GMER 2.2.19882 - http://www.gmer.net Rootkit scan 2016-12-27 11:55:48 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 ST500LM000-SSHD-8GB rev.LVD3 465,76GB Running: gmer.exe; Driver: C:\Users\user\AppData\Local\Temp\aftcaaob.sys ---- User code sections - GMER 2.2 ---- .text C:\Windows\system32\csrss.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077c7dc60 5 bytes JMP 000000004a620480 .text C:\Windows\system32\csrss.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077c7dcb0 5 bytes JMP 000000004a620470 .text C:\Windows\system32\csrss.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077c7de10 5 bytes JMP 000000004a620360 .text C:\Windows\system32\csrss.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077c7de60 5 bytes JMP 000000004a620490 .text C:\Windows\system32\csrss.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077c7de70 5 bytes JMP 000000004a6203d0 .text C:\Windows\system32\csrss.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077c7df20 5 bytes JMP 000000004a620310 .text C:\Windows\system32\csrss.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077c7df50 5 bytes JMP 000000004a6203a0 .text C:\Windows\system32\csrss.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077c7df70 5 bytes JMP 000000004a620380 .text C:\Windows\system32\csrss.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077c7dfb0 5 bytes JMP 000000004a6202d0 .text C:\Windows\system32\csrss.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077c7e030 1 byte JMP 000000004a6202c0 .text C:\Windows\system32\csrss.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 0000000077c7e032 3 bytes {JMP 0xffffffffd29a2290} .text C:\Windows\system32\csrss.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077c7e050 5 bytes JMP 000000004a620300 .text C:\Windows\system32\csrss.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077c7e090 5 bytes JMP 000000004a6203b0 .text C:\Windows\system32\csrss.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000077c7e0d0 5 bytes JMP 000000004a620440 .text C:\Windows\system32\csrss.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077c7e0e0 5 bytes JMP 000000004a6203e0 .text C:\Windows\system32\csrss.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077c7e240 5 bytes JMP 000000004a620220 .text C:\Windows\system32\csrss.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077c7e400 5 bytes JMP 000000004a6204a0 .text C:\Windows\system32\csrss.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077c7e430 5 bytes JMP 000000004a620390 .text C:\Windows\system32\csrss.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077c7e510 5 bytes JMP 000000004a6202e0 .text C:\Windows\system32\csrss.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077c7e520 5 bytes JMP 000000004a620340 .text C:\Windows\system32\csrss.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077c7e580 5 bytes JMP 000000004a620280 .text C:\Windows\system32\csrss.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077c7e610 1 byte JMP 000000004a6202a0 .text C:\Windows\system32\csrss.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 0000000077c7e612 3 bytes {JMP 0xffffffffd29a1c90} .text C:\Windows\system32\csrss.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077c7e630 1 byte JMP 000000004a6203c0 .text C:\Windows\system32\csrss.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 0000000077c7e632 3 bytes {JMP 0xffffffffd29a1d90} .text C:\Windows\system32\csrss.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077c7e640 5 bytes JMP 000000004a620320 .text C:\Windows\system32\csrss.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077c7e6b0 5 bytes JMP 000000004a620410 .text C:\Windows\system32\csrss.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077c7e6e0 5 bytes JMP 000000004a620230 .text C:\Windows\system32\csrss.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000077c7e880 5 bytes JMP 000000004a6203f0 .text C:\Windows\system32\csrss.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077c7e9a0 5 bytes JMP 000000004a6201d0 .text C:\Windows\system32\csrss.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077c7ea60 5 bytes JMP 000000004a620240 .text C:\Windows\system32\csrss.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077c7ea90 5 bytes JMP 000000004a6204b0 .text C:\Windows\system32\csrss.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077c7eaa0 5 bytes JMP 000000004a6204c0 .text C:\Windows\system32\csrss.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077c7ead0 5 bytes JMP 000000004a6202f0 .text C:\Windows\system32\csrss.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077c7eae0 5 bytes JMP 000000004a620350 .text C:\Windows\system32\csrss.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077c7eb40 5 bytes JMP 000000004a620290 .text C:\Windows\system32\csrss.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077c7eb90 5 bytes JMP 000000004a6202b0 .text C:\Windows\system32\csrss.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077c7ebc0 5 bytes JMP 000000004a620370 .text C:\Windows\system32\csrss.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077c7ebd0 5 bytes JMP 000000004a620330 .text C:\Windows\system32\csrss.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077c7eec0 5 bytes JMP 000000004a620460 .text C:\Windows\system32\csrss.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000077c7f020 5 bytes JMP 000000004a620420 .text C:\Windows\system32\csrss.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077c7f0c0 1 byte JMP 000000004a620250 .text C:\Windows\system32\csrss.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 0000000077c7f0c2 3 bytes {JMP 0xffffffffd29a1190} .text C:\Windows\system32\csrss.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077c7f0d0 1 byte JMP 000000004a620260 .text C:\Windows\system32\csrss.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 0000000077c7f0d2 3 bytes {JMP 0xffffffffd29a1190} .text C:\Windows\system32\csrss.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077c7f0e0 5 bytes JMP 000000004a620400 .text C:\Windows\system32\csrss.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077c7f2a0 5 bytes JMP 000000004a6201e0 .text C:\Windows\system32\csrss.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077c7f2b0 5 bytes JMP 000000004a620200 .text C:\Windows\system32\csrss.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077c7f320 5 bytes JMP 000000004a6201f0 .text C:\Windows\system32\csrss.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077c7f380 5 bytes JMP 000000004a620430 .text C:\Windows\system32\csrss.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077c7f390 5 bytes JMP 000000004a620450 .text C:\Windows\system32\csrss.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077c7f3a0 5 bytes JMP 000000004a620210 .text C:\Windows\system32\csrss.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077c7f480 5 bytes JMP 000000004a620270 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077c7dc60 5 bytes JMP 000000004a620480 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077c7dcb0 5 bytes JMP 000000004a620470 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077c7de10 5 bytes JMP 000000004a620360 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077c7de60 5 bytes JMP 000000004a620490 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077c7de70 5 bytes JMP 000000004a6203d0 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077c7df20 5 bytes JMP 000000004a620310 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077c7df50 5 bytes JMP 000000004a6203a0 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077c7df70 5 bytes JMP 000000004a620380 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077c7dfb0 5 bytes JMP 000000004a6202d0 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077c7e030 1 byte JMP 000000004a6202c0 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 0000000077c7e032 3 bytes {JMP 0xffffffffd29a2290} .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077c7e050 5 bytes JMP 000000004a620300 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077c7e090 5 bytes JMP 000000004a6203b0 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000077c7e0d0 5 bytes JMP 000000004a620440 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077c7e0e0 5 bytes JMP 000000004a6203e0 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077c7e240 5 bytes JMP 000000004a620220 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077c7e400 5 bytes JMP 000000004a6204a0 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077c7e430 5 bytes JMP 000000004a620390 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077c7e510 5 bytes JMP 000000004a6202e0 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077c7e520 5 bytes JMP 000000004a620340 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077c7e580 5 bytes JMP 000000004a620280 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077c7e610 1 byte JMP 000000004a6202a0 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 0000000077c7e612 3 bytes {JMP 0xffffffffd29a1c90} .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077c7e630 1 byte JMP 000000004a6203c0 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 0000000077c7e632 3 bytes {JMP 0xffffffffd29a1d90} .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077c7e640 5 bytes JMP 000000004a620320 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077c7e6b0 5 bytes JMP 000000004a620410 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077c7e6e0 5 bytes JMP 000000004a620230 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000077c7e880 5 bytes JMP 000000004a6203f0 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077c7e9a0 5 bytes JMP 000000004a6201d0 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077c7ea60 5 bytes JMP 000000004a620240 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077c7ea90 5 bytes JMP 000000004a6204b0 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077c7eaa0 5 bytes JMP 000000004a6204c0 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077c7ead0 5 bytes JMP 000000004a6202f0 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077c7eae0 5 bytes JMP 000000004a620350 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077c7eb40 5 bytes JMP 000000004a620290 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077c7eb90 5 bytes JMP 000000004a6202b0 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077c7ebc0 5 bytes JMP 000000004a620370 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077c7ebd0 5 bytes JMP 000000004a620330 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077c7eec0 5 bytes JMP 000000004a620460 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000077c7f020 5 bytes JMP 000000004a620420 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077c7f0c0 1 byte JMP 000000004a620250 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 0000000077c7f0c2 3 bytes {JMP 0xffffffffd29a1190} .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077c7f0d0 1 byte JMP 000000004a620260 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 0000000077c7f0d2 3 bytes {JMP 0xffffffffd29a1190} .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077c7f0e0 5 bytes JMP 000000004a620400 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077c7f2a0 5 bytes JMP 000000004a6201e0 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077c7f2b0 5 bytes JMP 000000004a620200 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077c7f320 5 bytes JMP 000000004a6201f0 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077c7f380 5 bytes JMP 000000004a620430 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077c7f390 5 bytes JMP 000000004a620450 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077c7f3a0 5 bytes JMP 000000004a620210 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077c7f480 5 bytes JMP 000000004a620270 .text C:\Windows\system32\lsass.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077c7dc60 5 bytes JMP 0000000077de0480 .text C:\Windows\system32\lsass.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077c7dcb0 5 bytes JMP 0000000077de0470 .text C:\Windows\system32\lsass.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077c7de10 5 bytes JMP 0000000077de0360 .text C:\Windows\system32\lsass.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077c7de60 5 bytes JMP 0000000077de0490 .text C:\Windows\system32\lsass.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077c7de70 5 bytes JMP 0000000077de03d0 .text C:\Windows\system32\lsass.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077c7df20 5 bytes JMP 0000000077de0310 .text C:\Windows\system32\lsass.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077c7df50 5 bytes JMP 0000000077de03a0 .text C:\Windows\system32\lsass.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077c7df70 5 bytes JMP 0000000077de0380 .text C:\Windows\system32\lsass.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077c7dfb0 5 bytes JMP 0000000077de02d0 .text C:\Windows\system32\lsass.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077c7e030 1 byte JMP 0000000077de02c0 .text C:\Windows\system32\lsass.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 0000000077c7e032 3 bytes {JMP 0x162290} .text C:\Windows\system32\lsass.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077c7e050 5 bytes JMP 0000000077de0300 .text C:\Windows\system32\lsass.