GMER 2.2.19882 - http://www.gmer.net Rootkit scan 2016-11-19 22:48:32 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 WDC_WD50 rev.01.0 465,76GB Running: mzx6pcq3.exe; Driver: C:\Users\SZYMEK\AppData\Local\Temp\kwrdipob.sys ---- User code sections - GMER 2.2 ---- .text C:\windows\system32\csrss.exe[480] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007707da60 5 bytes JMP 00000000496f0480 .text C:\windows\system32\csrss.exe[480] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007707dab0 5 bytes JMP 00000000496f0470 .text C:\windows\system32\csrss.exe[480] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007707dc10 5 bytes JMP 00000000496f0360 .text C:\windows\system32\csrss.exe[480] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007707dc60 5 bytes JMP 00000000496f0490 .text C:\windows\system32\csrss.exe[480] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007707dc70 5 bytes JMP 00000000496f03d0 .text C:\windows\system32\csrss.exe[480] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007707dd20 5 bytes JMP 00000000496f0310 .text C:\windows\system32\csrss.exe[480] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007707dd50 5 bytes JMP 00000000496f03a0 .text C:\windows\system32\csrss.exe[480] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007707dd70 5 bytes JMP 00000000496f0380 .text C:\windows\system32\csrss.exe[480] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007707ddb0 5 bytes JMP 00000000496f02d0 .text C:\windows\system32\csrss.exe[480] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007707de30 1 byte JMP 00000000496f02c0 .text C:\windows\system32\csrss.exe[480] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 000000007707de32 3 bytes {JMP 0xffffffffd2672490} .text C:\windows\system32\csrss.exe[480] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007707de50 5 bytes JMP 00000000496f0300 .text C:\windows\system32\csrss.exe[480] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007707de90 5 bytes JMP 00000000496f03b0 .text C:\windows\system32\csrss.exe[480] C:\windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007707ded0 5 bytes JMP 00000000496f0440 .text C:\windows\system32\csrss.exe[480] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007707dee0 5 bytes JMP 00000000496f03e0 .text C:\windows\system32\csrss.exe[480] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007707e040 5 bytes JMP 00000000496f0220 .text C:\windows\system32\csrss.exe[480] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007707e200 5 bytes JMP 00000000496f04a0 .text C:\windows\system32\csrss.exe[480] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007707e230 5 bytes JMP 00000000496f0390 .text C:\windows\system32\csrss.exe[480] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007707e310 5 bytes JMP 00000000496f02e0 .text C:\windows\system32\csrss.exe[480] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007707e320 5 bytes JMP 00000000496f0340 .text C:\windows\system32\csrss.exe[480] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007707e380 5 bytes JMP 00000000496f0280 .text C:\windows\system32\csrss.exe[480] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007707e410 1 byte JMP 00000000496f02a0 .text C:\windows\system32\csrss.exe[480] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 000000007707e412 3 bytes {JMP 0xffffffffd2671e90} .text C:\windows\system32\csrss.exe[480] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007707e430 1 byte JMP 00000000496f03c0 .text C:\windows\system32\csrss.exe[480] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 000000007707e432 3 bytes {JMP 0xffffffffd2671f90} .text C:\windows\system32\csrss.exe[480] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007707e440 5 bytes JMP 00000000496f0320 .text C:\windows\system32\csrss.exe[480] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007707e4b0 5 bytes JMP 00000000496f0410 .text C:\windows\system32\csrss.exe[480] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007707e4e0 5 bytes JMP 00000000496f0230 .text C:\windows\system32\csrss.exe[480] C:\windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007707e680 5 bytes JMP 00000000496f03f0 .text C:\windows\system32\csrss.exe[480] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007707e7a0 5 bytes JMP 00000000496f01d0 .text C:\windows\system32\csrss.exe[480] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007707e860 5 bytes JMP 00000000496f0240 .text C:\windows\system32\csrss.exe[480] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007707e890 5 bytes JMP 00000000496f04b0 .text C:\windows\system32\csrss.exe[480] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007707e8a0 5 bytes JMP 00000000496f04c0 .text C:\windows\system32\csrss.exe[480] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007707e8d0 5 bytes JMP 00000000496f02f0 .text C:\windows\system32\csrss.exe[480] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007707e8e0 5 bytes JMP 00000000496f0350 .text C:\windows\system32\csrss.exe[480] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007707e940 5 bytes JMP 00000000496f0290 .text C:\windows\system32\csrss.exe[480] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007707e990 5 bytes JMP 00000000496f02b0 .text C:\windows\system32\csrss.exe[480] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007707e9c0 5 bytes JMP 00000000496f0370 .text C:\windows\system32\csrss.exe[480] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007707e9d0 5 bytes JMP 00000000496f0330 .text C:\windows\system32\csrss.exe[480] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007707ecc0 5 bytes JMP 00000000496f0460 .text C:\windows\system32\csrss.exe[480] C:\windows\SYSTEM32\ntdll.dll!NtResumeProcess 000000007707ee20 5 bytes JMP 00000000496f0420 .text C:\windows\system32\csrss.exe[480] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007707eec0 1 byte JMP 00000000496f0250 .text C:\windows\system32\csrss.exe[480] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 000000007707eec2 3 bytes {JMP 0xffffffffd2671390} .text C:\windows\system32\csrss.exe[480] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007707eed0 1 byte JMP 00000000496f0260 .text C:\windows\system32\csrss.exe[480] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 000000007707eed2 3 bytes {JMP 0xffffffffd2671390} .text C:\windows\system32\csrss.exe[480] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007707eee0 5 bytes JMP 00000000496f0400 .text C:\windows\system32\csrss.exe[480] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007707f0a0 5 bytes JMP 00000000496f01e0 .text C:\windows\system32\csrss.exe[480] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007707f0b0 5 bytes JMP 00000000496f0200 .text C:\windows\system32\csrss.exe[480] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007707f120 5 bytes JMP 00000000496f01f0 .text C:\windows\system32\csrss.exe[480] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007707f180 5 bytes JMP 00000000496f0430 .text C:\windows\system32\csrss.exe[480] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007707f190 5 bytes JMP 00000000496f0450 .text C:\windows\system32\csrss.exe[480] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007707f1a0 5 bytes JMP 00000000496f0210 .text C:\windows\system32\csrss.exe[480] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007707f280 5 bytes JMP 00000000496f0270 .text C:\windows\system32\lsass.exe[620] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007707da60 5 bytes JMP 0000000000070480 .text C:\windows\system32\lsass.exe[620] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007707dab0 5 bytes JMP 0000000000070470 .text C:\windows\system32\lsass.exe[620] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007707dc10 5 bytes JMP 0000000000070360 .text C:\windows\system32\lsass.exe[620] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007707dc60 5 bytes JMP 0000000000070490 .text C:\windows\system32\lsass.exe[620] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007707dc70 5 bytes JMP 00000000000703d0 .text C:\windows\system32\lsass.exe[620] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007707dd20 5 bytes JMP 0000000000070310 .text C:\windows\system32\lsass.exe[620] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007707dd50 5 bytes JMP 00000000000703a0 .text C:\windows\system32\lsass.exe[620] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007707dd70 5 bytes JMP 0000000000070380 .text C:\windows\system32\lsass.exe[620] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007707ddb0 5 bytes JMP 00000000000702d0 .text C:\windows\system32\lsass.exe[620] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007707de30 1 byte JMP 00000000000702c0 .text C:\windows\system32\lsass.exe[620] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 000000007707de32 3 bytes {JMP 0xffffffff88ff2490} .text C:\windows\system32\lsass.exe[620] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007707de50 5 bytes JMP 0000000000070300 .text C:\windows\system32\lsass.exe[620] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007707de90 5 bytes JMP 00000000000703b0 .text C:\windows\system32\lsass.exe[620] C:\windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007707ded0 5 bytes JMP 0000000000070440 .text C:\windows\system32\lsass.exe[620] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007707dee0 5 bytes JMP 00000000000703e0 .text C:\windows\system32\lsass.exe[620] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007707e040 5 bytes JMP 0000000000070220 .text C:\windows\system32\lsass.exe[620] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007707e200 5 bytes JMP 00000000000704a0 .text C:\windows\system32\lsass.exe[620] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007707e230 5 bytes JMP 0000000000070390 .text C:\windows\system32\lsass.exe[620] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007707e310 5 bytes JMP 00000000000702e0 .text C:\windows\system32\lsass.exe[620] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007707e320 5 bytes JMP 0000000000070340 .text C:\windows\system32\lsass.exe[620] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007707e380 5 bytes JMP 0000000000070280 .text C:\windows\system32\lsass.exe[620] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007707e410 1 byte JMP 00000000000702a0 .text C:\windows\system32\lsass.exe[620] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 000000007707e412 3 bytes {JMP 0xffffffff88ff1e90} .text C:\windows\system32\lsass.exe[620] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007707e430 1 byte JMP 00000000000703c0 .text C:\windows\system32\lsass.exe[620] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 000000007707e432 3 bytes {JMP 0xffffffff88ff1f90} .text C:\windows\system32\lsass.exe[620] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007707e440 5 bytes JMP 0000000000070320 .text C:\windows\system32\lsass.exe[620] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007707e4b0 5 bytes JMP 0000000000070410 .text C:\windows\system32\lsass.exe[620] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007707e4e0 5 bytes JMP 0000000000070230 .text