GMER 2.2.19882 - http://www.gmer.net Rootkit scan 2017-04-16 19:03:32 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 SAMSUNG_ rev.2AJ1 298,09GB Running: j9iftt32.exe; Driver: C:\Users\pc\AppData\Local\Temp\uxldapow.sys ---- User code sections - GMER 2.2 ---- .text C:\Windows\system32\lsass.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000779fbde0 5 bytes JMP 0000000077b60480 .text C:\Windows\system32\lsass.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000779fbe30 5 bytes JMP 0000000077b60470 .text C:\Windows\system32\lsass.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000779fbf90 5 bytes JMP 0000000077b60360 .text C:\Windows\system32\lsass.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000779fbfe0 5 bytes JMP 0000000077b60490 .text C:\Windows\system32\lsass.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779fbff0 5 bytes JMP 0000000077b603d0 .text C:\Windows\system32\lsass.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000779fc0a0 5 bytes JMP 0000000077b60310 .text C:\Windows\system32\lsass.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000779fc0d0 5 bytes JMP 0000000077b603a0 .text C:\Windows\system32\lsass.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000779fc0f0 1 byte JMP 0000000077b60380 .text C:\Windows\system32\lsass.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 00000000779fc0f2 3 bytes {JMP 0x164290} .text C:\Windows\system32\lsass.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000779fc130 5 bytes JMP 0000000077b602d0 .text C:\Windows\system32\lsass.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000779fc1b0 5 bytes JMP 0000000077b602c0 .text C:\Windows\system32\lsass.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779fc1d0 5 bytes JMP 0000000077b60300 .text C:\Windows\system32\lsass.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779fc210 5 bytes JMP 0000000077b603b0 .text C:\Windows\system32\lsass.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000779fc250 5 bytes JMP 0000000077b60440 .text C:\Windows\system32\lsass.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000779fc260 5 bytes JMP 0000000077b603e0 .text C:\Windows\system32\lsass.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000779fc3c0 5 bytes JMP 0000000077b60220 .text C:\Windows\system32\lsass.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000779fc580 5 bytes JMP 0000000077b604a0 .text C:\Windows\system32\lsass.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000779fc5b0 5 bytes JMP 0000000077b60390 .text C:\Windows\system32\lsass.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000779fc690 5 bytes JMP 0000000077b602e0 .text C:\Windows\system32\lsass.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000779fc6a0 5 bytes JMP 0000000077b60340 .text C:\Windows\system32\lsass.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000779fc700 5 bytes JMP 0000000077b60280 .text C:\Windows\system32\lsass.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000779fc790 5 bytes JMP 0000000077b602a0 .text C:\Windows\system32\lsass.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000779fc7b0 5 bytes JMP 0000000077b603c0 .text C:\Windows\system32\lsass.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000779fc7c0 5 bytes JMP 0000000077b60320 .text C:\Windows\system32\lsass.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000779fc830 5 bytes JMP 0000000077b60410 .text C:\Windows\system32\lsass.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000779fc860 5 bytes JMP 0000000077b60230 .text C:\Windows\system32\lsass.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 00000000779fca00 5 bytes JMP 0000000077b603f0 .text C:\Windows\system32\lsass.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000779fcb20 5 bytes JMP 0000000077b601d0 .text C:\Windows\system32\lsass.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000779fcbe0 5 bytes JMP 0000000077b60240 .text C:\Windows\system32\lsass.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000779fcc10 5 bytes JMP 0000000077b604b0 .text C:\Windows\system32\lsass.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000779fcc20 5 bytes JMP 0000000077b604c0 .text C:\Windows\system32\lsass.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000779fcc50 5 bytes JMP 0000000077b602f0 .text C:\Windows\system32\lsass.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000779fcc60 5 bytes JMP 0000000077b60350 .text C:\Windows\system32\lsass.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000779fccc0 5 bytes JMP 0000000077b60290 .text C:\Windows\system32\lsass.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000779fcd10 5 bytes JMP 0000000077b602b0 .text C:\Windows\system32\lsass.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000779fcd40 5 bytes JMP 0000000077b60370 .text C:\Windows\system32\lsass.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000779fcd50 5 bytes JMP 0000000077b60330 .text C:\Windows\system32\lsass.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000779fd040 5 bytes JMP 0000000077b60460 .text C:\Windows\system32\lsass.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 00000000779fd1a0 5 bytes JMP 0000000077b60420 .text C:\Windows\system32\lsass.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000779fd240 5 bytes JMP 0000000077b60250 .text C:\Windows\system32\lsass.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000779fd250 5 bytes JMP 0000000077b60260 .text C:\Windows\system32\lsass.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000779fd260 5 bytes JMP 0000000077b60400 .text C:\Windows\system32\lsass.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000779fd420 5 bytes JMP 0000000077b601e0 .text C:\Windows\system32\lsass.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000779fd430 5 bytes JMP 0000000077b60200 .text C:\Windows\system32\lsass.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000779fd4a0 5 bytes JMP 0000000077b601f0 .text C:\Windows\system32\lsass.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000779fd500 5 bytes JMP 0000000077b60430 .text C:\Windows\system32\lsass.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000779fd510 5 bytes JMP 0000000077b60450 .text C:\Windows\system32\lsass.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000779fd520 5 bytes JMP 0000000077b60210 .text C:\Windows\system32\lsass.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000779fd600 5 bytes JMP 0000000077b60270 .text C:\Windows\system32\lsm.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000779fbde0 5 bytes JMP 0000000077b60480 .text C:\Windows\system32\lsm.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000779fbe30 5 bytes JMP 0000000077b60470 .text C:\Windows\system32\lsm.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000779fbf90 5 bytes JMP 0000000077b60360 .text C:\Windows\system32\lsm.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000779fbfe0 5 bytes JMP 0000000077b60490 .text C:\Windows\system32\lsm.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779fbff0 5 bytes JMP 0000000077b603d0 .text C:\Windows\system32\lsm.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000779fc0a0 5 bytes JMP 0000000077b60310 .text C:\Windows\system32\lsm.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000779fc0d0 5 bytes JMP 0000000077b603a0 .text C:\Windows\system32\lsm.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000779fc0f0 1 byte JMP 0000000077b60380 .text C:\Windows\system32\lsm.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 00000000779fc0f2 3 bytes {JMP 0x164290} .text C:\Windows\system32\lsm.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000779fc130 5 bytes JMP 0000000077b602d0 .text C:\Windows\system32\lsm.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000779fc1b0 5 bytes JMP 0000000077b602c0 .text C:\Windows\system32\lsm.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779fc1d0 5 bytes JMP 0000000077b60300 .text C:\Windows\system32\lsm.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779fc210 5 bytes JMP 0000000077b603b0 .text C:\Windows\system32\lsm.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000779fc250 5 bytes JMP 0000000077b60440 .text C:\Windows\system32\lsm.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000779fc260 5 bytes JMP 0000000077b603e0 .text C:\Windows\system32\lsm.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000779fc3c0 5 bytes JMP 0000000077b60220 .text C:\Windows\system32\lsm.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000779fc580 5 bytes JMP 0000000077b604a0 .text C:\Windows\system32\lsm.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000779fc5b0 5 bytes JMP 0000000077b60390 .text C:\Windows\system32\lsm.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000779fc690 5 bytes JMP 0000000077b602e0 .text C:\Windows\system32\lsm.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000779fc6a0 5 bytes JMP 0000000077b60340 .text C:\Windows\system32\lsm.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000779fc700 5 bytes JMP 0000000077b60280 .text C:\Windows\system32\lsm.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000779fc790 5 bytes JMP 0000000077b602a0 .text C:\Windows\system32\lsm.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000779fc7b0 5 bytes JMP 0000000077b603c0 .text C:\Windows\system32\lsm.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000779fc7c0 5 bytes JMP 0000000077b60320 .text C:\Windows\system32\lsm.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000779fc830 5 bytes JMP 0000000077b60410 .text C:\Windows\system32\lsm.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000779fc860 5 bytes JMP 0000000077b60230 .text C:\Windows\system32\lsm.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 00000000779fca00 5 bytes JMP 0000000077b603f0 .text C:\Windows\system32\lsm.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000779fcb20 5 bytes JMP 0000000077b601d0 .text C:\Windows\system32\lsm.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000779fcbe0 5 bytes JMP 0000000077b60240 .text C:\Windows\system32\lsm.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000779fcc10 5 bytes JMP 0000000077b604b0 .text C:\Windows\system32\lsm.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000779fcc20 5 bytes JMP 0000000077b604c0 .text C:\Windows\system32\lsm.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000779fcc50 5 bytes JMP 0000000077b602f0 .text C:\Windows\system32\lsm.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000779fcc60 5 bytes JMP 0000000077b60350 .text C:\Windows\system32\lsm.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000779fccc0 5 bytes JMP 0000000077b60290 .text C:\Windows\system32\lsm.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000779fcd10 5 bytes JMP 0000000077b602b0 .text C:\Windows\system32\lsm.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000779fcd40 5 bytes JMP 0000000077b60370 .text C:\Windows\system32\lsm.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000779fcd50 5 bytes JMP 0000000077b60330 .text C:\Windows\system32\lsm.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000779fd040 5 bytes JMP 0000000077b60460 .text C:\Windows\system32\lsm.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 00000000779fd1a0 5 bytes JMP 0000000077b60420 .text C:\Windows\system32\lsm.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000779fd240 5 bytes JMP 0000000077b60250 .text C:\Windows\system32\lsm.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000779fd250 5 bytes JMP 0000000077b60260 .text C:\Windows\system32\lsm.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000779fd260 5 bytes JMP 0000000077b60400 .text C:\Windows\system32\lsm.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000779fd420 5 bytes JMP 0000000077b601e0 .text C:\Windows\system32\lsm.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000779fd430 5 bytes JMP 0000000077b60200 .text C:\Windows\system32\lsm.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000779fd4a0 5 bytes JMP 0000000077b601f0 .text C:\Windows\system32\lsm.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000779fd500 5 bytes JMP 0000000077b60430 .text C:\Windows\system32\lsm.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000779fd510 5 bytes JMP 0000000077b60450 .text C:\Windows\system32\lsm.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000779fd520 5 bytes JMP 0000000077b60210 .text C:\Windows\system32\lsm.