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077c7e090 5 bytes JMP 0000000077de03b0 .text C:\Windows\system32\lsass.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000077c7e0d0 5 bytes JMP 0000000077de0440 .text C:\Windows\system32\lsass.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077c7e0e0 5 bytes JMP 0000000077de03e0 .text C:\Windows\system32\lsass.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077c7e240 5 bytes JMP 0000000077de0220 .text C:\Windows\system32\lsass.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077c7e400 5 bytes JMP 0000000077de04a0 .text C:\Windows\system32\lsass.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077c7e430 5 bytes JMP 0000000077de0390 .text C:\Windows\system32\lsass.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077c7e510 5 bytes JMP 0000000077de02e0 .text C:\Windows\system32\lsass.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077c7e520 5 bytes JMP 0000000077de0340 .text C:\Windows\system32\lsass.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077c7e580 5 bytes JMP 0000000077de0280 .text C:\Windows\system32\lsass.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077c7e610 1 byte JMP 0000000077de02a0 .text C:\Windows\system32\lsass.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 0000000077c7e612 3 bytes {JMP 0x161c90} .text C:\Windows\system32\lsass.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077c7e630 1 byte JMP 0000000077de03c0 .text C:\Windows\system32\lsass.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 0000000077c7e632 3 bytes {JMP 0x161d90} .text C:\Windows\system32\lsass.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077c7e640 5 bytes JMP 0000000077de0320 .text C:\Windows\system32\lsass.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077c7e6b0 5 bytes JMP 0000000077de0410 .text C:\Windows\system32\lsass.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077c7e6e0 5 bytes JMP 0000000077de0230 .text C:\Windows\system32\lsass.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000077c7e880 5 bytes JMP 0000000077de03f0 .text C:\Windows\system32\lsass.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077c7e9a0 5 bytes JMP 0000000077de01d0 .text C:\Windows\system32\lsass.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077c7ea60 5 bytes JMP 0000000077de0240 .text C:\Windows\system32\lsass.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077c7ea90 5 bytes JMP 0000000077de04b0 .text C:\Windows\system32\lsass.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077c7eaa0 5 bytes JMP 0000000077de04c0 .text C:\Windows\system32\lsass.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077c7ead0 5 bytes JMP 0000000077de02f0 .text C:\Windows\system32\lsass.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077c7eae0 5 bytes JMP 0000000077de0350 .text C:\Windows\system32\lsass.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077c7eb40 5 bytes JMP 0000000077de0290 .text C:\Windows\system32\lsass.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077c7eb90 5 bytes JMP 0000000077de02b0 .text C:\Windows\system32\lsass.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077c7ebc0 5 bytes JMP 0000000077de0370 .text C:\Windows\system32\lsass.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077c7ebd0 5 bytes JMP 0000000077de0330 .text C:\Windows\system32\lsass.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077c7eec0 5 bytes JMP 0000000077de0460 .text C:\Windows\system32\lsass.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000077c7f020 5 bytes JMP 0000000077de0420 .text C:\Windows\system32\lsass.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077c7f0c0 1 byte JMP 0000000077de0250 .text C:\Windows\system32\lsass.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 0000000077c7f0c2 3 bytes {JMP 0x161190} .text C:\Windows\system32\lsass.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077c7f0d0 1 byte JMP 0000000077de0260 .text C:\Windows\system32\lsass.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 0000000077c7f0d2 3 bytes {JMP 0x161190} .text C:\Windows\system32\lsass.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077c7f0e0 5 bytes JMP 0000000077de0400 .text C:\Windows\system32\lsass.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077c7f2a0 5 bytes JMP 0000000077de01e0 .text C:\Windows\system32\lsass.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077c7f2b0 5 bytes JMP 0000000077de0200 .text C:\Windows\system32\lsass.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077c7f320 5 bytes JMP 0000000077de01f0 .text C:\Windows\system32\lsass.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077c7f380 5 bytes JMP 0000000077de0430 .text C:\Windows\system32\lsass.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077c7f390 5 bytes JMP 0000000077de0450 .text C:\Windows\system32\lsass.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077c7f3a0 5 bytes JMP 0000000077de0210 .text C:\Windows\system32\lsass.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077c7f480 5 bytes JMP 0000000077de0270 .text C:\Windows\system32\lsm.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077c7dc60 5 bytes JMP 0000000077de0480 .text C:\Windows\system32\lsm.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077c7dcb0 5 bytes JMP 0000000077de0470 .text C:\Windows\system32\lsm.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077c7de10 5 bytes JMP 0000000077de0360 .text C:\Windows\system32\lsm.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077c7de60 5 bytes JMP 0000000077de0490 .text C:\Windows\system32\lsm.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077c7de70 5 bytes JMP 0000000077de03d0 .text C:\Windows\system32\lsm.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077c7df20 5 bytes JMP 0000000077de0310 .text C:\Windows\system32\lsm.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077c7df50 5 bytes JMP 0000000077de03a0 .text C:\Windows\system32\lsm.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077c7df70 5 bytes JMP 0000000077de0380 .text C:\Windows\system32\lsm.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077c7dfb0 5 bytes JMP 0000000077de02d0 .text C:\Windows\system32\lsm.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077c7e030 1 byte JMP 0000000077de02c0 .text C:\Windows\system32\lsm.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 0000000077c7e032 3 bytes {JMP 0x162290} .text C:\Windows\system32\lsm.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077c7e050 5 bytes JMP 0000000077de0300 .text C:\Windows\system32\lsm.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077c7e090 5 bytes JMP 0000000077de03b0 .text C:\Windows\system32\lsm.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000077c7e0d0 5 bytes JMP 0000000077de0440 .text C:\Windows\system32\lsm.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077c7e0e0 5 bytes JMP 0000000077de03e0 .text C:\Windows\system32\lsm.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077c7e240 5 bytes JMP 0000000077de0220 .text C:\Windows\system32\lsm.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077c7e400 5 bytes JMP 0000000077de04a0 .text C:\Windows\system32\lsm.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077c7e430 5 bytes JMP 0000000077de0390 .text C:\Windows\system32\lsm.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077c7e510 5 bytes JMP 0000000077de02e0 .text C:\Windows\system32\lsm.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077c7e520 5 bytes JMP 0000000077de0340 .text C:\Windows\system32\lsm.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077c7e580 5 bytes JMP 0000000077de0280 .text C:\Windows\system32\lsm.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077c7e610 1 byte JMP 0000000077de02a0 .text C:\Windows\system32\lsm.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 0000000077c7e612 3 bytes {JMP 0x161c90} .text C:\Windows\system32\lsm.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077c7e630 1 byte JMP 0000000077de03c0 .text C:\Windows\system32\lsm.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 0000000077c7e632 3 bytes {JMP 0x161d90} .text C:\Windows\system32\lsm.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077c7e640 5 bytes JMP 0000000077de0320 .text C:\Windows\system32\lsm.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077c7e6b0 5 bytes JMP 0000000077de0410 .text C:\Windows\system32\lsm.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077c7e6e0 5 bytes JMP 0000000077de0230 .text C:\Windows\system32\lsm.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000077c7e880 5 bytes JMP 0000000077de03f0 .text C:\Windows\system32\lsm.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077c7e9a0 5 bytes JMP 0000000077de01d0 .text C:\Windows\system32\lsm.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077c7ea60 5 bytes JMP 0000000077de0240 .text C:\Windows\system32\lsm.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077c7ea90 5 bytes JMP 0000000077de04b0 .text C:\Windows\system32\lsm.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077c7eaa0 5 bytes JMP 0000000077de04c0 .text C:\Windows\system32\lsm.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077c7ead0 5 bytes JMP 0000000077de02f0 .text C:\Windows\system32\lsm.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077c7eae0 5 bytes JMP 0000000077de0350 .text C:\Windows\system32\lsm.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077c7eb40 5 bytes JMP 0000000077de0290 .text C:\Windows\system32\lsm.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077c7eb90 5 bytes JMP 0000000077de02b0 .text C:\Windows\system32\lsm.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077c7ebc0 5 bytes JMP 0000000077de0370 .text C:\Windows\system32\lsm.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077c7ebd0 5 bytes JMP 0000000077de0330 .text C:\Windows\system32\lsm.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077c7eec0 5 bytes JMP 0000000077de0460 .text C:\Windows\system32\lsm.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000077c7f020 5 bytes JMP 0000000077de0420 .text C:\Windows\system32\lsm.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077c7f0c0 1 byte JMP 0000000077de0250 .text C:\Windows\system32\lsm.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 0000000077c7f0c2 3 bytes {JMP 0x161190} .text C:\Windows\system32\lsm.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077c7f0d0 1 byte JMP 0000000077de0260 .text C:\Windows\system32\lsm.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 0000000077c7f0d2 3 bytes {JMP 0x161190} .text C:\Windows\system32\lsm.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077c7f0e0 5 bytes JMP 0000000077de0400 .text C:\Windows\system32\lsm.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077c7f2a0 5 bytes JMP 0000000077de01e0 .text C:\Windows\system32\lsm.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077c7f2b0 5 bytes JMP 0000000077de0200 .text C:\Windows\system32\lsm.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077c7f320 5 bytes JMP 0000000077de01f0 .text C:\Windows\system32\lsm.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077c7f380 5 bytes JMP 0000000077de0430 .text C:\Windows\system32\lsm.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077c7f390 5 bytes JMP 0000000077de0450 .text C:\Windows\system32\lsm.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077c7f3a0 5 bytes JMP 0000000077de0210 .text C:\Windows\system32\lsm.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077c7f480 5 bytes JMP 0000000077de0270 .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077c7dc60 5 bytes JMP 0000000077de0480 .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077c7dcb0 5 bytes JMP 0000000077de0470 .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077c7de10 5 bytes JMP 0000000077de0360 .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077c7de60 5 bytes JMP 0000000077de0490 .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077c7de70 5 bytes JMP 0000000077de03d0 .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077c7df20 5 bytes JMP 0000000077de0310 .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077c7df50 5 bytes JMP 0000000077de03a0 .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077c7df70 5 bytes JMP 0000000077de0380 .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077c7dfb0 5 bytes JMP 0000000077de02d0 .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077c7e030 1 byte JMP 0000000077de02c0 .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 0000000077c7e032 3 bytes {JMP 0x162290} .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077c7e050 5 bytes JMP 0000000077de0300 .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077c7e090 5 bytes JMP 0000000077de03b0 .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000077c7e0d0 5 bytes JMP 0000000077de0440 .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077c7e0e0 5 bytes JMP 0000000077de03e0 .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077c7e240 5 bytes JMP 0000000077de0220 .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077c7e400 5 bytes JMP 0000000077de04a0 .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077c7e430 5 bytes JMP 0000000077de0390 .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077c7e510 5 bytes JMP 0000000077de02e0 .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077c7e520 5 bytes JMP 0000000077de0340 .