C:\windows\system32\lsass.exe[620] C:\windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007707e680 5 bytes JMP 00000000000703f0 .text C:\windows\system32\lsass.exe[620] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007707e7a0 5 bytes JMP 00000000000701d0 .text C:\windows\system32\lsass.exe[620] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007707e860 5 bytes JMP 0000000000070240 .text C:\windows\system32\lsass.exe[620] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007707e890 5 bytes JMP 00000000000704b0 .text C:\windows\system32\lsass.exe[620] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007707e8a0 5 bytes JMP 00000000000704c0 .text C:\windows\system32\lsass.exe[620] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007707e8d0 5 bytes JMP 00000000000702f0 .text C:\windows\system32\lsass.exe[620] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007707e8e0 5 bytes JMP 0000000000070350 .text C:\windows\system32\lsass.exe[620] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007707e940 5 bytes JMP 0000000000070290 .text C:\windows\system32\lsass.exe[620] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007707e990 5 bytes JMP 00000000000702b0 .text C:\windows\system32\lsass.exe[620] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007707e9c0 5 bytes JMP 0000000000070370 .text C:\windows\system32\lsass.exe[620] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007707e9d0 5 bytes JMP 0000000000070330 .text C:\windows\system32\lsass.exe[620] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007707ecc0 5 bytes JMP 0000000000070460 .text C:\windows\system32\lsass.exe[620] C:\windows\SYSTEM32\ntdll.dll!NtResumeProcess 000000007707ee20 5 bytes JMP 0000000000070420 .text C:\windows\system32\lsass.exe[620] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007707eec0 1 byte JMP 0000000000070250 .text C:\windows\system32\lsass.exe[620] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 000000007707eec2 3 bytes {JMP 0xffffffff88ff1390} .text C:\windows\system32\lsass.exe[620] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007707eed0 1 byte JMP 0000000000070260 .text C:\windows\system32\lsass.exe[620] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 000000007707eed2 3 bytes {JMP 0xffffffff88ff1390} .text C:\windows\system32\lsass.exe[620] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007707eee0 5 bytes JMP 0000000000070400 .text C:\windows\system32\lsass.exe[620] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007707f0a0 5 bytes JMP 00000000000701e0 .text C:\windows\system32\lsass.exe[620] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007707f0b0 5 bytes JMP 0000000000070200 .text C:\windows\system32\lsass.exe[620] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007707f120 5 bytes JMP 00000000000701f0 .text C:\windows\system32\lsass.exe[620] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007707f180 5 bytes JMP 0000000000070430 .text C:\windows\system32\lsass.exe[620] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007707f190 5 bytes JMP 0000000000070450 .text C:\windows\system32\lsass.exe[620] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007707f1a0 5 bytes JMP 0000000000070210 .text C:\windows\system32\lsass.exe[620] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007707f280 5 bytes JMP 0000000000070270 .text C:\windows\system32\svchost.exe[824] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007707da60 5 bytes JMP 00000000771e0480 .text C:\windows\system32\svchost.exe[824] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007707dab0 5 bytes JMP 00000000771e0470 .text C:\windows\system32\svchost.exe[824] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007707dc10 5 bytes JMP 00000000771e0360 .text C:\windows\system32\svchost.exe[824] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007707dc60 5 bytes JMP 00000000771e0490 .text C:\windows\system32\svchost.exe[824] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007707dc70 5 bytes JMP 00000000771e03d0 .text C:\windows\system32\svchost.exe[824] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007707dd20 5 bytes JMP 00000000771e0310 .text C:\windows\system32\svchost.exe[824] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007707dd50 5 bytes JMP 00000000771e03a0 .text C:\windows\system32\svchost.exe[824] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007707dd70 5 bytes JMP 00000000771e0380 .text C:\windows\system32\svchost.exe[824] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007707ddb0 5 bytes JMP 00000000771e02d0 .text C:\windows\system32\svchost.exe[824] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007707de30 1 byte JMP 00000000771e02c0 .text C:\windows\system32\svchost.exe[824] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 000000007707de32 3 bytes {JMP 0x162490} .text C:\windows\system32\svchost.exe[824] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007707de50 5 bytes JMP 00000000771e0300 .text C:\windows\system32\svchost.exe[824] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007707de90 5 bytes JMP 00000000771e03b0 .text C:\windows\system32\svchost.exe[824] C:\windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007707ded0 5 bytes JMP 00000000771e0440 .text C:\windows\system32\svchost.exe[824] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007707dee0 5 bytes JMP 00000000771e03e0 .text C:\windows\system32\svchost.exe[824] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007707e040 5 bytes JMP 00000000771e0220 .text C:\windows\system32\svchost.exe[824] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007707e200 5 bytes JMP 00000000771e04a0 .text C:\windows\system32\svchost.exe[824] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007707e230 5 bytes JMP 00000000771e0390 .text C:\windows\system32\svchost.exe[824] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007707e310 5 bytes JMP 00000000771e02e0 .text C:\windows\system32\svchost.exe[824] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007707e320 5 bytes JMP 00000000771e0340 .text C:\windows\system32\svchost.exe[824] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007707e380 5 bytes JMP 00000000771e0280 .text C:\windows\system32\svchost.exe[824] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007707e410 1 byte JMP 00000000771e02a0 .text C:\windows\system32\svchost.exe[824] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 000000007707e412 3 bytes {JMP 0x161e90} .text C:\windows\system32\svchost.exe[824] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007707e430 1 byte JMP 00000000771e03c0 .text C:\windows\system32\svchost.exe[824] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 000000007707e432 3 bytes {JMP 0x161f90} .text C:\windows\system32\svchost.exe[824] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007707e440 5 bytes JMP 00000000771e0320 .text C:\windows\system32\svchost.exe[824] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007707e4b0 5 bytes JMP 00000000771e0410 .text C:\windows\system32\svchost.exe[824] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007707e4e0 5 bytes JMP 00000000771e0230 .text C:\windows\system32\svchost.exe[824] C:\windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007707e680 5 bytes JMP 00000000771e03f0 .text C:\windows\system32\svchost.exe[824] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007707e7a0 5 bytes JMP 00000000771e01d0 .text C:\windows\system32\svchost.exe[824] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007707e860 5 bytes JMP 00000000771e0240 .text C:\windows\system32\svchost.exe[824] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007707e890 5 bytes JMP 00000000771e04b0 .text C:\windows\system32\svchost.exe[824] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007707e8a0 5 bytes JMP 00000000771e04c0 .text C:\windows\system32\svchost.exe[824] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007707e8d0 5 bytes JMP 00000000771e02f0 .text C:\windows\system32\svchost.exe[824] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007707e8e0 5 bytes JMP 00000000771e0350 .text C:\windows\system32\svchost.exe[824] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007707e940 5 bytes JMP 00000000771e0290 .text C:\windows\system32\svchost.exe[824] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007707e990 5 bytes JMP 00000000771e02b0 .text C:\windows\system32\svchost.exe[824] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007707e9c0 5 bytes JMP 00000000771e0370 .text C:\windows\system32\svchost.exe[824] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007707e9d0 5 bytes JMP 00000000771e0330 .text C:\windows\system32\svchost.exe[824] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007707ecc0 5 bytes JMP 00000000771e0460 .text C:\windows\system32\svchost.exe[824] C:\windows\SYSTEM32\ntdll.dll!NtResumeProcess 000000007707ee20 5 bytes JMP 00000000771e0420 .text C:\windows\system32\svchost.exe[824] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007707eec0 1 byte JMP 00000000771e0250 .text C:\windows\system32\svchost.exe[824] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 000000007707eec2 3 bytes {JMP 0x161390} .text C:\windows\system32\svchost.exe[824] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007707eed0 1 byte JMP 00000000771e0260 .text C:\windows\system32\svchost.exe[824] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 000000007707eed2 3 bytes {JMP 0x161390} .text C:\windows\system32\svchost.exe[824] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007707eee0 5 bytes JMP 00000000771e0400 .text C:\windows\system32\svchost.exe[824] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007707f0a0 5 bytes JMP 00000000771e01e0 .text C:\windows\system32\svchost.exe[824] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007707f0b0 5 bytes JMP 00000000771e0200 .text C:\windows\system32\svchost.exe[824] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007707f120 5 bytes JMP 00000000771e01f0 .text C:\windows\system32\svchost.exe[824] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007707f180 5 bytes JMP 00000000771e0430 .text C:\windows\system32\svchost.exe[824] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007707f190 5 bytes JMP 00000000771e0450 .text C:\windows\system32\svchost.exe[824] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007707f1a0 5 bytes JMP 00000000771e0210 .text C:\windows\system32\svchost.exe[824] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007707f280 5 bytes JMP 00000000771e0270 .text C:\windows\System32\svchost.exe[876] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007707da60 5 bytes JMP 00000000771e0480 .text C:\windows\System32\svchost.exe[876] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007707dab0 5 bytes JMP 00000000771e0470 .text C:\windows\System32\svchost.exe[876] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007707dc10 5 bytes JMP 00000000771e0360 .text C:\windows\System32\svchost.exe[876] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007707dc60 5 bytes JMP 00000000771e0490 .text C:\windows\System32\svchost.exe[876] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007707dc70 5 bytes JMP 00000000771e03d0 .text