00000000777103f0 .text C:\Windows\system32\taskhost.exe[1744] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000775ac920 5 bytes JMP 00000000777101d0 .text C:\Windows\system32\taskhost.exe[1744] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000775ac9e0 5 bytes JMP 0000000077710240 .text C:\Windows\system32\taskhost.exe[1744] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000775aca10 5 bytes JMP 00000000777104b0 .text C:\Windows\system32\taskhost.exe[1744] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000775aca20 5 bytes JMP 00000000777104c0 .text C:\Windows\system32\taskhost.exe[1744] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000775aca50 5 bytes JMP 00000000777102f0 .text C:\Windows\system32\taskhost.exe[1744] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000775aca60 5 bytes JMP 0000000077710350 .text C:\Windows\system32\taskhost.exe[1744] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000775acac0 5 bytes JMP 0000000077710290 .text C:\Windows\system32\taskhost.exe[1744] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000775acb10 5 bytes JMP 00000000777102b0 .text C:\Windows\system32\taskhost.exe[1744] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000775acb40 5 bytes JMP 0000000077710370 .text C:\Windows\system32\taskhost.exe[1744] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000775acb50 5 bytes JMP 0000000077710330 .text C:\Windows\system32\taskhost.exe[1744] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000775ace40 5 bytes JMP 0000000077710460 .text C:\Windows\system32\taskhost.exe[1744] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 00000000775acfa0 5 bytes JMP 0000000077710420 .text C:\Windows\system32\taskhost.exe[1744] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000775ad040 5 bytes JMP 0000000077710250 .text C:\Windows\system32\taskhost.exe[1744] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000775ad050 5 bytes JMP 0000000077710260 .text C:\Windows\system32\taskhost.exe[1744] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000775ad060 5 bytes JMP 0000000077710400 .text C:\Windows\system32\taskhost.exe[1744] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000775ad220 5 bytes JMP 00000000777101e0 .text C:\Windows\system32\taskhost.exe[1744] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000775ad230 5 bytes JMP 0000000077710200 .text C:\Windows\system32\taskhost.exe[1744] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000775ad2a0 5 bytes JMP 00000000777101f0 .text C:\Windows\system32\taskhost.exe[1744] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000775ad300 5 bytes JMP 0000000077710430 .text C:\Windows\system32\taskhost.exe[1744] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000775ad310 5 bytes JMP 0000000077710450 .text C:\Windows\system32\taskhost.exe[1744] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000775ad320 5 bytes JMP 0000000077710210 .text C:\Windows\system32\taskhost.exe[1744] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000775ad400 5 bytes JMP 0000000077710270 .text C:\Windows\system32\Dwm.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000775abbe0 5 bytes JMP 0000000077710480 .text C:\Windows\system32\Dwm.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000775abc30 5 bytes JMP 0000000077710470 .text C:\Windows\system32\Dwm.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000775abd90 5 bytes JMP 0000000077710360 .text C:\Windows\system32\Dwm.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000775abde0 5 bytes JMP 0000000077710490 .text C:\Windows\system32\Dwm.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000775abdf0 5 bytes JMP 00000000777103d0 .text C:\Windows\system32\Dwm.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000775abea0 5 bytes JMP 0000000077710310 .text C:\Windows\system32\Dwm.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000775abed0 5 bytes JMP 00000000777103a0 .text C:\Windows\system32\Dwm.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000775abef0 1 byte JMP 0000000077710380 .text C:\Windows\system32\Dwm.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 00000000775abef2 3 bytes {JMP 0x164490} .text C:\Windows\system32\Dwm.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000775abf30 5 bytes JMP 00000000777102d0 .text C:\Windows\system32\Dwm.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000775abfb0 5 bytes JMP 00000000777102c0 .text C:\Windows\system32\Dwm.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000775abfd0 5 bytes JMP 0000000077710300 .text C:\Windows\system32\Dwm.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000775ac010 5 bytes JMP 00000000777103b0 .text C:\Windows\system32\Dwm.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000775ac050 5 bytes JMP 0000000077710440 .text C:\Windows\system32\Dwm.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000775ac060 5 bytes JMP 00000000777103e0 .text C:\Windows\system32\Dwm.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000775ac1c0 5 bytes JMP 0000000077710220 .text C:\Windows\system32\Dwm.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000775ac380 5 bytes JMP 00000000777104a0 .text C:\Windows\system32\Dwm.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000775ac3b0 5 bytes JMP 0000000077710390 .text C:\Windows\system32\Dwm.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000775ac490 5 bytes JMP 00000000777102e0 .text C:\Windows\system32\Dwm.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000775ac4a0 5 bytes JMP 0000000077710340 .text C:\Windows\system32\Dwm.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000775ac500 5 bytes JMP 0000000077710280 .text C:\Windows\system32\Dwm.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000775ac590 5 bytes JMP 00000000777102a0 .text C:\Windows\system32\Dwm.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000775ac5b0 5 bytes JMP 00000000777103c0 .text C:\Windows\system32\Dwm.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000775ac5c0 5 bytes JMP 0000000077710320 .text C:\Windows\system32\Dwm.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000775ac630 5 bytes JMP 0000000077710410 .text C:\Windows\system32\Dwm.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000775ac660 5 bytes JMP 0000000077710230 .text C:\Windows\system32\Dwm.