GMER 2.2.19882 - http://www.gmer.net Rootkit scan 2016-11-28 16:36:43 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 Hitachi_HTS547564A9E384 rev.JEDOA50B 596,17GB Running: i21rqt1h.exe; Driver: C:\Users\SonyVaio\AppData\Local\Temp\kxliipob.sys ---- Kernel code sections - GMER 2.2 ---- .text C:\Windows\System32\win32k.sys!EngSetLastError + 616 fffff960000c5658 8 bytes [CC, A0, EC, 03, 80, F8, FF, ...] .text C:\Windows\System32\win32k.sys!W32pServiceTable fffff960000f4d00 7 bytes [00, 89, F3, FF, C1, 98, F0] .text C:\Windows\System32\win32k.sys!W32pServiceTable + 8 fffff960000f4d08 3 bytes [C0, 06, 02] ---- User code sections - GMER 2.2 ---- .text C:\Windows\system32\csrss.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076f0dc80 5 bytes JMP 000000004a3b0480 .text C:\Windows\system32\csrss.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076f0dcd0 5 bytes JMP 000000004a3b0470 .text C:\Windows\system32\csrss.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076f0de30 5 bytes JMP 000000004a3b0360 .text C:\Windows\system32\csrss.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076f0de80 5 bytes JMP 000000004a3b0490 .text C:\Windows\system32\csrss.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076f0de90 5 bytes JMP 000000004a3b03d0 .text C:\Windows\system32\csrss.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076f0df40 5 bytes JMP 000000004a3b0310 .text C:\Windows\system32\csrss.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076f0df70 5 bytes JMP 000000004a3b03a0 .text C:\Windows\system32\csrss.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076f0df90 5 bytes JMP 000000004a3b0380 .text C:\Windows\system32\csrss.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076f0dfd0 5 bytes JMP 000000004a3b02d0 .text C:\Windows\system32\csrss.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076f0e050 5 bytes JMP 000000004a3b02c0 .text C:\Windows\system32\csrss.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076f0e070 1 byte JMP 000000004a3b0300 .text C:\Windows\system32\csrss.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection + 2 0000000076f0e072 3 bytes {JMP 0xffffffffd34a2290} .text C:\Windows\system32\csrss.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076f0e0b0 5 bytes JMP 000000004a3b03b0 .text C:\Windows\system32\csrss.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076f0e0f0 5 bytes JMP 000000004a3b0440 .text C:\Windows\system32\csrss.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076f0e100 5 bytes JMP 000000004a3b03e0 .text C:\Windows\system32\csrss.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076f0e260 5 bytes JMP 000000004a3b0220 .text C:\Windows\system32\csrss.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076f0e420 5 bytes JMP 000000004a3b04a0 .text C:\Windows\system32\csrss.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076f0e450 5 bytes JMP 000000004a3b0390 .text C:\Windows\system32\csrss.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076f0e530 5 bytes JMP 000000004a3b02e0 .text C:\Windows\system32\csrss.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076f0e540 5 bytes JMP 000000004a3b0340 .text C:\Windows\system32\csrss.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076f0e5a0 5 bytes JMP 000000004a3b0280 .text C:\Windows\system32\csrss.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076f0e630 5 bytes JMP 000000004a3b02a0 .text C:\Windows\system32\csrss.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076f0e650 5 bytes JMP 000000004a3b03c0 .text C:\Windows\system32\csrss.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076f0e660 5 bytes JMP 000000004a3b0320 .text C:\Windows\system32\csrss.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076f0e6d0 5 bytes JMP 000000004a3b0410 .text C:\Windows\system32\csrss.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076f0e700 5 bytes JMP 000000004a3b0230 .text C:\Windows\system32\csrss.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000076f0e8a0 5 bytes JMP 000000004a3b03f0 .text C:\Windows\system32\csrss.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076f0e9c0 5 bytes JMP 000000004a3b01d0 .text C:\Windows\system32\csrss.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076f0ea80 5 bytes JMP 000000004a3b0240 .text C:\Windows\system32\csrss.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076f0eab0 5 bytes JMP 000000004a3b04b0 .text C:\Windows\system32\csrss.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076f0eac0 5 bytes JMP 000000004a3b04c0 .text C:\Windows\system32\csrss.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076f0eaf0 5 bytes JMP 000000004a3b02f0 .text C:\Windows\system32\csrss.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076f0eb00 5 bytes JMP 000000004a3b0350 .text C:\Windows\system32\csrss.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076f0eb60 5 bytes JMP 000000004a3b0290 .text C:\Windows\system32\csrss.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076f0ebb0 5 bytes JMP 000000004a3b02b0 .text C:\Windows\system32\csrss.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076f0ebe0 1 byte JMP 000000004a3b0370 .text C:\Windows\system32\csrss.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread + 2 0000000076f0ebe2 3 bytes {JMP 0xffffffffd34a1790} .text C:\Windows\system32\csrss.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076f0ebf0 5 bytes JMP 000000004a3b0330 .text C:\Windows\system32\csrss.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076f0eee0 5 bytes JMP 000000004a3b0460 .text C:\Windows\system32\csrss.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000076f0f040 5 bytes JMP 000000004a3b0420 .text C:\Windows\system32\csrss.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076f0f0e0 5 bytes JMP 000000004a3b0250 .text C:\Windows\system32\csrss.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076f0f0f0 5 bytes JMP 000000004a3b0260 .text C:\Windows\system32\csrss.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076f0f100 5 bytes JMP 000000004a3b0400 .text C:\Windows\system32\csrss.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076f0f2c0 5 bytes JMP 000000004a3b01e0 .text C:\Windows\system32\csrss.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076f0f2d0 5 bytes JMP 000000004a3b0200 .text C:\Windows\system32\csrss.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076f0f340 5 bytes JMP 000000004a3b01f0 .text C:\Windows\system32\csrss.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076f0f3a0 1 byte JMP 000000004a3b0430 .text C:\Windows\system32\csrss.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 0000000076f0f3a2 3 bytes {JMP 0xffffffffd34a1090} .text C:\Windows\system32\csrss.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076f0f3b0 5 bytes JMP 000000004a3b0450 .text C:\Windows\system32\csrss.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076f0f3c0 5 bytes JMP 000000004a3b0210 .text C:\Windows\system32\csrss.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076f0f4a0 5 bytes JMP 000000004a3b0270 .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076f0dc80 5 bytes JMP 000000004a3b0480 .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076f0dcd0 5 bytes JMP 000000004a3b0470 .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076f0de30 5 bytes JMP 000000004a3b0360 .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076f0de80 5 bytes JMP 000000004a3b0490 .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076f0de90 5 bytes JMP 000000004a3b03d0 .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076f0df40 5 bytes JMP 000000004a3b0310 .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076f0df70 5 bytes JMP 000000004a3b03a0 .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076f0df90 5 bytes JMP 000000004a3b0380 .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076f0dfd0 5 bytes JMP 000000004a3b02d0 .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076f0e050 5 bytes JMP 000000004a3b02c0 .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076f0e070 1 byte JMP 000000004a3b0300 .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection + 2 0000000076f0e072 3 bytes {JMP 0xffffffffd34a2290} .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076f0e0b0 5 bytes JMP 000000004a3b03b0 .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076f0e0f0 5 bytes JMP 000000004a3b0440 .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076f0e100 5 bytes JMP 000000004a3b03e0 .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076f0e260 5 bytes JMP 000000004a3b0220 .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076f0e420 5 bytes JMP 000000004a3b04a0 .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076f0e450 5 bytes JMP 000000004a3b0390 .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076f0e530 5 bytes JMP 000000004a3b02e0 .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076f0e540 5 bytes JMP 000000004a3b0340 .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076f0e5a0 5 bytes JMP 000000004a3b0280 .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076f0e630 5 bytes JMP 000000004a3b02a0 .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076f0e650 5 bytes JMP 000000004a3b03c0 .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076f0e660 5 bytes JMP 000000004a3b0320 .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076f0e6d0 5 bytes JMP 000000004a3b0410 .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076f0e700 5 bytes JMP 000000004a3b0230 .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000076f0e8a0 5 bytes JMP 000000004a3b03f0 .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076f0e9c0 5 bytes JMP 000000004a3b01d0 .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076f0ea80 5 bytes JMP 000000004a3b0240 .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076f0eab0 5 bytes JMP 000000004a3b04b0 .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076f0eac0 5 bytes JMP 000000004a3b04c0 .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076f0eaf0 5 bytes JMP 000000004a3b02f0 .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076f0eb00 5 bytes JMP 000000004a3b0350 .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076f0eb60 5 bytes JMP 000000004a3b0290 .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076f0ebb0 5 bytes JMP 000000004a3b02b0 .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076f0ebe0 1 byte JMP 000000004a3b0370 .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread + 2 0000000076f0ebe2 3 bytes {JMP 0xffffffffd34a1790} .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076f0ebf0 5 bytes JMP 000000004a3b0330 .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076f0eee0 5 bytes JMP 000000004a3b0460 .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000076f0f040 5 bytes JMP 000000004a3b0420 .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076f0f0e0 5 bytes JMP 000000004a3b0250 .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076f0f0f0 5 bytes JMP 000000004a3b0260 .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076f0f100 5 bytes JMP 000000004a3b0400 .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076f0f2c0 5 bytes JMP 000000004a3b01e0 .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076f0f2d0 5 bytes JMP 000000004a3b0200 .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076f0f340 5 bytes JMP 000000004a3b01f0 .