C:\windows\System32\svchost.exe[876] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007707dd20 5 bytes JMP 00000000771e0310 .text C:\windows\System32\svchost.exe[876] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007707dd50 5 bytes JMP 00000000771e03a0 .text C:\windows\System32\svchost.exe[876] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007707dd70 5 bytes JMP 00000000771e0380 .text C:\windows\System32\svchost.exe[876] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007707ddb0 5 bytes JMP 00000000771e02d0 .text C:\windows\System32\svchost.exe[876] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007707de30 1 byte JMP 00000000771e02c0 .text C:\windows\System32\svchost.exe[876] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 000000007707de32 3 bytes {JMP 0x162490} .text C:\windows\System32\svchost.exe[876] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007707de50 5 bytes JMP 00000000771e0300 .text C:\windows\System32\svchost.exe[876] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007707de90 5 bytes JMP 00000000771e03b0 .text C:\windows\System32\svchost.exe[876] C:\windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007707ded0 5 bytes JMP 00000000771e0440 .text C:\windows\System32\svchost.exe[876] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007707dee0 5 bytes JMP 00000000771e03e0 .text C:\windows\System32\svchost.exe[876] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007707e040 5 bytes JMP 00000000771e0220 .text C:\windows\System32\svchost.exe[876] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007707e200 5 bytes JMP 00000000771e04a0 .text C:\windows\System32\svchost.exe[876] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007707e230 5 bytes JMP 00000000771e0390 .text C:\windows\System32\svchost.exe[876] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007707e310 5 bytes JMP 00000000771e02e0 .text C:\windows\System32\svchost.exe[876] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007707e320 5 bytes JMP 00000000771e0340 .text C:\windows\System32\svchost.exe[876] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007707e380 5 bytes JMP 00000000771e0280 .text C:\windows\System32\svchost.exe[876] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007707e410 1 byte JMP 00000000771e02a0 .text C:\windows\System32\svchost.exe[876] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 000000007707e412 3 bytes {JMP 0x161e90} .text C:\windows\System32\svchost.exe[876] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007707e430 1 byte JMP 00000000771e03c0 .text C:\windows\System32\svchost.exe[876] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 000000007707e432 3 bytes {JMP 0x161f90} .text C:\windows\System32\svchost.exe[876] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007707e440 5 bytes JMP 00000000771e0320 .text C:\windows\System32\svchost.exe[876] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007707e4b0 5 bytes JMP 00000000771e0410 .text C:\windows\System32\svchost.exe[876] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007707e4e0 5 bytes JMP 00000000771e0230 .text C:\windows\System32\svchost.exe[876] C:\windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007707e680 5 bytes JMP 00000000771e03f0 .text C:\windows\System32\svchost.exe[876] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007707e7a0 5 bytes JMP 00000000771e01d0 .text C:\windows\System32\svchost.exe[876] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007707e860 5 bytes JMP 00000000771e0240 .text C:\windows\System32\svchost.exe[876] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007707e890 5 bytes JMP 00000000771e04b0 .text C:\windows\System32\svchost.exe[876] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007707e8a0 5 bytes JMP 00000000771e04c0 .text C:\windows\System32\svchost.exe[876] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007707e8d0 5 bytes JMP 00000000771e02f0 .text C:\windows\System32\svchost.exe[876] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007707e8e0 5 bytes JMP 00000000771e0350 .text C:\windows\System32\svchost.exe[876] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007707e940 5 bytes JMP 00000000771e0290 .text C:\windows\System32\svchost.exe[876] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007707e990 5 bytes JMP 00000000771e02b0 .text C:\windows\System32\svchost.exe[876] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007707e9c0 5 bytes JMP 00000000771e0370 .text C:\windows\System32\svchost.exe[876] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007707e9d0 5 bytes JMP 00000000771e0330 .text C:\windows\System32\svchost.exe[876] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007707ecc0 5 bytes JMP 00000000771e0460 .text C:\windows\System32\svchost.exe[876] C:\windows\SYSTEM32\ntdll.dll!NtResumeProcess 000000007707ee20 5 bytes JMP 00000000771e0420 .text C:\windows\System32\svchost.exe[876] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007707eec0 1 byte JMP 00000000771e0250 .text C:\windows\System32\svchost.exe[876] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 000000007707eec2 3 bytes {JMP 0x161390} .text C:\windows\System32\svchost.exe[876] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007707eed0 1 byte JMP 00000000771e0260 .text C:\windows\System32\svchost.exe[876] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 000000007707eed2 3 bytes {JMP 0x161390} .text C:\windows\System32\svchost.exe[876] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007707eee0 5 bytes JMP 00000000771e0400 .text C:\windows\System32\svchost.exe[876] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007707f0a0 5 bytes JMP 00000000771e01e0 .text C:\windows\System32\svchost.exe[876] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007707f0b0 5 bytes JMP 00000000771e0200 .text C:\windows\System32\svchost.exe[876] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007707f120 5 bytes JMP 00000000771e01f0 .text C:\windows\System32\svchost.exe[876] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007707f180 5 bytes JMP 00000000771e0430 .text C:\windows\System32\svchost.exe[876] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007707f190 5 bytes JMP 00000000771e0450 .text C:\windows\System32\svchost.exe[876] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007707f1a0 5 bytes JMP 00000000771e0210 .text C:\windows\System32\svchost.exe[876] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007707f280 5 bytes JMP 00000000771e0270 .text C:\windows\System32\svchost.exe[924] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007707da60 5 bytes JMP 0000000000070480 .text C:\windows\System32\svchost.exe[924] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007707dab0 5 bytes JMP 0000000000070470 .text C:\windows\System32\svchost.exe[924] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007707dc10 5 bytes JMP 0000000000070360 .text C:\windows\System32\svchost.exe[924] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007707dc60 5 bytes JMP 0000000000070490 .text C:\windows\System32\svchost.exe[924] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007707dc70 5 bytes JMP 00000000000703d0 .text C:\windows\System32\svchost.exe[924] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007707dd20 5 bytes JMP 0000000000070310 .text C:\windows\System32\svchost.exe[924] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007707dd50 5 bytes JMP 00000000000703a0 .text C:\windows\System32\svchost.exe[924] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007707dd70 5 bytes JMP 0000000000070380 .text C:\windows\System32\svchost.exe[924] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007707ddb0 5 bytes JMP 00000000000702d0 .text C:\windows\System32\svchost.exe[924] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007707de30 1 byte JMP 00000000000702c0 .text C:\windows\System32\svchost.exe[924] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 000000007707de32 3 bytes {JMP 0xffffffff88ff2490} .text C:\windows\System32\svchost.exe[924] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007707de50 5 bytes JMP 0000000000070300 .text C:\windows\System32\svchost.exe[924] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007707de90 5 bytes JMP 00000000000703b0 .text C:\windows\System32\svchost.exe[924] C:\windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007707ded0 5 bytes JMP 0000000000070440 .text C:\windows\System32\svchost.exe[924] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007707dee0 5 bytes JMP 00000000000703e0 .text C:\windows\System32\svchost.exe[924] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007707e040 5 bytes JMP 0000000000070220 .text C:\windows\System32\svchost.exe[924] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007707e200 5 bytes JMP 00000000000704a0 .text C:\windows\System32\svchost.exe[924] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007707e230 5 bytes JMP 0000000000070390 .text C:\windows\System32\svchost.exe[924] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007707e310 5 bytes JMP 00000000000702e0 .text C:\windows\System32\svchost.exe[924] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007707e320 5 bytes JMP 0000000000070340 .text C:\windows\System32\svchost.exe[924] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007707e380 5 bytes JMP 0000000000070280 .text C:\windows\System32\svchost.exe[924] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007707e410 1 byte JMP 00000000000702a0 .text C:\windows\System32\svchost.exe[924] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 000000007707e412 3 bytes {JMP 0xffffffff88ff1e90} .text C:\windows\System32\svchost.exe[924] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007707e430 1 byte JMP 00000000000703c0 .text C:\windows\System32\svchost.exe[924] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 000000007707e432 3 bytes {JMP 0xffffffff88ff1f90} .text C:\windows\System32\svchost.exe[924] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007707e440 5 bytes JMP 0000000000070320 .text C:\windows\System32\svchost.exe[924] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007707e4b0 5 bytes JMP 0000000000070410 .text C:\windows\System32\svchost.exe[924] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007707e4e0 5 bytes JMP 0000000000070230 .text C:\windows\System32\svchost.exe[924] C:\windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007707e680 5 bytes JMP 00000000000703f0 .text C:\windows\System32\svchost.exe[924] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007707e7a0 5 bytes JMP 00000000000701d0 .text C:\windows\System32\svchost.exe[924] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007707e860 5 bytes JMP 0000000000070240 .text C:\windows\System32\svchost.exe[924] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007707e890 5 bytes JMP 00000000000704b0 .text C:\windows\System32\svchost.exe[924] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007707e8a0 5 bytes JMP 00000000000704c0 .text C:\windows\System32\svchost.exe[924] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007707e8d0 5 bytes JMP 00000000000702f0 .text C:\windows\System32\svchost.exe[924] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007707e8e0 