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000779fd600 5 bytes JMP 0000000077b60270 .text C:\Windows\system32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000779fbde0 5 bytes JMP 0000000077b60480 .text C:\Windows\system32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000779fbe30 5 bytes JMP 0000000077b60470 .text C:\Windows\system32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000779fbf90 5 bytes JMP 0000000077b60360 .text C:\Windows\system32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000779fbfe0 5 bytes JMP 0000000077b60490 .text C:\Windows\system32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779fbff0 5 bytes JMP 0000000077b603d0 .text C:\Windows\system32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000779fc0a0 5 bytes JMP 0000000077b60310 .text C:\Windows\system32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000779fc0d0 5 bytes JMP 0000000077b603a0 .text C:\Windows\system32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000779fc0f0 1 byte JMP 0000000077b60380 .text C:\Windows\system32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 00000000779fc0f2 3 bytes {JMP 0x164290} .text C:\Windows\system32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000779fc130 5 bytes JMP 0000000077b602d0 .text C:\Windows\system32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000779fc1b0 5 bytes JMP 0000000077b602c0 .text C:\Windows\system32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779fc1d0 5 bytes JMP 0000000077b60300 .text C:\Windows\system32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779fc210 5 bytes JMP 0000000077b603b0 .text C:\Windows\system32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000779fc250 5 bytes JMP 0000000077b60440 .text C:\Windows\system32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000779fc260 5 bytes JMP 0000000077b603e0 .text C:\Windows\system32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000779fc3c0 5 bytes JMP 0000000077b60220 .text C:\Windows\system32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000779fc580 5 bytes JMP 0000000077b604a0 .text C:\Windows\system32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000779fc5b0 5 bytes JMP 0000000077b60390 .text C:\Windows\system32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000779fc690 5 bytes JMP 0000000077b602e0 .text C:\Windows\system32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000779fc6a0 5 bytes JMP 0000000077b60340 .text C:\Windows\system32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000779fc700 5 bytes JMP 0000000077b60280 .text C:\Windows\system32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000779fc790 5 bytes JMP 0000000077b602a0 .text C:\Windows\system32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000779fc7b0 5 bytes JMP 0000000077b603c0 .text C:\Windows\system32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000779fc7c0 5 bytes JMP 0000000077b60320 .text C:\Windows\system32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000779fc830 5 bytes JMP 0000000077b60410 .text C:\Windows\system32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000779fc860 5 bytes JMP 0000000077b60230 .text C:\Windows\system32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 00000000779fca00 5 bytes JMP 0000000077b603f0 .text C:\Windows\system32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000779fcb20 5 bytes JMP 0000000077b601d0 .text C:\Windows\system32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000779fcbe0 5 bytes JMP 0000000077b60240 .text C:\Windows\system32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000779fcc10 5 bytes JMP 0000000077b604b0 .text C:\Windows\system32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000779fcc20 5 bytes JMP 0000000077b604c0 .text C:\Windows\system32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000779fcc50 5 bytes JMP 0000000077b602f0 .text C:\Windows\system32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000779fcc60 5 bytes JMP 0000000077b60350 .text C:\Windows\system32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000779fccc0 5 bytes JMP 0000000077b60290 .text C:\Windows\system32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000779fcd10 5 bytes JMP 0000000077b602b0 .text C:\Windows\system32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000779fcd40 5 bytes JMP 0000000077b60370 .text C:\Windows\system32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000779fcd50 5 bytes JMP 0000000077b60330 .text C:\Windows\system32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000779fd040 5 bytes JMP 0000000077b60460 .text C:\Windows\system32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 00000000779fd1a0 5 bytes JMP 0000000077b60420 .text C:\Windows\system32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000779fd240 5 bytes JMP 0000000077b60250 .text C:\Windows\system32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000779fd250 5 bytes JMP 0000000077b60260 .text C:\Windows\system32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000779fd260 5 bytes JMP 0000000077b60400 .text C:\Windows\system32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000779fd420 5 bytes JMP 0000000077b601e0 .text C:\Windows\system32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000779fd430 5 bytes JMP 0000000077b60200 .text C:\Windows\system32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000779fd4a0 5 bytes JMP 0000000077b601f0 .text C:\Windows\system32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000779fd500 5 bytes JMP 0000000077b60430 .text C:\Windows\system32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000779fd510 5 bytes JMP 0000000077b60450 .text C:\Windows\system32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000779fd520 5 bytes JMP 0000000077b60210 .text C:\Windows\system32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000779fd600 5 bytes JMP 0000000077b60270 .text C:\Windows\System32\svchost.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000779fbde0 5 bytes JMP 0000000077b60480 .text C:\Windows\System32\svchost.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000779fbe30 5 bytes JMP 0000000077b60470 .text C:\Windows\System32\svchost.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000779fbf90 5 bytes JMP 0000000077b60360 .text C:\Windows\System32\svchost.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000779fbfe0 5 bytes JMP 0000000077b60490 .text C:\Windows\System32\svchost.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779fbff0 5 bytes JMP 0000000077b603d0 .text C:\Windows\System32\svchost.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000779fc0a0 5 bytes JMP 0000000077b60310 .text C:\Windows\System32\svchost.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000779fc0d0 5 bytes JMP 0000000077b603a0 .text C:\Windows\System32\svchost.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000779fc0f0 1 byte JMP 0000000077b60380 .text C:\Windows\System32\svchost.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 00000000779fc0f2 3 bytes {JMP 0x164290} .text C:\Windows\System32\svchost.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000779fc130 5 bytes JMP 0000000077b602d0 .text C:\Windows\System32\svchost.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000779fc1b0 5 bytes JMP 0000000077b602c0 .text C:\Windows\System32\svchost.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779fc1d0 5 bytes JMP 0000000077b60300 .text C:\Windows\System32\svchost.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779fc210 5 bytes JMP 0000000077b603b0 .text C:\Windows\System32\svchost.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000779fc250 5 bytes JMP 0000000077b60440 .text C:\Windows\System32\svchost.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000779fc260 5 bytes JMP 0000000077b603e0 .text C:\Windows\System32\svchost.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000779fc3c0 5 bytes JMP 0000000077b60220 .text C:\Windows\System32\svchost.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000779fc580 5 bytes JMP 0000000077b604a0 .text C:\Windows\System32\svchost.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000779fc5b0 5 bytes JMP 0000000077b60390 .text C:\Windows\System32\svchost.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000779fc690 5 bytes JMP 0000000077b602e0 .text C:\Windows\System32\svchost.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000779fc6a0 5 bytes JMP 0000000077b60340 .text C:\Windows\System32\svchost.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000779fc700 5 bytes JMP 0000000077b60280 .text C:\Windows\System32\svchost.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000779fc790 5 bytes JMP 0000000077b602a0 .text C:\Windows\System32\svchost.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000779fc7b0 5 bytes JMP 0000000077b603c0 .text C:\Windows\System32\svchost.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000779fc7c0 5 bytes JMP 0000000077b60320 .text C:\Windows\System32\svchost.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000779fc830 5 bytes JMP 0000000077b60410 .text C:\Windows\System32\svchost.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000779fc860 5 bytes JMP 0000000077b60230 .text C:\Windows\System32\svchost.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 00000000779fca00 5 bytes JMP 0000000077b603f0 .text C:\Windows\System32\svchost.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000779fcb20 5 bytes JMP 0000000077b601d0 .text C:\Windows\System32\svchost.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000779fcbe0 5 bytes JMP 0000000077b60240 .text C:\Windows\System32\svchost.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000779fcc10 5 bytes JMP 0000000077b604b0 .text C:\Windows\System32\svchost.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000779fcc20 5 bytes JMP 0000000077b604c0 .text C:\Windows\System32\svchost.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000779fcc50 5 bytes JMP 0000000077b602f0 .text C:\Windows\System32\svchost.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000779fcc60 5 bytes JMP 0000000077b60350 .text C:\Windows\System32\svchost.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000779fccc0 5 bytes JMP 0000000077b60290 .text C:\Windows\System32\svchost.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000779fcd10 5 bytes JMP 0000000077b602b0 .text C:\Windows\System32\svchost.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000779fcd40 5 bytes JMP 0000000077b60370 .text C:\Windows\System32\svchost.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000779fcd50 5 bytes JMP 0000000077b60330 .text C:\Windows\System32\svchost.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000779fd040 5 bytes JMP 0000000077b60460 .text C:\Windows\System32\svchost.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 00000000779fd1a0 5 bytes JMP 0000000077b60420 .text C:\Windows\System32\svchost.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000779fd240 5 bytes JMP 0000000077b60250 .text C:\Windows\System32\svchost.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000779fd250 5 bytes JMP 0000000077b60260 .text C:\Windows\System32\svchost.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000779fd260 5 bytes JMP 0000000077b60400 .text C:\Windows\System32\svchost.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000779fd420 5 bytes JMP 0000000077b601e0 .text C:\Windows\System32\svchost.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000779fd430 5 bytes JMP 0000000077b60200 .text C:\Windows\System32\svchost.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000779fd4a0 5 bytes JMP 0000000077b601f0 .text C:\Windows\System32\svchost.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000779fd500 5 bytes JMP 0000000077b60430 .text C:\Windows\System32\svchost.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000779fd510 5 bytes JMP 0000000077b60450 .text C:\Windows\System32\svchost.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000779fd520 5 bytes JMP 0000000077b60210 .text C:\Windows\System32\svchost.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000779fd600 5 bytes JMP 0000000077b60270 .text C:\Windows\System32\svchost.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000779fbde0 5 bytes JMP 0000000077b60480 .text C:\Windows\System32\svchost.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000779fbe30 5 bytes JMP 0000000077b60470 .text C:\Windows\System32\svchost.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000779fbf90 5 bytes JMP 0000000077b60360 .text C:\Windows\System32\svchost.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000779fbfe0 5 bytes JMP 0000000077b60490 .text C:\Windows\System32\svchost.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779fbff0 5 bytes JMP 0000000077b603d0 .text C:\Windows\System32\svchost.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000779fc0a0 5 bytes JMP 0000000077b60310 .text C:\Windows\System32\svchost.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000779fc0d0 5 bytes JMP 0000000077b603a0 .text C:\Windows\System32\svchost.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000779fc0f0 1 byte JMP 0000000077b60380 .text C:\Windows\System32\svchost.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 00000000779fc0f2 3 bytes {JMP 0x164290} .text C:\Windows\System32\svchost.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000779fc130 5 bytes JMP 0000000077b602d0 .text C:\Windows\System32\svchost.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000779fc1b0 5 bytes JMP 0000000077b602c0 .text C:\Windows\System32\svchost.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779fc1d0 5 bytes JMP 0000000077b60300 .text C:\Windows\System32\svchost.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779fc210 5 bytes JMP 0000000077b603b0 .text C:\Windows\System32\svchost.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000779fc250 5 bytes JMP 0000000077b60440 .text C:\Windows\System32\svchost.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000779fc260 5 bytes JMP 0000000077b603e0 .text C:\Windows\System32\svchost.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000779fc3c0 5 bytes JMP 0000000077b60220 .text C:\Windows\System32\svchost.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000779fc580 5 bytes JMP 0000000077b604a0 .text C:\Windows\System32\svchost.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000779fc5b0 5 bytes JMP 0000000077b60390 .text C:\Windows\System32\svchost.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000779fc690 5 bytes JMP 0000000077b602e0 .text C:\Windows\System32\svchost.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000779fc6a0 5 bytes JMP 0000000077b60340 .text C:\Windows\System32\svchost.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000779fc700 5 bytes JMP 0000000077b60280 .text C:\Windows\System32\svchost.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000779fc790 5 bytes JMP 0000000077b602a0 .text C:\Windows\System32\svchost.