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076f0f3a0 1 byte JMP 000000004a3b0430 .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 0000000076f0f3a2 3 bytes {JMP 0xffffffffd34a1090} .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076f0f3b0 5 bytes JMP 000000004a3b0450 .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076f0f3c0 5 bytes JMP 000000004a3b0210 .text C:\Windows\system32\csrss.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076f0f4a0 5 bytes JMP 000000004a3b0270 .text C:\Windows\system32\lsass.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076f0dc80 5 bytes JMP 0000000077070480 .text C:\Windows\system32\lsass.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076f0dcd0 5 bytes JMP 0000000077070470 .text C:\Windows\system32\lsass.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076f0de30 5 bytes JMP 0000000077070360 .text C:\Windows\system32\lsass.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076f0de80 5 bytes JMP 0000000077070490 .text C:\Windows\system32\lsass.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076f0de90 5 bytes JMP 00000000770703d0 .text C:\Windows\system32\lsass.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076f0df40 5 bytes JMP 0000000077070310 .text C:\Windows\system32\lsass.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076f0df70 5 bytes JMP 00000000770703a0 .text C:\Windows\system32\lsass.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076f0df90 5 bytes JMP 0000000077070380 .text C:\Windows\system32\lsass.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076f0dfd0 5 bytes JMP 00000000770702d0 .text C:\Windows\system32\lsass.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076f0e050 5 bytes JMP 00000000770702c0 .text C:\Windows\system32\lsass.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076f0e070 1 byte JMP 0000000077070300 .text C:\Windows\system32\lsass.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection + 2 0000000076f0e072 3 bytes {JMP 0x162290} .text C:\Windows\system32\lsass.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076f0e0b0 5 bytes JMP 00000000770703b0 .text C:\Windows\system32\lsass.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076f0e0f0 5 bytes JMP 0000000077070440 .text C:\Windows\system32\lsass.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076f0e100 5 bytes JMP 00000000770703e0 .text C:\Windows\system32\lsass.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076f0e260 5 bytes JMP 0000000077070220 .text C:\Windows\system32\lsass.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076f0e420 5 bytes JMP 00000000770704a0 .text C:\Windows\system32\lsass.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076f0e450 5 bytes JMP 0000000077070390 .text C:\Windows\system32\lsass.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076f0e530 5 bytes JMP 00000000770702e0 .text C:\Windows\system32\lsass.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076f0e540 5 bytes JMP 0000000077070340 .text C:\Windows\system32\lsass.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076f0e5a0 5 bytes JMP 0000000077070280 .text C:\Windows\system32\lsass.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076f0e630 5 bytes JMP 00000000770702a0 .text C:\Windows\system32\lsass.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076f0e650 5 bytes JMP 00000000770703c0 .text C:\Windows\system32\lsass.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076f0e660 5 bytes JMP 0000000077070320 .text C:\Windows\system32\lsass.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076f0e6d0 5 bytes JMP 0000000077070410 .text C:\Windows\system32\lsass.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076f0e700 5 bytes JMP 0000000077070230 .text C:\Windows\system32\lsass.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000076f0e8a0 5 bytes JMP 00000000770703f0 .text C:\Windows\system32\lsass.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076f0e9c0 5 bytes JMP 00000000770701d0 .text C:\Windows\system32\lsass.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076f0ea80 5 bytes JMP 0000000077070240 .text C:\Windows\system32\lsass.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076f0eab0 5 bytes JMP 00000000770704b0 .text C:\Windows\system32\lsass.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076f0eac0 5 bytes JMP 00000000770704c0 .text C:\Windows\system32\lsass.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076f0eaf0 5 bytes JMP 00000000770702f0 .text C:\Windows\system32\lsass.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076f0eb00 5 bytes JMP 0000000077070350 .text C:\Windows\system32\lsass.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076f0eb60 5 bytes JMP 0000000077070290 .text C:\Windows\system32\lsass.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076f0ebb0 5 bytes JMP 00000000770702b0 .text C:\Windows\system32\lsass.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076f0ebe0 1 byte JMP 0000000077070370 .text C:\Windows\system32\lsass.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread + 2 0000000076f0ebe2 3 bytes {JMP 0x161790} .text C:\Windows\system32\lsass.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076f0ebf0 5 bytes JMP 0000000077070330 .text C:\Windows\system32\lsass.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076f0eee0 5 bytes JMP 0000000077070460 .text C:\Windows\system32\lsass.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000076f0f040 5 bytes JMP 0000000077070420 .text C:\Windows\system32\lsass.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076f0f0e0 5 bytes JMP 0000000077070250 .text C:\Windows\system32\lsass.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076f0f0f0 5 bytes JMP 0000000077070260 .text C:\Windows\system32\lsass.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076f0f100 5 bytes JMP 0000000077070400 .text C:\Windows\system32\lsass.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076f0f2c0 5 bytes JMP 00000000770701e0 .text C:\Windows\system32\lsass.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076f0f2d0 5 bytes JMP 0000000077070200 .text C:\Windows\system32\lsass.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076f0f340 5 bytes JMP 00000000770701f0 .text C:\Windows\system32\lsass.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076f0f3a0 1 byte JMP 0000000077070430 .text C:\Windows\system32\lsass.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 0000000076f0f3a2 3 bytes {JMP 0x161090} .text C:\Windows\system32\lsass.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076f0f3b0 5 bytes JMP 0000000077070450 .text C:\Windows\system32\lsass.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076f0f3c0 5 bytes JMP 0000000077070210 .text C:\Windows\system32\lsass.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076f0f4a0 5 bytes JMP 0000000077070270 .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076f0dc80 5 bytes JMP 0000000077070480 .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076f0dcd0 5 bytes JMP 0000000077070470 .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076f0de30 5 bytes JMP 0000000077070360 .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076f0de80 5 bytes JMP 0000000077070490 .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076f0de90 5 bytes JMP 00000000770703d0 .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076f0df40 5 bytes JMP 0000000077070310 .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076f0df70 5 bytes JMP 00000000770703a0 .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076f0df90 5 bytes JMP 0000000077070380 .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076f0dfd0 5 bytes JMP 00000000770702d0 .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076f0e050 5 bytes JMP 00000000770702c0 .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076f0e070 1 byte JMP 0000000077070300 .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection + 2 0000000076f0e072 3 bytes {JMP 0x162290} .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076f0e0b0 5 bytes JMP 00000000770703b0 .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076f0e0f0 5 bytes JMP 0000000077070440 .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076f0e100 5 bytes JMP 00000000770703e0 .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076f0e260 5 bytes JMP 0000000077070220 .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076f0e420 5 bytes JMP 00000000770704a0 .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076f0e450 5 bytes JMP 0000000077070390 .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076f0e530 5 bytes JMP 00000000770702e0 .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076f0e540 5 bytes JMP 0000000077070340 .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076f0e5a0 5 bytes JMP 0000000077070280 .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076f0e630 5 bytes JMP 00000000770702a0 .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076f0e650 5 bytes JMP 00000000770703c0 .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076f0e660 5 bytes JMP 0000000077070320 .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076f0e6d0 5 bytes JMP 0000000077070410 .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076f0e700 5 bytes JMP 0000000077070230 .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000076f0e8a0 5 bytes JMP 00000000770703f0 .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076f0e9c0 5 bytes JMP 00000000770701d0 .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076f0ea80 5 bytes JMP 0000000077070240 .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076f0eab0 5 bytes JMP 00000000770704b0 .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076f0eac0 5 bytes JMP 00000000770704c0 .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076f0eaf0 5 bytes JMP 00000000770702f0 .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076f0eb00 5 bytes JMP 0000000077070350 .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076f0eb60 5 bytes JMP 0000000077070290 .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076f0ebb0 5 bytes JMP 00000000770702b0 .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076f0ebe0 1 byte JMP 0000000077070370 .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread + 2 0000000076f0ebe2 3 bytes {JMP 0x161790} .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076f0ebf0 5 bytes JMP 0000000077070330 .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076f0eee0 5 bytes JMP 0000000077070460 .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000076f0f040 5 bytes JMP 0000000077070420 .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076f0f0e0 5 bytes JMP 0000000077070250 .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076f0f0f0 5 bytes JMP 0000000077070260 .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076f0f100 5 bytes JMP 0000000077070400 .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076f0f2c0 5 bytes JMP 00000000770701e0 .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076f0f2d0 5 bytes JMP 0000000077070200 .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076f0f340 5 bytes JMP 00000000770701f0 .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076f0f3a0 1 byte JMP 0000000077070430 .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 0000000076f0f3a2 3 bytes {JMP 0x161090} .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076f0f3b0 5 bytes JMP 0000000077070450 .