5 bytes JMP 0000000000070350 .text C:\windows\System32\svchost.exe[924] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007707e940 5 bytes JMP 0000000000070290 .text C:\windows\System32\svchost.exe[924] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007707e990 5 bytes JMP 00000000000702b0 .text C:\windows\System32\svchost.exe[924] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007707e9c0 5 bytes JMP 0000000000070370 .text C:\windows\System32\svchost.exe[924] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007707e9d0 5 bytes JMP 0000000000070330 .text C:\windows\System32\svchost.exe[924] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007707ecc0 5 bytes JMP 0000000000070460 .text C:\windows\System32\svchost.exe[924] C:\windows\SYSTEM32\ntdll.dll!NtResumeProcess 000000007707ee20 5 bytes JMP 0000000000070420 .text C:\windows\System32\svchost.exe[924] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007707eec0 1 byte JMP 0000000000070250 .text C:\windows\System32\svchost.exe[924] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 000000007707eec2 3 bytes {JMP 0xffffffff88ff1390} .text C:\windows\System32\svchost.exe[924] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007707eed0 1 byte JMP 0000000000070260 .text C:\windows\System32\svchost.exe[924] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 000000007707eed2 3 bytes {JMP 0xffffffff88ff1390} .text C:\windows\System32\svchost.exe[924] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007707eee0 5 bytes JMP 0000000000070400 .text C:\windows\System32\svchost.exe[924] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007707f0a0 5 bytes JMP 00000000000701e0 .text C:\windows\System32\svchost.exe[924] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007707f0b0 5 bytes JMP 0000000000070200 .text C:\windows\System32\svchost.exe[924] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007707f120 5 bytes JMP 00000000000701f0 .text C:\windows\System32\svchost.exe[924] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007707f180 5 bytes JMP 0000000000070430 .text C:\windows\System32\svchost.exe[924] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007707f190 5 bytes JMP 0000000000070450 .text C:\windows\System32\svchost.exe[924] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007707f1a0 5 bytes JMP 0000000000070210 .text C:\windows\System32\svchost.exe[924] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007707f280 5 bytes JMP 0000000000070270 .text C:\windows\system32\svchost.exe[948] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007707da60 5 bytes JMP 00000000771e0480 .text C:\windows\system32\svchost.exe[948] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007707dab0 5 bytes JMP 00000000771e0470 .text C:\windows\system32\svchost.exe[948] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007707dc10 5 bytes JMP 00000000771e0360 .text C:\windows\system32\svchost.exe[948] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007707dc60 5 bytes JMP 00000000771e0490 .text C:\windows\system32\svchost.exe[948] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007707dc70 5 bytes JMP 00000000771e03d0 .text C:\windows\system32\svchost.exe[948] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007707dd20 5 bytes JMP 00000000771e0310 .text C:\windows\system32\svchost.exe[948] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007707dd50 5 bytes JMP 00000000771e03a0 .text C:\windows\system32\svchost.exe[948] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007707dd70 5 bytes JMP 00000000771e0380 .text C:\windows\system32\svchost.exe[948] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007707ddb0 5 bytes JMP 00000000771e02d0 .text C:\windows\system32\svchost.exe[948] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007707de30 1 byte JMP 00000000771e02c0 .text C:\windows\system32\svchost.exe[948] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 000000007707de32 3 bytes {JMP 0x162490} .text C:\windows\system32\svchost.exe[948] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007707de50 5 bytes JMP 00000000771e0300 .text C:\windows\system32\svchost.exe[948] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007707de90 5 bytes JMP 00000000771e03b0 .text C:\windows\system32\svchost.exe[948] C:\windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007707ded0 5 bytes JMP 00000000771e0440 .text C:\windows\system32\svchost.exe[948] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007707dee0 5 bytes JMP 00000000771e03e0 .text C:\windows\system32\svchost.exe[948] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007707e040 5 bytes JMP 00000000771e0220 .text C:\windows\system32\svchost.exe[948] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007707e200 5 bytes JMP 00000000771e04a0 .text C:\windows\system32\svchost.exe[948] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007707e230 5 bytes JMP 00000000771e0390 .text C:\windows\system32\svchost.exe[948] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007707e310 5 bytes JMP 00000000771e02e0 .text C:\windows\system32\svchost.exe[948] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007707e320 5 bytes JMP 00000000771e0340 .text C:\windows\system32\svchost.exe[948] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007707e380 5 bytes JMP 00000000771e0280 .text C:\windows\system32\svchost.exe[948] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007707e410 1 byte JMP 00000000771e02a0 .text C:\windows\system32\svchost.exe[948] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 000000007707e412 3 bytes {JMP 0x161e90} .text C:\windows\system32\svchost.exe[948] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007707e430 1 byte JMP 00000000771e03c0 .text C:\windows\system32\svchost.exe[948] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 000000007707e432 3 bytes {JMP 0x161f90} .text C:\windows\system32\svchost.exe[948] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007707e440 5 bytes JMP 00000000771e0320 .text C:\windows\system32\svchost.exe[948] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007707e4b0 5 bytes JMP 00000000771e0410 .text C:\windows\system32\svchost.exe[948] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007707e4e0 5 bytes JMP 00000000771e0230 .text C:\windows\system32\svchost.exe[948] C:\windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007707e680 5 bytes JMP 00000000771e03f0 .text C:\windows\system32\svchost.exe[948] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007707e7a0 5 bytes JMP 00000000771e01d0 .text C:\windows\system32\svchost.exe[948] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007707e860 5 bytes JMP 00000000771e0240 .text C:\windows\system32\svchost.exe[948] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007707e890 5 bytes JMP 00000000771e04b0 .text C:\windows\system32\svchost.exe[948] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007707e8a0 5 bytes JMP 00000000771e04c0 .text C:\windows\system32\svchost.exe[948] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007707e8d0 5 bytes JMP 00000000771e02f0 .text C:\windows\system32\svchost.exe[948] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007707e8e0 5 bytes JMP 00000000771e0350 .text C:\windows\system32\svchost.exe[948] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007707e940 5 bytes JMP 00000000771e0290 .text C:\windows\system32\svchost.exe[948] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007707e990 5 bytes JMP 00000000771e02b0 .text C:\windows\system32\svchost.exe[948] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007707e9c0 5 bytes JMP 00000000771e0370 .text C:\windows\system32\svchost.exe[948] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007707e9d0 5 bytes JMP 00000000771e0330 .text C:\windows\system32\svchost.exe[948] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007707ecc0 5 bytes JMP 00000000771e0460 .text C:\windows\system32\svchost.exe[948] C:\windows\SYSTEM32\ntdll.dll!NtResumeProcess 000000007707ee20 5 bytes JMP 00000000771e0420 .text C:\windows\system32\svchost.exe[948] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007707eec0 1 byte JMP 00000000771e0250 .text C:\windows\system32\svchost.exe[948] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 000000007707eec2 3 bytes {JMP 0x161390} .text C:\windows\system32\svchost.exe[948] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007707eed0 1 byte JMP 00000000771e0260 .text C:\windows\system32\svchost.exe[948] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 000000007707eed2 3 bytes {JMP 0x161390} .text C:\windows\system32\svchost.exe[948] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007707eee0 5 bytes JMP 00000000771e0400 .text C:\windows\system32\svchost.exe[948] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007707f0a0 5 bytes JMP 00000000771e01e0 .text C:\windows\system32\svchost.exe[948] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007707f0b0 5 bytes JMP 00000000771e0200 .text C:\windows\system32\svchost.exe[948] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007707f120 5 bytes JMP 00000000771e01f0 .text C:\windows\system32\svchost.exe[948] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007707f180 5 bytes JMP 00000000771e0430 .text C:\windows\system32\svchost.exe[948] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007707f190 5 bytes JMP 00000000771e0450 .text C:\windows\system32\svchost.exe[948] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007707f1a0 5 bytes JMP 00000000771e0210 .text C:\windows\system32\svchost.exe[948] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007707f280 5 bytes JMP 00000000771e0270 .text C:\windows\system32\svchost.exe[820] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007707da60 5 bytes JMP 00000000771e0480 .text C:\windows\system32\svchost.exe[820] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007707dab0 5 bytes JMP 00000000771e0470 .text C:\windows\system32\svchost.exe[820] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007707dc10 5 bytes JMP 00000000771e0360 .text C:\windows\system32\svchost.exe[820] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007707dc60 5 bytes JMP 00000000771e0490 .text C:\windows\system32\svchost.exe[820] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007707dc70 5 bytes JMP 00000000771e03d0 .text C:\windows\system32\svchost.exe[820] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007707dd20 5 bytes JMP 00000000771e0310 .text C:\windows\system32\svchost.exe[820] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007707dd50 5 bytes JMP 00000000771e03a0 .text C:\windows\system32\svchost.exe[820] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007707dd70 5 bytes JMP 00000000771e0380 .text C:\windows\system32\svchost.exe[820] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007707ddb0 5 bytes JMP 00000000771e02d0 .text C:\windows\system32\svchost.exe[820] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007707de30 1 byte JMP 00000000771e02c0 .text C:\windows\system32\svchost.exe[820] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 000000007707de32 3 bytes {JMP 0x162490} .text