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000779fc7b0 5 bytes JMP 0000000077b603c0 .text C:\Windows\System32\svchost.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000779fc7c0 5 bytes JMP 0000000077b60320 .text C:\Windows\System32\svchost.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000779fc830 5 bytes JMP 0000000077b60410 .text C:\Windows\System32\svchost.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000779fc860 5 bytes JMP 0000000077b60230 .text C:\Windows\System32\svchost.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 00000000779fca00 5 bytes JMP 0000000077b603f0 .text C:\Windows\System32\svchost.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000779fcb20 5 bytes JMP 0000000077b601d0 .text C:\Windows\System32\svchost.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000779fcbe0 5 bytes JMP 0000000077b60240 .text C:\Windows\System32\svchost.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000779fcc10 5 bytes JMP 0000000077b604b0 .text C:\Windows\System32\svchost.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000779fcc20 5 bytes JMP 0000000077b604c0 .text C:\Windows\System32\svchost.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000779fcc50 5 bytes JMP 0000000077b602f0 .text C:\Windows\System32\svchost.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000779fcc60 5 bytes JMP 0000000077b60350 .text C:\Windows\System32\svchost.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000779fccc0 5 bytes JMP 0000000077b60290 .text C:\Windows\System32\svchost.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000779fcd10 5 bytes JMP 0000000077b602b0 .text C:\Windows\System32\svchost.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000779fcd40 5 bytes JMP 0000000077b60370 .text C:\Windows\System32\svchost.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000779fcd50 5 bytes JMP 0000000077b60330 .text C:\Windows\System32\svchost.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000779fd040 5 bytes JMP 0000000077b60460 .text C:\Windows\System32\svchost.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 00000000779fd1a0 5 bytes JMP 0000000077b60420 .text C:\Windows\System32\svchost.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000779fd240 5 bytes JMP 0000000077b60250 .text C:\Windows\System32\svchost.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000779fd250 5 bytes JMP 0000000077b60260 .text C:\Windows\System32\svchost.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000779fd260 5 bytes JMP 0000000077b60400 .text C:\Windows\System32\svchost.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000779fd420 5 bytes JMP 0000000077b601e0 .text C:\Windows\System32\svchost.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000779fd430 5 bytes JMP 0000000077b60200 .text C:\Windows\System32\svchost.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000779fd4a0 5 bytes JMP 0000000077b601f0 .text C:\Windows\System32\svchost.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000779fd500 5 bytes JMP 0000000077b60430 .text C:\Windows\System32\svchost.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000779fd510 5 bytes JMP 0000000077b60450 .text C:\Windows\System32\svchost.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000779fd520 5 bytes JMP 0000000077b60210 .text C:\Windows\System32\svchost.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000779fd600 5 bytes JMP 0000000077b60270 .text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000779fbde0 5 bytes JMP 0000000077b60480 .text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000779fbe30 5 bytes JMP 0000000077b60470 .text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000779fbf90 5 bytes JMP 0000000077b60360 .text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000779fbfe0 5 bytes JMP 0000000077b60490 .text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779fbff0 5 bytes JMP 0000000077b603d0 .text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000779fc0a0 5 bytes JMP 0000000077b60310 .text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000779fc0d0 5 bytes JMP 0000000077b603a0 .text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000779fc0f0 1 byte JMP 0000000077b60380 .text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 00000000779fc0f2 3 bytes {JMP 0x164290} .text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000779fc130 5 bytes JMP 0000000077b602d0 .text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000779fc1b0 5 bytes JMP 0000000077b602c0 .text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779fc1d0 5 bytes JMP 0000000077b60300 .text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779fc210 5 bytes JMP 0000000077b603b0 .text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000779fc250 5 bytes JMP 0000000077b60440 .text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000779fc260 5 bytes JMP 0000000077b603e0 .text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000779fc3c0 5 bytes JMP 0000000077b60220 .text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000779fc580 5 bytes JMP 0000000077b604a0 .text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000779fc5b0 5 bytes JMP 0000000077b60390 .text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000779fc690 5 bytes JMP 0000000077b602e0 .text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000779fc6a0 5 bytes JMP 0000000077b60340 .text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000779fc700 5 bytes JMP 0000000077b60280 .text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000779fc790 5 bytes JMP 0000000077b602a0 .text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000779fc7b0 5 bytes JMP 0000000077b603c0 .text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000779fc7c0 5 bytes JMP 0000000077b60320 .text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000779fc830 5 bytes JMP 0000000077b60410 .text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000779fc860 5 bytes JMP 0000000077b60230 .text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 00000000779fca00 5 bytes JMP 0000000077b603f0 .text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000779fcb20 5 bytes JMP 0000000077b601d0 .text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000779fcbe0 5 bytes JMP 0000000077b60240 .text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000779fcc10 5 bytes JMP 0000000077b604b0 .text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000779fcc20 5 bytes JMP 0000000077b604c0 .text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000779fcc50 5 bytes JMP 0000000077b602f0 .text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000779fcc60 5 bytes JMP 0000000077b60350 .text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000779fccc0 5 bytes JMP 0000000077b60290 .text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000779fcd10 5 bytes JMP 0000000077b602b0 .text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000779fcd40 5 bytes JMP 0000000077b60370 .text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000779fcd50 5 bytes JMP 0000000077b60330 .text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000779fd040 5 bytes JMP 0000000077b60460 .text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 00000000779fd1a0 5 bytes JMP 0000000077b60420 .text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000779fd240 5 bytes JMP 0000000077b60250 .text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000779fd250 5 bytes JMP 0000000077b60260 .text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000779fd260 5 bytes JMP 0000000077b60400 .text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000779fd420 5 bytes JMP 0000000077b601e0 .text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000779fd430 5 bytes JMP 0000000077b60200 .text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000779fd4a0 5 bytes JMP 0000000077b601f0 .text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000779fd500 5 bytes JMP 0000000077b60430 .text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000779fd510 5 bytes JMP 0000000077b60450 .text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000779fd520 5 bytes JMP 0000000077b60210 .text C:\Windows\system32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000779fd600 5 bytes JMP 0000000077b60270 .text C:\Windows\system32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000779fbde0 5 bytes JMP 0000000077b60480 .text C:\Windows\system32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000779fbe30 5 bytes JMP 0000000077b60470 .text C:\Windows\system32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000779fbf90 5 bytes JMP 0000000077b60360 .text C:\Windows\system32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000779fbfe0 5 bytes JMP 0000000077b60490 .text C:\Windows\system32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779fbff0 5 bytes JMP 0000000077b603d0 .text C:\Windows\system32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000779fc0a0 5 bytes JMP 0000000077b60310 .text C:\Windows\system32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000779fc0d0 5 bytes JMP 0000000077b603a0 .text C:\Windows\system32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000779fc0f0 1 byte JMP 0000000077b60380 .text C:\Windows\system32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 00000000779fc0f2 3 bytes {JMP 0x164290} .text C:\Windows\system32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000779fc130 5 bytes JMP 0000000077b602d0 .text C:\Windows\system32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000779fc1b0 5 bytes JMP 0000000077b602c0 .text C:\Windows\system32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779fc1d0 5 bytes JMP 0000000077b60300 .text C:\Windows\system32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779fc210 5 bytes JMP 0000000077b603b0 .text C:\Windows\system32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000779fc250 5 bytes JMP 0000000077b60440 .text C:\Windows\system32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000779fc260 5 bytes JMP 0000000077b603e0 .text C:\Windows\system32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000779fc3c0 5 bytes JMP 0000000077b60220 .text C:\Windows\system32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000779fc580 5 bytes JMP 0000000077b604a0 .text C:\Windows\system32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000779fc5b0 5 bytes JMP 0000000077b60390 .text C:\Windows\system32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000779fc690 5 bytes JMP 0000000077b602e0 .text C:\Windows\system32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000779fc6a0 5 bytes JMP 0000000077b60340 .text C:\Windows\system32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000779fc700 5 bytes JMP 0000000077b60280 .text C:\Windows\system32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000779fc790 5 bytes JMP 0000000077b602a0 .text C:\Windows\system32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000779fc7b0 5 bytes JMP 0000000077b603c0 .text C:\Windows\system32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000779fc7c0 5 bytes JMP 0000000077b60320 .text C:\Windows\system32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000779fc830 5 bytes JMP 0000000077b60410 .text C:\Windows\system32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000779fc860 5 bytes JMP 0000000077b60230 .text C:\Windows\system32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 00000000779fca00 5 bytes JMP 0000000077b603f0 .text C:\Windows\system32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000779fcb20 5 bytes JMP 0000000077b601d0 .text C:\Windows\system32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000779fcbe0 5 bytes JMP 0000000077b60240 .text C:\Windows\system32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000779fcc10 5 bytes JMP 0000000077b604b0 .text C:\Windows\system32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000779fcc20 5 bytes JMP 0000000077b604c0 .text C:\Windows\system32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000779fcc50 5 bytes JMP 0000000077b602f0 .text C:\Windows\system32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000779fcc60 5 bytes JMP 0000000077b60350 .text C:\Windows\system32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000779fccc0 5 bytes JMP 0000000077b60290 .text C:\Windows\system32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000779fcd10 5 bytes JMP 0000000077b602b0 .text C:\Windows\system32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000779fcd40 5 bytes JMP 0000000077b60370 .text C:\Windows\system32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000779fcd50 5 bytes JMP 0000000077b60330 .text C:\Windows\system32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000779fd040 5 bytes JMP 0000000077b60460 .text C:\Windows\system32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 00000000779fd1a0 5 bytes JMP 0000000077b60420 .text C:\Windows\system32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000779fd240 5 bytes JMP 0000000077b60250 .text C:\Windows\system32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000779fd250 5 bytes JMP 0000000077b60260 .text C:\Windows\system32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000779fd260 5 bytes JMP 0000000077b60400 .text C:\Windows\system32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000779fd420 5 bytes JMP 0000000077b601e0 .text C:\Windows\system32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000779fd430 5 bytes JMP 0000000077b60200 .text C:\Windows\system32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000779fd4a0 5 bytes JMP 0000000077b601f0 .text C:\Windows\system32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000779fd500 