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077c7e580 5 bytes JMP 0000000077de0280 .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077c7e610 1 byte JMP 0000000077de02a0 .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 0000000077c7e612 3 bytes {JMP 0x161c90} .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077c7e630 1 byte JMP 0000000077de03c0 .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 0000000077c7e632 3 bytes {JMP 0x161d90} .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077c7e640 5 bytes JMP 0000000077de0320 .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077c7e6b0 5 bytes JMP 0000000077de0410 .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077c7e6e0 5 bytes JMP 0000000077de0230 .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000077c7e880 5 bytes JMP 0000000077de03f0 .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077c7e9a0 5 bytes JMP 0000000077de01d0 .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077c7ea60 5 bytes JMP 0000000077de0240 .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077c7ea90 5 bytes JMP 0000000077de04b0 .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077c7eaa0 5 bytes JMP 0000000077de04c0 .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077c7ead0 5 bytes JMP 0000000077de02f0 .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077c7eae0 5 bytes JMP 0000000077de0350 .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077c7eb40 5 bytes JMP 0000000077de0290 .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077c7eb90 5 bytes JMP 0000000077de02b0 .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077c7ebc0 5 bytes JMP 0000000077de0370 .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077c7ebd0 5 bytes JMP 0000000077de0330 .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077c7eec0 5 bytes JMP 0000000077de0460 .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000077c7f020 5 bytes JMP 0000000077de0420 .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077c7f0c0 1 byte JMP 0000000077de0250 .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 0000000077c7f0c2 3 bytes {JMP 0x161190} .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077c7f0d0 1 byte JMP 0000000077de0260 .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 0000000077c7f0d2 3 bytes {JMP 0x161190} .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077c7f0e0 5 bytes JMP 0000000077de0400 .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077c7f2a0 5 bytes JMP 0000000077de01e0 .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077c7f2b0 5 bytes JMP 0000000077de0200 .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077c7f320 5 bytes JMP 0000000077de01f0 .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077c7f380 5 bytes JMP 0000000077de0430 .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077c7f390 5 bytes JMP 0000000077de0450 .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077c7f3a0 5 bytes JMP 0000000077de0210 .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077c7f480 5 bytes JMP 0000000077de0270 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077c7dc60 5 bytes JMP 0000000077de0480 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077c7dcb0 5 bytes JMP 0000000077de0470 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077c7de10 5 bytes JMP 0000000077de0360 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077c7de60 5 bytes JMP 0000000077de0490 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077c7de70 5 bytes JMP 0000000077de03d0 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077c7df20 5 bytes JMP 0000000077de0310 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077c7df50 5 bytes JMP 0000000077de03a0 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077c7df70 5 bytes JMP 0000000077de0380 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077c7dfb0 5 bytes JMP 0000000077de02d0 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077c7e030 1 byte JMP 0000000077de02c0 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 0000000077c7e032 3 bytes {JMP 0x162290} .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077c7e050 5 bytes JMP 0000000077de0300 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077c7e090 5 bytes JMP 0000000077de03b0 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000077c7e0d0 5 bytes JMP 0000000077de0440 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077c7e0e0 5 bytes JMP 0000000077de03e0 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077c7e240 5 bytes JMP 0000000077de0220 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077c7e400 5 bytes JMP 0000000077de04a0 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077c7e430 5 bytes JMP 0000000077de0390 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077c7e510 5 bytes JMP 0000000077de02e0 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077c7e520 5 bytes JMP 0000000077de0340 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077c7e580 5 bytes JMP 0000000077de0280 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077c7e610 1 byte JMP 0000000077de02a0 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 0000000077c7e612 3 bytes {JMP 0x161c90} .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077c7e630 1 byte JMP 0000000077de03c0 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 0000000077c7e632 3 bytes {JMP 0x161d90} .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077c7e640 5 bytes JMP 0000000077de0320 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077c7e6b0 5 bytes JMP 0000000077de0410 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077c7e6e0 5 bytes JMP 0000000077de0230 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000077c7e880 5 bytes JMP 0000000077de03f0 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077c7e9a0 5 bytes JMP 0000000077de01d0 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077c7ea60 5 bytes JMP 0000000077de0240 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077c7ea90 5 bytes JMP 0000000077de04b0 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077c7eaa0 5 bytes JMP 0000000077de04c0 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077c7ead0 5 bytes JMP 0000000077de02f0 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077c7eae0 5 bytes JMP 0000000077de0350 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077c7eb40 5 bytes JMP 0000000077de0290 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077c7eb90 5 bytes JMP 0000000077de02b0 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077c7ebc0 5 bytes JMP 0000000077de0370 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077c7ebd0 5 bytes JMP 0000000077de0330 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077c7eec0 5 bytes JMP 0000000077de0460 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000077c7f020 5 bytes JMP 0000000077de0420 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077c7f0c0 1 byte JMP 0000000077de0250 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 0000000077c7f0c2 3 bytes {JMP 0x161190} .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077c7f0d0 1 byte JMP 0000000077de0260 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 0000000077c7f0d2 3 bytes {JMP 0x161190} .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077c7f0e0 5 bytes JMP 0000000077de0400 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077c7f2a0 5 bytes JMP 0000000077de01e0 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077c7f2b0 5 bytes JMP 0000000077de0200 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077c7f320 5 bytes JMP 0000000077de01f0 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077c7f380 5 bytes JMP 0000000077de0430 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077c7f390 5 bytes JMP 0000000077de0450 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077c7f3a0 5 bytes JMP 0000000077de0210 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077c7f480 5 bytes JMP 0000000077de0270 .text C:\Windows\System32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077c7dc60 5 bytes JMP 0000000000070480 .text C:\Windows\System32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077c7dcb0 5 bytes JMP 0000000000070470 .text C:\Windows\System32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077c7de10 5 bytes JMP 0000000000070360 .text C:\Windows\System32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077c7de60 5 bytes JMP 0000000000070490 .text C:\Windows\System32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077c7de70 5 bytes JMP 00000000000703d0 .text C:\Windows\System32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077c7df20 5 bytes JMP 0000000000070310 .text C:\Windows\System32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077c7df50 5 bytes JMP 00000000000703a0 .text C:\Windows\System32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077c7df70 5 bytes JMP 0000000000070380 .text C:\Windows\System32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077c7dfb0 5 bytes JMP 00000000000702d0 .text C:\Windows\System32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077c7e030 1 byte JMP 00000000000702c0 .text C:\Windows\System32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 0000000077c7e032 3 bytes {JMP 0xffffffff883f2290} .text C:\Windows\System32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077c7e050 5 bytes JMP 0000000000070300 .text C:\Windows\System32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077c7e090 5 bytes JMP 00000000000703b0 .text C:\Windows\System32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000077c7e0d0 5 bytes JMP 0000000000070440 .text C:\Windows\System32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077c7e0e0 5 bytes JMP 00000000000703e0 .text C:\Windows\System32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077c7e240 5 bytes JMP 0000000000070220 .text C:\Windows\System32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077c7e400 5 bytes JMP 00000000000704a0 .text C:\Windows\System32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077c7e430 5 bytes JMP 0000000000070390 .text C:\Windows\System32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077c7e510 5 bytes JMP 00000000000702e0 .text C:\Windows\System32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077c7e520 5 bytes JMP 0000000000070340 .text C:\Windows\System32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077c7e580 5 bytes JMP 0000000000070280 .text C:\Windows\System32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077c7e610 1 byte JMP 00000000000702a0 .text C:\Windows\System32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 0000000077c7e612 3 bytes {JMP 0xffffffff883f1c90} .text C:\Windows\System32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077c7e630 1 byte JMP 00000000000703c0 .text C:\Windows\System32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 0000000077c7e632 3 bytes {JMP 0xffffffff883f1d90} .text C:\Windows\System32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077c7e640 5 bytes JMP 0000000000070320 .text C:\Windows\System32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077c7e6b0 5 bytes JMP 0000000000070410 .text C:\Windows\System32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077c7e6e0 5 bytes JMP 0000000000070230 .text C:\Windows\System32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000077c7e880 5 bytes JMP 00000000000703f0 .text C:\Windows\System32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077c7e9a0 5 bytes JMP 00000000000701d0 .text C:\Windows\System32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077c7ea60 5 bytes JMP 0000000000070240 .text C:\Windows\System32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077c7ea90 5 bytes JMP 00000000000704b0 .text C:\Windows\System32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077c7eaa0 5 bytes JMP 00000000000704c0 .text C:\Windows\System32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077c7ead0 5 bytes JMP 00000000000702f0 .text C:\Windows\System32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077c7eae0 5 bytes JMP 0000000000070350 .text C:\Windows\System32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077c7eb40 5 bytes JMP 0000000000070290 .text C:\Windows\System32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077c7eb90 5 bytes JMP 00000000000702b0 .text C:\Windows\System32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077c7ebc0 5 bytes JMP 0000000000070370 .text C:\Windows\System32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077c7ebd0 5 bytes JMP 0000000000070330 .text C:\Windows\System32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077c7eec0 5 bytes JMP 0000000000070460 .text C:\Windows\System32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000077c7f020 5 bytes JMP 0000000000070420 .text C:\Windows\System32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077c7f0c0 1 byte JMP 0000000000070250 .text C:\Windows\System32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 0000000077c7f0c2 3 bytes {JMP 0xffffffff883f1190} .text C:\Windows\System32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077c7f0d0 1 byte JMP 0000000000070260 .text C:\Windows\System32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 0000000077c7f0d2 3 bytes {JMP 0xffffffff883f1190} .text