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 00000000775ac800 5 bytes JMP 00000000777103f0 .text C:\Windows\system32\Dwm.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000775ac920 5 bytes JMP 00000000777101d0 .text C:\Windows\system32\Dwm.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000775ac9e0 5 bytes JMP 0000000077710240 .text C:\Windows\system32\Dwm.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000775aca10 5 bytes JMP 00000000777104b0 .text C:\Windows\system32\Dwm.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000775aca20 5 bytes JMP 00000000777104c0 .text C:\Windows\system32\Dwm.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000775aca50 5 bytes JMP 00000000777102f0 .text C:\Windows\system32\Dwm.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000775aca60 5 bytes JMP 0000000077710350 .text C:\Windows\system32\Dwm.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000775acac0 5 bytes JMP 0000000077710290 .text C:\Windows\system32\Dwm.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000775acb10 5 bytes JMP 00000000777102b0 .text C:\Windows\system32\Dwm.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000775acb40 5 bytes JMP 0000000077710370 .text C:\Windows\system32\Dwm.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000775acb50 5 bytes JMP 0000000077710330 .text C:\Windows\system32\Dwm.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000775ace40 5 bytes JMP 0000000077710460 .text C:\Windows\system32\Dwm.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 00000000775acfa0 5 bytes JMP 0000000077710420 .text C:\Windows\system32\Dwm.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000775ad040 5 bytes JMP 0000000077710250 .text C:\Windows\system32\Dwm.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000775ad050 5 bytes JMP 0000000077710260 .text C:\Windows\system32\Dwm.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000775ad060 5 bytes JMP 0000000077710400 .text C:\Windows\system32\Dwm.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000775ad220 5 bytes JMP 00000000777101e0 .text C:\Windows\system32\Dwm.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000775ad230 5 bytes JMP 0000000077710200 .text C:\Windows\system32\Dwm.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000775ad2a0 5 bytes JMP 00000000777101f0 .text C:\Windows\system32\Dwm.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000775ad300 5 bytes JMP 0000000077710430 .text C:\Windows\system32\Dwm.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000775ad310 5 bytes JMP 0000000077710450 .text C:\Windows\system32\Dwm.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000775ad320 5 bytes JMP 0000000077710210 .text C:\Windows\system32\Dwm.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000775ad400 5 bytes JMP 0000000077710270 .text C:\Windows\Explorer.EXE[1868] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000775abbe0 5 bytes JMP 0000000077710480 .text C:\Windows\Explorer.EXE[1868] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000775abc30 5 bytes JMP 0000000077710470 .text C:\Windows\Explorer.EXE[1868] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000775abd90 5 bytes JMP 0000000077710360 .text C:\Windows\Explorer.EXE[1868] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000775abde0 5 bytes JMP 0000000077710490 .text C:\Windows\Explorer.EXE[1868] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000775abdf0 5 bytes JMP 00000000777103d0 .text C:\Windows\Explorer.EXE[1868] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000775abea0 5 bytes JMP 0000000077710310 .text C:\Windows\Explorer.EXE[1868] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000775abed0 5 bytes JMP 00000000777103a0 .text C:\Windows\Explorer.EXE[1868] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000775abef0 1 byte JMP 0000000077710380 .text C:\Windows\Explorer.EXE[1868] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 00000000775abef2 3 bytes {JMP 0x164490} .text C:\Windows\Explorer.EXE[1868] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000775abf30 5 bytes JMP 00000000777102d0 .text C:\Windows\Explorer.EXE[1868] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000775abfb0 5 bytes JMP 00000000777102c0 .text C:\Windows\Explorer.EXE[1868] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000775abfd0 5 bytes JMP 0000000077710300 .text C:\Windows\Explorer.EXE[1868] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000775ac010 5 bytes JMP 00000000777103b0 .text C:\Windows\Explorer.EXE[1868] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000775ac050 5 bytes JMP 0000000077710440 .text C:\Windows\Explorer.EXE[1868] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000775ac060 5 bytes JMP 00000000777103e0 .text C:\Windows\Explorer.EXE[1868] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000775ac1c0 5 bytes JMP 0000000077710220 .text C:\Windows\Explorer.EXE[1868] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000775ac380 5 bytes JMP 00000000777104a0 .text C:\Windows\Explorer.EXE[1868] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000775ac3b0 5 bytes JMP 0000000077710390 .text C:\Windows\Explorer.EXE[1868] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000775ac490 5 bytes JMP 00000000777102e0 .text C:\Windows\Explorer.EXE[1868] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000775ac4a0 5 bytes JMP 0000000077710340 .text C:\Windows\Explorer.EXE[1868] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000775ac500 5 bytes JMP 0000000077710280 .text C:\Windows\Explorer.EXE[1868] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000775ac590 5 bytes JMP 00000000777102a0 .text C:\Windows\Explorer.EXE[1868] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000775ac5b0 5 bytes JMP 00000000777103c0 .text C:\Windows\Explorer.EXE[1868] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000775ac5c0 5 bytes JMP 0000000077710320 .text C:\Windows\Explorer.EXE[1868] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000775ac630 5 bytes JMP 0000000077710410 .text C:\Windows\Explorer.EXE[1868] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000775ac660 5 bytes JMP 0000000077710230 .text C:\Windows\Explorer.EXE[1868] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 00000000775ac800 5 bytes JMP 00000000777103f0 .text C:\Windows\Explorer.EXE[1868] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000775ac920 5 bytes