5 bytes JMP 0000000077b60430 .text C:\Windows\system32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000779fd510 5 bytes JMP 0000000077b60450 .text C:\Windows\system32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000779fd520 5 bytes JMP 0000000077b60210 .text C:\Windows\system32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000779fd600 5 bytes JMP 0000000077b60270 .text C:\Windows\system32\svchost.exe[1204] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000779fbde0 5 bytes JMP 0000000077b60480 .text C:\Windows\system32\svchost.exe[1204] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000779fbe30 5 bytes JMP 0000000077b60470 .text C:\Windows\system32\svchost.exe[1204] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000779fbf90 5 bytes JMP 0000000077b60360 .text C:\Windows\system32\svchost.exe[1204] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000779fbfe0 5 bytes JMP 0000000077b60490 .text C:\Windows\system32\svchost.exe[1204] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779fbff0 5 bytes JMP 0000000077b603d0 .text C:\Windows\system32\svchost.exe[1204] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000779fc0a0 5 bytes JMP 0000000077b60310 .text C:\Windows\system32\svchost.exe[1204] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000779fc0d0 5 bytes JMP 0000000077b603a0 .text C:\Windows\system32\svchost.exe[1204] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000779fc0f0 1 byte JMP 0000000077b60380 .text C:\Windows\system32\svchost.exe[1204] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 00000000779fc0f2 3 bytes {JMP 0x164290} .text C:\Windows\system32\svchost.exe[1204] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000779fc130 5 bytes JMP 0000000077b602d0 .text C:\Windows\system32\svchost.exe[1204] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000779fc1b0 5 bytes JMP 0000000077b602c0 .text C:\Windows\system32\svchost.exe[1204] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779fc1d0 5 bytes JMP 0000000077b60300 .text C:\Windows\system32\svchost.exe[1204] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779fc210 5 bytes JMP 0000000077b603b0 .text C:\Windows\system32\svchost.exe[1204] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000779fc250 5 bytes JMP 0000000077b60440 .text C:\Windows\system32\svchost.exe[1204] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000779fc260 5 bytes JMP 0000000077b603e0 .text C:\Windows\system32\svchost.exe[1204] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000779fc3c0 5 bytes JMP 0000000077b60220 .text C:\Windows\system32\svchost.exe[1204] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000779fc580 5 bytes JMP 0000000077b604a0 .text C:\Windows\system32\svchost.exe[1204] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000779fc5b0 5 bytes JMP 0000000077b60390 .text C:\Windows\system32\svchost.exe[1204] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000779fc690 5 bytes JMP 0000000077b602e0 .text C:\Windows\system32\svchost.exe[1204] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000779fc6a0 5 bytes JMP 0000000077b60340 .text C:\Windows\system32\svchost.exe[1204] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000779fc700 5 bytes JMP 0000000077b60280 .text C:\Windows\system32\svchost.exe[1204] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000779fc790 5 bytes JMP 0000000077b602a0 .text C:\Windows\system32\svchost.exe[1204] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000779fc7b0 5 bytes JMP 0000000077b603c0 .text C:\Windows\system32\svchost.exe[1204] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000779fc7c0 5 bytes JMP 0000000077b60320 .text C:\Windows\system32\svchost.exe[1204] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000779fc830 5 bytes JMP 0000000077b60410 .text C:\Windows\system32\svchost.exe[1204] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000779fc860 5 bytes JMP 0000000077b60230 .text C:\Windows\system32\svchost.exe[1204] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 00000000779fca00 5 bytes JMP 0000000077b603f0 .text C:\Windows\system32\svchost.exe[1204] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000779fcb20 5 bytes JMP 0000000077b601d0 .text C:\Windows\system32\svchost.exe[1204] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000779fcbe0 5 bytes JMP 0000000077b60240 .text C:\Windows\system32\svchost.exe[1204] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000779fcc10 5 bytes JMP 0000000077b604b0 .text C:\Windows\system32\svchost.exe[1204] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000779fcc20 5 bytes JMP 0000000077b604c0 .text C:\Windows\system32\svchost.exe[1204] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000779fcc50 5 bytes JMP 0000000077b602f0 .text C:\Windows\system32\svchost.exe[1204] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000779fcc60 5 bytes JMP 0000000077b60350 .text C:\Windows\system32\svchost.exe[1204] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000779fccc0 5 bytes JMP 0000000077b60290 .text C:\Windows\system32\svchost.exe[1204] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000779fcd10 5 bytes JMP 0000000077b602b0 .text C:\Windows\system32\svchost.exe[1204] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000779fcd40 5 bytes JMP 0000000077b60370 .text C:\Windows\system32\svchost.exe[1204] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000779fcd50 5 bytes JMP 0000000077b60330 .text C:\Windows\system32\svchost.exe[1204] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000779fd040 5 bytes JMP 0000000077b60460 .text C:\Windows\system32\svchost.exe[1204] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 00000000779fd1a0 5 bytes JMP 0000000077b60420 .text C:\Windows\system32\svchost.exe[1204] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000779fd240 5 bytes JMP 0000000077b60250 .text C:\Windows\system32\svchost.exe[1204] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000779fd250 5 bytes JMP 0000000077b60260 .text C:\Windows\system32\svchost.exe[1204] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000779fd260 5 bytes JMP 0000000077b60400 .text C:\Windows\system32\svchost.exe[1204] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000779fd420 5 bytes JMP 0000000077b601e0 .text C:\Windows\system32\svchost.exe[1204] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000779fd430 5 bytes JMP 0000000077b60200 .text C:\Windows\system32\svchost.exe[1204] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000779fd4a0 5 bytes JMP 0000000077b601f0 .text C:\Windows\system32\svchost.exe[1204] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000779fd500 5 bytes JMP 0000000077b60430 .text C:\Windows\system32\svchost.exe[1204] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000779fd510 5 bytes JMP 0000000077b60450 .text C:\Windows\system32\svchost.exe[1204] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000779fd520 5 bytes JMP 0000000077b60210 .text C:\Windows\system32\svchost.exe[1204] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000779fd600 5 bytes JMP 0000000077b60270 .text C:\Windows\system32\svchost.exe[1548] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000779fbde0 5 bytes JMP 0000000077b60480 .text C:\Windows\system32\svchost.exe[1548] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000779fbe30 5 bytes JMP 0000000077b60470 .text C:\Windows\system32\svchost.exe[1548] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000779fbf90 5 bytes JMP 0000000077b60360 .text C:\Windows\system32\svchost.exe[1548] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000779fbfe0 5 bytes JMP 0000000077b60490 .text C:\Windows\system32\svchost.exe[1548] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779fbff0 5 bytes JMP 0000000077b603d0 .text C:\Windows\system32\svchost.exe[1548] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000779fc0a0 5 bytes JMP 0000000077b60310 .text C:\Windows\system32\svchost.exe[1548] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000779fc0d0 5 bytes JMP 0000000077b603a0 .text C:\Windows\system32\svchost.exe[1548] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000779fc0f0 1 byte JMP 0000000077b60380 .text C:\Windows\system32\svchost.exe[1548] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 00000000779fc0f2 3 bytes {JMP 0x164290} .text C:\Windows\system32\svchost.exe[1548] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000779fc130 5 bytes JMP 0000000077b602d0 .text C:\Windows\system32\svchost.exe[1548] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000779fc1b0 5 bytes JMP 0000000077b602c0 .text C:\Windows\system32\svchost.exe[1548] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779fc1d0 5 bytes JMP 0000000077b60300 .text C:\Windows\system32\svchost.exe[1548] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779fc210 5 bytes JMP 0000000077b603b0 .text C:\Windows\system32\svchost.exe[1548] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000779fc250 5 bytes JMP 0000000077b60440 .text C:\Windows\system32\svchost.exe[1548] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000779fc260 5 bytes JMP 0000000077b603e0 .text C:\Windows\system32\svchost.exe[1548] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000779fc3c0 5 bytes JMP 0000000077b60220 .text C:\Windows\system32\svchost.exe[1548] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000779fc580 5 bytes JMP 0000000077b604a0 .text C:\Windows\system32\svchost.exe[1548] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000779fc5b0 5 bytes JMP 0000000077b60390 .text C:\Windows\system32\svchost.exe[1548] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000779fc690 5 bytes JMP 0000000077b602e0 .text C:\Windows\system32\svchost.exe[1548] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000779fc6a0 5 bytes JMP 0000000077b60340 .text C:\Windows\system32\svchost.exe[1548] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000779fc700 5 bytes JMP 0000000077b60280 .text C:\Windows\system32\svchost.exe[1548] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000779fc790 5 bytes JMP 0000000077b602a0 .text C:\Windows\system32\svchost.exe[1548] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000779fc7b0 5 bytes JMP 0000000077b603c0 .text C:\Windows\system32\svchost.exe[1548] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000779fc7c0 5 bytes JMP 0000000077b60320 .text C:\Windows\system32\svchost.exe[1548] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000779fc830 5 bytes JMP 0000000077b60410 .text C:\Windows\system32\svchost.exe[1548] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000779fc860 5 bytes JMP 0000000077b60230 .text C:\Windows\system32\svchost.exe[1548] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 00000000779fca00 5 bytes JMP 0000000077b603f0 .text C:\Windows\system32\svchost.exe[1548] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000779fcb20 5 bytes JMP 0000000077b601d0 .text C:\Windows\system32\svchost.exe[1548] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000779fcbe0 5 bytes JMP 0000000077b60240 .text C:\Windows\system32\svchost.exe[1548] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000779fcc10 5 bytes JMP 0000000077b604b0 .text C:\Windows\system32\svchost.exe[1548] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000779fcc20 5 bytes JMP 0000000077b604c0 .text C:\Windows\system32\svchost.exe[1548] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000779fcc50 5 bytes JMP 0000000077b602f0 .text C:\Windows\system32\svchost.exe[1548] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000779fcc60 5 bytes JMP 0000000077b60350 .text C:\Windows\system32\svchost.exe[1548] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000779fccc0 5 bytes JMP 0000000077b60290 .text C:\Windows\system32\svchost.exe[1548] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000779fcd10 5 bytes JMP 0000000077b602b0 .text C:\Windows\system32\svchost.exe[1548] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000779fcd40 5 bytes JMP 0000000077b60370 .text C:\Windows\system32\svchost.exe[1548] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000779fcd50 5 bytes JMP 0000000077b60330 .text C:\Windows\system32\svchost.exe[1548] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000779fd040 5 bytes JMP 0000000077b60460 .text C:\Windows\system32\svchost.exe[1548] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 00000000779fd1a0 5 bytes JMP 0000000077b60420 .text C:\Windows\system32\svchost.exe[1548] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000779fd240 5 bytes JMP 0000000077b60250 .text C:\Windows\system32\svchost.exe[1548] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000779fd250 5 bytes JMP 0000000077b60260 .text C:\Windows\system32\svchost.exe[1548] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000779fd260 5 bytes JMP 0000000077b60400 .text C:\Windows\system32\svchost.exe[1548] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000779fd420 5 bytes JMP 0000000077b601e0 .text C:\Windows\system32\svchost.exe[1548] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000779fd430 5 bytes JMP 0000000077b60200 .text C:\Windows\system32\svchost.exe[1548] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000779fd4a0 5 bytes JMP 0000000077b601f0 .text C:\Windows\system32\svchost.exe[1548] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000779fd500 5 bytes JMP 0000000077b60430 .text C:\Windows\system32\svchost.exe[1548] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000779fd510 5 bytes JMP 0000000077b60450 .text C:\Windows\system32\svchost.exe[1548] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000779fd520 5 bytes JMP 0000000077b60210 .text