C:\Windows\System32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077c7f0e0 5 bytes JMP 0000000000070400 .text C:\Windows\System32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077c7f2a0 5 bytes JMP 00000000000701e0 .text C:\Windows\System32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077c7f2b0 5 bytes JMP 0000000000070200 .text C:\Windows\System32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077c7f320 5 bytes JMP 00000000000701f0 .text C:\Windows\System32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077c7f380 5 bytes JMP 0000000000070430 .text C:\Windows\System32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077c7f390 5 bytes JMP 0000000000070450 .text C:\Windows\System32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077c7f3a0 5 bytes JMP 0000000000070210 .text C:\Windows\System32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077c7f480 5 bytes JMP 0000000000070270 .text C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077c7dc60 5 bytes JMP 0000000000070480 .text C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077c7dcb0 5 bytes JMP 0000000000070470 .text C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077c7de10 5 bytes JMP 0000000000070360 .text C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077c7de60 5 bytes JMP 0000000000070490 .text C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077c7de70 5 bytes JMP 00000000000703d0 .text C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077c7df20 5 bytes JMP 0000000000070310 .text C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077c7df50 5 bytes JMP 00000000000703a0 .text C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077c7df70 5 bytes JMP 0000000000070380 .text C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077c7dfb0 5 bytes JMP 00000000000702d0 .text C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077c7e030 1 byte JMP 00000000000702c0 .text C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 0000000077c7e032 3 bytes {JMP 0xffffffff883f2290} .text C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077c7e050 5 bytes JMP 0000000000070300 .text C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077c7e090 5 bytes JMP 00000000000703b0 .text C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000077c7e0d0 5 bytes JMP 0000000000070440 .text C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077c7e0e0 5 bytes JMP 00000000000703e0 .text C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077c7e240 5 bytes JMP 0000000000070220 .text C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077c7e400 5 bytes JMP 00000000000704a0 .text C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077c7e430 5 bytes JMP 0000000000070390 .text C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077c7e510 5 bytes JMP 00000000000702e0 .text C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077c7e520 5 bytes JMP 0000000000070340 .text C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077c7e580 5 bytes JMP 0000000000070280 .text C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077c7e610 1 byte JMP 00000000000702a0 .text C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 0000000077c7e612 3 bytes {JMP 0xffffffff883f1c90} .text C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077c7e630 1 byte JMP 00000000000703c0 .text C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 0000000077c7e632 3 bytes {JMP 0xffffffff883f1d90} .text C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077c7e640 5 bytes JMP 0000000000070320 .text C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077c7e6b0 5 bytes JMP 0000000000070410 .text C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077c7e6e0 5 bytes JMP 0000000000070230 .text C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000077c7e880 5 bytes JMP 00000000000703f0 .text C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077c7e9a0 5 bytes JMP 00000000000701d0 .text C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077c7ea60 5 bytes JMP 0000000000070240 .text C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077c7ea90 5 bytes JMP 00000000000704b0 .text C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077c7eaa0 5 bytes JMP 00000000000704c0 .text C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077c7ead0 5 bytes JMP 00000000000702f0 .text C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077c7eae0 5 bytes JMP 0000000000070350 .text C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077c7eb40 5 bytes JMP 0000000000070290 .text C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077c7eb90 5 bytes JMP 00000000000702b0 .text C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077c7ebc0 5 bytes JMP 0000000000070370 .text C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077c7ebd0 5 bytes JMP 0000000000070330 .text C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077c7eec0 5 bytes JMP 0000000000070460 .text C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000077c7f020 5 bytes JMP 0000000000070420 .text C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077c7f0c0 1 byte JMP 0000000000070250 .text C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 0000000077c7f0c2 3 bytes {JMP 0xffffffff883f1190} .text C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077c7f0d0 1 byte JMP 0000000000070260 .text C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 0000000077c7f0d2 3 bytes {JMP 0xffffffff883f1190} .text C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077c7f0e0 5 bytes JMP 0000000000070400 .text C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077c7f2a0 5 bytes JMP 00000000000701e0 .text C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077c7f2b0 5 bytes JMP 0000000000070200 .text C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077c7f320 5 bytes JMP 00000000000701f0 .text C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077c7f380 5 bytes JMP 0000000000070430 .text C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077c7f390 5 bytes JMP 0000000000070450 .text C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077c7f3a0 5 bytes JMP 0000000000070210 .text C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077c7f480 5 bytes JMP 0000000000070270 .text C:\Windows\system32\svchost.exe[108] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077c7dc60 5 bytes JMP 0000000000070480 .text C:\Windows\system32\svchost.exe[108] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077c7dcb0 5 bytes JMP 0000000000070470 .text C:\Windows\system32\svchost.exe[108] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077c7de10 5 bytes JMP 0000000000070360 .text C:\Windows\system32\svchost.exe[108] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077c7de60 5 bytes JMP 0000000000070490 .text C:\Windows\system32\svchost.exe[108] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077c7de70 5 bytes JMP 00000000000703d0 .text C:\Windows\system32\svchost.exe[108] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077c7df20 5 bytes JMP 0000000000070310 .text C:\Windows\system32\svchost.exe[108] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077c7df50 5 bytes JMP 00000000000703a0 .text C:\Windows\system32\svchost.exe[108] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077c7df70 5 bytes JMP 0000000000070380 .text C:\Windows\system32\svchost.exe[108] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077c7dfb0 5 bytes JMP 00000000000702d0 .text C:\Windows\system32\svchost.exe[108] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077c7e030 1 byte JMP 00000000000702c0 .text C:\Windows\system32\svchost.exe[108] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 0000000077c7e032 3 bytes {JMP 0xffffffff883f2290} .text C:\Windows\system32\svchost.exe[108] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077c7e050 5 bytes JMP 0000000000070300 .text C:\Windows\system32\svchost.exe[108] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077c7e090 5 bytes JMP 00000000000703b0 .text C:\Windows\system32\svchost.exe[108] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000077c7e0d0 5 bytes JMP 0000000000070440 .text C:\Windows\system32\svchost.exe[108] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077c7e0e0 5 bytes JMP 00000000000703e0 .text C:\Windows\system32\svchost.exe[108] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077c7e240 5 bytes JMP 0000000000070220 .text C:\Windows\system32\svchost.exe[108] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077c7e400 5 bytes JMP 00000000000704a0 .text C:\Windows\system32\svchost.exe[108] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077c7e430 5 bytes JMP 0000000000070390 .text C:\Windows\system32\svchost.exe[108] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077c7e510 5 bytes JMP 00000000000702e0 .text C:\Windows\system32\svchost.exe[108] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077c7e520 5 bytes JMP 0000000000070340 .text C:\Windows\system32\svchost.exe[108] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077c7e580 5 bytes JMP 0000000000070280 .text C:\Windows\system32\svchost.exe[108] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077c7e610 1 byte JMP 00000000000702a0 .text C:\Windows\system32\svchost.exe[108] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 0000000077c7e612 3 bytes {JMP 0xffffffff883f1c90} .text C:\Windows\system32\svchost.exe[108] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077c7e630 1 byte JMP 00000000000703c0 .text C:\Windows\system32\svchost.exe[108] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 0000000077c7e632 3 bytes {JMP 0xffffffff883f1d90} .text C:\Windows\system32\svchost.exe[108] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077c7e640 5 bytes JMP 0000000000070320 .text C:\Windows\system32\svchost.exe[108] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077c7e6b0 5 bytes JMP 0000000000070410 .text C:\Windows\system32\svchost.exe[108] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077c7e6e0 5 bytes JMP 0000000000070230 .text C:\Windows\system32\svchost.exe[108] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000077c7e880 5 bytes JMP 00000000000703f0 .text C:\Windows\system32\svchost.exe[108] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077c7e9a0 5 bytes JMP 00000000000701d0 .text C:\Windows\system32\svchost.exe[108] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077c7ea60 5 bytes JMP 0000000000070240 .text C:\Windows\system32\svchost.exe[108] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077c7ea90 5 bytes JMP 00000000000704b0 .text C:\Windows\system32\svchost.exe[108] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077c7eaa0 5 bytes JMP 00000000000704c0 .text C:\Windows\system32\svchost.exe[108] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077c7ead0 5 bytes JMP 00000000000702f0 .text C:\Windows\system32\svchost.exe[108] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077c7eae0 5 bytes JMP 0000000000070350 .text C:\Windows\system32\svchost.exe[108] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077c7eb40 5 bytes JMP 0000000000070290 .text C:\Windows\system32\svchost.exe[108] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077c7eb90 5 bytes JMP 00000000000702b0 .text C:\Windows\system32\svchost.exe[108] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077c7ebc0 5 bytes JMP 0000000000070370 .text C:\Windows\system32\svchost.exe[108] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077c7ebd0 5 bytes JMP 0000000000070330 .text C:\Windows\system32\svchost.exe[108] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077c7eec0 5 bytes JMP 0000000000070460 .text C:\Windows\system32\svchost.exe[108] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000077c7f020 5 bytes JMP 0000000000070420 .text C:\Windows\system32\svchost.exe[108] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077c7f0c0 1 byte JMP 0000000000070250 .text C:\Windows\system32\svchost.exe[108] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 0000000077c7f0c2 3 bytes {JMP 0xffffffff883f1190} .text C:\Windows\system32\svchost.exe[108] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077c7f0d0 1 byte JMP 0000000000070260 .text C:\Windows\system32\svchost.exe[108] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 0000000077c7f0d2 3 bytes {JMP 0xffffffff883f1190} .text C:\Windows\system32\svchost.exe[108] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077c7f0e0 5 bytes JMP 0000000000070400 .text C:\Windows\system32\svchost.exe[108] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077c7f2a0 5 bytes JMP 00000000000701e0 .text C:\Windows\system32\svchost.exe[108] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077c7f2b0 5 bytes JMP 0000000000070200 .text C:\Windows\system32\svchost.exe[108] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077c7f320 5 bytes JMP 00000000000701f0 .text C:\Windows\system32\svchost.exe[108] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077c7f380 5 bytes JMP 0000000000070430 .text C:\Windows\system32\svchost.exe[108] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077c7f390 5 bytes JMP 0000000000070450 .text C:\Windows\system32\svchost.exe[108] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077c7f3a0 5 bytes JMP 0000000000070210 .text C:\Windows\system32\svchost.exe[108] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077c7f480 5 bytes JMP 0000000000070270 .text C:\Windows\system32\svchost.