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076f0f3c0 5 bytes JMP 0000000077070210 .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076f0f4a0 5 bytes JMP 0000000077070270 .text C:\Windows\System32\svchost.exe[128] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076f0dc80 5 bytes JMP 0000000077070480 .text C:\Windows\System32\svchost.exe[128] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076f0dcd0 5 bytes JMP 0000000077070470 .text C:\Windows\System32\svchost.exe[128] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076f0de30 5 bytes JMP 0000000077070360 .text C:\Windows\System32\svchost.exe[128] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076f0de80 5 bytes JMP 0000000077070490 .text C:\Windows\System32\svchost.exe[128] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076f0de90 5 bytes JMP 00000000770703d0 .text C:\Windows\System32\svchost.exe[128] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076f0df40 5 bytes JMP 0000000077070310 .text C:\Windows\System32\svchost.exe[128] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076f0df70 5 bytes JMP 00000000770703a0 .text C:\Windows\System32\svchost.exe[128] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076f0df90 5 bytes JMP 0000000077070380 .text C:\Windows\System32\svchost.exe[128] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076f0dfd0 5 bytes JMP 00000000770702d0 .text C:\Windows\System32\svchost.exe[128] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076f0e050 5 bytes JMP 00000000770702c0 .text C:\Windows\System32\svchost.exe[128] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076f0e070 1 byte JMP 0000000077070300 .text C:\Windows\System32\svchost.exe[128] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection + 2 0000000076f0e072 3 bytes {JMP 0x162290} .text C:\Windows\System32\svchost.exe[128] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076f0e0b0 5 bytes JMP 00000000770703b0 .text C:\Windows\System32\svchost.exe[128] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076f0e0f0 5 bytes JMP 0000000077070440 .text C:\Windows\System32\svchost.exe[128] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076f0e100 5 bytes JMP 00000000770703e0 .text C:\Windows\System32\svchost.exe[128] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076f0e260 5 bytes JMP 0000000077070220 .text C:\Windows\System32\svchost.exe[128] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076f0e420 5 bytes JMP 00000000770704a0 .text C:\Windows\System32\svchost.exe[128] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076f0e450 5 bytes JMP 0000000077070390 .text C:\Windows\System32\svchost.exe[128] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076f0e530 5 bytes JMP 00000000770702e0 .text C:\Windows\System32\svchost.exe[128] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076f0e540 5 bytes JMP 0000000077070340 .text C:\Windows\System32\svchost.exe[128] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076f0e5a0 5 bytes JMP 0000000077070280 .text C:\Windows\System32\svchost.exe[128] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076f0e630 5 bytes JMP 00000000770702a0 .text C:\Windows\System32\svchost.exe[128] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076f0e650 5 bytes JMP 00000000770703c0 .text C:\Windows\System32\svchost.exe[128] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076f0e660 5 bytes JMP 0000000077070320 .text C:\Windows\System32\svchost.exe[128] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076f0e6d0 5 bytes JMP 0000000077070410 .text C:\Windows\System32\svchost.exe[128] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076f0e700 5 bytes JMP 0000000077070230 .text C:\Windows\System32\svchost.exe[128] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000076f0e8a0 5 bytes JMP 00000000770703f0 .text C:\Windows\System32\svchost.exe[128] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076f0e9c0 5 bytes JMP 00000000770701d0 .text C:\Windows\System32\svchost.exe[128] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076f0ea80 5 bytes JMP 0000000077070240 .text C:\Windows\System32\svchost.exe[128] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076f0eab0 5 bytes JMP 00000000770704b0 .text C:\Windows\System32\svchost.exe[128] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076f0eac0 5 bytes JMP 00000000770704c0 .text C:\Windows\System32\svchost.exe[128] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076f0eaf0 5 bytes JMP 00000000770702f0 .text C:\Windows\System32\svchost.exe[128] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076f0eb00 5 bytes JMP 0000000077070350 .text C:\Windows\System32\svchost.exe[128] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076f0eb60 5 bytes JMP 0000000077070290 .text C:\Windows\System32\svchost.exe[128] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076f0ebb0 5 bytes JMP 00000000770702b0 .text C:\Windows\System32\svchost.exe[128] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076f0ebe0 1 byte JMP 0000000077070370 .text C:\Windows\System32\svchost.exe[128] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread + 2 0000000076f0ebe2 3 bytes {JMP 0x161790} .text C:\Windows\System32\svchost.exe[128] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076f0ebf0 5 bytes JMP 0000000077070330 .text C:\Windows\System32\svchost.exe[128] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076f0eee0 5 bytes JMP 0000000077070460 .text C:\Windows\System32\svchost.exe[128] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000076f0f040 5 bytes JMP 0000000077070420 .text C:\Windows\System32\svchost.exe[128] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076f0f0e0 5 bytes JMP 0000000077070250 .text C:\Windows\System32\svchost.exe[128] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076f0f0f0 5 bytes JMP 0000000077070260 .text C:\Windows\System32\svchost.exe[128] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076f0f100 5 bytes JMP 0000000077070400 .text C:\Windows\System32\svchost.exe[128] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076f0f2c0 5 bytes JMP 00000000770701e0 .text C:\Windows\System32\svchost.exe[128] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076f0f2d0 5 bytes JMP 0000000077070200 .text C:\Windows\System32\svchost.exe[128] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076f0f340 5 bytes JMP 00000000770701f0 .text C:\Windows\System32\svchost.exe[128] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076f0f3a0 1 byte JMP 0000000077070430 .text C:\Windows\System32\svchost.exe[128] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 0000000076f0f3a2 3 bytes {JMP 0x161090} .text C:\Windows\System32\svchost.exe[128] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076f0f3b0 5 bytes JMP 0000000077070450 .text C:\Windows\System32\svchost.exe[128] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076f0f3c0 5 bytes JMP 0000000077070210 .text C:\Windows\System32\svchost.exe[128] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076f0f4a0 5 bytes JMP 0000000077070270 .text C:\Windows\System32\svchost.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076f0dc80 5 bytes JMP 0000000077070480 .text C:\Windows\System32\svchost.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076f0dcd0 5 bytes JMP 0000000077070470 .text C:\Windows\System32\svchost.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076f0de30 5 bytes JMP 0000000077070360 .text C:\Windows\System32\svchost.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076f0de80 5 bytes JMP 0000000077070490 .text C:\Windows\System32\svchost.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076f0de90 5 bytes JMP 00000000770703d0 .text C:\Windows\System32\svchost.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076f0df40 5 bytes JMP 0000000077070310 .text C:\Windows\System32\svchost.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076f0df70 5 bytes JMP 00000000770703a0 .text C:\Windows\System32\svchost.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076f0df90 5 bytes JMP 0000000077070380 .text C:\Windows\System32\svchost.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076f0dfd0 5 bytes JMP 00000000770702d0 .text C:\Windows\System32\svchost.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076f0e050 5 bytes JMP 00000000770702c0 .text C:\Windows\System32\svchost.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076f0e070 1 byte JMP 0000000077070300 .text C:\Windows\System32\svchost.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection + 2 0000000076f0e072 3 bytes {JMP 0x162290} .text C:\Windows\System32\svchost.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076f0e0b0 5 bytes JMP 00000000770703b0 .text C:\Windows\System32\svchost.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076f0e0f0 5 bytes JMP 0000000077070440 .text C:\Windows\System32\svchost.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076f0e100 5 bytes JMP 00000000770703e0 .text C:\Windows\System32\svchost.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076f0e260 5 bytes JMP 0000000077070220 .text C:\Windows\System32\svchost.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076f0e420 5 bytes JMP 00000000770704a0 .text C:\Windows\System32\svchost.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076f0e450 5 bytes JMP 0000000077070390 .text C:\Windows\System32\svchost.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076f0e530 5 bytes JMP 00000000770702e0 .text C:\Windows\System32\svchost.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076f0e540 5 bytes JMP 0000000077070340 .text C:\Windows\System32\svchost.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076f0e5a0 5 bytes JMP 0000000077070280 .text C:\Windows\System32\svchost.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076f0e630 5 bytes JMP 00000000770702a0 .text C:\Windows\System32\svchost.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076f0e650 5 bytes JMP 00000000770703c0 .text C:\Windows\System32\svchost.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076f0e660 5 bytes JMP 0000000077070320 .text C:\Windows\System32\svchost.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076f0e6d0 5 bytes JMP 0000000077070410 .text C:\Windows\System32\svchost.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076f0e700 5 bytes JMP 0000000077070230 .text C:\Windows\System32\svchost.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000076f0e8a0 5 bytes JMP 00000000770703f0 .text C:\Windows\System32\svchost.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076f0e9c0 5 bytes JMP 00000000770701d0 .text C:\Windows\System32\svchost.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076f0ea80 5 bytes JMP 0000000077070240 .text C:\Windows\System32\svchost.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076f0eab0 5 bytes JMP 00000000770704b0 .text C:\Windows\System32\svchost.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076f0eac0 5 bytes JMP 00000000770704c0 .text C:\Windows\System32\svchost.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076f0eaf0 5 bytes JMP 00000000770702f0 .text C:\Windows\System32\svchost.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076f0eb00 5 bytes JMP 0000000077070350 .text C:\Windows\System32\svchost.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076f0eb60 5 bytes JMP 0000000077070290 .text C:\Windows\System32\svchost.