C:\Windows\system32\svchost.exe[1548] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000779fd600 5 bytes JMP 0000000077b60270 .text C:\Windows\System32\svchost.exe[1844] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000779fbde0 5 bytes JMP 0000000000070480 .text C:\Windows\System32\svchost.exe[1844] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000779fbe30 5 bytes JMP 0000000000070470 .text C:\Windows\System32\svchost.exe[1844] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000779fbf90 5 bytes JMP 0000000000070360 .text C:\Windows\System32\svchost.exe[1844] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000779fbfe0 5 bytes JMP 0000000000070490 .text C:\Windows\System32\svchost.exe[1844] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779fbff0 5 bytes JMP 00000000000703d0 .text C:\Windows\System32\svchost.exe[1844] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000779fc0a0 5 bytes JMP 0000000000070310 .text C:\Windows\System32\svchost.exe[1844] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000779fc0d0 5 bytes JMP 00000000000703a0 .text C:\Windows\System32\svchost.exe[1844] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000779fc0f0 1 byte JMP 0000000000070380 .text C:\Windows\System32\svchost.exe[1844] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 00000000779fc0f2 3 bytes {JMP 0xffffffff88674290} .text C:\Windows\System32\svchost.exe[1844] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000779fc130 5 bytes JMP 00000000000702d0 .text C:\Windows\System32\svchost.exe[1844] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000779fc1b0 5 bytes JMP 00000000000702c0 .text C:\Windows\System32\svchost.exe[1844] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779fc1d0 5 bytes JMP 0000000000070300 .text C:\Windows\System32\svchost.exe[1844] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779fc210 5 bytes JMP 00000000000703b0 .text C:\Windows\System32\svchost.exe[1844] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000779fc250 5 bytes JMP 0000000000070440 .text C:\Windows\System32\svchost.exe[1844] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000779fc260 5 bytes JMP 00000000000703e0 .text C:\Windows\System32\svchost.exe[1844] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000779fc3c0 5 bytes JMP 0000000000070220 .text C:\Windows\System32\svchost.exe[1844] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000779fc580 5 bytes JMP 00000000000704a0 .text C:\Windows\System32\svchost.exe[1844] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000779fc5b0 5 bytes JMP 0000000000070390 .text C:\Windows\System32\svchost.exe[1844] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000779fc690 5 bytes JMP 00000000000702e0 .text C:\Windows\System32\svchost.exe[1844] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000779fc6a0 5 bytes JMP 0000000000070340 .text C:\Windows\System32\svchost.exe[1844] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000779fc700 5 bytes JMP 0000000000070280 .text C:\Windows\System32\svchost.exe[1844] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000779fc790 5 bytes JMP 00000000000702a0 .text C:\Windows\System32\svchost.exe[1844] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000779fc7b0 5 bytes JMP 00000000000703c0 .text C:\Windows\System32\svchost.exe[1844] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000779fc7c0 5 bytes JMP 0000000000070320 .text C:\Windows\System32\svchost.exe[1844] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000779fc830 5 bytes JMP 0000000000070410 .text C:\Windows\System32\svchost.exe[1844] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000779fc860 5 bytes JMP 0000000000070230 .text C:\Windows\System32\svchost.exe[1844] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 00000000779fca00 5 bytes JMP 00000000000703f0 .text C:\Windows\System32\svchost.exe[1844] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000779fcb20 5 bytes JMP 00000000000701d0 .text C:\Windows\System32\svchost.exe[1844] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000779fcbe0 5 bytes JMP 0000000000070240 .text C:\Windows\System32\svchost.exe[1844] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000779fcc10 5 bytes JMP 00000000000704b0 .text C:\Windows\System32\svchost.exe[1844] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000779fcc20 5 bytes JMP 00000000000704c0 .text C:\Windows\System32\svchost.exe[1844] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000779fcc50 5 bytes JMP 00000000000702f0 .text C:\Windows\System32\svchost.exe[1844] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000779fcc60 5 bytes JMP 0000000000070350 .text C:\Windows\System32\svchost.exe[1844] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000779fccc0 5 bytes JMP 0000000000070290 .text C:\Windows\System32\svchost.exe[1844] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000779fcd10 5 bytes JMP 00000000000702b0 .text C:\Windows\System32\svchost.exe[1844] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000779fcd40 5 bytes JMP 0000000000070370 .text C:\Windows\System32\svchost.exe[1844] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000779fcd50 5 bytes JMP 0000000000070330 .text C:\Windows\System32\svchost.exe[1844] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000779fd040 5 bytes JMP 0000000000070460 .text C:\Windows\System32\svchost.exe[1844] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 00000000779fd1a0 5 bytes JMP 0000000000070420 .text C:\Windows\System32\svchost.exe[1844] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000779fd240 5 bytes JMP 0000000000070250 .text C:\Windows\System32\svchost.exe[1844] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000779fd250 5 bytes JMP 0000000000070260 .text C:\Windows\System32\svchost.exe[1844] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000779fd260 5 bytes JMP 0000000000070400 .text C:\Windows\System32\svchost.exe[1844] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000779fd420 5 bytes JMP 00000000000701e0 .text C:\Windows\System32\svchost.exe[1844] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000779fd430 5 bytes JMP 0000000000070200 .text C:\Windows\System32\svchost.exe[1844] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000779fd4a0 5 bytes JMP 00000000000701f0 .text C:\Windows\System32\svchost.exe[1844] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000779fd500 5 bytes JMP 0000000000070430 .text C:\Windows\System32\svchost.exe[1844] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000779fd510 5 bytes JMP 0000000000070450 .text C:\Windows\System32\svchost.exe[1844] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000779fd520 5 bytes JMP 0000000000070210 .text C:\Windows\System32\svchost.exe[1844] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000779fd600 5 bytes JMP 0000000000070270 .text C:\Windows\system32\Dwm.exe[3028] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000779fbde0 5 bytes JMP 0000000077b60480 .text C:\Windows\system32\Dwm.exe[3028] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000779fbe30 5 bytes JMP 0000000077b60470 .text C:\Windows\system32\Dwm.exe[3028] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000779fbf90 5 bytes JMP 0000000077b60360 .text C:\Windows\system32\Dwm.exe[3028] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000779fbfe0 5 bytes JMP 0000000077b60490 .text C:\Windows\system32\Dwm.exe[3028] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779fbff0 5 bytes JMP 0000000077b603d0 .text C:\Windows\system32\Dwm.exe[3028] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000779fc0a0 5 bytes JMP 0000000077b60310 .text C:\Windows\system32\Dwm.exe[3028] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000779fc0d0 5 bytes JMP 0000000077b603a0 .text C:\Windows\system32\Dwm.exe[3028] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000779fc0f0 1 byte JMP 0000000077b60380 .text C:\Windows\system32\Dwm.exe[3028] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 00000000779fc0f2 3 bytes {JMP 0x164290} .text C:\Windows\system32\Dwm.exe[3028] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000779fc130 5 bytes JMP 0000000077b602d0 .text C:\Windows\system32\Dwm.exe[3028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000779fc1b0 5 bytes JMP 0000000077b602c0 .text C:\Windows\system32\Dwm.exe[3028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779fc1d0 5 bytes JMP 0000000077b60300 .text C:\Windows\system32\Dwm.exe[3028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779fc210 5 bytes JMP 0000000077b603b0 .text C:\Windows\system32\Dwm.exe[3028] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000779fc250 5 bytes JMP 0000000077b60440 .text C:\Windows\system32\Dwm.exe[3028] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000779fc260 5 bytes JMP 0000000077b603e0 .text C:\Windows\system32\Dwm.exe[3028] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000779fc3c0 5 bytes JMP 0000000077b60220 .text C:\Windows\system32\Dwm.exe[3028] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000779fc580 5 bytes JMP 0000000077b604a0 .text C:\Windows\system32\Dwm.exe[3028] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000779fc5b0 5 bytes JMP 0000000077b60390 .text C:\Windows\system32\Dwm.exe[3028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000779fc690 5 bytes JMP 0000000077b602e0 .text C:\Windows\system32\Dwm.exe[3028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000779fc6a0 5 bytes JMP 0000000077b60340 .text C:\Windows\system32\Dwm.exe[3028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000779fc700 5 bytes JMP 0000000077b60280 .text C:\Windows\system32\Dwm.exe[3028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000779fc790 5 bytes JMP 0000000077b602a0 .text C:\Windows\system32\Dwm.exe[3028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000779fc7b0 5 bytes JMP 0000000077b603c0 .text C:\Windows\system32\Dwm.exe[3028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000779fc7c0 5 bytes JMP 0000000077b60320 .text C:\Windows\system32\Dwm.exe[3028] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000779fc830 5 bytes JMP 0000000077b60410 .text C:\Windows\system32\Dwm.exe[3028] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000779fc860 5 bytes JMP 0000000077b60230 .text C:\Windows\system32\Dwm.exe[3028] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 00000000779fca00 5 bytes JMP 0000000077b603f0 .text C:\Windows\system32\Dwm.exe[3028] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000779fcb20 5 bytes JMP 0000000077b601d0 .text C:\Windows\system32\Dwm.exe[3028] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000779fcbe0 5 bytes JMP 0000000077b60240 .text C:\Windows\system32\Dwm.exe[3028] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000779fcc10 5 bytes JMP 0000000077b604b0 .text C:\Windows\system32\Dwm.exe[3028] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000779fcc20 5 bytes JMP 0000000077b604c0 .text C:\Windows\system32\Dwm.exe[3028] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000779fcc50 5 bytes JMP 0000000077b602f0 .text C:\Windows\system32\Dwm.exe[3028] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000779fcc60 5 bytes JMP 0000000077b60350 .text C:\Windows\system32\Dwm.exe[3028] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000779fccc0 5 bytes JMP 0000000077b60290 .text C:\Windows\system32\Dwm.exe[3028] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000779fcd10 5 bytes JMP 0000000077b602b0 .text C:\Windows\system32\Dwm.exe[3028] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000779fcd40 5 bytes JMP 0000000077b60370 .text C:\Windows\system32\Dwm.exe[3028] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000779fcd50 5 bytes JMP 0000000077b60330 .text C:\Windows\system32\Dwm.exe[3028] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000779fd040 5 bytes JMP 0000000077b60460 .text C:\Windows\system32\Dwm.exe[3028] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 00000000779fd1a0 5 bytes JMP 0000000077b60420 .text C:\Windows\system32\Dwm.exe[3028] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000779fd240 5 bytes JMP 0000000077b60250 .text C:\Windows\system32\Dwm.exe[3028] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000779fd250 5 bytes JMP 0000000077b60260 .text C:\Windows\system32\Dwm.exe[3028] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000779fd260 5 bytes JMP 0000000077b60400 .text C:\Windows\system32\Dwm.exe[3028] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000779fd420 5 bytes JMP 0000000077b601e0 .text C:\Windows\system32\Dwm.exe[3028] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000779fd430 5 bytes JMP 0000000077b60200 .text C:\Windows\system32\Dwm.exe[3028] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000779fd4a0 5 bytes JMP 0000000077b601f0 .text C:\Windows\system32\Dwm.exe[3028] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000779fd500 5 bytes JMP 0000000077b60430 .text C:\Windows\system32\Dwm.exe[3028] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000779fd510 5 bytes JMP 0000000077b60450 .text C:\Windows\system32\Dwm.exe[3028] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000779fd520 5 bytes JMP 0000000077b60210 .text C:\Windows\system32\Dwm.exe[3028] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000779fd600 5 bytes JMP 0000000077b60270 .text C:\Windows\Explorer.EXE[1200] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000779fbde0 5 bytes JMP 0000000077b60480 .text C:\Windows\Explorer.EXE[1200] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000779fbe30 5 bytes JMP 0000000077b60470 .text C:\Windows\Explorer.EXE[1200] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000779fbf90 5 bytes JMP 