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077c7dc60 5 bytes JMP 0000000077de0480 .text C:\Windows\system32\svchost.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077c7dcb0 5 bytes JMP 0000000077de0470 .text C:\Windows\system32\svchost.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077c7de10 5 bytes JMP 0000000077de0360 .text C:\Windows\system32\svchost.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077c7de60 5 bytes JMP 0000000077de0490 .text C:\Windows\system32\svchost.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077c7de70 5 bytes JMP 0000000077de03d0 .text C:\Windows\system32\svchost.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077c7df20 5 bytes JMP 0000000077de0310 .text C:\Windows\system32\svchost.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077c7df50 5 bytes JMP 0000000077de03a0 .text C:\Windows\system32\svchost.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077c7df70 5 bytes JMP 0000000077de0380 .text C:\Windows\system32\svchost.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077c7dfb0 5 bytes JMP 0000000077de02d0 .text C:\Windows\system32\svchost.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077c7e030 1 byte JMP 0000000077de02c0 .text C:\Windows\system32\svchost.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 0000000077c7e032 3 bytes {JMP 0x162290} .text C:\Windows\system32\svchost.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077c7e050 5 bytes JMP 0000000077de0300 .text C:\Windows\system32\svchost.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077c7e090 5 bytes JMP 0000000077de03b0 .text C:\Windows\system32\svchost.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000077c7e0d0 5 bytes JMP 0000000077de0440 .text C:\Windows\system32\svchost.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077c7e0e0 5 bytes JMP 0000000077de03e0 .text C:\Windows\system32\svchost.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077c7e240 5 bytes JMP 0000000077de0220 .text C:\Windows\system32\svchost.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077c7e400 5 bytes JMP 0000000077de04a0 .text C:\Windows\system32\svchost.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077c7e430 5 bytes JMP 0000000077de0390 .text C:\Windows\system32\svchost.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077c7e510 5 bytes JMP 0000000077de02e0 .text C:\Windows\system32\svchost.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077c7e520 5 bytes JMP 0000000077de0340 .text C:\Windows\system32\svchost.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077c7e580 5 bytes JMP 0000000077de0280 .text C:\Windows\system32\svchost.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077c7e610 1 byte JMP 0000000077de02a0 .text C:\Windows\system32\svchost.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 0000000077c7e612 3 bytes {JMP 0x161c90} .text C:\Windows\system32\svchost.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077c7e630 1 byte JMP 0000000077de03c0 .text C:\Windows\system32\svchost.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 0000000077c7e632 3 bytes {JMP 0x161d90} .text C:\Windows\system32\svchost.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077c7e640 5 bytes JMP 0000000077de0320 .text C:\Windows\system32\svchost.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077c7e6b0 5 bytes JMP 0000000077de0410 .text C:\Windows\system32\svchost.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077c7e6e0 5 bytes JMP 0000000077de0230 .text C:\Windows\system32\svchost.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000077c7e880 5 bytes JMP 0000000077de03f0 .text C:\Windows\system32\svchost.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077c7e9a0 5 bytes JMP 0000000077de01d0 .text C:\Windows\system32\svchost.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077c7ea60 5 bytes JMP 0000000077de0240 .text C:\Windows\system32\svchost.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077c7ea90 5 bytes JMP 0000000077de04b0 .text C:\Windows\system32\svchost.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077c7eaa0 5 bytes JMP 0000000077de04c0 .text C:\Windows\system32\svchost.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077c7ead0 5 bytes JMP 0000000077de02f0 .text C:\Windows\system32\svchost.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077c7eae0 5 bytes JMP 0000000077de0350 .text C:\Windows\system32\svchost.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077c7eb40 5 bytes JMP 0000000077de0290 .text C:\Windows\system32\svchost.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077c7eb90 5 bytes JMP 0000000077de02b0 .text C:\Windows\system32\svchost.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077c7ebc0 5 bytes JMP 0000000077de0370 .text C:\Windows\system32\svchost.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077c7ebd0 5 bytes JMP 0000000077de0330 .text C:\Windows\system32\svchost.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077c7eec0 5 bytes JMP 0000000077de0460 .text C:\Windows\system32\svchost.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000077c7f020 5 bytes JMP 0000000077de0420 .text C:\Windows\system32\svchost.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077c7f0c0 1 byte JMP 0000000077de0250 .text C:\Windows\system32\svchost.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 0000000077c7f0c2 3 bytes {JMP 0x161190} .text C:\Windows\system32\svchost.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077c7f0d0 1 byte JMP 0000000077de0260 .text C:\Windows\system32\svchost.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 0000000077c7f0d2 3 bytes {JMP 0x161190} .text C:\Windows\system32\svchost.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077c7f0e0 5 bytes JMP 0000000077de0400 .text C:\Windows\system32\svchost.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077c7f2a0 5 bytes JMP 0000000077de01e0 .text C:\Windows\system32\svchost.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077c7f2b0 5 bytes JMP 0000000077de0200 .text C:\Windows\system32\svchost.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077c7f320 5 bytes JMP 0000000077de01f0 .text C:\Windows\system32\svchost.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077c7f380 5 bytes JMP 0000000077de0430 .text C:\Windows\system32\svchost.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077c7f390 5 bytes JMP 0000000077de0450 .text C:\Windows\system32\svchost.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077c7f3a0 5 bytes JMP 0000000077de0210 .text C:\Windows\system32\svchost.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077c7f480 5 bytes JMP 0000000077de0270 .text C:\Windows\system32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077c7dc60 5 bytes JMP 0000000077de0480 .text C:\Windows\system32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077c7dcb0 5 bytes JMP 0000000077de0470 .text C:\Windows\system32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077c7de10 5 bytes JMP 0000000077de0360 .text C:\Windows\system32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077c7de60 5 bytes JMP 0000000077de0490 .text C:\Windows\system32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077c7de70 5 bytes JMP 0000000077de03d0 .text C:\Windows\system32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077c7df20 5 bytes JMP 0000000077de0310 .text C:\Windows\system32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077c7df50 5 bytes JMP 0000000077de03a0 .text C:\Windows\system32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077c7df70 5 bytes JMP 0000000077de0380 .text C:\Windows\system32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077c7dfb0 5 bytes JMP 0000000077de02d0 .text C:\Windows\system32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077c7e030 1 byte JMP 0000000077de02c0 .text C:\Windows\system32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 0000000077c7e032 3 bytes {JMP 0x162290} .text C:\Windows\system32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077c7e050 5 bytes JMP 0000000077de0300 .text C:\Windows\system32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077c7e090 5 bytes JMP 0000000077de03b0 .text C:\Windows\system32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000077c7e0d0 5 bytes JMP 0000000077de0440 .text C:\Windows\system32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077c7e0e0 5 bytes JMP 0000000077de03e0 .text C:\Windows\system32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077c7e240 5 bytes JMP 0000000077de0220 .text C:\Windows\system32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077c7e400 5 bytes JMP 0000000077de04a0 .text C:\Windows\system32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077c7e430 5 bytes JMP 0000000077de0390 .text C:\Windows\system32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077c7e510 5 bytes JMP 0000000077de02e0 .text C:\Windows\system32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077c7e520 5 bytes JMP 0000000077de0340 .text C:\Windows\system32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077c7e580 5 bytes JMP 0000000077de0280 .text C:\Windows\system32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077c7e610 1 byte JMP 0000000077de02a0 .text C:\Windows\system32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 0000000077c7e612 3 bytes {JMP 0x161c90} .text C:\Windows\system32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077c7e630 1 byte JMP 0000000077de03c0 .text C:\Windows\system32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 0000000077c7e632 3 bytes {JMP 0x161d90} .text C:\Windows\system32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077c7e640 5 bytes JMP 0000000077de0320 .text C:\Windows\system32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077c7e6b0 5 bytes JMP 0000000077de0410 .text C:\Windows\system32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077c7e6e0 5 bytes JMP 0000000077de0230 .text C:\Windows\system32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000077c7e880 5 bytes JMP 0000000077de03f0 .text C:\Windows\system32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077c7e9a0 5 bytes JMP 0000000077de01d0 .text C:\Windows\system32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077c7ea60 5 bytes JMP 0000000077de0240 .text C:\Windows\system32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077c7ea90 5 bytes JMP 0000000077de04b0 .text C:\Windows\system32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077c7eaa0 5 bytes JMP 0000000077de04c0 .text C:\Windows\system32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077c7ead0 5 bytes JMP 0000000077de02f0 .text C:\Windows\system32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077c7eae0 5 bytes JMP 0000000077de0350 .text C:\Windows\system32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077c7eb40 5 bytes JMP 0000000077de0290 .text C:\Windows\system32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077c7eb90 5 bytes JMP 0000000077de02b0 .text C:\Windows\system32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077c7ebc0 5 bytes JMP 0000000077de0370 .text C:\Windows\system32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077c7ebd0 5 bytes JMP 0000000077de0330 .text C:\Windows\system32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077c7eec0 5 bytes JMP 0000000077de0460 .text C:\Windows\system32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000077c7f020 5 bytes JMP 0000000077de0420 .text C:\Windows\system32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077c7f0c0 1 byte JMP 0000000077de0250 .text C:\Windows\system32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 0000000077c7f0c2 3 bytes {JMP 0x161190} .text C:\Windows\system32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077c7f0d0 1 byte JMP 0000000077de0260 .text C:\Windows\system32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 0000000077c7f0d2 3 bytes {JMP 0x161190} .text C:\Windows\system32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077c7f0e0 5 bytes JMP 0000000077de0400 .text C:\Windows\system32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077c7f2a0 5 bytes JMP 0000000077de01e0 .text C:\Windows\system32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077c7f2b0 5 bytes JMP 0000000077de0200 .text C:\Windows\system32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077c7f320 5 bytes JMP 0000000077de01f0 .text C:\Windows\system32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077c7f380 5 bytes JMP 0000000077de0430 .text C:\Windows\system32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077c7f390 5 bytes JMP 0000000077de0450 .text C:\Windows\system32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077c7f3a0 5 bytes JMP 0000000077de0210 .text C:\Windows\system32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077c7f480 5 bytes JMP 0000000077de0270 .text C:\Windows\system32\Dwm.exe[1348] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077c7dc60 5 bytes JMP 0000000077de0480 .text C:\Windows\system32\Dwm.exe[1348] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077c7dcb0 5 bytes JMP 0000000077de0470 .text C:\Windows\system32\Dwm.exe[1348] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077c7de10 5 bytes JMP 0000000077de0360 .text C:\Windows\system32\Dwm.exe[1348] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077c7de60 