C:\windows\system32\svchost.exe[820] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007707de50 5 bytes JMP 00000000771e0300 .text C:\windows\system32\svchost.exe[820] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007707de90 5 bytes JMP 00000000771e03b0 .text C:\windows\system32\svchost.exe[820] C:\windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007707ded0 5 bytes JMP 00000000771e0440 .text C:\windows\system32\svchost.exe[820] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007707dee0 5 bytes JMP 00000000771e03e0 .text C:\windows\system32\svchost.exe[820] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007707e040 5 bytes JMP 00000000771e0220 .text C:\windows\system32\svchost.exe[820] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007707e200 5 bytes JMP 00000000771e04a0 .text C:\windows\system32\svchost.exe[820] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007707e230 5 bytes JMP 00000000771e0390 .text C:\windows\system32\svchost.exe[820] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007707e310 5 bytes JMP 00000000771e02e0 .text C:\windows\system32\svchost.exe[820] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007707e320 5 bytes JMP 00000000771e0340 .text C:\windows\system32\svchost.exe[820] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007707e380 5 bytes JMP 00000000771e0280 .text C:\windows\system32\svchost.exe[820] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007707e410 1 byte JMP 00000000771e02a0 .text C:\windows\system32\svchost.exe[820] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 000000007707e412 3 bytes {JMP 0x161e90} .text C:\windows\system32\svchost.exe[820] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007707e430 1 byte JMP 00000000771e03c0 .text C:\windows\system32\svchost.exe[820] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 000000007707e432 3 bytes {JMP 0x161f90} .text C:\windows\system32\svchost.exe[820] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007707e440 5 bytes JMP 00000000771e0320 .text C:\windows\system32\svchost.exe[820] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007707e4b0 5 bytes JMP 00000000771e0410 .text C:\windows\system32\svchost.exe[820] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007707e4e0 5 bytes JMP 00000000771e0230 .text C:\windows\system32\svchost.exe[820] C:\windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007707e680 5 bytes JMP 00000000771e03f0 .text C:\windows\system32\svchost.exe[820] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007707e7a0 5 bytes JMP 00000000771e01d0 .text C:\windows\system32\svchost.exe[820] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007707e860 5 bytes JMP 00000000771e0240 .text C:\windows\system32\svchost.exe[820] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007707e890 5 bytes JMP 00000000771e04b0 .text C:\windows\system32\svchost.exe[820] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007707e8a0 5 bytes JMP 00000000771e04c0 .text C:\windows\system32\svchost.exe[820] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007707e8d0 5 bytes JMP 00000000771e02f0 .text C:\windows\system32\svchost.exe[820] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007707e8e0 5 bytes JMP 00000000771e0350 .text C:\windows\system32\svchost.exe[820] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007707e940 5 bytes JMP 00000000771e0290 .text C:\windows\system32\svchost.exe[820] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007707e990 5 bytes JMP 00000000771e02b0 .text C:\windows\system32\svchost.exe[820] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007707e9c0 5 bytes JMP 00000000771e0370 .text C:\windows\system32\svchost.exe[820] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007707e9d0 5 bytes JMP 00000000771e0330 .text C:\windows\system32\svchost.exe[820] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007707ecc0 5 bytes JMP 00000000771e0460 .text C:\windows\system32\svchost.exe[820] C:\windows\SYSTEM32\ntdll.dll!NtResumeProcess 000000007707ee20 5 bytes JMP 00000000771e0420 .text C:\windows\system32\svchost.exe[820] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007707eec0 1 byte JMP 00000000771e0250 .text C:\windows\system32\svchost.exe[820] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 000000007707eec2 3 bytes {JMP 0x161390} .text C:\windows\system32\svchost.exe[820] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007707eed0 1 byte JMP 00000000771e0260 .text C:\windows\system32\svchost.exe[820] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 000000007707eed2 3 bytes {JMP 0x161390} .text C:\windows\system32\svchost.exe[820] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007707eee0 5 bytes JMP 00000000771e0400 .text C:\windows\system32\svchost.exe[820] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007707f0a0 5 bytes JMP 00000000771e01e0 .text C:\windows\system32\svchost.exe[820] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007707f0b0 5 bytes JMP 00000000771e0200 .text C:\windows\system32\svchost.exe[820] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007707f120 5 bytes JMP 00000000771e01f0 .text C:\windows\system32\svchost.exe[820] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007707f180 5 bytes JMP 00000000771e0430 .text C:\windows\system32\svchost.exe[820] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007707f190 5 bytes JMP 00000000771e0450 .text C:\windows\system32\svchost.exe[820] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007707f1a0 5 bytes JMP 00000000771e0210 .text C:\windows\system32\svchost.exe[820] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007707f280 5 bytes JMP 00000000771e0270 .text C:\windows\system32\svchost.exe[1516] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007707da60 5 bytes JMP 0000000000070480 .text C:\windows\system32\svchost.exe[1516] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007707dab0 5 bytes JMP 0000000000070470 .text C:\windows\system32\svchost.exe[1516] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007707dc10 5 bytes JMP 0000000000070360 .text C:\windows\system32\svchost.exe[1516] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007707dc60 5 bytes JMP 0000000000070490 .text C:\windows\system32\svchost.exe[1516] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007707dc70 5 bytes JMP 00000000000703d0 .text C:\windows\system32\svchost.exe[1516] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007707dd20 5 bytes JMP 0000000000070310 .text C:\windows\system32\svchost.exe[1516] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007707dd50 5 bytes JMP 00000000000703a0 .text C:\windows\system32\svchost.exe[1516] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007707dd70 5 bytes JMP 0000000000070380 .text C:\windows\system32\svchost.exe[1516] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007707ddb0 5 bytes JMP 00000000000702d0 .text C:\windows\system32\svchost.exe[1516] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007707de30 1 byte JMP 00000000000702c0 .text C:\windows\system32\svchost.exe[1516] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 000000007707de32 3 bytes {JMP 0xffffffff88ff2490} .text C:\windows\system32\svchost.exe[1516] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007707de50 5 bytes JMP 0000000000070300 .text C:\windows\system32\svchost.exe[1516] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007707de90 5 bytes JMP 00000000000703b0 .text C:\windows\system32\svchost.exe[1516] C:\windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007707ded0 5 bytes JMP 0000000000070440 .text C:\windows\system32\svchost.exe[1516] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007707dee0 5 bytes JMP 00000000000703e0 .text C:\windows\system32\svchost.exe[1516] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007707e040 5 bytes JMP 0000000000070220 .text C:\windows\system32\svchost.exe[1516] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007707e200 5 bytes JMP 00000000000704a0 .text C:\windows\system32\svchost.exe[1516] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007707e230 5 bytes JMP 0000000000070390 .text C:\windows\system32\svchost.exe[1516] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007707e310 5 bytes JMP 00000000000702e0 .text C:\windows\system32\svchost.exe[1516] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007707e320 5 bytes JMP 0000000000070340 .text C:\windows\system32\svchost.exe[1516] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007707e380 5 bytes JMP 0000000000070280 .text C:\windows\system32\svchost.exe[1516] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007707e410 1 byte JMP 00000000000702a0 .text C:\windows\system32\svchost.exe[1516] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 000000007707e412 3 bytes {JMP 0xffffffff88ff1e90} .text C:\windows\system32\svchost.exe[1516] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007707e430 1 byte JMP 00000000000703c0 .text C:\windows\system32\svchost.exe[1516] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 000000007707e432 3 bytes {JMP 0xffffffff88ff1f90} .text C:\windows\system32\svchost.exe[1516] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007707e440 5 bytes JMP 0000000000070320 .text C:\windows\system32\svchost.exe[1516] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007707e4b0 5 bytes JMP 0000000000070410 .text C:\windows\system32\svchost.exe[1516] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007707e4e0 5 bytes JMP 0000000000070230 .text C:\windows\system32\svchost.exe[1516] C:\windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007707e680 5 bytes JMP 00000000000703f0 .text C:\windows\system32\svchost.exe[1516] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007707e7a0 5 bytes JMP 00000000000701d0 .text C:\windows\system32\svchost.exe[1516] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007707e860 5 bytes JMP 0000000000070240 .text C:\windows\system32\svchost.exe[1516] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007707e890 5 bytes JMP 00000000000704b0 .text C:\windows\system32\svchost.exe[1516] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007707e8a0 5 bytes JMP 00000000000704c0 .text C:\windows\system32\svchost.exe[1516] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007707e8d0 5 bytes JMP 00000000000702f0 .text C:\windows\system32\svchost.exe[1516] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007707e8e0 5 bytes JMP 0000000000070350 .text C:\windows\system32\svchost.exe[1516] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007707e940 5 bytes JMP 0000000000070290 .text C:\windows\system32\svchost.exe[1516] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007707e990 5 bytes JMP 00000000000702b0 .text C:\windows\system32\svchost.exe[1516] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007707e9c0 5 bytes JMP 0000000000070370 .text C:\windows\system32\svchost.exe[1516] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007707e9d0 5 bytes JMP 0000000000070330 .text C:\windows\system32\svchost.exe[1516] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007707ecc0 5 bytes JMP 0000000000070460 .text C:\windows\system32\svchost.exe[1516] C:\windows\SYSTEM32\ntdll.dll!NtResumeProcess 