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076f0ebb0 5 bytes JMP 00000000770702b0 .text C:\Windows\System32\svchost.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076f0ebe0 1 byte JMP 0000000077070370 .text C:\Windows\System32\svchost.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread + 2 0000000076f0ebe2 3 bytes {JMP 0x161790} .text C:\Windows\System32\svchost.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076f0ebf0 5 bytes JMP 0000000077070330 .text C:\Windows\System32\svchost.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076f0eee0 5 bytes JMP 0000000077070460 .text C:\Windows\System32\svchost.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000076f0f040 5 bytes JMP 0000000077070420 .text C:\Windows\System32\svchost.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076f0f0e0 5 bytes JMP 0000000077070250 .text C:\Windows\System32\svchost.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076f0f0f0 5 bytes JMP 0000000077070260 .text C:\Windows\System32\svchost.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076f0f100 5 bytes JMP 0000000077070400 .text C:\Windows\System32\svchost.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076f0f2c0 5 bytes JMP 00000000770701e0 .text C:\Windows\System32\svchost.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076f0f2d0 5 bytes JMP 0000000077070200 .text C:\Windows\System32\svchost.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076f0f340 5 bytes JMP 00000000770701f0 .text C:\Windows\System32\svchost.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076f0f3a0 1 byte JMP 0000000077070430 .text C:\Windows\System32\svchost.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 0000000076f0f3a2 3 bytes {JMP 0x161090} .text C:\Windows\System32\svchost.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076f0f3b0 5 bytes JMP 0000000077070450 .text C:\Windows\System32\svchost.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076f0f3c0 5 bytes JMP 0000000077070210 .text C:\Windows\System32\svchost.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076f0f4a0 5 bytes JMP 0000000077070270 .text C:\Windows\system32\svchost.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076f0dc80 5 bytes JMP 0000000000070480 .text C:\Windows\system32\svchost.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076f0dcd0 5 bytes JMP 0000000000070470 .text C:\Windows\system32\svchost.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076f0de30 5 bytes JMP 0000000000070360 .text C:\Windows\system32\svchost.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076f0de80 5 bytes JMP 0000000000070490 .text C:\Windows\system32\svchost.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076f0de90 5 bytes JMP 00000000000703d0 .text C:\Windows\system32\svchost.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076f0df40 5 bytes JMP 0000000000070310 .text C:\Windows\system32\svchost.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076f0df70 5 bytes JMP 00000000000703a0 .text C:\Windows\system32\svchost.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076f0df90 5 bytes JMP 0000000000070380 .text C:\Windows\system32\svchost.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076f0dfd0 5 bytes JMP 00000000000702d0 .text C:\Windows\system32\svchost.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076f0e050 5 bytes JMP 00000000000702c0 .text C:\Windows\system32\svchost.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076f0e070 1 byte JMP 0000000000070300 .text C:\Windows\system32\svchost.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection + 2 0000000076f0e072 3 bytes {JMP 0xffffffff89162290} .text C:\Windows\system32\svchost.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076f0e0b0 5 bytes JMP 00000000000703b0 .text C:\Windows\system32\svchost.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076f0e0f0 5 bytes JMP 0000000000070440 .text C:\Windows\system32\svchost.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076f0e100 5 bytes JMP 00000000000703e0 .text C:\Windows\system32\svchost.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076f0e260 5 bytes JMP 0000000000070220 .text C:\Windows\system32\svchost.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076f0e420 5 bytes JMP 00000000000704a0 .text C:\Windows\system32\svchost.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076f0e450 5 bytes JMP 0000000000070390 .text C:\Windows\system32\svchost.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076f0e530 5 bytes JMP 00000000000702e0 .text C:\Windows\system32\svchost.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076f0e540 5 bytes JMP 0000000000070340 .text C:\Windows\system32\svchost.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076f0e5a0 5 bytes JMP 0000000000070280 .text C:\Windows\system32\svchost.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076f0e630 5 bytes JMP 00000000000702a0 .text C:\Windows\system32\svchost.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076f0e650 5 bytes JMP 00000000000703c0 .text C:\Windows\system32\svchost.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076f0e660 5 bytes JMP 0000000000070320 .text C:\Windows\system32\svchost.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076f0e6d0 5 bytes JMP 0000000000070410 .text C:\Windows\system32\svchost.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076f0e700 5 bytes JMP 0000000000070230 .text C:\Windows\system32\svchost.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000076f0e8a0 5 bytes JMP 00000000000703f0 .text C:\Windows\system32\svchost.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076f0e9c0 5 bytes JMP 00000000000701d0 .text C:\Windows\system32\svchost.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076f0ea80 5 bytes JMP 0000000000070240 .text C:\Windows\system32\svchost.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076f0eab0 5 bytes JMP 00000000000704b0 .text C:\Windows\system32\svchost.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076f0eac0 5 bytes JMP 00000000000704c0 .text C:\Windows\system32\svchost.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076f0eaf0 5 bytes JMP 00000000000702f0 .text C:\Windows\system32\svchost.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076f0eb00 5 bytes JMP 0000000000070350 .text C:\Windows\system32\svchost.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076f0eb60 5 bytes JMP 0000000000070290 .text C:\Windows\system32\svchost.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076f0ebb0 5 bytes JMP 00000000000702b0 .text C:\Windows\system32\svchost.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076f0ebe0 1 byte JMP 0000000000070370 .text C:\Windows\system32\svchost.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread + 2 0000000076f0ebe2 3 bytes {JMP 0xffffffff89161790} .text C:\Windows\system32\svchost.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076f0ebf0 5 bytes JMP 0000000000070330 .text C:\Windows\system32\svchost.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076f0eee0 5 bytes JMP 0000000000070460 .text C:\Windows\system32\svchost.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000076f0f040 5 bytes JMP 0000000000070420 .text C:\Windows\system32\svchost.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076f0f0e0 5 bytes JMP 0000000000070250 .text C:\Windows\system32\svchost.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076f0f0f0 5 bytes JMP 0000000000070260 .text C:\Windows\system32\svchost.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076f0f100 5 bytes JMP 0000000000070400 .text C:\Windows\system32\svchost.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076f0f2c0 5 bytes JMP 00000000000701e0 .text C:\Windows\system32\svchost.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076f0f2d0 5 bytes JMP 0000000000070200 .text C:\Windows\system32\svchost.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076f0f340 5 bytes JMP 00000000000701f0 .text C:\Windows\system32\svchost.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076f0f3a0 1 byte JMP 0000000000070430 .text C:\Windows\system32\svchost.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 0000000076f0f3a2 3 bytes {JMP 0xffffffff89161090} .text C:\Windows\system32\svchost.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076f0f3b0 5 bytes JMP 0000000000070450 .text C:\Windows\system32\svchost.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076f0f3c0 5 bytes JMP 0000000000070210 .text C:\Windows\system32\svchost.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076f0f4a0 5 bytes JMP 0000000000070270 .text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076f0dc80 5 bytes JMP 0000000077070480 .text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076f0dcd0 5 bytes JMP 0000000077070470 .text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076f0de30 5 bytes JMP 0000000077070360 .text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076f0de80 5 bytes JMP 0000000077070490 .text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076f0de90 5 bytes JMP 00000000770703d0 .text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076f0df40 5 bytes JMP 0000000077070310 .text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076f0df70 5 bytes JMP 00000000770703a0 .text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076f0df90 5 bytes JMP 0000000077070380 .text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076f0dfd0 5 bytes JMP 00000000770702d0 .text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076f0e050 5 bytes JMP 00000000770702c0 .text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076f0e070 1 byte JMP 0000000077070300 .text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection + 2 0000000076f0e072 3 bytes {JMP 0x162290} .text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076f0e0b0 5 bytes JMP 00000000770703b0 .text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076f0e0f0 5 bytes JMP 0000000077070440 .text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076f0e100 5 bytes JMP 00000000770703e0 .text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076f0e260 5 bytes JMP 0000000077070220 .text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076f0e420 5 bytes JMP 00000000770704a0 .text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076f0e450 5 bytes JMP 0000000077070390 .text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076f0e530 5 bytes JMP 00000000770702e0 .text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076f0e540 5 bytes JMP 0000000077070340 .text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076f0e5a0 5 bytes JMP 0000000077070280 .text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076f0e630 5 bytes JMP 00000000770702a0 .text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076f0e650 5 bytes JMP 00000000770703c0 .text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076f0e660 5 bytes JMP 0000000077070320 .text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076f0e6d0 5 bytes JMP 0000000077070410 .text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076f0e700 5 bytes JMP 0000000077070230 .text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000076f0e8a0 5 bytes JMP 00000000770703f0 .text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076f0e9c0 5 bytes JMP 00000000770701d0 .text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076f0ea80 5 bytes JMP 0000000077070240 .text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076f0eab0 5 bytes JMP 00000000770704b0 .text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076f0eac0 5 bytes JMP 00000000770704c0 .text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076f0eaf0 5 bytes JMP 00000000770702f0 .text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076f0eb00 5 bytes JMP 0000000077070350 .text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076f0eb60 5 bytes JMP 0000000077070290 .text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076f0ebb0 5 bytes JMP 00000000770702b0 .text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076f0ebe0 1 byte JMP 0000000077070370 .text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread + 2 0000000076f0ebe2 3 bytes {JMP 0x161790} .text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076f0ebf0 5 bytes JMP 0000000077070330 .text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076f0eee0 5 bytes JMP 0000000077070460 .text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000076f0f040 5 bytes JMP 0000000077070420 .text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076f0f0e0 5 bytes JMP 0000000077070250 .text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076f0f0f0 5 bytes JMP 0000000077070260 .text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076f0f100 5 bytes JMP 0000000077070400 .text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076f0f2c0 5 bytes JMP 00000000770701e0 .text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076f0f2d0 5 bytes JMP 0000000077070200 .text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076f0f340 5 bytes JMP 00000000770701f0 .text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076f0f3a0 1 byte JMP 0000000077070430 .text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 0000000076f0f3a2 3 bytes {JMP 0x161090} .text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076f0f3b0 5 bytes JMP 0000000077070450 .text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076f0f3c0 5 bytes JMP 0000000077070210 .text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076f0f4a0 5 bytes JMP 0000000077070270 .text C:\Windows\system32\svchost.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076f0dc80 5 bytes JMP 0000000077070480 .text C:\Windows\system32\svchost.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076f0dcd0 5 bytes JMP 0000000077070470 .text C:\Windows\system32\svchost.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076f0de30 5 bytes JMP 0000000077070360 .text C:\Windows\system32\svchost.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076f0de80 5 bytes JMP 0000000077070490 .text C:\Windows\system32\svchost.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076f0de90 5 bytes JMP 00000000770703d0 .text C:\Windows\system32\svchost.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076f0df40 5 bytes JMP 0000000077070310 .text C:\Windows\system32\svchost.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076f0df70 5 bytes JMP 00000000770703a0 .text C:\Windows\system32\svchost.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076f0df90 5 bytes JMP 0000000077070380 .text C:\Windows\system32\svchost.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076f0dfd0 5 bytes JMP 00000000770702d0 .text C:\Windows\system32\svchost.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076f0e050 5 bytes JMP 00000000770702c0 .text C:\Windows\system32\svchost.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076f0e070 1 byte JMP 0000000077070300 .text C:\Windows\system32\svchost.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection + 2 0000000076f0e072 3 bytes {JMP 0x162290} .text C:\Windows\system32\svchost.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076f0e0b0 5 bytes JMP 00000000770703b0 .text C:\Windows\system32\svchost.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076f0e0f0 5 bytes JMP 0000000077070440 .text C:\Windows\system32\svchost.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076f0e100 5 bytes JMP 00000000770703e0 .text C:\Windows\system32\svchost.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076f0e260 5 bytes JMP 0000000077070220 .text C:\Windows\system32\svchost.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076f0e420 5 bytes JMP 00000000770704a0 .text C:\Windows\system32\svchost.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076f0e450 5 bytes JMP 0000000077070390 .text C:\Windows\system32\svchost.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076f0e530 5 bytes JMP 00000000770702e0 .text C:\Windows\system32\svchost.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076f0e540 5 bytes JMP 0000000077070340 .text C:\Windows\system32\svchost.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076f0e5a0 5 bytes JMP 0000000077070280 .text C:\Windows\system32\svchost.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076f0e630 5 bytes JMP 00000000770702a0 .text C:\Windows\system32\svchost.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076f0e650 5 bytes JMP 00000000770703c0 .text C:\Windows\system32\svchost.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076f0e660 5 bytes JMP 0000000077070320 .text C:\Windows\system32\svchost.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076f0e6d0 5 bytes JMP 0000000077070410 .text C:\Windows\system32\svchost.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076f0e700 5 bytes JMP 0000000077070230 .text C:\Windows\system32\svchost.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000076f0e8a0 5 bytes JMP 00000000770703f0 .text C:\Windows\system32\svchost.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076f0e9c0 5 bytes JMP 00000000770701d0 .text C:\Windows\system32\svchost.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076f0ea80 5 bytes JMP 0000000077070240 .text C:\Windows\system32\svchost.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076f0eab0 5 bytes JMP 00000000770704b0 .text C:\Windows\system32\svchost.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076f0eac0 5 bytes JMP 00000000770704c0 .text C:\Windows\system32\svchost.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076f0eaf0 5 bytes JMP 00000000770702f0 .text C:\Windows\system32\svchost.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076f0eb00 5 bytes JMP 0000000077070350 .text C:\Windows\system32\svchost.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076f0eb60 5 bytes JMP 0000000077070290 .text C:\Windows\system32\svchost.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076f0ebb0 5 bytes JMP 00000000770702b0 .text C:\Windows\system32\svchost.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076f0ebe0 1 byte JMP 0000000077070370 .text C:\Windows\system32\svchost.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread + 2 0000000076f0ebe2 3 bytes {JMP 0x161790} .text C:\Windows\system32\svchost.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076f0ebf0 5 bytes JMP 0000000077070330 .text C:\Windows\system32\svchost.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076f0eee0 5 bytes JMP 0000000077070460 .text C:\Windows\system32\svchost.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000076f0f040 5 bytes JMP 0000000077070420 .text C:\Windows\system32\svchost.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076f0f0e0 5 bytes JMP 0000000077070250 .text C:\Windows\system32\svchost.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076f0f0f0 5 bytes JMP 0000000077070260 .text C:\Windows\system32\svchost.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076f0f100 5 bytes JMP 0000000077070400 .text C:\Windows\system32\svchost.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076f0f2c0 5 bytes JMP 00000000770701e0 .text C:\Windows\system32\svchost.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076f0f2d0 5 bytes JMP 0000000077070200 .text C:\Windows\system32\svchost.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076f0f340 5 bytes JMP 00000000770701f0 .text C:\Windows\system32\svchost.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076f0f3a0 1 byte JMP 0000000077070430 .text C:\Windows\system32\svchost.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 0000000076f0f3a2 3 bytes {JMP 0x161090} .text C:\Windows\system32\svchost.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076f0f3b0 5 bytes JMP 0000000077070450 .text C:\Windows\system32\svchost.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076f0f3c0 5 bytes JMP 0000000077070210 .text C:\Windows\system32\svchost.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076f0f4a0 5 bytes JMP 0000000077070270 .text C:\Windows\system32\svchost.exe[2176] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076f0dc80 5 bytes JMP 0000000077070480 .text C:\Windows\system32\svchost.exe[2176] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076f0dcd0 5 bytes JMP 0000000077070470 .text C:\Windows\system32\svchost.exe[2176] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076f0de30 5 bytes JMP 0000000077070360 .text C:\Windows\system32\svchost.exe[2176] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076f0de80 5 bytes JMP 0000000077070490 .text C:\Windows\system32\svchost.exe[2176] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076f0de90 5 bytes JMP 00000000770703d0 .text C:\Windows\system32\svchost.exe[2176] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076f0df40 5 bytes JMP 0000000077070310 .text C:\Windows\system32\svchost.exe[2176] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076f0df70 5 bytes JMP 00000000770703a0 .text C:\Windows\system32\svchost.exe[2176] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076f0df90 5 bytes JMP 0000000077070380 .text C:\Windows\system32\svchost.exe[2176] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076f0dfd0 5 bytes JMP 00000000770702d0 .text C:\Windows\system32\svchost.exe[2176] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076f0e050 5 bytes JMP 00000000770702c0 .text C:\Windows\system32\svchost.exe[2176] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076f0e070 1 byte JMP 0000000077070300 .text C:\Windows\system32\svchost.exe[2176] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection + 2 0000000076f0e072 3 bytes {JMP 0x162290} .text C:\Windows\system32\svchost.exe[2176] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076f0e0b0 5 bytes JMP 00000000770703b0 .text C:\Windows\system32\svchost.exe[2176] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076f0e0f0 5 bytes JMP 0000000077070440 .text C:\Windows\system32\svchost.exe[2176] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076f0e100 5 bytes JMP 00000000770703e0 .text C:\Windows\system32\svchost.exe[2176] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076f0e260 5 bytes JMP 0000000077070220 .text C:\Windows\system32\svchost.exe[2176] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076f0e420 5 bytes JMP 00000000770704a0 .text C:\Windows\system32\svchost.exe[2176] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076f0e450 5 bytes JMP 0000000077070390 .text C:\Windows\system32\svchost.exe[2176] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076f0e530 5 bytes JMP 00000000770702e0 .text C:\Windows\system32\svchost.exe[2176] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076f0e540 5 bytes JMP 0000000077070340 .text C:\Windows\system32\svchost.exe[2176] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076f0e5a0 5 