5 bytes JMP 0000000077de0490 .text C:\Windows\system32\Dwm.exe[1348] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077c7de70 5 bytes JMP 0000000077de03d0 .text C:\Windows\system32\Dwm.exe[1348] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077c7df20 5 bytes JMP 0000000077de0310 .text C:\Windows\system32\Dwm.exe[1348] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077c7df50 5 bytes JMP 0000000077de03a0 .text C:\Windows\system32\Dwm.exe[1348] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077c7df70 5 bytes JMP 0000000077de0380 .text C:\Windows\system32\Dwm.exe[1348] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077c7dfb0 5 bytes JMP 0000000077de02d0 .text C:\Windows\system32\Dwm.exe[1348] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077c7e030 1 byte JMP 0000000077de02c0 .text C:\Windows\system32\Dwm.exe[1348] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 0000000077c7e032 3 bytes {JMP 0x162290} .text C:\Windows\system32\Dwm.exe[1348] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077c7e050 5 bytes JMP 0000000077de0300 .text C:\Windows\system32\Dwm.exe[1348] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077c7e090 5 bytes JMP 0000000077de03b0 .text C:\Windows\system32\Dwm.exe[1348] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000077c7e0d0 5 bytes JMP 0000000077de0440 .text C:\Windows\system32\Dwm.exe[1348] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077c7e0e0 5 bytes JMP 0000000077de03e0 .text C:\Windows\system32\Dwm.exe[1348] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077c7e240 5 bytes JMP 0000000077de0220 .text C:\Windows\system32\Dwm.exe[1348] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077c7e400 5 bytes JMP 0000000077de04a0 .text C:\Windows\system32\Dwm.exe[1348] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077c7e430 5 bytes JMP 0000000077de0390 .text C:\Windows\system32\Dwm.exe[1348] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077c7e510 5 bytes JMP 0000000077de02e0 .text C:\Windows\system32\Dwm.exe[1348] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077c7e520 5 bytes JMP 0000000077de0340 .text C:\Windows\system32\Dwm.exe[1348] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077c7e580 5 bytes JMP 0000000077de0280 .text C:\Windows\system32\Dwm.exe[1348] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077c7e610 1 byte JMP 0000000077de02a0 .text C:\Windows\system32\Dwm.exe[1348] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 0000000077c7e612 3 bytes {JMP 0x161c90} .text C:\Windows\system32\Dwm.exe[1348] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077c7e630 1 byte JMP 0000000077de03c0 .text C:\Windows\system32\Dwm.exe[1348] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 0000000077c7e632 3 bytes {JMP 0x161d90} .text C:\Windows\system32\Dwm.exe[1348] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077c7e640 5 bytes JMP 0000000077de0320 .text C:\Windows\system32\Dwm.exe[1348] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077c7e6b0 5 bytes JMP 0000000077de0410 .text C:\Windows\system32\Dwm.exe[1348] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077c7e6e0 5 bytes JMP 0000000077de0230 .text C:\Windows\system32\Dwm.exe[1348] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000077c7e880 5 bytes JMP 0000000077de03f0 .text C:\Windows\system32\Dwm.exe[1348] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077c7e9a0 5 bytes JMP 0000000077de01d0 .text C:\Windows\system32\Dwm.exe[1348] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077c7ea60 5 bytes JMP 0000000077de0240 .text C:\Windows\system32\Dwm.exe[1348] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077c7ea90 5 bytes JMP 0000000077de04b0 .text C:\Windows\system32\Dwm.exe[1348] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077c7eaa0 5 bytes JMP 0000000077de04c0 .text C:\Windows\system32\Dwm.exe[1348] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077c7ead0 5 bytes JMP 0000000077de02f0 .text C:\Windows\system32\Dwm.exe[1348] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077c7eae0 5 bytes JMP 0000000077de0350 .text C:\Windows\system32\Dwm.exe[1348] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077c7eb40 5 bytes JMP 0000000077de0290 .text C:\Windows\system32\Dwm.exe[1348] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077c7eb90 5 bytes JMP 0000000077de02b0 .text C:\Windows\system32\Dwm.exe[1348] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077c7ebc0 5 bytes JMP 0000000077de0370 .text C:\Windows\system32\Dwm.exe[1348] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077c7ebd0 5 bytes JMP 0000000077de0330 .text C:\Windows\system32\Dwm.exe[1348] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077c7eec0 5 bytes JMP 0000000077de0460 .text C:\Windows\system32\Dwm.exe[1348] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000077c7f020 5 bytes JMP 0000000077de0420 .text C:\Windows\system32\Dwm.exe[1348] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077c7f0c0 1 byte JMP 0000000077de0250 .text C:\Windows\system32\Dwm.exe[1348] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 0000000077c7f0c2 3 bytes {JMP 0x161190} .text C:\Windows\system32\Dwm.exe[1348] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077c7f0d0 1 byte JMP 0000000077de0260 .text C:\Windows\system32\Dwm.exe[1348] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 0000000077c7f0d2 3 bytes {JMP 0x161190} .text C:\Windows\system32\Dwm.exe[1348] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077c7f0e0 5 bytes JMP 0000000077de0400 .text C:\Windows\system32\Dwm.exe[1348] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077c7f2a0 5 bytes JMP 0000000077de01e0 .text C:\Windows\system32\Dwm.exe[1348] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077c7f2b0 5 bytes JMP 0000000077de0200 .text C:\Windows\system32\Dwm.exe[1348] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077c7f320 5 bytes JMP 0000000077de01f0 .text C:\Windows\system32\Dwm.exe[1348] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077c7f380 5 bytes JMP 0000000077de0430 .text C:\Windows\system32\Dwm.exe[1348] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077c7f390 5 bytes JMP 0000000077de0450 .text C:\Windows\system32\Dwm.exe[1348] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077c7f3a0 5 bytes JMP 0000000077de0210 .text C:\Windows\system32\Dwm.exe[1348] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077c7f480 5 bytes JMP 0000000077de0270 .text C:\Windows\system32\svchost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077c7dc60 5 bytes JMP 0000000077de0480 .text C:\Windows\system32\svchost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077c7dcb0 5 bytes JMP 0000000077de0470 .text C:\Windows\system32\svchost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077c7de10 5 bytes JMP 0000000077de0360 .text C:\Windows\system32\svchost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077c7de60 5 bytes JMP 0000000077de0490 .text C:\Windows\system32\svchost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077c7de70 5 bytes JMP 0000000077de03d0 .text C:\Windows\system32\svchost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077c7df20 5 bytes JMP 0000000077de0310 .text C:\Windows\system32\svchost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077c7df50 5 bytes JMP 0000000077de03a0 .text C:\Windows\system32\svchost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077c7df70 5 bytes JMP 0000000077de0380 .text C:\Windows\system32\svchost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077c7dfb0 5 bytes JMP 0000000077de02d0 .text C:\Windows\system32\svchost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077c7e030 1 byte JMP 0000000077de02c0 .text C:\Windows\system32\svchost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 0000000077c7e032 3 bytes {JMP 0x162290} .text C:\Windows\system32\svchost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077c7e050 5 bytes JMP 0000000077de0300 .text C:\Windows\system32\svchost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077c7e090 5 bytes JMP 0000000077de03b0 .text C:\Windows\system32\svchost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000077c7e0d0 5 bytes JMP 0000000077de0440 .text C:\Windows\system32\svchost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077c7e0e0 5 bytes JMP 0000000077de03e0 .text C:\Windows\system32\svchost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077c7e240 5 bytes JMP 0000000077de0220 .text C:\Windows\system32\svchost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077c7e400 5 bytes JMP 0000000077de04a0 .text C:\Windows\system32\svchost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077c7e430 5 bytes JMP 0000000077de0390 .text C:\Windows\system32\svchost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077c7e510 5 bytes JMP 0000000077de02e0 .text C:\Windows\system32\svchost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077c7e520 5 bytes JMP 0000000077de0340 .text C:\Windows\system32\svchost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077c7e580 5 bytes JMP 0000000077de0280 .text C:\Windows\system32\svchost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077c7e610 1 byte JMP 0000000077de02a0 .text C:\Windows\system32\svchost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 0000000077c7e612 3 bytes {JMP 0x161c90} .text C:\Windows\system32\svchost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077c7e630 1 byte JMP 0000000077de03c0 .text C:\Windows\system32\svchost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 0000000077c7e632 3 bytes {JMP 0x161d90} .text C:\Windows\system32\svchost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077c7e640 5 bytes JMP 0000000077de0320 .text C:\Windows\system32\svchost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077c7e6b0 5 bytes JMP 0000000077de0410 .text C:\Windows\system32\svchost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077c7e6e0 5 bytes JMP 0000000077de0230 .text C:\Windows\system32\svchost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000077c7e880 5 bytes JMP 0000000077de03f0 .text C:\Windows\system32\svchost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077c7e9a0 5 bytes JMP 0000000077de01d0 .text C:\Windows\system32\svchost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077c7ea60 5 bytes JMP 0000000077de0240 .text C:\Windows\system32\svchost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077c7ea90 5 bytes JMP 0000000077de04b0 .text C:\Windows\system32\svchost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077c7eaa0 5 bytes JMP 0000000077de04c0 .text C:\Windows\system32\svchost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077c7ead0 5 bytes JMP 0000000077de02f0 .text C:\Windows\system32\svchost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077c7eae0 5 bytes JMP 0000000077de0350 .text C:\Windows\system32\svchost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077c7eb40 5 bytes JMP 0000000077de0290 .text C:\Windows\system32\svchost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077c7eb90 5 bytes JMP 0000000077de02b0 .text C:\Windows\system32\svchost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077c7ebc0 5 bytes JMP 0000000077de0370 .text C:\Windows\system32\svchost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077c7ebd0 5 bytes JMP 0000000077de0330 .text C:\Windows\system32\svchost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077c7eec0 5 bytes JMP 0000000077de0460 .text C:\Windows\system32\svchost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000077c7f020 5 bytes JMP 0000000077de0420 .text C:\Windows\system32\svchost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077c7f0c0 1 byte JMP 0000000077de0250 .text C:\Windows\system32\svchost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 0000000077c7f0c2 3 bytes {JMP 0x161190} .text C:\Windows\system32\svchost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077c7f0d0 1 byte JMP 0000000077de0260 .text C:\Windows\system32\svchost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 0000000077c7f0d2 3 bytes {JMP 0x161190} .text C:\Windows\system32\svchost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077c7f0e0 5 bytes JMP 0000000077de0400 .text C:\Windows\system32\svchost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077c7f2a0 5 bytes JMP 0000000077de01e0 .text C:\Windows\system32\svchost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077c7f2b0 5 bytes JMP 0000000077de0200 .text C:\Windows\system32\svchost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077c7f320 5 bytes JMP 0000000077de01f0 .text C:\Windows\system32\svchost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077c7f380 5 bytes JMP 0000000077de0430 .text C:\Windows\system32\svchost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077c7f390 5 bytes JMP 0000000077de0450 .text C:\Windows\system32\svchost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077c7f3a0 5 bytes JMP 0000000077de0210 .text C:\Windows\system32\svchost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077c7f480 5 bytes JMP 0000000077de0270 .text C:\Windows\System32\svchost.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077c7dc60 5 bytes JMP 0000000077de0480 .text C:\Windows\System32\svchost.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077c7dcb0 5 bytes JMP 0000000077de0470 .text C:\Windows\System32\svchost.