000000007707ee20 5 bytes JMP 0000000000070420 .text C:\windows\system32\svchost.exe[1516] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007707eec0 1 byte JMP 0000000000070250 .text C:\windows\system32\svchost.exe[1516] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 000000007707eec2 3 bytes {JMP 0xffffffff88ff1390} .text C:\windows\system32\svchost.exe[1516] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007707eed0 1 byte JMP 0000000000070260 .text C:\windows\system32\svchost.exe[1516] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 000000007707eed2 3 bytes {JMP 0xffffffff88ff1390} .text C:\windows\system32\svchost.exe[1516] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007707eee0 5 bytes JMP 0000000000070400 .text C:\windows\system32\svchost.exe[1516] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007707f0a0 5 bytes JMP 00000000000701e0 .text C:\windows\system32\svchost.exe[1516] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007707f0b0 5 bytes JMP 0000000000070200 .text C:\windows\system32\svchost.exe[1516] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007707f120 5 bytes JMP 00000000000701f0 .text C:\windows\system32\svchost.exe[1516] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007707f180 5 bytes JMP 0000000000070430 .text C:\windows\system32\svchost.exe[1516] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007707f190 5 bytes JMP 0000000000070450 .text C:\windows\system32\svchost.exe[1516] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007707f1a0 5 bytes JMP 0000000000070210 .text C:\windows\system32\svchost.exe[1516] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007707f280 5 bytes JMP 0000000000070270 .text C:\windows\system32\Dwm.exe[2412] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007707da60 5 bytes JMP 00000000771e0480 .text C:\windows\system32\Dwm.exe[2412] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007707dab0 5 bytes JMP 00000000771e0470 .text C:\windows\system32\Dwm.exe[2412] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007707dc10 5 bytes JMP 00000000771e0360 .text C:\windows\system32\Dwm.exe[2412] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007707dc60 5 bytes JMP 00000000771e0490 .text C:\windows\system32\Dwm.exe[2412] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007707dc70 5 bytes JMP 00000000771e03d0 .text C:\windows\system32\Dwm.exe[2412] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007707dd20 5 bytes JMP 00000000771e0310 .text C:\windows\system32\Dwm.exe[2412] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007707dd50 5 bytes JMP 00000000771e03a0 .text C:\windows\system32\Dwm.exe[2412] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007707dd70 5 bytes JMP 00000000771e0380 .text C:\windows\system32\Dwm.exe[2412] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007707ddb0 5 bytes JMP 00000000771e02d0 .text C:\windows\system32\Dwm.exe[2412] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007707de30 1 byte JMP 00000000771e02c0 .text C:\windows\system32\Dwm.exe[2412] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 000000007707de32 3 bytes {JMP 0x162490} .text C:\windows\system32\Dwm.exe[2412] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007707de50 5 bytes JMP 00000000771e0300 .text C:\windows\system32\Dwm.exe[2412] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007707de90 5 bytes JMP 00000000771e03b0 .text C:\windows\system32\Dwm.exe[2412] C:\windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007707ded0 5 bytes JMP 00000000771e0440 .text C:\windows\system32\Dwm.exe[2412] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007707dee0 5 bytes JMP 00000000771e03e0 .text C:\windows\system32\Dwm.exe[2412] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007707e040 5 bytes JMP 00000000771e0220 .text C:\windows\system32\Dwm.exe[2412] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007707e200 5 bytes JMP 00000000771e04a0 .text C:\windows\system32\Dwm.exe[2412] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007707e230 5 bytes JMP 00000000771e0390 .text C:\windows\system32\Dwm.exe[2412] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007707e310 5 bytes JMP 00000000771e02e0 .text C:\windows\system32\Dwm.exe[2412] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007707e320 5 bytes JMP 00000000771e0340 .text C:\windows\system32\Dwm.exe[2412] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007707e380 5 bytes JMP 00000000771e0280 .text C:\windows\system32\Dwm.exe[2412] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007707e410 1 byte JMP 00000000771e02a0 .text C:\windows\system32\Dwm.exe[2412] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 000000007707e412 3 bytes {JMP 0x161e90} .text C:\windows\system32\Dwm.exe[2412] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007707e430 1 byte JMP 00000000771e03c0 .text C:\windows\system32\Dwm.exe[2412] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 000000007707e432 3 bytes {JMP 0x161f90} .text C:\windows\system32\Dwm.exe[2412] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007707e440 5 bytes JMP 00000000771e0320 .text C:\windows\system32\Dwm.exe[2412] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007707e4b0 5 bytes JMP 00000000771e0410 .text C:\windows\system32\Dwm.exe[2412] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007707e4e0 5 bytes JMP 00000000771e0230 .text C:\windows\system32\Dwm.exe[2412] C:\windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007707e680 5 bytes JMP 00000000771e03f0 .text C:\windows\system32\Dwm.exe[2412] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007707e7a0 5 bytes JMP 00000000771e01d0 .text C:\windows\system32\Dwm.exe[2412] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007707e860 5 bytes JMP 00000000771e0240 .text C:\windows\system32\Dwm.exe[2412] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007707e890 5 bytes JMP 00000000771e04b0 .text C:\windows\system32\Dwm.exe[2412] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007707e8a0 5 bytes JMP 00000000771e04c0 .text C:\windows\system32\Dwm.exe[2412] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007707e8d0 5 bytes JMP 00000000771e02f0 .text C:\windows\system32\Dwm.exe[2412] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007707e8e0 5 bytes JMP 00000000771e0350 .text C:\windows\system32\Dwm.exe[2412] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007707e940 5 bytes JMP 00000000771e0290 .text C:\windows\system32\Dwm.exe[2412] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007707e990 5 bytes JMP 00000000771e02b0 .text C:\windows\system32\Dwm.exe[2412] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007707e9c0 5 bytes JMP 00000000771e0370 .text C:\windows\system32\Dwm.exe[2412] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007707e9d0 5 bytes JMP 00000000771e0330 .text C:\windows\system32\Dwm.exe[2412] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007707ecc0 5 bytes JMP 00000000771e0460 .text C:\windows\system32\Dwm.exe[2412] C:\windows\SYSTEM32\ntdll.dll!NtResumeProcess 000000007707ee20 5 bytes JMP 00000000771e0420 .text C:\windows\system32\Dwm.exe[2412] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007707eec0 1 byte JMP 00000000771e0250 .text C:\windows\system32\Dwm.exe[2412] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 000000007707eec2 3 bytes {JMP 0x161390} .text C:\windows\system32\Dwm.exe[2412] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007707eed0 1 byte JMP 00000000771e0260 .text C:\windows\system32\Dwm.exe[2412] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 000000007707eed2 3 bytes {JMP 0x161390} .text C:\windows\system32\Dwm.exe[2412] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007707eee0 5 bytes JMP 00000000771e0400 .text C:\windows\system32\Dwm.exe[2412] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007707f0a0 5 bytes JMP 00000000771e01e0 .text C:\windows\system32\Dwm.exe[2412] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007707f0b0 5 bytes JMP 00000000771e0200 .text C:\windows\system32\Dwm.exe[2412] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007707f120 5 bytes JMP 00000000771e01f0 .text C:\windows\system32\Dwm.exe[2412] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007707f180 5 bytes JMP 00000000771e0430 .text C:\windows\system32\Dwm.exe[2412] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007707f190 5 bytes JMP 00000000771e0450 .text C:\windows\system32\Dwm.exe[2412] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007707f1a0 5 bytes JMP 00000000771e0210 .text C:\windows\system32\Dwm.exe[2412] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007707f280 5 bytes JMP 00000000771e0270 .text C:\windows\Explorer.EXE[2456] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007707da60 5 bytes JMP 0000000000070480 .text C:\windows\Explorer.EXE[2456] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007707dab0 5 bytes JMP 0000000000070470 .text C:\windows\Explorer.EXE[2456] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007707dc10 5 bytes JMP 0000000000070360 .text C:\windows\Explorer.EXE[2456] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007707dc60 5 bytes JMP 0000000000070490 .text C:\windows\Explorer.EXE[2456] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007707dc70 5 bytes JMP 00000000000703d0 .text C:\windows\Explorer.EXE[2456] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007707dd20 5 bytes JMP 0000000000070310 .text C:\windows\Explorer.EXE[2456] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007707dd50 5 bytes JMP 00000000000703a0 .text C:\windows\Explorer.EXE[2456] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007707dd70 5 bytes JMP 0000000000070380 .text C:\windows\Explorer.EXE[2456] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007707ddb0 5 bytes JMP 00000000000702d0 .text C:\windows\Explorer.EXE[2456] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007707de30 1 byte JMP 00000000000702c0 .text C:\windows\Explorer.EXE[2456] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 000000007707de32 3 bytes {JMP 0xffffffff88ff2490} .text C:\windows\Explorer.EXE[2456] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007707de50 5 bytes JMP 0000000000070300 .text C:\windows\Explorer.EXE[2456] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007707de90 5 bytes JMP 00000000000703b0 .text C:\windows\Explorer.EXE[2456] C:\windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007707ded0 5 bytes JMP 0000000000070440 .text C:\windows\Explorer.EXE[2456] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007707dee0 5 bytes JMP 00000000000703e0 .text C:\windows\Explorer.EXE[2456] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007707e040 5 bytes JMP 0000000000070220 .text C:\windows\Explorer.EXE[2456] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007707e200 5 bytes JMP 00000000000704a0 .text C:\windows\Explorer.EXE[2456] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007707e230 5 bytes JMP 0000000000070390 .text C:\windows\Explorer.EXE[2456] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007707e310 5 bytes JMP 00000000000702e0 .text C:\windows\Explorer.EXE[2456] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007707e320 5 bytes JMP 0000000000070340 .text C:\windows\Explorer.EXE[2456] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007707e380 5 bytes JMP 0000000000070280 .text C:\windows\Explorer.EXE[2456] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007707e410 1 byte JMP 00000000000702a0 .text C:\windows\Explorer.EXE[2456] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 000000007707e412 3 bytes {JMP 0xffffffff88ff1e90} .text C:\windows\Explorer.EXE[2456] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007707e430 1 byte JMP 00000000000703c0 .text C:\windows\Explorer.EXE[2456] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 000000007707e432 3 bytes {JMP 0xffffffff88ff1f90} .text C:\windows\Explorer.EXE[2456] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007707e440 5 bytes JMP 0000000000070320 .text C:\windows\Explorer.EXE[2456] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007707e4b0 5 bytes JMP 0000000000070410 .text C:\windows\Explorer.EXE[2456] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007707e4e0 5 bytes JMP 0000000000070230 .text C:\windows\Explorer.EXE[2456] C:\windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007707e680 5 bytes JMP 00000000000703f0 .text C:\windows\Explorer.EXE[2456] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007707e7a0 5 bytes JMP 00000000000701d0 .text C:\windows\Explorer.EXE[2456] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007707e860 5 bytes JMP 0000000000070240 .text C:\windows\Explorer.EXE[2456] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007707e890 5 bytes JMP 00000000000704b0 .text C:\windows\Explorer.EXE[2456] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007707e8a0 5 bytes JMP 00000000000704c0 .text C:\windows\Explorer.EXE[2456] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007707e8d0 5 bytes JMP 00000000000702f0 .text C:\windows\Explorer.EXE[2456] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007707e8e0 5 bytes JMP 0000000000070350 .text C:\windows\Explorer.EXE[2456] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007707e940 5 bytes JMP 0000000000070290 .text C:\windows\Explorer.EXE[2456] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007707e990 5 bytes JMP 00000000000702b0 .text C:\windows\Explorer.EXE[2456] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007707e9c0 5 bytes JMP 0000000000070370 .text C:\windows\Explorer.EXE[2456] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007707e9d0 5 bytes JMP 0000000000070330 .text C:\windows\Explorer.EXE[2456] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007707ecc0 5 bytes JMP 0000000000070460 .text C:\windows\Explorer.EXE[2456] C:\windows\SYSTEM32\ntdll.dll!NtResumeProcess 000000007707ee20 5 bytes JMP 0000000000070420 .text C:\windows\Explorer.EXE[2456] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007707eec0 1 byte JMP 0000000000070250 .text C:\windows\Explorer.EXE[2456] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 000000007707eec2 3 bytes {JMP 0xffffffff88ff1390} .text C:\windows\Explorer.EXE[2456] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007707eed0 1 byte JMP 0000000000070260 .text C:\windows\Explorer.EXE[2456] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 000000007707eed2 3 bytes {JMP 0xffffffff88ff1390} .text C:\windows\Explorer.EXE[2456] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007707eee0 5 bytes JMP 0000000000070400 .text C:\windows\Explorer.EXE[2456] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007707f0a0 5 bytes JMP 00000000000701e0 .text C:\windows\Explorer.EXE[2456] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007707f0b0 5 bytes JMP 0000000000070200 .text C:\windows\Explorer.EXE[2456] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007707f120 5 bytes JMP 00000000000701f0 .text C:\windows\Explorer.EXE[2456] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007707f180 5 bytes JMP 0000000000070430 .text C:\windows\Explorer.EXE[2456] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007707f190 5 bytes JMP 0000000000070450 .text C:\windows\Explorer.EXE[2456] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007707f1a0 5 bytes JMP 0000000000070210 .text C:\windows\Explorer.EXE[2456] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007707f280 5 bytes JMP 0000000000070270 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3720] C:\windows\syswow64\kernel32.dll!LoadLibraryExA 00000000752a48b3 5 bytes JMP 00000000100027c0 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3720] C:\windows\syswow64\kernel32.dll!LoadLibraryW 00000000752a48cb 5 bytes JMP 00000000100028a0 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3720] C:\windows\syswow64\kernel32.dll!LoadLibraryExW 00000000752a48fd 5 bytes JMP 0000000010002830 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3720] C:\windows\syswow64\ole32.dll!CoCreateInstance 0000000075039d0b 5 bytes JMP 0000000010002900 .text C:\Users\SZYMEK\AppData\Local\FluxSoftware\Flux\flux.exe[3892] C:\windows\syswow64\kernel32.dll!LoadLibraryExA 00000000752a48b3 5 bytes JMP 00000000100027c0 .text C:\Users\SZYMEK\AppData\Local\FluxSoftware\Flux\flux.exe[3892] C:\windows\syswow64\kernel32.dll!LoadLibraryW 00000000752a48cb 5 bytes JMP 00000000100028a0 .text C:\Users\SZYMEK\AppData\Local\FluxSoftware\Flux\flux.exe[3892] C:\windows\syswow64\kernel32.dll!LoadLibraryExW 00000000752a48fd 5 bytes JMP 0000000010002830 .text C:\Users\SZYMEK\AppData\Local\FluxSoftware\Flux\flux.exe[3892] C:\windows\syswow64\ole32.dll!CoCreateInstance 0000000075039d0b 5 bytes JMP 0000000010002900 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4080] C:\windows\syswow64\KERNEL32.dll!LoadLibraryExA 00000000752a48b3 5 bytes JMP 00000000100027c0 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4080] C:\windows\syswow64\KERNEL32.dll!LoadLibraryW 00000000752a48cb 5 bytes JMP 00000000100028a0 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4080] C:\windows\syswow64\KERNEL32.dll!LoadLibraryExW 00000000752a48fd 5 bytes JMP 0000000010002830 .text C:\Program Files\AVAST Software\Avast\avastui.exe[3456] C:\windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter 00000000752a8769 8 bytes [31, C0, C2, 04, 00, 90, 90, ...] .text C:\Program Files\Lenovo\Bluetooth Software\BtStackServer.exe[1864] C:\windows\system32\kernel32.dll!LoadLibraryW 0000000076e264a0 5 bytes JMP 0000000069ff0038 .text C:\windows\system32\svchost.exe[3576] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007707da60 5 bytes JMP 00000000771e0480 .text C:\windows\system32\svchost.exe[3576] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007707dab0 5 bytes JMP 00000000771e0470 .text C:\windows\system32\svchost.exe[3576] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007707dc10 5 bytes JMP 00000000771e0360 .text C:\windows\system32\svchost.exe[3576] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007707dc60 5 bytes JMP 00000000771e0490 .text C:\windows\system32\svchost.exe[3576] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007707dc70 5 bytes JMP 00000000771e03d0 .text C:\windows\system32\svchost.exe[3576] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007707dd20 5 bytes JMP 00000000771e0310 .text C:\windows\system32\svchost.exe[3576] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007707dd50 5 bytes JMP 00000000771e03a0 .text C:\windows\system32\svchost.exe[3576] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007707dd70 5 bytes JMP 00000000771e0380 .text C:\windows\system32\svchost.exe[3576] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007707ddb0 5 bytes JMP 00000000771e02d0 .text C:\windows\system32\svchost.exe[3576] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007707de30 1 byte JMP 00000000771e02c0 .text C:\windows\system32\svchost.exe[3576] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 000000007707de32 3 bytes {JMP 0x162490} .text C:\windows\system32\svchost.exe[3576] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007707de50 5 bytes JMP 00000000771e0300 .text C:\windows\system32\svchost.exe[3576] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007707de90 5 bytes JMP 00000000771e03b0 .text C:\windows\system32\svchost.exe[3576] C:\windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007707ded0 5 bytes JMP 00000000771e0440 .text C:\windows\system32\svchost.exe[3576] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007707dee0 5 bytes JMP 00000000771e03e0 .text C:\windows\system32\svchost.exe[3576] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007707e040 5 bytes JMP 00000000771e0220 .text C:\windows\system32\svchost.exe[3576] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007707e200 5 bytes JMP 00000000771e04a0 .text C:\windows\system32\svchost.exe[3576] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007707e230 5 bytes JMP 00000000771e0390 .text C:\windows\system32\svchost.exe[3576] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007707e310 5 bytes JMP 00000000771e02e0 .text C:\windows\system32\svchost.exe[3576] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007707e320 5 bytes JMP 00000000771e0340 .text C:\windows\system32\svchost.exe[3576] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007707e380 5 bytes JMP 00000000771e0280 .text C:\windows\system32\svchost.exe[3576] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007707e410 1 byte JMP 00000000771e02a0 .text C:\windows\system32\svchost.exe[3576] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 000000007707e412 3 bytes {JMP 0x161e90} .text C:\windows\system32\svchost.exe[3576] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007707e430 1 byte JMP 00000000771e03c0 .text C:\windows\system32\svchost.exe[3576] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 000000007707e432 3 bytes {JMP 0x161f90} .text C:\windows\system32\svchost.exe[3576] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007707e440 5 bytes JMP 00000000771e0320 .text C:\windows\system32\svchost.exe[3576] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007707e4b0 5 bytes JMP 00000000771e0410 .text C:\windows\system32\svchost.exe[3576] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007707e4e0 5 bytes JMP 00000000771e0230 .text C:\windows\system32\svchost.exe[3576] C:\windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007707e680 5 bytes JMP 00000000771e03f0 .text C:\windows\system32\svchost.exe[3576] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007707e7a0 5 bytes JMP 00000000771e01d0 .text C:\windows\system32\svchost.exe[3576] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007707e860 5 bytes JMP 00000000771e0240 .text C:\windows\system32\svchost.exe[3576] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007707e890 5 bytes JMP 00000000771e04b0 .text C:\windows\system32\svchost.exe[3576] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007707e8a0 5 bytes JMP 00000000771e04c0 .text C:\windows\system32\svchost.exe[3576] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007707e8d0 5 bytes JMP 00000000771e02f0 .text C:\windows\system32\svchost.exe[3576] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007707e8e0 