JMP 00000000777101d0 .text C:\Windows\Explorer.EXE[1868] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000775ac9e0 5 bytes JMP 0000000077710240 .text C:\Windows\Explorer.EXE[1868] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000775aca10 5 bytes JMP 00000000777104b0 .text C:\Windows\Explorer.EXE[1868] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000775aca20 5 bytes JMP 00000000777104c0 .text C:\Windows\Explorer.EXE[1868] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000775aca50 5 bytes JMP 00000000777102f0 .text C:\Windows\Explorer.EXE[1868] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000775aca60 5 bytes JMP 0000000077710350 .text C:\Windows\Explorer.EXE[1868] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000775acac0 5 bytes JMP 0000000077710290 .text C:\Windows\Explorer.EXE[1868] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000775acb10 5 bytes JMP 00000000777102b0 .text C:\Windows\Explorer.EXE[1868] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000775acb40 5 bytes JMP 0000000077710370 .text C:\Windows\Explorer.EXE[1868] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000775acb50 5 bytes JMP 0000000077710330 .text C:\Windows\Explorer.EXE[1868] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000775ace40 5 bytes JMP 0000000077710460 .text C:\Windows\Explorer.EXE[1868] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 00000000775acfa0 5 bytes JMP 0000000077710420 .text C:\Windows\Explorer.EXE[1868] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000775ad040 5 bytes JMP 0000000077710250 .text C:\Windows\Explorer.EXE[1868] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000775ad050 5 bytes JMP 0000000077710260 .text C:\Windows\Explorer.EXE[1868] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000775ad060 5 bytes JMP 0000000077710400 .text C:\Windows\Explorer.EXE[1868] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000775ad220 5 bytes JMP 00000000777101e0 .text C:\Windows\Explorer.EXE[1868] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000775ad230 5 bytes JMP 0000000077710200 .text C:\Windows\Explorer.EXE[1868] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000775ad2a0 5 bytes JMP 00000000777101f0 .text C:\Windows\Explorer.EXE[1868] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000775ad300 5 bytes JMP 0000000077710430 .text C:\Windows\Explorer.EXE[1868] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000775ad310 5 bytes JMP 0000000077710450 .text C:\Windows\Explorer.EXE[1868] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000775ad320 5 bytes JMP 0000000077710210 .text C:\Windows\Explorer.EXE[1868] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000775ad400 5 bytes JMP 0000000077710270 .text C:\Program Files\AVAST Software\Avast\avastui.exe[2580] C:\Windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter 0000000076b38769 8 bytes [31, C0, C2, 04, 00, 90, 90, ...] .text C:\Windows\System32\svchost.exe[2928] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000775abbe0 5 bytes JMP 0000000000070480 .text C:\Windows\System32\svchost.exe[2928] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000775abc30 5 bytes JMP 0000000000070470 .text C:\Windows\System32\svchost.exe[2928] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000775abd90 5 bytes JMP 0000000000070360 .text C:\Windows\System32\svchost.exe[2928] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000775abde0 5 bytes JMP 0000000000070490 .text C:\Windows\System32\svchost.exe[2928] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000775abdf0 5 bytes JMP 00000000000703d0 .text C:\Windows\System32\svchost.exe[2928] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000775abea0 5 bytes JMP 0000000000070310 .text C:\Windows\System32\svchost.exe[2928] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000775abed0 5 bytes JMP 00000000000703a0 .text C:\Windows\System32\svchost.exe[2928] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000775abef0 1 byte JMP 0000000000070380 .text C:\Windows\System32\svchost.exe[2928] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 00000000775abef2 3 bytes {JMP 0xffffffff88ac4490} .text C:\Windows\System32\svchost.exe[2928] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000775abf30 5 bytes JMP 00000000000702d0 .text C:\Windows\System32\svchost.exe[2928] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000775abfb0 5 bytes JMP 00000000000702c0 .text C:\Windows\System32\svchost.exe[2928] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000775abfd0 5 bytes JMP 0000000000070300 .text C:\Windows\System32\svchost.exe[2928] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000775ac010 5 bytes JMP 00000000000703b0 .text C:\Windows\System32\svchost.exe[2928] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000775ac050 5 bytes JMP 0000000000070440 .text C:\Windows\System32\svchost.exe[2928] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000775ac060 5 bytes JMP 00000000000703e0 .text C:\Windows\System32\svchost.exe[2928] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000775ac1c0 5 bytes JMP 0000000000070220 .text C:\Windows\System32\svchost.exe[2928] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000775ac380 5 bytes JMP 00000000000704a0 .text C:\Windows\System32\svchost.exe[2928] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000775ac3b0 5 bytes JMP 0000000000070390 .text C:\Windows\System32\svchost.exe[2928] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000775ac490 5 bytes JMP 00000000000702e0 .text C:\Windows\System32\svchost.exe[2928] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000775ac4a0 5 bytes JMP 0000000000070340 .text C:\Windows\System32\svchost.exe[2928] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000775ac500 5 bytes JMP 0000000000070280 .text C:\Windows\System32\svchost.exe[2928] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000775ac590 5 bytes JMP 00000000000702a0 .text C:\Windows\System32\svchost.exe[2928] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000775ac5b0 5 bytes JMP 00000000000703c0 .text C:\Windows\System32\svchost.exe[2928] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000775ac5c0 5 bytes JMP 0000000000070320 .text C:\Windows\System32\svchost.exe[2928] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000775ac630 5 bytes JMP 0000000000070410 .text