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077c7de10 5 bytes JMP 0000000077de0360 .text C:\Windows\System32\svchost.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077c7de60 5 bytes JMP 0000000077de0490 .text C:\Windows\System32\svchost.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077c7de70 5 bytes JMP 0000000077de03d0 .text C:\Windows\System32\svchost.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077c7df20 5 bytes JMP 0000000077de0310 .text C:\Windows\System32\svchost.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077c7df50 5 bytes JMP 0000000077de03a0 .text C:\Windows\System32\svchost.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077c7df70 5 bytes JMP 0000000077de0380 .text C:\Windows\System32\svchost.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077c7dfb0 5 bytes JMP 0000000077de02d0 .text C:\Windows\System32\svchost.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077c7e030 1 byte JMP 0000000077de02c0 .text C:\Windows\System32\svchost.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 0000000077c7e032 3 bytes {JMP 0x162290} .text C:\Windows\System32\svchost.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077c7e050 5 bytes JMP 0000000077de0300 .text C:\Windows\System32\svchost.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077c7e090 5 bytes JMP 0000000077de03b0 .text C:\Windows\System32\svchost.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000077c7e0d0 5 bytes JMP 0000000077de0440 .text C:\Windows\System32\svchost.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077c7e0e0 5 bytes JMP 0000000077de03e0 .text C:\Windows\System32\svchost.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077c7e240 5 bytes JMP 0000000077de0220 .text C:\Windows\System32\svchost.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077c7e400 5 bytes JMP 0000000077de04a0 .text C:\Windows\System32\svchost.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077c7e430 5 bytes JMP 0000000077de0390 .text C:\Windows\System32\svchost.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077c7e510 5 bytes JMP 0000000077de02e0 .text C:\Windows\System32\svchost.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077c7e520 5 bytes JMP 0000000077de0340 .text C:\Windows\System32\svchost.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077c7e580 5 bytes JMP 0000000077de0280 .text C:\Windows\System32\svchost.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077c7e610 1 byte JMP 0000000077de02a0 .text C:\Windows\System32\svchost.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 0000000077c7e612 3 bytes {JMP 0x161c90} .text C:\Windows\System32\svchost.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077c7e630 1 byte JMP 0000000077de03c0 .text C:\Windows\System32\svchost.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 0000000077c7e632 3 bytes {JMP 0x161d90} .text C:\Windows\System32\svchost.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077c7e640 5 bytes JMP 0000000077de0320 .text C:\Windows\System32\svchost.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077c7e6b0 5 bytes JMP 0000000077de0410 .text C:\Windows\System32\svchost.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077c7e6e0 5 bytes JMP 0000000077de0230 .text C:\Windows\System32\svchost.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000077c7e880 5 bytes JMP 0000000077de03f0 .text C:\Windows\System32\svchost.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077c7e9a0 5 bytes JMP 0000000077de01d0 .text C:\Windows\System32\svchost.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077c7ea60 5 bytes JMP 0000000077de0240 .text C:\Windows\System32\svchost.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077c7ea90 5 bytes JMP 0000000077de04b0 .text C:\Windows\System32\svchost.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077c7eaa0 5 bytes JMP 0000000077de04c0 .text C:\Windows\System32\svchost.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077c7ead0 5 bytes JMP 0000000077de02f0 .text C:\Windows\System32\svchost.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077c7eae0 5 bytes JMP 0000000077de0350 .text C:\Windows\System32\svchost.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077c7eb40 5 bytes JMP 0000000077de0290 .text C:\Windows\System32\svchost.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077c7eb90 5 bytes JMP 0000000077de02b0 .text C:\Windows\System32\svchost.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077c7ebc0 5 bytes JMP 0000000077de0370 .text C:\Windows\System32\svchost.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077c7ebd0 5 bytes JMP 0000000077de0330 .text C:\Windows\System32\svchost.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077c7eec0 5 bytes JMP 0000000077de0460 .text C:\Windows\System32\svchost.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000077c7f020 5 bytes JMP 0000000077de0420 .text C:\Windows\System32\svchost.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077c7f0c0 1 byte JMP 0000000077de0250 .text C:\Windows\System32\svchost.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 0000000077c7f0c2 3 bytes {JMP 0x161190} .text C:\Windows\System32\svchost.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077c7f0d0 1 byte JMP 0000000077de0260 .text C:\Windows\System32\svchost.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 0000000077c7f0d2 3 bytes {JMP 0x161190} .text C:\Windows\System32\svchost.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077c7f0e0 5 bytes JMP 0000000077de0400 .text C:\Windows\System32\svchost.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077c7f2a0 5 bytes JMP 0000000077de01e0 .text C:\Windows\System32\svchost.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077c7f2b0 5 bytes JMP 0000000077de0200 .text C:\Windows\System32\svchost.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077c7f320 5 bytes JMP 0000000077de01f0 .text C:\Windows\System32\svchost.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077c7f380 5 bytes JMP 0000000077de0430 .text C:\Windows\System32\svchost.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077c7f390 5 bytes JMP 0000000077de0450 .text C:\Windows\System32\svchost.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077c7f3a0 5 bytes JMP 0000000077de0210 .text C:\Windows\System32\svchost.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077c7f480 5 bytes JMP 0000000077de0270 .text C:\Windows\system32\taskeng.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077c7dc60 5 bytes JMP 0000000077de0480 .text C:\Windows\system32\taskeng.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077c7dcb0 5 bytes JMP 0000000077de0470 .text C:\Windows\system32\taskeng.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077c7de10 5 bytes JMP 0000000077de0360 .text C:\Windows\system32\taskeng.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077c7de60 5 bytes JMP 0000000077de0490 .text C:\Windows\system32\taskeng.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077c7de70 5 bytes JMP 0000000077de03d0 .text C:\Windows\system32\taskeng.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077c7df20 5 bytes JMP 0000000077de0310 .text C:\Windows\system32\taskeng.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077c7df50 5 bytes JMP 0000000077de03a0 .text C:\Windows\system32\taskeng.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077c7df70 5 bytes JMP 0000000077de0380 .text C:\Windows\system32\taskeng.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077c7dfb0 5 bytes JMP 0000000077de02d0 .text C:\Windows\system32\taskeng.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077c7e030 1 byte JMP 0000000077de02c0 .text C:\Windows\system32\taskeng.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 0000000077c7e032 3 bytes {JMP 0x162290} .text C:\Windows\system32\taskeng.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077c7e050 5 bytes JMP 0000000077de0300 .text C:\Windows\system32\taskeng.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077c7e090 5 bytes JMP 0000000077de03b0 .text C:\Windows\system32\taskeng.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000077c7e0d0 5 bytes JMP 0000000077de0440 .text C:\Windows\system32\taskeng.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077c7e0e0 5 bytes JMP 0000000077de03e0 .text C:\Windows\system32\taskeng.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077c7e240 5 bytes JMP 0000000077de0220 .text C:\Windows\system32\taskeng.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077c7e400 5 bytes JMP 0000000077de04a0 .text C:\Windows\system32\taskeng.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077c7e430 5 bytes JMP 0000000077de0390 .text C:\Windows\system32\taskeng.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077c7e510 5 bytes JMP 0000000077de02e0 .text C:\Windows\system32\taskeng.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077c7e520 5 bytes JMP 0000000077de0340 .text C:\Windows\system32\taskeng.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077c7e580 5 bytes JMP 0000000077de0280 .text C:\Windows\system32\taskeng.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077c7e610 1 byte JMP 0000000077de02a0 .text C:\Windows\system32\taskeng.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 0000000077c7e612 3 bytes {JMP 0x161c90} .text C:\Windows\system32\taskeng.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077c7e630 1 byte JMP 0000000077de03c0 .text C:\Windows\system32\taskeng.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 0000000077c7e632 3 bytes {JMP 0x161d90} .text C:\Windows\system32\taskeng.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077c7e640 5 bytes JMP 0000000077de0320 .text C:\Windows\system32\taskeng.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077c7e6b0 5 bytes JMP 0000000077de0410 .text C:\Windows\system32\taskeng.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077c7e6e0 5 bytes JMP 0000000077de0230 .text C:\Windows\system32\taskeng.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000077c7e880 5 bytes JMP 0000000077de03f0 .text C:\Windows\system32\taskeng.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077c7e9a0 5 bytes JMP 0000000077de01d0 .text C:\Windows\system32\taskeng.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077c7ea60 5 bytes JMP 0000000077de0240 .text C:\Windows\system32\taskeng.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077c7ea90 5 bytes JMP 0000000077de04b0 .text C:\Windows\system32\taskeng.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077c7eaa0 5 bytes JMP 0000000077de04c0 .text C:\Windows\system32\taskeng.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077c7ead0 5 bytes JMP 0000000077de02f0 .text C:\Windows\system32\taskeng.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077c7eae0 5 bytes JMP 0000000077de0350 .text C:\Windows\system32\taskeng.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077c7eb40 5 bytes JMP 0000000077de0290 .text C:\Windows\system32\taskeng.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077c7eb90 5 bytes JMP 0000000077de02b0 .text C:\Windows\system32\taskeng.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077c7ebc0 5 bytes JMP 0000000077de0370 .text C:\Windows\system32\taskeng.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077c7ebd0 5 bytes JMP 0000000077de0330 .text C:\Windows\system32\taskeng.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077c7eec0 5 bytes JMP 0000000077de0460 .text C:\Windows\system32\taskeng.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000077c7f020 5 bytes JMP 0000000077de0420 .text C:\Windows\system32\taskeng.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077c7f0c0 1 byte JMP 0000000077de0250 .text C:\Windows\system32\taskeng.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 0000000077c7f0c2 3 bytes {JMP 0x161190} .text C:\Windows\system32\taskeng.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077c7f0d0 1 byte JMP 0000000077de0260 .text C:\Windows\system32\taskeng.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 0000000077c7f0d2 3 bytes {JMP 0x161190} .text C:\Windows\system32\taskeng.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077c7f0e0 5 bytes JMP 0000000077de0400 .text C:\Windows\system32\taskeng.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077c7f2a0 5 bytes JMP 0000000077de01e0 .text C:\Windows\system32\taskeng.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077c7f2b0 5 bytes JMP 0000000077de0200 .text C:\Windows\system32\taskeng.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077c7f320 5 bytes JMP 0000000077de01f0 .text C:\Windows\system32\taskeng.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077c7f380 5 bytes JMP 0000000077de0430 .text C:\Windows\system32\taskeng.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077c7f390 5 bytes JMP 0000000077de0450 .text C:\Windows\system32\taskeng.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077c7f3a0 5 bytes JMP 0000000077de0210 .text C:\Windows\system32\taskeng.