bytes JMP 0000000077070280 .text C:\Windows\system32\svchost.exe[2176] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076f0e630 5 bytes JMP 00000000770702a0 .text C:\Windows\system32\svchost.exe[2176] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076f0e650 5 bytes JMP 00000000770703c0 .text C:\Windows\system32\svchost.exe[2176] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076f0e660 5 bytes JMP 0000000077070320 .text C:\Windows\system32\svchost.exe[2176] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076f0e6d0 5 bytes JMP 0000000077070410 .text C:\Windows\system32\svchost.exe[2176] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076f0e700 5 bytes JMP 0000000077070230 .text C:\Windows\system32\svchost.exe[2176] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000076f0e8a0 5 bytes JMP 00000000770703f0 .text C:\Windows\system32\svchost.exe[2176] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076f0e9c0 5 bytes JMP 00000000770701d0 .text C:\Windows\system32\svchost.exe[2176] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076f0ea80 5 bytes JMP 0000000077070240 .text C:\Windows\system32\svchost.exe[2176] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076f0eab0 5 bytes JMP 00000000770704b0 .text C:\Windows\system32\svchost.exe[2176] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076f0eac0 5 bytes JMP 00000000770704c0 .text C:\Windows\system32\svchost.exe[2176] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076f0eaf0 5 bytes JMP 00000000770702f0 .text C:\Windows\system32\svchost.exe[2176] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076f0eb00 5 bytes JMP 0000000077070350 .text C:\Windows\system32\svchost.exe[2176] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076f0eb60 5 bytes JMP 0000000077070290 .text C:\Windows\system32\svchost.exe[2176] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076f0ebb0 5 bytes JMP 00000000770702b0 .text C:\Windows\system32\svchost.exe[2176] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076f0ebe0 1 byte JMP 0000000077070370 .text C:\Windows\system32\svchost.exe[2176] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread + 2 0000000076f0ebe2 3 bytes {JMP 0x161790} .text C:\Windows\system32\svchost.exe[2176] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076f0ebf0 5 bytes JMP 0000000077070330 .text C:\Windows\system32\svchost.exe[2176] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076f0eee0 5 bytes JMP 0000000077070460 .text C:\Windows\system32\svchost.exe[2176] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000076f0f040 5 bytes JMP 0000000077070420 .text C:\Windows\system32\svchost.exe[2176] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076f0f0e0 5 bytes JMP 0000000077070250 .text C:\Windows\system32\svchost.exe[2176] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076f0f0f0 5 bytes JMP 0000000077070260 .text C:\Windows\system32\svchost.exe[2176] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076f0f100 5 bytes JMP 0000000077070400 .text C:\Windows\system32\svchost.exe[2176] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076f0f2c0 5 bytes JMP 00000000770701e0 .text C:\Windows\system32\svchost.exe[2176] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076f0f2d0 5 bytes JMP 0000000077070200 .text C:\Windows\system32\svchost.exe[2176] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076f0f340 5 bytes JMP 00000000770701f0 .text C:\Windows\system32\svchost.exe[2176] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076f0f3a0 1 byte JMP 0000000077070430 .text C:\Windows\system32\svchost.exe[2176] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 0000000076f0f3a2 3 bytes {JMP 0x161090} .text C:\Windows\system32\svchost.exe[2176] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076f0f3b0 5 bytes JMP 0000000077070450 .text C:\Windows\system32\svchost.exe[2176] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076f0f3c0 5 bytes JMP 0000000077070210 .text C:\Windows\system32\svchost.exe[2176] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076f0f4a0 5 bytes JMP 0000000077070270 .text C:\Windows\system32\Dwm.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076f0dc80 5 bytes JMP 0000000077070480 .text C:\Windows\system32\Dwm.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076f0dcd0 5 bytes JMP 0000000077070470 .text C:\Windows\system32\Dwm.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076f0de30 5 bytes JMP 0000000077070360 .text C:\Windows\system32\Dwm.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076f0de80 5 bytes JMP 0000000077070490 .text C:\Windows\system32\Dwm.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076f0de90 5 bytes JMP 00000000770703d0 .text C:\Windows\system32\Dwm.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076f0df40 5 bytes JMP 0000000077070310 .text C:\Windows\system32\Dwm.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076f0df70 5 bytes JMP 00000000770703a0 .text C:\Windows\system32\Dwm.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076f0df90 5 bytes JMP 0000000077070380 .text C:\Windows\system32\Dwm.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076f0dfd0 5 bytes JMP 00000000770702d0 .text C:\Windows\system32\Dwm.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076f0e050 5 bytes JMP 00000000770702c0 .text C:\Windows\system32\Dwm.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076f0e070 1 byte JMP 0000000077070300 .text C:\Windows\system32\Dwm.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection + 2 0000000076f0e072 3 bytes {JMP 0x162290} .text C:\Windows\system32\Dwm.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076f0e0b0 5 bytes JMP 00000000770703b0 .text C:\Windows\system32\Dwm.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076f0e0f0 5 bytes JMP 0000000077070440 .text C:\Windows\system32\Dwm.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076f0e100 5 bytes JMP 00000000770703e0 .text C:\Windows\system32\Dwm.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076f0e260 5 bytes JMP 0000000077070220 .text C:\Windows\system32\Dwm.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076f0e420 5 bytes JMP 00000000770704a0 .text C:\Windows\system32\Dwm.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076f0e450 5 bytes JMP 0000000077070390 .text C:\Windows\system32\Dwm.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076f0e530 5 bytes JMP 00000000770702e0 .text C:\Windows\system32\Dwm.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076f0e540 5 bytes JMP 0000000077070340 .text C:\Windows\system32\Dwm.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076f0e5a0 5 bytes JMP 0000000077070280 .text C:\Windows\system32\Dwm.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076f0e630 5 bytes JMP 00000000770702a0 .text C:\Windows\system32\Dwm.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076f0e650 5 bytes JMP 00000000770703c0 .text C:\Windows\system32\Dwm.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076f0e660 5 bytes JMP 0000000077070320 .text C:\Windows\system32\Dwm.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076f0e6d0 5 bytes JMP 0000000077070410 .text C:\Windows\system32\Dwm.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076f0e700 5 bytes JMP 0000000077070230 .text C:\Windows\system32\Dwm.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000076f0e8a0 5 bytes JMP 00000000770703f0 .text C:\Windows\system32\Dwm.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076f0e9c0 5 bytes JMP 00000000770701d0 .text C:\Windows\system32\Dwm.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076f0ea80 5 bytes JMP 0000000077070240 .text C:\Windows\system32\Dwm.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076f0eab0 5 bytes JMP 00000000770704b0 .text C:\Windows\system32\Dwm.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076f0eac0 5 bytes JMP 00000000770704c0 .text C:\Windows\system32\Dwm.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076f0eaf0 5 bytes JMP 00000000770702f0 .text C:\Windows\system32\Dwm.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076f0eb00 5 bytes JMP 0000000077070350 .text C:\Windows\system32\Dwm.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076f0eb60 5 bytes JMP 0000000077070290 .text C:\Windows\system32\Dwm.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076f0ebb0 5 bytes JMP 00000000770702b0 .text C:\Windows\system32\Dwm.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076f0ebe0 1 byte JMP 0000000077070370 .text C:\Windows\system32\Dwm.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread + 2 0000000076f0ebe2 3 bytes {JMP 0x161790} .text C:\Windows\system32\Dwm.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076f0ebf0 5 bytes JMP 0000000077070330 .text C:\Windows\system32\Dwm.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076f0eee0 5 bytes JMP 0000000077070460 .text C:\Windows\system32\Dwm.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000076f0f040 5 bytes JMP 0000000077070420 .text C:\Windows\system32\Dwm.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076f0f0e0 5 bytes JMP 0000000077070250 .text C:\Windows\system32\Dwm.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076f0f0f0 5 bytes JMP 0000000077070260 .text C:\Windows\system32\Dwm.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076f0f100 5 bytes JMP 0000000077070400 .text C:\Windows\system32\Dwm.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076f0f2c0 5 bytes JMP 00000000770701e0 .text C:\Windows\system32\Dwm.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076f0f2d0 5 bytes JMP 0000000077070200 .text C:\Windows\system32\Dwm.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076f0f340 5 bytes JMP 00000000770701f0 .text C:\Windows\system32\Dwm.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076f0f3a0 1 byte JMP 0000000077070430 .text C:\Windows\system32\Dwm.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 0000000076f0f3a2 3 bytes {JMP 0x161090} .text C:\Windows\system32\Dwm.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076f0f3b0 5 bytes JMP 0000000077070450 .text C:\Windows\system32\Dwm.