C:\Windows\System32\svchost.exe[2928] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000775ac660 5 bytes JMP 0000000000070230 .text C:\Windows\System32\svchost.exe[2928] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 00000000775ac800 5 bytes JMP 00000000000703f0 .text C:\Windows\System32\svchost.exe[2928] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000775ac920 5 bytes JMP 00000000000701d0 .text C:\Windows\System32\svchost.exe[2928] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000775ac9e0 5 bytes JMP 0000000000070240 .text C:\Windows\System32\svchost.exe[2928] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000775aca10 5 bytes JMP 00000000000704b0 .text C:\Windows\System32\svchost.exe[2928] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000775aca20 5 bytes JMP 00000000000704c0 .text C:\Windows\System32\svchost.exe[2928] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000775aca50 5 bytes JMP 00000000000702f0 .text C:\Windows\System32\svchost.exe[2928] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000775aca60 5 bytes JMP 0000000000070350 .text C:\Windows\System32\svchost.exe[2928] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000775acac0 5 bytes JMP 0000000000070290 .text C:\Windows\System32\svchost.exe[2928] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000775acb10 5 bytes JMP 00000000000702b0 .text C:\Windows\System32\svchost.exe[2928] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000775acb40 5 bytes JMP 0000000000070370 .text C:\Windows\System32\svchost.exe[2928] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000775acb50 5 bytes JMP 0000000000070330 .text C:\Windows\System32\svchost.exe[2928] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000775ace40 5 bytes JMP 0000000000070460 .text C:\Windows\System32\svchost.exe[2928] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 00000000775acfa0 5 bytes JMP 0000000000070420 .text C:\Windows\System32\svchost.exe[2928] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000775ad040 5 bytes JMP 0000000000070250 .text C:\Windows\System32\svchost.exe[2928] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000775ad050 5 bytes JMP 0000000000070260 .text C:\Windows\System32\svchost.exe[2928] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000775ad060 5 bytes JMP 0000000000070400 .text C:\Windows\System32\svchost.exe[2928] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000775ad220 5 bytes JMP 00000000000701e0 .text C:\Windows\System32\svchost.exe[2928] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000775ad230 5 bytes JMP 0000000000070200 .text C:\Windows\System32\svchost.exe[2928] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000775ad2a0 5 bytes JMP 00000000000701f0 .text C:\Windows\System32\svchost.exe[2928] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000775ad300 5 bytes JMP 0000000000070430 .text C:\Windows\System32\svchost.exe[2928] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000775ad310 5 bytes JMP 0000000000070450 .text C:\Windows\System32\svchost.exe[2928] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000775ad320 5 bytes JMP 0000000000070210 .text C:\Windows\System32\svchost.exe[2928] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000775ad400 5 bytes JMP 0000000000070270 .text C:\Windows\system32\svchost.exe[3204] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000775abbe0 5 bytes JMP 0000000077710480 .text C:\Windows\system32\svchost.exe[3204] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000775abc30 5 bytes JMP 0000000077710470 .text C:\Windows\system32\svchost.exe[3204] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000775abd90 5 bytes JMP 0000000077710360 .text C:\Windows\system32\svchost.exe[3204] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000775abde0 5 bytes JMP 0000000077710490 .text C:\Windows\system32\svchost.exe[3204] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000775abdf0 5 bytes JMP 00000000777103d0 .text C:\Windows\system32\svchost.exe[3204] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000775abea0 5 bytes JMP 0000000077710310 .text C:\Windows\system32\svchost.exe[3204] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000775abed0 5 bytes JMP 00000000777103a0 .text C:\Windows\system32\svchost.exe[3204] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000775abef0 1 byte JMP 0000000077710380 .text C:\Windows\system32\svchost.exe[3204] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 00000000775abef2 3 bytes {JMP 0x164490} .text C:\Windows\system32\svchost.exe[3204] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000775abf30 5 bytes JMP 00000000777102d0 .text C:\Windows\system32\svchost.exe[3204] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000775abfb0 5 bytes JMP 00000000777102c0 .text C:\Windows\system32\svchost.exe[3204] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000775abfd0 5 bytes JMP 0000000077710300 .text C:\Windows\system32\svchost.exe[3204] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000775ac010 5 bytes JMP 00000000777103b0 .text C:\Windows\system32\svchost.exe[3204] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000775ac050 5 bytes JMP 0000000077710440 .text C:\Windows\system32\svchost.exe[3204] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000775ac060 5 bytes JMP 00000000777103e0 .text C:\Windows\system32\svchost.exe[3204] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000775ac1c0 5 bytes JMP 0000000077710220 .text C:\Windows\system32\svchost.exe[3204] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000775ac380 5 bytes JMP 00000000777104a0 .text C:\Windows\system32\svchost.exe[3204] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000775ac3b0 5 bytes JMP 0000000077710390 .text C:\Windows\system32\svchost.exe[3204] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000775ac490 5 bytes JMP 00000000777102e0 .text C:\Windows\system32\svchost.exe[3204] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000775ac4a0 5 bytes JMP 0000000077710340 .text C:\Windows\system32\svchost.exe[3204] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000775ac500 5 bytes JMP 0000000077710280 .text C:\Windows\system32\svchost.exe[3204] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000775ac590 5 bytes JMP 00000000777102a0 .text C:\Windows\system32\svchost.exe[3204] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000775ac5b0 