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077c7f480 5 bytes JMP 0000000077de0270 .text C:\Windows\system32\taskhost.exe[1816] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077c7dc60 5 bytes JMP 0000000000060480 .text C:\Windows\system32\taskhost.exe[1816] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077c7dcb0 5 bytes JMP 0000000000060470 .text C:\Windows\system32\taskhost.exe[1816] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077c7de10 5 bytes JMP 0000000000060360 .text C:\Windows\system32\taskhost.exe[1816] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077c7de60 5 bytes JMP 0000000000060490 .text C:\Windows\system32\taskhost.exe[1816] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077c7de70 5 bytes JMP 00000000000603d0 .text C:\Windows\system32\taskhost.exe[1816] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077c7df20 5 bytes JMP 0000000000060310 .text C:\Windows\system32\taskhost.exe[1816] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077c7df50 5 bytes JMP 00000000000603a0 .text C:\Windows\system32\taskhost.exe[1816] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077c7df70 5 bytes JMP 0000000000060380 .text C:\Windows\system32\taskhost.exe[1816] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077c7dfb0 5 bytes JMP 00000000000602d0 .text C:\Windows\system32\taskhost.exe[1816] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077c7e030 1 byte JMP 00000000000602c0 .text C:\Windows\system32\taskhost.exe[1816] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 0000000077c7e032 3 bytes {JMP 0xffffffff883e2290} .text C:\Windows\system32\taskhost.exe[1816] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077c7e050 5 bytes JMP 0000000000060300 .text C:\Windows\system32\taskhost.exe[1816] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077c7e090 5 bytes JMP 00000000000603b0 .text C:\Windows\system32\taskhost.exe[1816] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000077c7e0d0 5 bytes JMP 0000000000060440 .text C:\Windows\system32\taskhost.exe[1816] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077c7e0e0 5 bytes JMP 00000000000603e0 .text C:\Windows\system32\taskhost.exe[1816] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077c7e240 5 bytes JMP 0000000000060220 .text C:\Windows\system32\taskhost.exe[1816] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077c7e400 5 bytes JMP 00000000000604a0 .text C:\Windows\system32\taskhost.exe[1816] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077c7e430 5 bytes JMP 0000000000060390 .text C:\Windows\system32\taskhost.exe[1816] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077c7e510 5 bytes JMP 00000000000602e0 .text C:\Windows\system32\taskhost.exe[1816] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077c7e520 5 bytes JMP 0000000000060340 .text C:\Windows\system32\taskhost.exe[1816] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077c7e580 5 bytes JMP 0000000000060280 .text C:\Windows\system32\taskhost.exe[1816] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077c7e610 1 byte JMP 00000000000602a0 .text C:\Windows\system32\taskhost.exe[1816] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 0000000077c7e612 3 bytes {JMP 0xffffffff883e1c90} .text C:\Windows\system32\taskhost.exe[1816] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077c7e630 1 byte JMP 00000000000603c0 .text C:\Windows\system32\taskhost.exe[1816] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 0000000077c7e632 3 bytes {JMP 0xffffffff883e1d90} .text C:\Windows\system32\taskhost.exe[1816] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077c7e640 5 bytes JMP 0000000000060320 .text C:\Windows\system32\taskhost.exe[1816] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077c7e6b0 5 bytes JMP 0000000000060410 .text C:\Windows\system32\taskhost.exe[1816] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077c7e6e0 5 bytes JMP 0000000000060230 .text C:\Windows\system32\taskhost.exe[1816] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000077c7e880 5 bytes JMP 00000000000603f0 .text C:\Windows\system32\taskhost.exe[1816] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077c7e9a0 5 bytes JMP 00000000000601d0 .text C:\Windows\system32\taskhost.exe[1816] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077c7ea60 5 bytes JMP 0000000000060240 .text C:\Windows\system32\taskhost.exe[1816] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077c7ea90 5 bytes JMP 00000000000604b0 .text C:\Windows\system32\taskhost.exe[1816] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077c7eaa0 5 bytes JMP 00000000000604c0 .text C:\Windows\system32\taskhost.exe[1816] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077c7ead0 5 bytes JMP 00000000000602f0 .text C:\Windows\system32\taskhost.exe[1816] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077c7eae0 5 bytes JMP 0000000000060350 .text C:\Windows\system32\taskhost.exe[1816] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077c7eb40 5 bytes JMP 0000000000060290 .text C:\Windows\system32\taskhost.exe[1816] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077c7eb90 5 bytes JMP 00000000000602b0 .text C:\Windows\system32\taskhost.exe[1816] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077c7ebc0 5 bytes JMP 0000000000060370 .text C:\Windows\system32\taskhost.exe[1816] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077c7ebd0 5 bytes JMP 0000000000060330 .text C:\Windows\system32\taskhost.exe[1816] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077c7eec0 5 bytes JMP 0000000000060460 .text C:\Windows\system32\taskhost.exe[1816] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000077c7f020 5 bytes JMP 0000000000060420 .text C:\Windows\system32\taskhost.exe[1816] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077c7f0c0 1 byte JMP 0000000000060250 .text C:\Windows\system32\taskhost.exe[1816] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 0000000077c7f0c2 3 bytes {JMP 0xffffffff883e1190} .text C:\Windows\system32\taskhost.exe[1816] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077c7f0d0 1 byte JMP 0000000000060260 .text C:\Windows\system32\taskhost.exe[1816] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 0000000077c7f0d2 3 bytes {JMP 0xffffffff883e1190} .text C:\Windows\system32\taskhost.exe[1816] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077c7f0e0 5 bytes JMP 0000000000060400 .text C:\Windows\system32\taskhost.exe[1816] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077c7f2a0 5 bytes JMP 00000000000601e0 .text C:\Windows\system32\taskhost.exe[1816] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077c7f2b0 5 bytes JMP 0000000000060200 .text C:\Windows\system32\taskhost.exe[1816] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077c7f320 5 bytes JMP 00000000000601f0 .text C:\Windows\system32\taskhost.exe[1816] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077c7f380 5 bytes JMP 0000000000060430 .text C:\Windows\system32\taskhost.exe[1816] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077c7f390 5 bytes JMP 0000000000060450 .text C:\Windows\system32\taskhost.exe[1816] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077c7f3a0 5 bytes JMP 0000000000060210 .text C:\Windows\system32\taskhost.exe[1816] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077c7f480 5 bytes JMP 0000000000060270 .text C:\Program Files\AVAST Software\Avast\avastui.exe[2960] C:\Windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter 0000000076528781 8 bytes [31, C0, C2, 04, 00, 90, 90, ...] .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[4256] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076421401 2 bytes JMP 7654b21b C:\Windows\syswow64\kernel32.dll .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[4256] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000076421419 2 bytes JMP 7654b346 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[4256] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000076421431 2 bytes JMP 765c8f29 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[4256] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007642144a 2 bytes CALL 7652489d C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[4256] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000764214dd 2 bytes JMP 765c8822 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[4256] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000764214f5 2 bytes JMP 765c89f8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[4256] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007642150d 2 bytes JMP 765c8718 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[4256] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000076421525 2 bytes JMP 765c8ae2 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[4256] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007642153d 2 bytes JMP 7653fca8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[4256] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000076421555 2 bytes JMP 765468ef C:\Windows\syswow64\kernel32.dll .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[4256] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007642156d 2 bytes JMP 765c8fe3 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[4256] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000076421585 2 bytes JMP 765c8b42 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[4256] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007642159d 2 bytes JMP 765c86dc C:\Windows\syswow64\kernel32.dll .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[4256] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000764215b5 2 bytes JMP 7653fd41 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[4256] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000764215cd 2 bytes JMP 7654b2dc C:\Windows\syswow64\kernel32.dll .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[4256] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000764216b2 2 bytes JMP 765c8ea4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[4256] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000764216bd 2 bytes JMP 765c8671 C:\Windows\syswow64\kernel32.dll ---- Registry - GMER 2.2 ---- Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\{3CA785DC-4426-4E0F-9979-E6293D57CA9C}\Connection@Name isatap.{685CBA45-71DA-423F-AC57-D5A18F6BAE77} Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{2B07FAA1-8217-4E30-B5EC-FD4501E773BB}\Linkage@Bind \Device\{0983A7B2-ACB0-47E8-8BA2-01D6E3038425}?\Device\{7F809526-685F-41EF-98A7-D7F7355CE8B2}?\Device\{3CA785DC-4426-4E0F-9979-E6293D57CA9C}? Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{2B07FAA1-8217-4E30-B5EC-FD4501E773BB}\Linkage@Route "{0983A7B2-ACB0-47E8-8BA2-01D6E3038425}"?"{7F809526-685F-41EF-98A7-D7F7355CE8B2}"?"{3CA785DC-4426-4E0F-9979-E6293D57CA9C}"? Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{2B07FAA1-8217-4E30-B5EC-FD4501E773BB}\Linkage@Export \Device\TCPIP6TUNNEL_{0983A7B2-ACB0-47E8-8BA2-01D6E3038425}?\Device\TCPIP6TUNNEL_{7F809526-685F-41EF-98A7-D7F7355CE8B2}?\Device\TCPIP6TUNNEL_{3CA785DC-4426-4E0F-9979-E6293D57CA9C}? Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters\Instup_14733536113432280@SetupOperations ????????? ?????????????????????'??"???&???????????????????????????????????.0????????????? ???????????????????????????? ??????????????2???&??????? ???????????????????(????????????????*????????????????nsy??Port_#0002.Hub_#0004?s???????????d???????????????????????????????e???????????????&??????????????????????????????????????? ?????????????????????'?????????????????f??? l??????d?????d????? ??????????????????????????????s?????N????????????DRo??USB\VID_0951&PID_1666&REV_0100?USB\VID_0951&PID_1666??????N??????0?????D?j??????????? ?????s?d??.NT??d??{4d36e97d-e325-11ce-bfc1-08002be10318}\0024?GE???b???m?x?x?x?x?x?x?x?x?x?a???e???????b???9???v???????????????????????????n???????????????e??????????????\Device\Tcpip_{685CBA45-71DA-423F-AC57-D5A18F6BAE77}?\Device\Tcpip_{1BDBA46C-6A7A-48D0-A091-5B7233A01F12}?\Device\Tcpip_{86BAD138-E0E3-4AF6-8541-B44ADFA9ED8A}?\Device\Tcpip6_{0983A7B2-ACB0-47E8-8BA2-01D6E3038425}?\Device\Tcpip6_{7F809526-685F-41EF-98A7-D7F7355CE8B2}?\Device\Tcpip6_{3CA785DC-4426-4E0F-9979-E6293D57CA9C}?\D Reg HKLM\SYSTEM\CurrentControlSet\services\iphlpsvc\Parameters\Isatap\{3CA785DC-4426-4E0F-9979-E6293D57CA9C}@InterfaceName isatap.{685CBA45-71DA-423F-AC57-D5A18F6BAE77} Reg HKLM\SYSTEM\CurrentControlSet\services\iphlpsvc\Parameters\Isatap\{3CA785DC-4426-4E0F-9979-E6293D57CA9C}@ReusableType 0 Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters\Instup_14733536113432280@SetupOperations ????????? ??????????????????MBAMSwissArmy???{4d36e97d-e325-11ce-bfc1-08002be10318}\0029????????????????????e????@machine.inf,%gendev_mfg%;(Standardowe urz?dzenia systemowe)?????`?`?v?x?y?^????????????????????????????s??????????????????????????????????????????????????????d????DeleteFile("\??\c:\windows\system32\drivers\aswsp.sys.147470052793401")????????????????????????????????????????????????e?????????b??????????? ???????????????????????????? ??????????????1???c???????????????????????????????????????????????????????????????8?????t?8???????????????a?????t0\???????????W?????t-4??????????@machine.inf,%PCISlot%;Gniazdo PCI %1!u!?????Z?_?_?`?`?`?`?Z?Y?^?^?^??????N?????????????????????@machine.inf,%PCISlot%;Gniazdo PCI %1!u!?????[?a?a?a?a?a?`?a???Y???`?`???????c??????????????@machine.inf,%acpi\fixedbutton.devicedesc%;Przycisk ACPI Fixed Feature???????????????8?????????????????????????s????? v?????????????????FSFilter Activity Monitor????w??p???WpdMtpDriver??????????????N????????????D????MBAMSwissArmy Instance????? ---- EOF - GMER 2.2 ----