0000000077b60360 .text C:\Windows\Explorer.EXE[1200] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000779fbfe0 5 bytes JMP 0000000077b60490 .text C:\Windows\Explorer.EXE[1200] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779fbff0 5 bytes JMP 0000000077b603d0 .text C:\Windows\Explorer.EXE[1200] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000779fc0a0 5 bytes JMP 0000000077b60310 .text C:\Windows\Explorer.EXE[1200] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000779fc0d0 5 bytes JMP 0000000077b603a0 .text C:\Windows\Explorer.EXE[1200] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000779fc0f0 1 byte JMP 0000000077b60380 .text C:\Windows\Explorer.EXE[1200] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 00000000779fc0f2 3 bytes {JMP 0x164290} .text C:\Windows\Explorer.EXE[1200] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000779fc130 5 bytes JMP 0000000077b602d0 .text C:\Windows\Explorer.EXE[1200] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000779fc1b0 5 bytes JMP 0000000077b602c0 .text C:\Windows\Explorer.EXE[1200] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779fc1d0 5 bytes JMP 0000000077b60300 .text C:\Windows\Explorer.EXE[1200] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779fc210 5 bytes JMP 0000000077b603b0 .text C:\Windows\Explorer.EXE[1200] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000779fc250 5 bytes JMP 0000000077b60440 .text C:\Windows\Explorer.EXE[1200] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000779fc260 5 bytes JMP 0000000077b603e0 .text C:\Windows\Explorer.EXE[1200] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000779fc3c0 5 bytes JMP 0000000077b60220 .text C:\Windows\Explorer.EXE[1200] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000779fc580 5 bytes JMP 0000000077b604a0 .text C:\Windows\Explorer.EXE[1200] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000779fc5b0 5 bytes JMP 0000000077b60390 .text C:\Windows\Explorer.EXE[1200] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000779fc690 5 bytes JMP 0000000077b602e0 .text C:\Windows\Explorer.EXE[1200] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000779fc6a0 5 bytes JMP 0000000077b60340 .text C:\Windows\Explorer.EXE[1200] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000779fc700 5 bytes JMP 0000000077b60280 .text C:\Windows\Explorer.EXE[1200] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000779fc790 5 bytes JMP 0000000077b602a0 .text C:\Windows\Explorer.EXE[1200] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000779fc7b0 5 bytes JMP 0000000077b603c0 .text C:\Windows\Explorer.EXE[1200] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000779fc7c0 5 bytes JMP 0000000077b60320 .text C:\Windows\Explorer.EXE[1200] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000779fc830 5 bytes JMP 0000000077b60410 .text C:\Windows\Explorer.EXE[1200] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000779fc860 5 bytes JMP 0000000077b60230 .text C:\Windows\Explorer.EXE[1200] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 00000000779fca00 5 bytes JMP 0000000077b603f0 .text C:\Windows\Explorer.EXE[1200] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000779fcb20 5 bytes JMP 0000000077b601d0 .text C:\Windows\Explorer.EXE[1200] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000779fcbe0 5 bytes JMP 0000000077b60240 .text C:\Windows\Explorer.EXE[1200] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000779fcc10 5 bytes JMP 0000000077b604b0 .text C:\Windows\Explorer.EXE[1200] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000779fcc20 5 bytes JMP 0000000077b604c0 .text C:\Windows\Explorer.EXE[1200] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000779fcc50 5 bytes JMP 0000000077b602f0 .text C:\Windows\Explorer.EXE[1200] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000779fcc60 5 bytes JMP 0000000077b60350 .text C:\Windows\Explorer.EXE[1200] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000779fccc0 5 bytes JMP 0000000077b60290 .text C:\Windows\Explorer.EXE[1200] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000779fcd10 5 bytes JMP 0000000077b602b0 .text C:\Windows\Explorer.EXE[1200] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000779fcd40 5 bytes JMP 0000000077b60370 .text C:\Windows\Explorer.EXE[1200] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000779fcd50 5 bytes JMP 0000000077b60330 .text C:\Windows\Explorer.EXE[1200] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000779fd040 5 bytes JMP 0000000077b60460 .text C:\Windows\Explorer.EXE[1200] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 00000000779fd1a0 5 bytes JMP 0000000077b60420 .text C:\Windows\Explorer.EXE[1200] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000779fd240 5 bytes JMP 0000000077b60250 .text C:\Windows\Explorer.EXE[1200] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000779fd250 5 bytes JMP 0000000077b60260 .text C:\Windows\Explorer.EXE[1200] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000779fd260 5 bytes JMP 0000000077b60400 .text C:\Windows\Explorer.EXE[1200] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000779fd420 5 bytes JMP 0000000077b601e0 .text C:\Windows\Explorer.EXE[1200] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000779fd430 5 bytes JMP 0000000077b60200 .text C:\Windows\Explorer.EXE[1200] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000779fd4a0 5 bytes JMP 0000000077b601f0 .text C:\Windows\Explorer.EXE[1200] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000779fd500 5 bytes JMP 0000000077b60430 .text C:\Windows\Explorer.EXE[1200] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000779fd510 5 bytes JMP 0000000077b60450 .text C:\Windows\Explorer.EXE[1200] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000779fd520 5 bytes JMP 0000000077b60210 .text C:\Windows\Explorer.EXE[1200] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000779fd600 5 bytes JMP 0000000077b60270 .text C:\Windows\system32\taskeng.exe[3636] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000779fbde0 5 bytes JMP 0000000077b60480 .text C:\Windows\system32\taskeng.exe[3636] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000779fbe30 5 bytes JMP 0000000077b60470 .text C:\Windows\system32\taskeng.exe[3636] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000779fbf90 5 bytes JMP 0000000077b60360 .text C:\Windows\system32\taskeng.exe[3636] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000779fbfe0 5 bytes JMP 0000000077b60490 .text C:\Windows\system32\taskeng.exe[3636] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779fbff0 5 bytes JMP 0000000077b603d0 .text C:\Windows\system32\taskeng.exe[3636] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000779fc0a0 5 bytes JMP 0000000077b60310 .text C:\Windows\system32\taskeng.exe[3636] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000779fc0d0 5 bytes JMP 0000000077b603a0 .text C:\Windows\system32\taskeng.exe[3636] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000779fc0f0 1 byte JMP 0000000077b60380 .text C:\Windows\system32\taskeng.exe[3636] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 00000000779fc0f2 3 bytes {JMP 0x164290} .text C:\Windows\system32\taskeng.exe[3636] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000779fc130 5 bytes JMP 0000000077b602d0 .text C:\Windows\system32\taskeng.exe[3636] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000779fc1b0 5 bytes JMP 0000000077b602c0 .text C:\Windows\system32\taskeng.exe[3636] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779fc1d0 5 bytes JMP 0000000077b60300 .text C:\Windows\system32\taskeng.exe[3636] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779fc210 5 bytes JMP 0000000077b603b0 .text C:\Windows\system32\taskeng.exe[3636] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000779fc250 5 bytes JMP 0000000077b60440 .text C:\Windows\system32\taskeng.exe[3636] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000779fc260 5 bytes JMP 0000000077b603e0 .text C:\Windows\system32\taskeng.exe[3636] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000779fc3c0 5 bytes JMP 0000000077b60220 .text C:\Windows\system32\taskeng.exe[3636] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000779fc580 5 bytes JMP 0000000077b604a0 .text C:\Windows\system32\taskeng.exe[3636] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000779fc5b0 5 bytes JMP 0000000077b60390 .text C:\Windows\system32\taskeng.exe[3636] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000779fc690 5 bytes JMP 0000000077b602e0 .text C:\Windows\system32\taskeng.exe[3636] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000779fc6a0 5 bytes JMP 0000000077b60340 .text C:\Windows\system32\taskeng.exe[3636] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000779fc700 5 bytes JMP 0000000077b60280 .text C:\Windows\system32\taskeng.exe[3636] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000779fc790 5 bytes JMP 0000000077b602a0 .text C:\Windows\system32\taskeng.exe[3636] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000779fc7b0 5 bytes JMP 0000000077b603c0 .text C:\Windows\system32\taskeng.exe[3636] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000779fc7c0 5 bytes JMP 0000000077b60320 .text C:\Windows\system32\taskeng.exe[3636] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000779fc830 5 bytes JMP 0000000077b60410 .text C:\Windows\system32\taskeng.exe[3636] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000779fc860 5 bytes JMP 0000000077b60230 .text C:\Windows\system32\taskeng.exe[3636] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 00000000779fca00 5 bytes JMP 0000000077b603f0 .text C:\Windows\system32\taskeng.exe[3636] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000779fcb20 5 bytes JMP 0000000077b601d0 .text C:\Windows\system32\taskeng.exe[3636] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000779fcbe0 5 bytes JMP 0000000077b60240 .text C:\Windows\system32\taskeng.exe[3636] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000779fcc10 5 bytes JMP 0000000077b604b0 .text C:\Windows\system32\taskeng.exe[3636] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000779fcc20 5 bytes JMP 0000000077b604c0 .text C:\Windows\system32\taskeng.exe[3636] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000779fcc50 5 bytes JMP 0000000077b602f0 .text C:\Windows\system32\taskeng.exe[3636] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000779fcc60 5 bytes JMP 0000000077b60350 .text C:\Windows\system32\taskeng.exe[3636] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000779fccc0 5 bytes JMP 0000000077b60290 .text C:\Windows\system32\taskeng.exe[3636] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000779fcd10 5 bytes JMP 0000000077b602b0 .text C:\Windows\system32\taskeng.exe[3636] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000779fcd40 5 bytes JMP 0000000077b60370 .text C:\Windows\system32\taskeng.exe[3636] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000779fcd50 5 bytes JMP 0000000077b60330 .text C:\Windows\system32\taskeng.exe[3636] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000779fd040 5 bytes JMP 0000000077b60460 .text C:\Windows\system32\taskeng.exe[3636] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 00000000779fd1a0 5 bytes JMP 0000000077b60420 .text C:\Windows\system32\taskeng.exe[3636] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000779fd240 5 bytes JMP 0000000077b60250 .text C:\Windows\system32\taskeng.exe[3636] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000779fd250 5 bytes JMP 0000000077b60260 .text C:\Windows\system32\taskeng.exe[3636] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000779fd260 5 bytes JMP 0000000077b60400 .text C:\Windows\system32\taskeng.exe[3636] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000779fd420 5 bytes JMP 0000000077b601e0 .text C:\Windows\system32\taskeng.exe[3636] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000779fd430 5 bytes JMP 0000000077b60200 .text C:\Windows\system32\taskeng.exe[3636] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000779fd4a0 5 bytes JMP 0000000077b601f0 .text C:\Windows\system32\taskeng.exe[3636] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000779fd500 5 bytes JMP 0000000077b60430 .text C:\Windows\system32\taskeng.exe[3636] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000779fd510 5 bytes JMP 0000000077b60450 .text C:\Windows\system32\taskeng.exe[3636] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000779fd520 5 bytes JMP 0000000077b60210 .text C:\Windows\system32\taskeng.exe[3636] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000779fd600 5 bytes JMP 0000000077b60270 .text C:\Program Files\AVAST Software\Avast\avastui.exe[4192] C:\Windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter 00000000755f8769 8 bytes [31, C0, C2, 04, 00, 90, 90, ...] .text C:\Windows\system32\svchost.exe[5304] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000779fbde0 5 bytes JMP 0000000077b60480 .text C:\Windows\system32\svchost.exe[5304] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000779fbe30 5 bytes JMP 0000000077b60470 .text C:\Windows\system32\svchost.exe[5304] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000779fbf90 5 bytes JMP 0000000077b60360 .text C:\Windows\system32\svchost.exe[5304] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000779fbfe0 5 bytes JMP 0000000077b60490 .text C:\Windows\system32\svchost.exe[5304] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779fbff0 5 bytes JMP 0000000077b603d0 .text C:\Windows\system32\svchost.exe[5304] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000779fc0a0 5 bytes JMP 0000000077b60310 .text C:\Windows\system32\svchost.exe[5304] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000779fc0d0 