5 bytes JMP 00000000777103c0 .text C:\Windows\system32\svchost.exe[3204] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000775ac5c0 5 bytes JMP 0000000077710320 .text C:\Windows\system32\svchost.exe[3204] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000775ac630 5 bytes JMP 0000000077710410 .text C:\Windows\system32\svchost.exe[3204] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000775ac660 5 bytes JMP 0000000077710230 .text C:\Windows\system32\svchost.exe[3204] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 00000000775ac800 5 bytes JMP 00000000777103f0 .text C:\Windows\system32\svchost.exe[3204] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000775ac920 5 bytes JMP 00000000777101d0 .text C:\Windows\system32\svchost.exe[3204] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000775ac9e0 5 bytes JMP 0000000077710240 .text C:\Windows\system32\svchost.exe[3204] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000775aca10 5 bytes JMP 00000000777104b0 .text C:\Windows\system32\svchost.exe[3204] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000775aca20 5 bytes JMP 00000000777104c0 .text C:\Windows\system32\svchost.exe[3204] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000775aca50 5 bytes JMP 00000000777102f0 .text C:\Windows\system32\svchost.exe[3204] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000775aca60 5 bytes JMP 0000000077710350 .text C:\Windows\system32\svchost.exe[3204] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000775acac0 5 bytes JMP 0000000077710290 .text C:\Windows\system32\svchost.exe[3204] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000775acb10 5 bytes JMP 00000000777102b0 .text C:\Windows\system32\svchost.exe[3204] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000775acb40 5 bytes JMP 0000000077710370 .text C:\Windows\system32\svchost.exe[3204] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000775acb50 5 bytes JMP 0000000077710330 .text C:\Windows\system32\svchost.exe[3204] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000775ace40 5 bytes JMP 0000000077710460 .text C:\Windows\system32\svchost.exe[3204] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 00000000775acfa0 5 bytes JMP 0000000077710420 .text C:\Windows\system32\svchost.exe[3204] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000775ad040 5 bytes JMP 0000000077710250 .text C:\Windows\system32\svchost.exe[3204] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000775ad050 5 bytes JMP 0000000077710260 .text C:\Windows\system32\svchost.exe[3204] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000775ad060 5 bytes JMP 0000000077710400 .text C:\Windows\system32\svchost.exe[3204] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000775ad220 5 bytes JMP 00000000777101e0 .text C:\Windows\system32\svchost.exe[3204] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000775ad230 5 bytes JMP 0000000077710200 .text C:\Windows\system32\svchost.exe[3204] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000775ad2a0 5 bytes JMP 00000000777101f0 .text C:\Windows\system32\svchost.exe[3204] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000775ad300 5 bytes JMP 0000000077710430 .text C:\Windows\system32\svchost.exe[3204] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000775ad310 5 bytes JMP 0000000077710450 .text C:\Windows\system32\svchost.exe[3204] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000775ad320 5 bytes JMP 0000000077710210 .text C:\Windows\system32\svchost.exe[3204] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000775ad400 5 bytes JMP 0000000077710270 .text C:\Windows\system32\wbem\wmiprvse.exe[3684] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000775abbe0 5 bytes JMP 0000000077710480 .text C:\Windows\system32\wbem\wmiprvse.exe[3684] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000775abc30 5 bytes JMP 0000000077710470 .text C:\Windows\system32\wbem\wmiprvse.exe[3684] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000775abd90 5 bytes JMP 0000000077710360 .text C:\Windows\system32\wbem\wmiprvse.exe[3684] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000775abde0 5 bytes JMP 0000000077710490 .text C:\Windows\system32\wbem\wmiprvse.exe[3684] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000775abdf0 5 bytes JMP 00000000777103d0 .text C:\Windows\system32\wbem\wmiprvse.exe[3684] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000775abea0 5 bytes JMP 0000000077710310 .text C:\Windows\system32\wbem\wmiprvse.exe[3684] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000775abed0 5 bytes JMP 00000000777103a0 .text C:\Windows\system32\wbem\wmiprvse.exe[3684] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000775abef0 1 byte JMP 0000000077710380 .text C:\Windows\system32\wbem\wmiprvse.exe[3684] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 00000000775abef2 3 bytes {JMP 0x164490} .text C:\Windows\system32\wbem\wmiprvse.exe[3684] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000775abf30 5 bytes JMP 00000000777102d0 .text C:\Windows\system32\wbem\wmiprvse.exe[3684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000775abfb0 5 bytes JMP 00000000777102c0 .text C:\Windows\system32\wbem\wmiprvse.exe[3684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000775abfd0 5 bytes JMP 0000000077710300 .text C:\Windows\system32\wbem\wmiprvse.exe[3684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000775ac010 5 bytes JMP 00000000777103b0 .text C:\Windows\system32\wbem\wmiprvse.exe[3684] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000775ac050 5 bytes JMP 0000000077710440 .text C:\Windows\system32\wbem\wmiprvse.exe[3684] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000775ac060 5 bytes JMP 00000000777103e0 .text C:\Windows\system32\wbem\wmiprvse.exe[3684] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000775ac1c0 5 bytes JMP 0000000077710220 .text C:\Windows\system32\wbem\wmiprvse.exe[3684] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000775ac380 5 bytes JMP 00000000777104a0 .text C:\Windows\system32\wbem\wmiprvse.exe[3684] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000775ac3b0 5 bytes JMP 0000000077710390 .text C:\Windows\system32\wbem\wmiprvse.exe[3684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000775ac490 5 bytes JMP 00000000777102e0 .text