5 bytes JMP 00000000771e0350 .text C:\windows\system32\svchost.exe[3576] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007707e940 5 bytes JMP 00000000771e0290 .text C:\windows\system32\svchost.exe[3576] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007707e990 5 bytes JMP 00000000771e02b0 .text C:\windows\system32\svchost.exe[3576] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007707e9c0 5 bytes JMP 00000000771e0370 .text C:\windows\system32\svchost.exe[3576] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007707e9d0 5 bytes JMP 00000000771e0330 .text C:\windows\system32\svchost.exe[3576] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007707ecc0 5 bytes JMP 00000000771e0460 .text C:\windows\system32\svchost.exe[3576] C:\windows\SYSTEM32\ntdll.dll!NtResumeProcess 000000007707ee20 5 bytes JMP 00000000771e0420 .text C:\windows\system32\svchost.exe[3576] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007707eec0 1 byte JMP 00000000771e0250 .text C:\windows\system32\svchost.exe[3576] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 000000007707eec2 3 bytes {JMP 0x161390} .text C:\windows\system32\svchost.exe[3576] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007707eed0 1 byte JMP 00000000771e0260 .text C:\windows\system32\svchost.exe[3576] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 000000007707eed2 3 bytes {JMP 0x161390} .text C:\windows\system32\svchost.exe[3576] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007707eee0 5 bytes JMP 00000000771e0400 .text C:\windows\system32\svchost.exe[3576] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007707f0a0 5 bytes JMP 00000000771e01e0 .text C:\windows\system32\svchost.exe[3576] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007707f0b0 5 bytes JMP 00000000771e0200 .text C:\windows\system32\svchost.exe[3576] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007707f120 5 bytes JMP 00000000771e01f0 .text C:\windows\system32\svchost.exe[3576] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007707f180 5 bytes JMP 00000000771e0430 .text C:\windows\system32\svchost.exe[3576] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007707f190 5 bytes JMP 00000000771e0450 .text C:\windows\system32\svchost.exe[3576] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007707f1a0 5 bytes JMP 00000000771e0210 .text C:\windows\system32\svchost.exe[3576] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007707f280 5 bytes JMP 00000000771e0270 ---- Threads - GMER 2.2 ---- Thread C:\windows\System32\svchost.exe [924:1060] 000007fefb3f59a0 Thread C:\windows\System32\svchost.exe [924:1256] 000007fefc9d1a70 Thread C:\windows\System32\svchost.exe [924:2976] 000007fef8c789b8 Thread C:\windows\System32\svchost.exe [924:2704] 000007fef95f20c0 Thread C:\windows\System32\svchost.exe [924:2932] 000007fef95f26a8 Thread C:\windows\System32\svchost.exe [924:2964] 000007fef95f29dc Thread C:\windows\system32\svchost.exe [492:4928] 000007fef47b0ea8 Thread C:\windows\system32\svchost.exe [492:4940] 000007fef47a9db0 Thread C:\windows\system32\svchost.exe [492:5012] 000007fef47aaa10 Thread C:\windows\system32\svchost.exe [492:5016] 000007fef47b1c94 Thread C:\windows\system32\svchost.exe [492:3972] 000007fef0e75c24 Thread C:\windows\system32\svchost.exe [492:4688] 000007fef0e7eff0 Thread C:\windows\system32\svchost.exe [492:3060] 000007fef9794f84 Thread C:\windows\system32\svchost.exe [820:1684] 000007fef56c83d8 Thread C:\windows\system32\svchost.exe [820:984] 000007fef56c83d8 Thread C:\windows\system32\svchost.exe [820:3364] 000007fef4853f1c Thread C:\windows\system32\svchost.exe [820:1228] 000007fef48222b8 Thread C:\windows\system32\svchost.exe [820:1232] 000007fef4821a38 Thread C:\windows\system32\svchost.exe [820:1356] 000007fef9a25388 Thread C:\windows\system32\svchost.exe [820:1580] 000007fef3a57738 Thread C:\windows\system32\svchost.exe [820:3512] 000007fef3a41f90 Thread C:\windows\system32\svchost.exe [820:452] 000007fef3a95170 Thread C:\windows\system32\WLANExt.exe [1136:1200] 000000018000b674 Thread C:\windows\system32\WLANExt.exe [1136:1204] 000000018000b690 Thread C:\windows\system32\WLANExt.exe [1136:1208] 000000018000b658 Thread C:\windows\system32\WLANExt.exe [1136:1212] 0000000180022170 Thread C:\windows\system32\WLANExt.exe [1136:1216] 000007fefb162f9c Thread C:\windows\System32\spoolsv.exe [1456:1248] 000007fef84a10c8 Thread C:\windows\System32\spoolsv.exe [1456:1412] 000007fef8466144 Thread C:\windows\System32\spoolsv.exe [1456:1872] 000007fef8255fd0 Thread C:\windows\System32\spoolsv.exe [1456:132] 000007fef8243438 Thread C:\windows\System32\spoolsv.exe [1456:2052] 000007fef82563ec Thread C:\windows\System32\spoolsv.exe [1456:2060] 000007fef8565e5c Thread C:\windows\System32\spoolsv.exe [1456:2064] 000007fef8595074 Thread C:\windows\System32\svchost.exe [1832:2036] 000007fef9280360 Thread C:\windows\System32\svchost.exe [1832:548] 000007fef925e460 Thread C:\windows\System32\svchost.exe [1832:544] 000007fef925e450 Thread C:\windows\System32\svchost.exe [1832:580] 000007fef9225570 Thread C:\windows\System32\svchost.exe [1832:1020] 000007fef925a130 Thread C:\windows\System32\svchost.exe [1832:2044] 000007fef9225560 Thread C:\windows\System32\svchost.exe [1832:2040] 000007fef92a82a0 Thread C:\windows\system32\taskhost.exe [2312:2360] 000007fef8052740 Thread C:\windows\system32\taskhost.exe [2312:2376] 000007fefa791010 Thread C:\windows\system32\taskhost.exe [2312:2500] 000007fef7d11f38 Thread C:\windows\System32\alg.exe [4740:4812] 000007fefdeca808 Thread C:\windows\system32\svchost.exe [612:1696] 000007fefb162f9c Thread C:\windows\system32\svchost.exe [3576:4420] 000007fef0fd8470 Thread C:\windows\system32\svchost.exe [3576:4040] 000007fef0fe2418 Thread C:\windows\system32\svchost.exe [3576:3408] 000007fef0faf130 Thread C:\windows\system32\svchost.exe [3576:4248] 000007fef0266648 Thread C:\windows\system32\svchost.exe [3576:4700] 000007fef0fa4734 Thread C:\windows\system32\svchost.exe [3576:2352] 000007fef8255fd0 Thread C:\windows\system32\svchost.exe [3576:5068] 000007fef82563ec Thread C:\windows\system32\svchost.exe [3576:5884] 000007fef0fa4734 ---- Registry - GMER 2.2 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters\Instup_14734497559452280@SetupOperations ??????????????????????????????????????z?????????????????4????????????????e????H?????????????volsnap.inf:MSFT.NTamd64:volume_snapshot_install:6.1.7600.16385:storage\volumesnapshot???????????????????????????t???o??Au???? ??:??????p????????????????3?????????d.6???????-???'???????d??usbport.inf:Generic.Section.NTamd64:ROOTHUB.Dev:6.1.7601.17514:usb\root_hub20?????L??????????????z?z?z?z?z?z?y???????i???o???e???????????i??????????????{36fc9e60-c465-11cf-8056-444553540000}?\ns??????????????????????????? ?????????????????????*????????????&???????????????????????{77F7F122-20B0-4117-A2FB-059D1FC88256}?-80???????z??????s{???o??????????????255.255.255.0????????.??????????????????????????????? "??????e???????????????????????????????+?+?8?8?v?y?+?z?z?z?z??oem21.inf???????????????????????????{c938b438-519a-5f66-ad98-9adcc355e560}?5??????????????????????|??????D??_0???????????????e???????t???&???&??{36fc9e60-c465-11cf-8056-444553540000}?-Mu??????????????SW???????????&???????????????????-????????????????????????????????.???? Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters\Instup_14734498329312280@SetupOperations ?????/???????????~?????n????????????????????{8ECC055D-047F-11D1-A537-0000F8753ED1}??@%???????????f???????e??????$???4????? ??????? ??????????????????????????????????????????????????????? ??????????? ??????????? ??????????????? ????????&??HJ???????????????????????????????????????????&?????????????????????????????????????????????????????????? ??????????????????? ??????????? ?????????????????? ?????????????????????0????????????&???????????????????????? ???????????????????h?0????????????????????? ?????????????????????0????????????????????? ???????????????????h?0????????????????????? ?????????????????????0????????????????????? ???????????????????h?0????????????????????? ?????????????????????0????????????????????? ???????????????????h?0????????????????????? ?????????????????????0????????????????????? ???????????????????h?0????????????????????????????????????????????????????????? ?????????????????????0????????????????????? ???????????????????h?0????????????????????@usbstor.inf,%generic.mfg%;Zgodne urz?dzenie magazy Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\002269ec2d88 Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\c0cb38e8fb31 Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\c0cb38e8fb31@b4527de761ae 0xA2 0x3C 0xFF 0x3D ... Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters\Instup_14734497559452280@SetupOperations ?????????????????s?????ssb????????????????????(?????????????????????????????????????$???4????? ??????? ??????????????????????????????????????????????????????? ??????????? ??????????? ??????????????? ???????????HJ???????????D???????D???D???D???????????????????????D???D???D???????????????????????D?????????????????? ??????????????????? ??????????? ?????????????????????$???4????? ??????? ??????????????????????????????????????????????????????? ??????????? ??????????? ??????????????? ????????&??HJ???????????????????????????????????????????&?????????????????????????????????????????????????????????? ??????????????????? ??????????? ??????????????????$???????p???????????????????{???$???????????????????????????????$???????????????????????????????$???????t??????????????????????@machine.inf,%*int0800.devicedesc%;Urz?dzenie koncentratora firmware Intel(R) 82802??????????????8???8??????$???4????? ??????? ??????????????????????????????????????????????????????? ??????????? ??????????? ??????????????? ????????>??HJ??????????? Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters\Instup_14734498329312280@SetupOperations ????????????Bluetooth FTP????????n??????????e0???k?k?k?k?k?k?k?{?z???k??????$???4????? ??????? ??????????????????????????????????????????????????????? ??????????? ??????????? ??????????????? ????????/??HJ???????????????????????????????????????????/???????????????????????^???????????????1?????????????????? ??????????????????? ??????????? ?????????????????@compositebus.inf,%compositebus.devicedesc%;Modu? wyliczaj?cy magistrali kompozytowej????9?9?:?:?????:???:???????g???A???????????????????????????e??????1???? x?????????????ms??????????????????Sterownik Bluetooth Request Block???????????????????nettun.inf:Microsoft.NTamd64:ISATAP.ndi:6.1.7600.16385:*isatap???????$???????????????????????????????y??????????????192.168.137.1???????????@????t?????s?????????????&???????.???p???????????n?n???n?????n??????{aae4863c-9693-5446-9a34-91edfa0f76cc}?Hds??0e2519f7-0125-4e77-94c4-0a1b8ec????????????????????????????e?????????????????????????????????e??????????????????????? ?????????????????????,?????? ??? ?????????????????\De Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\002269ec2d88 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\c0cb38e8fb31 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\c0cb38e8fb31@b4527de761ae 0xA2 0x3C 0xFF 0x3D ... ---- EOF - GMER 2.2 ----