5 bytes JMP 0000000077b603a0 .text C:\Windows\system32\svchost.exe[5304] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000779fc0f0 1 byte JMP 0000000077b60380 .text C:\Windows\system32\svchost.exe[5304] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 00000000779fc0f2 3 bytes {JMP 0x164290} .text C:\Windows\system32\svchost.exe[5304] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000779fc130 5 bytes JMP 0000000077b602d0 .text C:\Windows\system32\svchost.exe[5304] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000779fc1b0 5 bytes JMP 0000000077b602c0 .text C:\Windows\system32\svchost.exe[5304] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779fc1d0 5 bytes JMP 0000000077b60300 .text C:\Windows\system32\svchost.exe[5304] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779fc210 5 bytes JMP 0000000077b603b0 .text C:\Windows\system32\svchost.exe[5304] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000779fc250 5 bytes JMP 0000000077b60440 .text C:\Windows\system32\svchost.exe[5304] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000779fc260 5 bytes JMP 0000000077b603e0 .text C:\Windows\system32\svchost.exe[5304] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000779fc3c0 5 bytes JMP 0000000077b60220 .text C:\Windows\system32\svchost.exe[5304] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000779fc580 5 bytes JMP 0000000077b604a0 .text C:\Windows\system32\svchost.exe[5304] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000779fc5b0 5 bytes JMP 0000000077b60390 .text C:\Windows\system32\svchost.exe[5304] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000779fc690 5 bytes JMP 0000000077b602e0 .text C:\Windows\system32\svchost.exe[5304] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000779fc6a0 5 bytes JMP 0000000077b60340 .text C:\Windows\system32\svchost.exe[5304] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000779fc700 5 bytes JMP 0000000077b60280 .text C:\Windows\system32\svchost.exe[5304] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000779fc790 5 bytes JMP 0000000077b602a0 .text C:\Windows\system32\svchost.exe[5304] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000779fc7b0 5 bytes JMP 0000000077b603c0 .text C:\Windows\system32\svchost.exe[5304] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000779fc7c0 5 bytes JMP 0000000077b60320 .text C:\Windows\system32\svchost.exe[5304] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000779fc830 5 bytes JMP 0000000077b60410 .text C:\Windows\system32\svchost.exe[5304] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000779fc860 5 bytes JMP 0000000077b60230 .text C:\Windows\system32\svchost.exe[5304] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 00000000779fca00 5 bytes JMP 0000000077b603f0 .text C:\Windows\system32\svchost.exe[5304] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000779fcb20 5 bytes JMP 0000000077b601d0 .text C:\Windows\system32\svchost.exe[5304] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000779fcbe0 5 bytes JMP 0000000077b60240 .text C:\Windows\system32\svchost.exe[5304] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000779fcc10 5 bytes JMP 0000000077b604b0 .text C:\Windows\system32\svchost.exe[5304] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000779fcc20 5 bytes JMP 0000000077b604c0 .text C:\Windows\system32\svchost.exe[5304] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000779fcc50 5 bytes JMP 0000000077b602f0 .text C:\Windows\system32\svchost.exe[5304] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000779fcc60 5 bytes JMP 0000000077b60350 .text C:\Windows\system32\svchost.exe[5304] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000779fccc0 5 bytes JMP 0000000077b60290 .text C:\Windows\system32\svchost.exe[5304] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000779fcd10 5 bytes JMP 0000000077b602b0 .text C:\Windows\system32\svchost.exe[5304] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000779fcd40 5 bytes JMP 0000000077b60370 .text C:\Windows\system32\svchost.exe[5304] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000779fcd50 5 bytes JMP 0000000077b60330 .text C:\Windows\system32\svchost.exe[5304] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000779fd040 5 bytes JMP 0000000077b60460 .text C:\Windows\system32\svchost.exe[5304] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 00000000779fd1a0 5 bytes JMP 0000000077b60420 .text C:\Windows\system32\svchost.exe[5304] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000779fd240 5 bytes JMP 0000000077b60250 .text C:\Windows\system32\svchost.exe[5304] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000779fd250 5 bytes JMP 0000000077b60260 .text C:\Windows\system32\svchost.exe[5304] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000779fd260 5 bytes JMP 0000000077b60400 .text C:\Windows\system32\svchost.exe[5304] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000779fd420 5 bytes JMP 0000000077b601e0 .text C:\Windows\system32\svchost.exe[5304] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000779fd430 5 bytes JMP 0000000077b60200 .text C:\Windows\system32\svchost.exe[5304] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000779fd4a0 5 bytes JMP 0000000077b601f0 .text C:\Windows\system32\svchost.exe[5304] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000779fd500 5 bytes JMP 0000000077b60430 .text C:\Windows\system32\svchost.exe[5304] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000779fd510 5 bytes JMP 0000000077b60450 .text C:\Windows\system32\svchost.exe[5304] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000779fd520 5 bytes JMP 0000000077b60210 .text C:\Windows\system32\svchost.exe[5304] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000779fd600 5 bytes JMP 0000000077b60270 .text C:\Windows\system32\wbem\wmiprvse.exe[5824] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000779fbde0 5 bytes JMP 0000000077b60480 .text C:\Windows\system32\wbem\wmiprvse.exe[5824] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000779fbe30 5 bytes JMP 0000000077b60470 .text C:\Windows\system32\wbem\wmiprvse.exe[5824] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000779fbf90 5 bytes JMP 0000000077b60360 .text C:\Windows\system32\wbem\wmiprvse.exe[5824] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000779fbfe0 5 bytes JMP 0000000077b60490 .text C:\Windows\system32\wbem\wmiprvse.exe[5824] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779fbff0 5 bytes JMP 0000000077b603d0 .text C:\Windows\system32\wbem\wmiprvse.exe[5824] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000779fc0a0 5 bytes JMP 0000000077b60310 .text C:\Windows\system32\wbem\wmiprvse.exe[5824] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000779fc0d0 5 bytes JMP 0000000077b603a0 .text C:\Windows\system32\wbem\wmiprvse.exe[5824] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000779fc0f0 1 byte JMP 0000000077b60380 .text C:\Windows\system32\wbem\wmiprvse.exe[5824] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 00000000779fc0f2 3 bytes {JMP 0x164290} .text C:\Windows\system32\wbem\wmiprvse.exe[5824] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000779fc130 5 bytes JMP 0000000077b602d0 .text C:\Windows\system32\wbem\wmiprvse.exe[5824] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000779fc1b0 5 bytes JMP 0000000077b602c0 .text C:\Windows\system32\wbem\wmiprvse.exe[5824] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779fc1d0 5 bytes JMP 0000000077b60300 .text C:\Windows\system32\wbem\wmiprvse.exe[5824] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779fc210 5 bytes JMP 0000000077b603b0 .text C:\Windows\system32\wbem\wmiprvse.exe[5824] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000779fc250 5 bytes JMP 0000000077b60440 .text C:\Windows\system32\wbem\wmiprvse.exe[5824] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000779fc260 5 bytes JMP 0000000077b603e0 .text C:\Windows\system32\wbem\wmiprvse.exe[5824] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000779fc3c0 5 bytes JMP 0000000077b60220 .text C:\Windows\system32\wbem\wmiprvse.exe[5824] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000779fc580 5 bytes JMP 0000000077b604a0 .text C:\Windows\system32\wbem\wmiprvse.exe[5824] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000779fc5b0 5 bytes JMP 0000000077b60390 .text C:\Windows\system32\wbem\wmiprvse.exe[5824] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000779fc690 5 bytes JMP 0000000077b602e0 .text C:\Windows\system32\wbem\wmiprvse.exe[5824] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000779fc6a0 5 bytes JMP 0000000077b60340 .text C:\Windows\system32\wbem\wmiprvse.exe[5824] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000779fc700 5 bytes JMP 0000000077b60280 .text C:\Windows\system32\wbem\wmiprvse.exe[5824] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000779fc790 5 bytes JMP 0000000077b602a0 .text C:\Windows\system32\wbem\wmiprvse.exe[5824] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000779fc7b0 5 bytes JMP 0000000077b603c0 .text C:\Windows\system32\wbem\wmiprvse.exe[5824] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000779fc7c0 5 bytes JMP 0000000077b60320 .text C:\Windows\system32\wbem\wmiprvse.exe[5824] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000779fc830 5 bytes JMP 0000000077b60410 .text C:\Windows\system32\wbem\wmiprvse.exe[5824] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000779fc860 5 bytes JMP 0000000077b60230 .text C:\Windows\system32\wbem\wmiprvse.exe[5824] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 00000000779fca00 5 bytes JMP 0000000077b603f0 .text C:\Windows\system32\wbem\wmiprvse.exe[5824] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000779fcb20 5 bytes JMP 0000000077b601d0 .text C:\Windows\system32\wbem\wmiprvse.exe[5824] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000779fcbe0 5 bytes JMP 0000000077b60240 .text C:\Windows\system32\wbem\wmiprvse.exe[5824] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000779fcc10 5 bytes JMP 0000000077b604b0 .text C:\Windows\system32\wbem\wmiprvse.exe[5824] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000779fcc20 5 bytes JMP 0000000077b604c0 .text C:\Windows\system32\wbem\wmiprvse.exe[5824] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000779fcc50 5 bytes JMP 0000000077b602f0 .text C:\Windows\system32\wbem\wmiprvse.exe[5824] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000779fcc60 5 bytes JMP 0000000077b60350 .text C:\Windows\system32\wbem\wmiprvse.exe[5824] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000779fccc0 5 bytes JMP 0000000077b60290 .text C:\Windows\system32\wbem\wmiprvse.exe[5824] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000779fcd10 5 bytes JMP 0000000077b602b0 .text C:\Windows\system32\wbem\wmiprvse.exe[5824] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000779fcd40 5 bytes JMP 0000000077b60370 .text C:\Windows\system32\wbem\wmiprvse.exe[5824] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000779fcd50 5 bytes JMP 0000000077b60330 .text C:\Windows\system32\wbem\wmiprvse.exe[5824] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000779fd040 5 bytes JMP 0000000077b60460 .text C:\Windows\system32\wbem\wmiprvse.exe[5824] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 00000000779fd1a0 5 bytes JMP 0000000077b60420 .text C:\Windows\system32\wbem\wmiprvse.exe[5824] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000779fd240 5 bytes JMP 0000000077b60250 .text C:\Windows\system32\wbem\wmiprvse.exe[5824] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000779fd250 5 bytes JMP 0000000077b60260 .text C:\Windows\system32\wbem\wmiprvse.exe[5824] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000779fd260 5 bytes JMP 0000000077b60400 .text C:\Windows\system32\wbem\wmiprvse.exe[5824] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000779fd420 5 bytes JMP 0000000077b601e0 .text C:\Windows\system32\wbem\wmiprvse.exe[5824] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000779fd430 5 bytes JMP 0000000077b60200 .text C:\Windows\system32\wbem\wmiprvse.exe[5824] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000779fd4a0 5 bytes JMP 0000000077b601f0 .text C:\Windows\system32\wbem\wmiprvse.exe[5824] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000779fd500 5 bytes JMP 0000000077b60430 .text C:\Windows\system32\wbem\wmiprvse.exe[5824] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000779fd510 5 bytes JMP 0000000077b60450 .text C:\Windows\system32\wbem\wmiprvse.exe[5824] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000779fd520 5 bytes JMP 0000000077b60210 .text C:\Windows\system32\wbem\wmiprvse.exe[5824] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000779fd600 5 bytes JMP 0000000077b60270 .text C:\Windows\system32\wbem\wmiprvse.exe[5920] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000779fbde0 5 bytes JMP 0000000077b60480 .text C:\Windows\system32\wbem\wmiprvse.exe[5920] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000779fbe30 5 bytes JMP 0000000077b60470 .text C:\Windows\system32\wbem\wmiprvse.exe[5920] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000779fbf90 5 bytes JMP 0000000077b60360 .text C:\Windows\system32\wbem\wmiprvse.exe[5920] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000779fbfe0 5 bytes JMP 0000000077b60490 .text C:\Windows\system32\wbem\wmiprvse.exe[5920] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779fbff0 5 bytes JMP 0000000077b603d0 .text C:\Windows\system32\wbem\wmiprvse.exe[5920] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000779fc0a0 5 bytes JMP 0000000077b60310 .text