C:\Windows\system32\wbem\wmiprvse.exe[3684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000775ac4a0 5 bytes JMP 0000000077710340 .text C:\Windows\system32\wbem\wmiprvse.exe[3684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000775ac500 5 bytes JMP 0000000077710280 .text C:\Windows\system32\wbem\wmiprvse.exe[3684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000775ac590 5 bytes JMP 00000000777102a0 .text C:\Windows\system32\wbem\wmiprvse.exe[3684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000775ac5b0 5 bytes JMP 00000000777103c0 .text C:\Windows\system32\wbem\wmiprvse.exe[3684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000775ac5c0 5 bytes JMP 0000000077710320 .text C:\Windows\system32\wbem\wmiprvse.exe[3684] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000775ac630 5 bytes JMP 0000000077710410 .text C:\Windows\system32\wbem\wmiprvse.exe[3684] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000775ac660 5 bytes JMP 0000000077710230 .text C:\Windows\system32\wbem\wmiprvse.exe[3684] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 00000000775ac800 5 bytes JMP 00000000777103f0 .text C:\Windows\system32\wbem\wmiprvse.exe[3684] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000775ac920 5 bytes JMP 00000000777101d0 .text C:\Windows\system32\wbem\wmiprvse.exe[3684] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000775ac9e0 5 bytes JMP 0000000077710240 .text C:\Windows\system32\wbem\wmiprvse.exe[3684] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000775aca10 5 bytes JMP 00000000777104b0 .text C:\Windows\system32\wbem\wmiprvse.exe[3684] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000775aca20 5 bytes JMP 00000000777104c0 .text C:\Windows\system32\wbem\wmiprvse.exe[3684] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000775aca50 5 bytes JMP 00000000777102f0 .text C:\Windows\system32\wbem\wmiprvse.exe[3684] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000775aca60 5 bytes JMP 0000000077710350 .text C:\Windows\system32\wbem\wmiprvse.exe[3684] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000775acac0 5 bytes JMP 0000000077710290 .text C:\Windows\system32\wbem\wmiprvse.exe[3684] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000775acb10 5 bytes JMP 00000000777102b0 .text C:\Windows\system32\wbem\wmiprvse.exe[3684] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000775acb40 5 bytes JMP 0000000077710370 .text C:\Windows\system32\wbem\wmiprvse.exe[3684] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000775acb50 5 bytes JMP 0000000077710330 .text C:\Windows\system32\wbem\wmiprvse.exe[3684] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000775ace40 5 bytes JMP 0000000077710460 .text C:\Windows\system32\wbem\wmiprvse.exe[3684] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 00000000775acfa0 5 bytes JMP 0000000077710420 .text C:\Windows\system32\wbem\wmiprvse.exe[3684] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000775ad040 5 bytes JMP 0000000077710250 .text C:\Windows\system32\wbem\wmiprvse.exe[3684] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000775ad050 5 bytes JMP 0000000077710260 .text C:\Windows\system32\wbem\wmiprvse.exe[3684] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000775ad060 5 bytes JMP 0000000077710400 .text C:\Windows\system32\wbem\wmiprvse.exe[3684] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000775ad220 5 bytes JMP 00000000777101e0 .text C:\Windows\system32\wbem\wmiprvse.exe[3684] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000775ad230 5 bytes JMP 0000000077710200 .text C:\Windows\system32\wbem\wmiprvse.exe[3684] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000775ad2a0 5 bytes JMP 00000000777101f0 .text C:\Windows\system32\wbem\wmiprvse.exe[3684] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000775ad300 5 bytes JMP 0000000077710430 .text C:\Windows\system32\wbem\wmiprvse.exe[3684] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000775ad310 5 bytes JMP 0000000077710450 .text C:\Windows\system32\wbem\wmiprvse.exe[3684] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000775ad320 5 bytes JMP 0000000077710210 .text C:\Windows\system32\wbem\wmiprvse.exe[3684] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000775ad400 5 bytes JMP 0000000077710270 .text C:\Windows\System32\svchost.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000775abbe0 5 bytes JMP 0000000077710480 .text C:\Windows\System32\svchost.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000775abc30 5 bytes JMP 0000000077710470 .text C:\Windows\System32\svchost.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000775abd90 5 bytes JMP 0000000077710360 .text C:\Windows\System32\svchost.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000775abde0 5 bytes JMP 0000000077710490 .text C:\Windows\System32\svchost.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000775abdf0 5 bytes JMP 00000000777103d0 .text C:\Windows\System32\svchost.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000775abea0 5 bytes JMP 0000000077710310 .text C:\Windows\System32\svchost.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000775abed0 5 bytes JMP 00000000777103a0 .text C:\Windows\System32\svchost.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000775abef0 1 byte JMP 0000000077710380 .text C:\Windows\System32\svchost.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 00000000775abef2 3 bytes {JMP 0x164490} .text C:\Windows\System32\svchost.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000775abf30 5 bytes JMP 00000000777102d0 .text C:\Windows\System32\svchost.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000775abfb0 5 bytes JMP 00000000777102c0 .text C:\Windows\System32\svchost.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000775abfd0 5 bytes JMP 0000000077710300 .text C:\Windows\System32\svchost.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000775ac010 5 bytes JMP 00000000777103b0 .text C:\Windows\System32\svchost.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000775ac050 5 bytes JMP 0000000077710440 .text C:\Windows\System32\svchost.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000775ac060 5 bytes JMP 00000000777103e0 .text C:\Windows\System32\svchost.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000775ac1c0 5 bytes JMP 0000000077710220 .text C:\Windows\System32\svchost.