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076f0f3c0 5 bytes JMP 0000000077070210 .text C:\Windows\system32\Dwm.exe[1316] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076f0f4a0 5 bytes JMP 0000000077070270 .text C:\Windows\Explorer.EXE[1376] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076f0dc80 5 bytes JMP 0000000077070480 .text C:\Windows\Explorer.EXE[1376] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076f0dcd0 5 bytes JMP 0000000077070470 .text C:\Windows\Explorer.EXE[1376] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076f0de30 5 bytes JMP 0000000077070360 .text C:\Windows\Explorer.EXE[1376] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076f0de80 5 bytes JMP 0000000077070490 .text C:\Windows\Explorer.EXE[1376] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076f0de90 5 bytes JMP 00000000770703d0 .text C:\Windows\Explorer.EXE[1376] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076f0df40 5 bytes JMP 0000000077070310 .text C:\Windows\Explorer.EXE[1376] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076f0df70 5 bytes JMP 00000000770703a0 .text C:\Windows\Explorer.EXE[1376] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076f0df90 5 bytes JMP 0000000077070380 .text C:\Windows\Explorer.EXE[1376] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076f0dfd0 5 bytes JMP 00000000770702d0 .text C:\Windows\Explorer.EXE[1376] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076f0e050 5 bytes JMP 00000000770702c0 .text C:\Windows\Explorer.EXE[1376] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076f0e070 1 byte JMP 0000000077070300 .text C:\Windows\Explorer.EXE[1376] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection + 2 0000000076f0e072 3 bytes {JMP 0x162290} .text C:\Windows\Explorer.EXE[1376] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076f0e0b0 5 bytes JMP 00000000770703b0 .text C:\Windows\Explorer.EXE[1376] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076f0e0f0 5 bytes JMP 0000000077070440 .text C:\Windows\Explorer.EXE[1376] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076f0e100 5 bytes JMP 00000000770703e0 .text C:\Windows\Explorer.EXE[1376] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076f0e260 5 bytes JMP 0000000077070220 .text C:\Windows\Explorer.EXE[1376] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076f0e420 5 bytes JMP 00000000770704a0 .text C:\Windows\Explorer.EXE[1376] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076f0e450 5 bytes JMP 0000000077070390 .text C:\Windows\Explorer.EXE[1376] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076f0e530 5 bytes JMP 00000000770702e0 .text C:\Windows\Explorer.EXE[1376] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076f0e540 5 bytes JMP 0000000077070340 .text C:\Windows\Explorer.EXE[1376] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076f0e5a0 5 bytes JMP 0000000077070280 .text C:\Windows\Explorer.EXE[1376] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076f0e630 5 bytes JMP 00000000770702a0 .text C:\Windows\Explorer.EXE[1376] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076f0e650 5 bytes JMP 00000000770703c0 .text C:\Windows\Explorer.EXE[1376] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076f0e660 5 bytes JMP 0000000077070320 .text C:\Windows\Explorer.EXE[1376] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076f0e6d0 5 bytes JMP 0000000077070410 .text C:\Windows\Explorer.EXE[1376] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076f0e700 5 bytes JMP 0000000077070230 .text C:\Windows\Explorer.EXE[1376] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000076f0e8a0 5 bytes JMP 00000000770703f0 .text C:\Windows\Explorer.EXE[1376] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076f0e9c0 5 bytes JMP 00000000770701d0 .text C:\Windows\Explorer.EXE[1376] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076f0ea80 5 bytes JMP 0000000077070240 .text C:\Windows\Explorer.EXE[1376] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076f0eab0 5 bytes JMP 00000000770704b0 .text C:\Windows\Explorer.EXE[1376] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076f0eac0 5 bytes JMP 00000000770704c0 .text C:\Windows\Explorer.EXE[1376] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076f0eaf0 5 bytes JMP 00000000770702f0 .text C:\Windows\Explorer.EXE[1376] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076f0eb00 5 bytes JMP 0000000077070350 .text C:\Windows\Explorer.EXE[1376] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076f0eb60 5 bytes JMP 0000000077070290 .text C:\Windows\Explorer.EXE[1376] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076f0ebb0 5 bytes JMP 00000000770702b0 .text C:\Windows\Explorer.EXE[1376] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076f0ebe0 1 byte JMP 0000000077070370 .text C:\Windows\Explorer.EXE[1376] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread + 2 0000000076f0ebe2 3 bytes {JMP 0x161790} .text C:\Windows\Explorer.EXE[1376] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076f0ebf0 5 bytes JMP 0000000077070330 .text C:\Windows\Explorer.EXE[1376] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076f0eee0 5 bytes JMP 0000000077070460 .text C:\Windows\Explorer.EXE[1376] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000076f0f040 5 bytes JMP 0000000077070420 .text C:\Windows\Explorer.EXE[1376] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076f0f0e0 5 bytes JMP 0000000077070250 .text C:\Windows\Explorer.EXE[1376] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076f0f0f0 5 bytes JMP 0000000077070260 .text C:\Windows\Explorer.EXE[1376] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076f0f100 5 bytes JMP 0000000077070400 .text C:\Windows\Explorer.EXE[1376] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076f0f2c0 5 bytes JMP 00000000770701e0 .text C:\Windows\Explorer.EXE[1376] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076f0f2d0 5 bytes JMP 0000000077070200 .text C:\Windows\Explorer.EXE[1376] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076f0f340 5 bytes JMP 00000000770701f0 .text C:\Windows\Explorer.EXE[1376] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076f0f3a0 1 byte JMP 0000000077070430 .text C:\Windows\Explorer.EXE[1376] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 0000000076f0f3a2 3 bytes {JMP 0x161090} .text C:\Windows\Explorer.EXE[1376] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076f0f3b0 5 bytes JMP 0000000077070450 .text C:\Windows\Explorer.EXE[1376] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076f0f3c0 5 bytes JMP 0000000077070210 .text C:\Windows\Explorer.EXE[1376] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076f0f4a0 5 bytes JMP 0000000077070270 .text C:\Windows\System32\svchost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076f0dc80 5 bytes JMP 0000000077070480 .text C:\Windows\System32\svchost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076f0dcd0 5 bytes JMP 0000000077070470 .text C:\Windows\System32\svchost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076f0de30 5 bytes JMP 0000000077070360 .text C:\Windows\System32\svchost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076f0de80 5 bytes JMP 0000000077070490 .text C:\Windows\System32\svchost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076f0de90 5 bytes JMP 00000000770703d0 .text C:\Windows\System32\svchost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076f0df40 5 bytes JMP 0000000077070310 .text C:\Windows\System32\svchost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076f0df70 5 bytes JMP 00000000770703a0 .text C:\Windows\System32\svchost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076f0df90 5 bytes JMP 0000000077070380 .text C:\Windows\System32\svchost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076f0dfd0 5 bytes JMP 00000000770702d0 .text C:\Windows\System32\svchost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076f0e050 5 bytes JMP 00000000770702c0 .text C:\Windows\System32\svchost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076f0e070 1 byte JMP 0000000077070300 .text C:\Windows\System32\svchost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection + 2 0000000076f0e072 3 bytes {JMP 0x162290} .text C:\Windows\System32\svchost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076f0e0b0 5 bytes JMP 00000000770703b0 .text C:\Windows\System32\svchost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076f0e0f0 5 bytes JMP 0000000077070440 .text C:\Windows\System32\svchost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076f0e100 5 bytes JMP 00000000770703e0 .text C:\Windows\System32\svchost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076f0e260 5 bytes JMP 0000000077070220 .text C:\Windows\System32\svchost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076f0e420 5 bytes JMP 00000000770704a0 .text C:\Windows\System32\svchost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076f0e450 5 bytes JMP 0000000077070390 .text C:\Windows\System32\svchost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076f0e530 5 bytes JMP 00000000770702e0 .text C:\Windows\System32\svchost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076f0e540 5 bytes JMP 0000000077070340 .text C:\Windows\System32\svchost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076f0e5a0 5 bytes JMP 0000000077070280 .text C:\Windows\System32\svchost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076f0e630 5 bytes JMP 00000000770702a0 .text C:\Windows\System32\svchost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076f0e650 5 bytes JMP 00000000770703c0 .text C:\Windows\System32\svchost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076f0e660 5 bytes JMP 0000000077070320 .text C:\Windows\System32\svchost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076f0e6d0 5 bytes JMP 0000000077070410 .text C:\Windows\System32\svchost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076f0e700 5 bytes JMP 0000000077070230 .text C:\Windows\System32\svchost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000076f0e8a0 5 bytes JMP 00000000770703f0 .text C:\Windows\System32\svchost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076f0e9c0 5 bytes JMP 00000000770701d0 .text C:\Windows\System32\svchost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076f0ea80 5 bytes JMP 0000000077070240 .text C:\Windows\System32\svchost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076f0eab0 5 bytes JMP 00000000770704b0 .text C:\Windows\System32\svchost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076f0eac0 5 bytes JMP 00000000770704c0 .text C:\Windows\System32\svchost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076f0eaf0 5 bytes JMP 00000000770702f0 .text C:\Windows\System32\svchost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076f0eb00 5 bytes JMP 0000000077070350 .text C:\Windows\System32\svchost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076f0eb60 5 bytes JMP 0000000077070290 .text C:\Windows\System32\svchost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076f0ebb0 5 bytes JMP 00000000770702b0 .text C:\Windows\System32\svchost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076f0ebe0 1 byte JMP 0000000077070370 .text C:\Windows\System32\svchost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread + 2 0000000076f0ebe2 3 bytes {JMP 0x161790} .text C:\Windows\System32\svchost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076f0ebf0 5 bytes JMP 0000000077070330 .text C:\Windows\System32\svchost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076f0eee0 5 bytes JMP 0000000077070460 .text C:\Windows\System32\svchost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000076f0f040 5 bytes JMP 0000000077070420 .text C:\Windows\System32\svchost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076f0f0e0 5 bytes JMP 0000000077070250 .text C:\Windows\System32\svchost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076f0f0f0 5 bytes JMP 0000000077070260 .text C:\Windows\System32\svchost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076f0f100 5 bytes JMP 0000000077070400 .text C:\Windows\System32\svchost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076f0f2c0 5 bytes JMP 00000000770701e0 .text C:\Windows\System32\svchost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076f0f2d0 5 bytes JMP 0000000077070200 .text C:\Windows\System32\svchost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076f0f340 5 bytes JMP 00000000770701f0 .text C:\Windows\System32\svchost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076f0f3a0 1 byte JMP 0000000077070430 .text C:\Windows\System32\svchost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 