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000775ac380 5 bytes JMP 00000000777104a0 .text C:\Windows\System32\svchost.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000775ac3b0 5 bytes JMP 0000000077710390 .text C:\Windows\System32\svchost.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000775ac490 5 bytes JMP 00000000777102e0 .text C:\Windows\System32\svchost.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000775ac4a0 5 bytes JMP 0000000077710340 .text C:\Windows\System32\svchost.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000775ac500 5 bytes JMP 0000000077710280 .text C:\Windows\System32\svchost.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000775ac590 5 bytes JMP 00000000777102a0 .text C:\Windows\System32\svchost.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000775ac5b0 5 bytes JMP 00000000777103c0 .text C:\Windows\System32\svchost.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000775ac5c0 5 bytes JMP 0000000077710320 .text C:\Windows\System32\svchost.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000775ac630 5 bytes JMP 0000000077710410 .text C:\Windows\System32\svchost.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000775ac660 5 bytes JMP 0000000077710230 .text C:\Windows\System32\svchost.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 00000000775ac800 5 bytes JMP 00000000777103f0 .text C:\Windows\System32\svchost.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000775ac920 5 bytes JMP 00000000777101d0 .text C:\Windows\System32\svchost.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000775ac9e0 5 bytes JMP 0000000077710240 .text C:\Windows\System32\svchost.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000775aca10 5 bytes JMP 00000000777104b0 .text C:\Windows\System32\svchost.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000775aca20 5 bytes JMP 00000000777104c0 .text C:\Windows\System32\svchost.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000775aca50 5 bytes JMP 00000000777102f0 .text C:\Windows\System32\svchost.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000775aca60 5 bytes JMP 0000000077710350 .text C:\Windows\System32\svchost.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000775acac0 5 bytes JMP 0000000077710290 .text C:\Windows\System32\svchost.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000775acb10 5 bytes JMP 00000000777102b0 .text C:\Windows\System32\svchost.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000775acb40 5 bytes JMP 0000000077710370 .text C:\Windows\System32\svchost.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000775acb50 5 bytes JMP 0000000077710330 .text C:\Windows\System32\svchost.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000775ace40 5 bytes JMP 0000000077710460 .text C:\Windows\System32\svchost.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 00000000775acfa0 5 bytes JMP 0000000077710420 .text C:\Windows\System32\svchost.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000775ad040 5 bytes JMP 0000000077710250 .text C:\Windows\System32\svchost.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000775ad050 5 bytes JMP 0000000077710260 .text C:\Windows\System32\svchost.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000775ad060 5 bytes JMP 0000000077710400 .text C:\Windows\System32\svchost.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000775ad220 5 bytes JMP 00000000777101e0 .text C:\Windows\System32\svchost.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000775ad230 5 bytes JMP 0000000077710200 .text C:\Windows\System32\svchost.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000775ad2a0 5 bytes JMP 00000000777101f0 .text C:\Windows\System32\svchost.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000775ad300 5 bytes JMP 0000000077710430 .text C:\Windows\System32\svchost.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000775ad310 5 bytes JMP 0000000077710450 .text C:\Windows\System32\svchost.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000775ad320 5 bytes JMP 0000000077710210 .text C:\Windows\System32\svchost.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000775ad400 5 bytes JMP 0000000077710270 ---- Kernel IAT/EAT - GMER 2.2 ---- IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort] [fffff88001010e94] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUchar] [fffff88001010c38] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUchar] [fffff88001011614] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUlong] [fffff88001011a10] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort] [fffff8800101186c] \SystemRoot\System32\Drivers\sptd.sys [.text] ---- Devices - GMER 2.2 ---- Device \Driver\aydxb1ek \Device\Scsi\aydxb1ek1 fffffa8004c5a2c0 Device \FileSystem\Ntfs \Ntfs fffffa80036b92c0 Device \FileSystem\fastfat \Fat fffffa80047f82c0 Device \Driver\NetBT \Device\NetBT_Tcpip_{662EB87E-0D96-4F65-A622-54F328EA8B6B} fffffa80049672c0 Device \Driver\usbehci \Device\USBFDO-3 fffffa8004a1d2c0 Device \Driver\usbehci \Device\USBPDO-1 fffffa8004a1d2c0 Device \Driver\nvstor64 \Device\RaidPort0 fffffa80036b52c0 Device \Driver\cdrom \Device\CdRom0 fffffa80048562c0 Device \Driver\nvstor64 \Device\0000006f fffffa80036b52c0 Device \Driver\usbohci \Device\USBPDO-2 fffffa8004a132c0 Device \Driver\usbohci \Device\USBFDO-0 fffffa8004a132c0 Device \Driver\dtsoftbus01 \Device\DTSoftBusCtl fffffa8004cbb2c0 Device \Driver\usbehci \Device\USBPDO-3 fffffa8004a1d2c0 Device \Driver\usbehci \Device\USBFDO-1 fffffa8004a1d2c0 Device \Driver\NetBT \Device\NetBt_Wins_Export fffffa80049672c0 Device \Driver\nvstor64 \Device\ScsiPort0 fffffa80036b52c0 Device \Driver\usbohci \Device\USBFDO-2 fffffa8004a132c0 Device \Driver\NetBT \Device\NetBT_Tcpip_{2DE4FBF5-845B-4EB7-B9A1-8BB24B9E1608} fffffa80049672c0 Device \Driver\usbohci \Device\USBPDO-0 fffffa8004a132c0 Device \Driver\aydxb1ek \Device\ScsiPort1 fffffa8004c5a2c0 Device \Driver\nvstor64 \Device\0000006e fffffa80036b52c0 ---- Trace I/O - GMER 2.2 ---- Trace ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys >>UNKNOWN [0xfffffa80036b52c0]<< sptd.sys storport.sys hal.dll nvstor64.sys fffffa80036b52c0 Trace 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa800463e060] fffffa800463e060 Trace 3 CLASSPNP.SYS[fffff88001b4043f] -> nt!IofCallDriver -> [0xfffffa8004818e40] fffffa8004818e40 Trace 5 ACPI.sys[fffff880011377a1] -> nt!IofCallDriver -> \Device\0000006e[0xfffffa80044e3060] fffffa80044e3060 Trace \Driver\nvstor64[0xfffffa80044dae70] -> IRP_MJ_CREATE -> 0xfffffa80036b52c0 fffffa80036b52c0 ---- Modules - GMER 2.2 ---- Module \SystemRoot\System32\Drivers\aydxb1ek.SYS fffff88004a00000-fffff88004a51000 (331776 bytes) ---- Registry - GMER 2.2 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters\Instup_14750883606252280@SetupOperations ????????????????