0000000076f0f3a2 3 bytes {JMP 0x161090} .text C:\Windows\System32\svchost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076f0f3b0 5 bytes JMP 0000000077070450 .text C:\Windows\System32\svchost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076f0f3c0 5 bytes JMP 0000000077070210 .text C:\Windows\System32\svchost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076f0f4a0 5 bytes JMP 0000000077070270 .text C:\Program Files\AVAST Software\Avast\avastui.exe[4516] C:\Windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter 00000000768f8781 8 bytes [31, C0, C2, 04, 00, 90, 90, ...] .text C:\Program Files\Steam\bin\cef\cef.winxp\steamwebhelper.exe[1884] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 00000000770bf9ad 7 bytes {MOV EDX, 0xb0bae8; JMP RDX} .text C:\Program Files\Steam\bin\cef\cef.winxp\steamwebhelper.exe[1884] C:\Windows\SysWOW64\ntdll.dll!NtOpenKey + 5 00000000770bfa29 7 bytes {MOV EDX, 0xb0b9a8; JMP RDX} .text C:\Program Files\Steam\bin\cef\cef.winxp\steamwebhelper.exe[1884] C:\Windows\SysWOW64\ntdll.dll!NtCreateKey + 5 00000000770bfb41 7 bytes {MOV EDX, 0xb0b968; JMP RDX} .text C:\Program Files\Steam\bin\cef\cef.winxp\steamwebhelper.exe[1884] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 00000000770bfbf1 7 bytes {MOV EDX, 0xb0bb28; JMP RDX} .text C:\Program Files\Steam\bin\cef\cef.winxp\steamwebhelper.exe[1884] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 00000000770bfc21 7 bytes {MOV EDX, 0xb0ba68; JMP RDX} .text C:\Program Files\Steam\bin\cef\cef.winxp\steamwebhelper.exe[1884] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 00000000770bfc39 7 bytes {MOV EDX, 0xb0b928; JMP RDX} .text C:\Program Files\Steam\bin\cef\cef.winxp\steamwebhelper.exe[1884] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 00000000770bfc51 7 bytes {MOV EDX, 0xb0bbe8; JMP RDX} .text C:\Program Files\Steam\bin\cef\cef.winxp\steamwebhelper.exe[1884] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 00000000770bfc81 7 bytes {MOV EDX, 0xb0bc28; JMP RDX} .text C:\Program Files\Steam\bin\cef\cef.winxp\steamwebhelper.exe[1884] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 00000000770bfd01 7 bytes {MOV EDX, 0xb0bba8; JMP RDX} .text C:\Program Files\Steam\bin\cef\cef.winxp\steamwebhelper.exe[1884] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 00000000770bfd19 7 bytes {MOV EDX, 0xb0bb68; JMP RDX} .text C:\Program Files\Steam\bin\cef\cef.winxp\steamwebhelper.exe[1884] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 5 00000000770bfd65 7 bytes {MOV EDX, 0xb0b868; JMP RDX} .text C:\Program Files\Steam\bin\cef\cef.winxp\steamwebhelper.exe[1884] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 00000000770bfe5d 7 bytes {MOV EDX, 0xb0b8a8; JMP RDX} .text C:\Program Files\Steam\bin\cef\cef.winxp\steamwebhelper.exe[1884] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5 00000000770c00b5 7 bytes {MOV EDX, 0xb0b828; JMP RDX} .text C:\Program Files\Steam\bin\cef\cef.winxp\steamwebhelper.exe[1884] C:\Windows\SysWOW64\ntdll.dll!NtOpenKeyEx + 5 00000000770c1019 7 bytes {MOV EDX, 0xb0b9e8; JMP RDX} .text C:\Program Files\Steam\bin\cef\cef.winxp\steamwebhelper.exe[1884] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 00000000770c10c1 7 bytes {MOV EDX, 0xb0baa8; JMP RDX} .text C:\Program Files\Steam\bin\cef\cef.winxp\steamwebhelper.exe[1884] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 5 00000000770c1139 7 bytes {MOV EDX, 0xb0ba28; JMP RDX} .text C:\Program Files\Steam\bin\cef\cef.winxp\steamwebhelper.exe[1884] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 00000000770c133d 7 bytes {MOV EDX, 0xb0b8e8; JMP RDX} .text C:\Program Files\Steam\bin\cef\cef.winxp\steamwebhelper.exe[1884] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000077071401 2 bytes JMP 7691b21b C:\Windows\syswow64\kernel32.dll .text C:\Program Files\Steam\bin\cef\cef.winxp\steamwebhelper.exe[1884] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000077071419 2 bytes JMP 7691b346 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\Steam\bin\cef\cef.winxp\steamwebhelper.exe[1884] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000077071431 2 bytes JMP 76998f29 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\Steam\bin\cef\cef.winxp\steamwebhelper.exe[1884] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007707144a 2 bytes CALL 768f489d C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files\Steam\bin\cef\cef.winxp\steamwebhelper.exe[1884] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000770714dd 2 bytes JMP 76998822 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\Steam\bin\cef\cef.winxp\steamwebhelper.exe[1884] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000770714f5 2 bytes JMP 769989f8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\Steam\bin\cef\cef.winxp\steamwebhelper.exe[1884] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007707150d 2 bytes JMP 76998718 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\Steam\bin\cef\cef.winxp\steamwebhelper.exe[1884] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000077071525 2 bytes JMP 76998ae2 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\Steam\bin\cef\cef.winxp\steamwebhelper.exe[1884] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007707153d 2 bytes JMP 7690fca8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\Steam\bin\cef\cef.winxp\steamwebhelper.exe[1884] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000077071555 2 bytes JMP 769168ef C:\Windows\syswow64\kernel32.dll .text C:\Program Files\Steam\bin\cef\cef.winxp\steamwebhelper.exe[1884] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007707156d 2 bytes JMP 76998fe3 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\Steam\bin\cef\cef.winxp\steamwebhelper.exe[1884] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000077071585 2 bytes JMP 76998b42 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\Steam\bin\cef\cef.winxp\steamwebhelper.exe[1884] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007707159d 2 bytes JMP 769986dc C:\Windows\syswow64\kernel32.dll .text C:\Program Files\Steam\bin\cef\cef.winxp\steamwebhelper.exe[1884] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000770715b5 2 bytes JMP 7690fd41 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\Steam\bin\cef\cef.winxp\steamwebhelper.exe[1884] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000770715cd 2 bytes JMP 7691b2dc C:\Windows\syswow64\kernel32.dll .text C:\Program Files\Steam\bin\cef\cef.winxp\steamwebhelper.exe[1884] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000770716b2 2 bytes JMP 76998ea4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\Steam\bin\cef\cef.winxp\steamwebhelper.exe[1884] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000770716bd 2 bytes JMP 76998671 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\Steam\bin\cef\cef.winxp\steamwebhelper.exe[2256] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 00000000770bf9ad 7 bytes {MOV EDX, 0x475ae8; JMP RDX} .text C:\Program Files\Steam\bin\cef\cef.winxp\steamwebhelper.exe[2256] C:\Windows\SysWOW64\ntdll.dll!NtOpenKey + 5 00000000770bfa29 7 bytes {MOV EDX, 0x4759a8; JMP RDX} .text C:\Program Files\Steam\bin\cef\cef.winxp\steamwebhelper.exe[2256] C:\Windows\SysWOW64\ntdll.dll!NtCreateKey + 5 00000000770bfb41 7 bytes {MOV EDX, 0x475968; JMP RDX} .text C:\Program Files\Steam\bin\cef\cef.winxp\steamwebhelper.exe[2256] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 00000000770bfbf1 7 bytes {MOV EDX, 0x475b28; JMP RDX} .text C:\Program Files\Steam\bin\cef\cef.winxp\steamwebhelper.exe[2256] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 00000000770bfc21 7 bytes {MOV EDX, 0x475a68; JMP RDX} .text C:\Program Files\Steam\bin\cef\cef.winxp\steamwebhelper.exe[2256] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 00000000770bfc39 7 bytes {MOV EDX, 0x475928; JMP RDX} .text C:\Program Files\Steam\bin\cef\cef.winxp\steamwebhelper.exe[2256] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 00000000770bfc51 7 bytes {MOV EDX, 0x475be8; JMP RDX} .text C:\Program Files\Steam\bin\cef\cef.winxp\steamwebhelper.exe[2256] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 00000000770bfc81 7 bytes {MOV EDX, 0x475c28; JMP RDX} .text C:\Program Files\Steam\bin\cef\cef.winxp\steamwebhelper.exe[2256] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 00000000770bfd01 7 bytes {MOV EDX, 0x475ba8; JMP RDX} .text C:\Program Files\Steam\bin\cef\cef.winxp\steamwebhelper.exe[2256] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 00000000770bfd19 7 bytes {MOV EDX, 0x475b68; JMP RDX} .text C:\Program Files\Steam\bin\cef\cef.winxp\steamwebhelper.exe[2256] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 5 00000000770bfd65 7 bytes {MOV EDX, 0x475868; JMP RDX} .text C:\Program Files\Steam\bin\cef\cef.winxp\steamwebhelper.exe[2256] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 00000000770bfe5d 7 bytes {MOV EDX, 0x4758a8; JMP RDX} .text C:\Program Files\Steam\bin\cef\cef.winxp\steamwebhelper.exe[2256] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5 00000000770c00b5 7 bytes {MOV EDX, 0x475828; JMP RDX} .text C:\Program Files\Steam\bin\cef\cef.winxp\steamwebhelper.exe[2256] C:\Windows\SysWOW64\ntdll.dll!NtOpenKeyEx + 5 00000000770c1019 7 bytes {MOV EDX, 0x4759e8; JMP RDX} .text C:\Program Files\Steam\bin\cef\cef.winxp\steamwebhelper.exe[2256] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 00000000770c10c1 7 bytes {MOV EDX, 0x475aa8; JMP RDX} .text C:\Program Files\Steam\bin\cef\cef.winxp\steamwebhelper.exe[2256] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 5 00000000770c1139 7 bytes {MOV EDX, 0x475a28; JMP RDX} .text C:\Program Files\Steam\bin\cef\cef.winxp\steamwebhelper.exe[2256] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 00000000770c133d 7 bytes {MOV EDX, 0x4758e8; JMP RDX} ---- Threads - GMER 2.2 ---- Thread C:\Windows\System32\svchost.exe [128:3032] 000007fef8055fd0 Thread C:\Windows\System32\spoolsv.exe [1584:2056] 000007fef83410c8 Thread C:\Windows\System32\spoolsv.exe [1584:2136] 000007fef82e6144 Thread C:\Windows\System32\spoolsv.exe [1584:2164] 000007fef8055fd0 Thread C:\Windows\System32\spoolsv.exe [1584:2168] 000007fef8043438 Thread C:\Windows\System32\spoolsv.exe [1584:2172] 000007fef80563ec Thread C:\Windows\System32\spoolsv.exe [1584:2180] 000007fef8495e5c Thread C:\Windows\System32\spoolsv.exe [1584:2184] 000007fef84c5074 Thread C:\Windows\System32\spoolsv.exe [1584:2528] 000007fef8532288 Thread C:\Windows\System32\spoolsv.exe [1584:2532] 0000000001e9c334 Thread C:\Windows\SysWOW64\DllHost.exe [1932:1252] 00000000708328f0 Thread C:\Windows\SysWOW64\DllHost.exe [2084:2192] 0000000070472570 Thread C:\Windows\system32\taskhost.exe [1564:3504] 000007fef7445170 Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [3352:860] 000007fefafd2bf8 Thread C:\Windows\System32\svchost.exe [1556:1324] 000007fef7445170 Thread C:\Windows\System32\svchost.exe [1556:4916] 000007fef8ef9874 ---- Registry - GMER 2.2 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\9439e5b31b48 Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\9439e5b31b48@2cd2e7ba1b2c 0x75 0xC6 0xD9 0x0C ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\9439e5b31b48 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\9439e5b31b48@2cd2e7ba1b2c 0x75 0xC6 0xD9 0x0C ... ---- EOF - GMER 2.2 ----