{6bdd1fc6-810f-11d0-bec7-08002be2092f}\0002?nt??@usbprint.inf,%msft%;Microsoft?-?&??{36fc9e60-c465-11cf-8056-444553540000}\0024??????e?f?k?j?k?k?k?k?k?k?k?k?m???????????a?????????tl:??????????????????DiskDrive????????????I??????&P??disk.inf??????V??????????????d????H??????????????????????)???'???)?????????????????s????????????????????????@input.inf,%stdmfg%;(Standardowe urz?dzenia systemowe)???????i?j?k?m?m?j?n?j???j?k????N??????F?????D_4???????????e??????@wdma_usb.inf,%usb\class_01.devicedesc%;Urz?dzenie audio USB????@input.inf,%hid.devicedesc%;Urz?dzenie wej?ciowe USB?s???????????????????????????a???????????????s??W6??gendisk??????$???????o??????????????????of??????$???4????? ??????? ??????????????????????????????????????????????????????? ??????????? ??????????? ??????????????? ???????????HJ???????????k???????k???k???k???????????????????????k???????k???????Q???????k?????????????????????????? ??????????????????? ??????????? ?????????????????? ?????????????????????0????????????????????? ????? Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters\Instup_14750886143142280@SetupOperations ????????BTHMODEM?????????i???????????????s??????????????????????????????t???????s????s?s?s?s?s???!???s???D????????????????gys???????????????s???? ???i??????????????winhttp.dll?????????e???????????????????????? ???????s???????????s????????,????? ???????????????????????????????????????d???????????????e????????s??????????????????KeyboardClass???????????????????????????????????????????????????? ???????n?????s????????????????X??????????????????????????????????????????????s????system32\drivers\MSPQM.sys????????T????????????e?????????????????????????????????????????s???????????????s???s???s??? ???s???7????? 15????X??z?????????e??????>????????g?????????????????????s??????????????t???6&2290901f&0?????s??????????????\SystemRoot\system32\DRIVERS\megasas.sys?e???j?j?j?j?j?s?s??255.0.0.0???? ???????s???????????s?????????????? ???????????? ??????????????????? ???????n?????s?????s??????????@?????????????"??s?????????e????@keyiso.dll,-100??????@??s????????h?????%SystemRoot%\system32\lsass.exe???????"??s?????????n????@keyiso Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\111111111111 Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\111111111111@0022982ef1a2 0x1F 0xC3 0xC0 0xE6 ... Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\111111111111@d051629baad8 0xF9 0xA4 0x39 0x35 ... Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters\Instup_14750883606252280@SetupOperations ????ob??????er??????????????????????????????????????\\?\STORAGE#Volume#_??_USBSTOR#Disk&Ven_Sony_Eri&Prod_Memory_Stick&Rev____0#3587900224235310&1#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}????%SystemRoot%\system32\wpdshext.dll,-701??X??????input.inf???wpdfs.inf:Microsoft.NTamd64:Basic_Install:6.1.7600.16385:wpdbusenum\fs??????_Networkingperfcounters.ini?????????????????????????????????????????????????????????????????????? ???????????????????z??????????B? ? ?????????????????????B??????S????sndi??Microsoft SSL Protocol Provider??:????B??????s????s\dr??Microsoft SSL Protocol Provider?????%SystemRoot%\System32\IoLogMsg.dll;%SystemRoot%\System32\Drivers\usbehci.sys????????????????????@hal.inf,%gendev_mfg%;(Komputery standardowe)???.NT??????????????????????????????,??????????????????????????????@monitor.inf,%generic%;(Standardowe typy monitor?w)??????????????????e??Memory Stick?asicdevicename%;Sterownik woluminu systemu plik?w WPD??????{eec5ad98-8080-425f-922a-dabf3de3f69a}\0048 Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters\Instup_14750886143142280@SetupOperations ?????e??Memory Stick?asicdevicename%;Sterownik woluminu systemu plik?w WPD??????{eec5ad98-8080-425f-922a-dabf3de3f69a}\0048?nm??????????????????????????????????? ?????????????????????.??"???&?????????????????STORAGE#VOLUME#_??_USBSTOR#DISK&VEN_SONY_ERI&PROD_MEMORY_STICK&REV____0#3587900224235310&1#?????SD MMC Reader ?devicename%;Sterownik woluminu systemu plik?w WPD???m??NEC MBR-7 ?NEC MBR-7.4 ?PIONEER CHANGR DRM-1804X?PIONEER CD-ROM DRM-6324X?PIONEER CD-ROM DRM-624X ?TORiSAN CD-ROM CDR_C36??7??USB\VID_058F&PID_6387&REV_0106?USB\VID_058F&PID_6387????????????????Sterownik woluminu systemu plik?w WPD????????????9??45??????????wpdfs.inf:Microsoft.NTamd64:Basic_Install:6.1.7600.16385:wpdbusenum\fs?a w??????????????????????????????? ???????0??????t1??????????????????????????????????Sterownik woluminu systemu plik?w WPD???? ?????????????????????0??L????????? ??????1.7??? ?????????????????????4????????????????????usb\class_08&subclass_06&prot_50?9???????}?}?}?}?}?}?}?}?}?}?}?}?????n?n?n?n?n?o??????????? Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\111111111111 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\111111111111@0022982ef1a2 0x1F 0xC3 0xC0 0xE6 ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\111111111111@d051629baad8 0xF9 0xA4 0x39 0x35 ... Reg HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted@C:\Users\Niiesmiertelny\AppData\Local\Logitech\xae Webcam Software\Logishrd\LU2.0\LogitechUpdate.exe 1 ---- Files - GMER 2.2 ---- File C:\avast! sandbox 0 bytes File C:\avast! sandbox\S-1-5-21-2955672183-3658250396-1376213474-1001 0 bytes File C:\avast! sandbox\S-1-5-21-2955672183-3658250396-1376213474-1001\r39 0 bytes File C:\avast! sandbox\S-1-5-21-2955672183-3658250396-1376213474-1001\r39\WinToFlash.exe_{732fa964-922f-11e6-9612-9d4f9e653160} 0 bytes File C:\avast! sandbox\snx_rhive 262144 bytes File C:\avast! sandbox\snx_rhive.LOG1 5120 bytes File C:\avast! sandbox\snx_rhive.LOG2 0 bytes File C:\avast! sandbox\snx_rhive{732fa966-922f-11e6-9612-9d4f9e653160}.TM.blf 65536 bytes File C:\avast! sandbox\snx_rhive{732fa966-922f-11e6-9612-9d4f9e653160}.TMContainer00000000000000000001.regtrans-ms 524288 bytes File C:\avast! sandbox\snx_rhive{732fa966-922f-11e6-9612-9d4f9e653160}.TMContainer00000000000000000002.regtrans-ms 524288 bytes ---- EOF - GMER 2.2 ----