C:\Windows\system32\wbem\wmiprvse.exe[5920] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000779fc0d0 5 bytes JMP 0000000077b603a0 .text C:\Windows\system32\wbem\wmiprvse.exe[5920] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000779fc0f0 1 byte JMP 0000000077b60380 .text C:\Windows\system32\wbem\wmiprvse.exe[5920] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 00000000779fc0f2 3 bytes {JMP 0x164290} .text C:\Windows\system32\wbem\wmiprvse.exe[5920] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000779fc130 5 bytes JMP 0000000077b602d0 .text C:\Windows\system32\wbem\wmiprvse.exe[5920] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000779fc1b0 5 bytes JMP 0000000077b602c0 .text C:\Windows\system32\wbem\wmiprvse.exe[5920] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779fc1d0 5 bytes JMP 0000000077b60300 .text C:\Windows\system32\wbem\wmiprvse.exe[5920] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779fc210 5 bytes JMP 0000000077b603b0 .text C:\Windows\system32\wbem\wmiprvse.exe[5920] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000779fc250 5 bytes JMP 0000000077b60440 .text C:\Windows\system32\wbem\wmiprvse.exe[5920] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000779fc260 5 bytes JMP 0000000077b603e0 .text C:\Windows\system32\wbem\wmiprvse.exe[5920] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000779fc3c0 5 bytes JMP 0000000077b60220 .text C:\Windows\system32\wbem\wmiprvse.exe[5920] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000779fc580 5 bytes JMP 0000000077b604a0 .text C:\Windows\system32\wbem\wmiprvse.exe[5920] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000779fc5b0 5 bytes JMP 0000000077b60390 .text C:\Windows\system32\wbem\wmiprvse.exe[5920] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000779fc690 5 bytes JMP 0000000077b602e0 .text C:\Windows\system32\wbem\wmiprvse.exe[5920] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000779fc6a0 5 bytes JMP 0000000077b60340 .text C:\Windows\system32\wbem\wmiprvse.exe[5920] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000779fc700 5 bytes JMP 0000000077b60280 .text C:\Windows\system32\wbem\wmiprvse.exe[5920] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000779fc790 5 bytes JMP 0000000077b602a0 .text C:\Windows\system32\wbem\wmiprvse.exe[5920] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000779fc7b0 5 bytes JMP 0000000077b603c0 .text C:\Windows\system32\wbem\wmiprvse.exe[5920] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000779fc7c0 5 bytes JMP 0000000077b60320 .text C:\Windows\system32\wbem\wmiprvse.exe[5920] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000779fc830 5 bytes JMP 0000000077b60410 .text C:\Windows\system32\wbem\wmiprvse.exe[5920] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000779fc860 5 bytes JMP 0000000077b60230 .text C:\Windows\system32\wbem\wmiprvse.exe[5920] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 00000000779fca00 5 bytes JMP 0000000077b603f0 .text C:\Windows\system32\wbem\wmiprvse.exe[5920] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000779fcb20 5 bytes JMP 0000000077b601d0 .text C:\Windows\system32\wbem\wmiprvse.exe[5920] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000779fcbe0 5 bytes JMP 0000000077b60240 .text C:\Windows\system32\wbem\wmiprvse.exe[5920] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000779fcc10 5 bytes JMP 0000000077b604b0 .text C:\Windows\system32\wbem\wmiprvse.exe[5920] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000779fcc20 5 bytes JMP 0000000077b604c0 .text C:\Windows\system32\wbem\wmiprvse.exe[5920] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000779fcc50 5 bytes JMP 0000000077b602f0 .text C:\Windows\system32\wbem\wmiprvse.exe[5920] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000779fcc60 5 bytes JMP 0000000077b60350 .text C:\Windows\system32\wbem\wmiprvse.exe[5920] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000779fccc0 5 bytes JMP 0000000077b60290 .text C:\Windows\system32\wbem\wmiprvse.exe[5920] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000779fcd10 5 bytes JMP 0000000077b602b0 .text C:\Windows\system32\wbem\wmiprvse.exe[5920] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000779fcd40 5 bytes JMP 0000000077b60370 .text C:\Windows\system32\wbem\wmiprvse.exe[5920] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000779fcd50 5 bytes JMP 0000000077b60330 .text C:\Windows\system32\wbem\wmiprvse.exe[5920] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000779fd040 5 bytes JMP 0000000077b60460 .text C:\Windows\system32\wbem\wmiprvse.exe[5920] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 00000000779fd1a0 5 bytes JMP 0000000077b60420 .text C:\Windows\system32\wbem\wmiprvse.exe[5920] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000779fd240 5 bytes JMP 0000000077b60250 .text C:\Windows\system32\wbem\wmiprvse.exe[5920] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000779fd250 5 bytes JMP 0000000077b60260 .text C:\Windows\system32\wbem\wmiprvse.exe[5920] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000779fd260 5 bytes JMP 0000000077b60400 .text C:\Windows\system32\wbem\wmiprvse.exe[5920] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000779fd420 5 bytes JMP 0000000077b601e0 .text C:\Windows\system32\wbem\wmiprvse.exe[5920] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000779fd430 5 bytes JMP 0000000077b60200 .text C:\Windows\system32\wbem\wmiprvse.exe[5920] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000779fd4a0 5 bytes JMP 0000000077b601f0 .text C:\Windows\system32\wbem\wmiprvse.exe[5920] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000779fd500 5 bytes JMP 0000000077b60430 .text C:\Windows\system32\wbem\wmiprvse.exe[5920] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000779fd510 5 bytes JMP 0000000077b60450 .text C:\Windows\system32\wbem\wmiprvse.exe[5920] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000779fd520 5 bytes JMP 0000000077b60210 .text C:\Windows\system32\wbem\wmiprvse.exe[5920] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000779fd600 5 bytes JMP 0000000077b60270 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000779fbde0 5 bytes JMP 0000000077b60480 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000779fbe30 5 bytes JMP 0000000077b60470 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000779fbf90 5 bytes JMP 0000000077b60360 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000779fbfe0 5 bytes JMP 0000000077b60490 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779fbff0 5 bytes JMP 0000000077b603d0 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000779fc0a0 5 bytes JMP 0000000077b60310 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000779fc0d0 5 bytes JMP 0000000077b603a0 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000779fc0f0 1 byte JMP 0000000077b60380 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 00000000779fc0f2 3 bytes {JMP 0x164290} .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000779fc130 5 bytes JMP 0000000077b602d0 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000779fc1b0 5 bytes JMP 0000000077b602c0 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779fc1d0 5 bytes JMP 0000000077b60300 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779fc210 5 bytes JMP 0000000077b603b0 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000779fc250 5 bytes JMP 0000000077b60440 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000779fc260 5 bytes JMP 0000000077b603e0 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000779fc3c0 5 bytes JMP 0000000077b60220 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000779fc580 5 bytes JMP 0000000077b604a0 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000779fc5b0 5 bytes JMP 0000000077b60390 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000779fc690 5 bytes JMP 0000000077b602e0 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000779fc6a0 5 bytes JMP 0000000077b60340 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000779fc700 5 bytes JMP 0000000077b60280 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000779fc790 5 bytes JMP 0000000077b602a0 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000779fc7b0 5 bytes JMP 0000000077b603c0 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000779fc7c0 5 bytes JMP 0000000077b60320 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000779fc830 5 bytes JMP 0000000077b60410 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000779fc860 5 bytes JMP 0000000077b60230 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 00000000779fca00 5 bytes JMP 0000000077b603f0 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000779fcb20 5 bytes JMP 0000000077b601d0 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000779fcbe0 5 bytes JMP 0000000077b60240 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000779fcc10 5 bytes JMP 0000000077b604b0 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000779fcc20 5 bytes JMP 0000000077b604c0 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000779fcc50 5 bytes JMP 0000000077b602f0 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000779fcc60 5 bytes JMP 0000000077b60350 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000779fccc0 5 bytes JMP 0000000077b60290 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000779fcd10 5 bytes JMP 0000000077b602b0 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000779fcd40 5 bytes JMP 0000000077b60370 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000779fcd50 5 bytes JMP 0000000077b60330 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000779fd040 5 bytes JMP 0000000077b60460 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 00000000779fd1a0 5 bytes JMP 0000000077b60420 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000779fd240 5 bytes JMP 0000000077b60250 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000779fd250 5 bytes JMP 0000000077b60260 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000779fd260 5 bytes JMP 0000000077b60400 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000779fd420 5 bytes JMP 0000000077b601e0 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000779fd430 5 bytes JMP 0000000077b60200 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000779fd4a0 5 bytes JMP 0000000077b601f0 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000779fd500 5 bytes JMP 0000000077b60430 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000779fd510 5 bytes JMP 0000000077b60450 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000779fd520 5 bytes JMP 0000000077b60210 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000779fd600 5 bytes JMP 0000000077b60270 .text C:\Windows\System32\svchost.exe[3628] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000779fbde0 5 bytes JMP 0000000077b60480 .text C:\Windows\System32\svchost.exe[3628] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000779fbe30 5 bytes JMP 0000000077b60470 .text C:\Windows\System32\svchost.exe[3628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000779fbf90 5 bytes JMP 0000000077b60360 .text C:\Windows\System32\svchost.exe[3628] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000779fbfe0 5 bytes JMP 0000000077b60490 .text C:\Windows\System32\svchost.exe[3628] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779fbff0 5 bytes JMP 0000000077b603d0 .text C:\Windows\System32\svchost.exe[3628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000779fc0a0 5 bytes JMP 0000000077b60310 .text C:\Windows\System32\svchost.exe[3628] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000779fc0d0 5 bytes JMP 0000000077b603a0 .text C:\Windows\System32\svchost.exe[3628] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000779fc0f0 1 byte JMP 0000000077b60380 .text C:\Windows\System32\svchost.exe[3628] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 00000000779fc0f2 3 bytes {JMP 0x164290} .text C:\Windows\System32\svchost.exe[3628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000779fc130 5 bytes JMP 0000000077b602d0 .text C:\Windows\System32\svchost.exe[3628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000779fc1b0 5 bytes JMP 0000000077b602c0 .text C:\Windows\System32\svchost.exe[3628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779fc1d0 5 bytes JMP 0000000077b60300 .text C:\Windows\System32\svchost.exe[3628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779fc210 5 bytes JMP 0000000077b603b0 .text C:\Windows\System32\svchost.exe[3628] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000779fc250 5 bytes JMP 0000000077b60440 .text C:\Windows\System32\svchost.exe[3628] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000779fc260 5 bytes JMP 0000000077b603e0 .text C:\Windows\System32\svchost.exe[3628] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000779fc3c0 5 bytes JMP 0000000077b60220 .text C:\Windows\System32\svchost.exe[3628] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000779fc580 5 bytes JMP 0000000077b604a0 .text C:\Windows\System32\svchost.exe[3628] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000779fc5b0 5 bytes JMP 0000000077b60390 .text C:\Windows\System32\svchost.exe[3628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000779fc690 5 bytes JMP 0000000077b602e0 .text C:\Windows\System32\svchost.exe[3628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000779fc6a0 5 bytes JMP 0000000077b60340 .text C:\Windows\System32\svchost.exe[3628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000779fc700 5 bytes JMP 0000000077b60280 .text C:\Windows\System32\svchost.exe[3628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000779fc790 5 bytes JMP 0000000077b602a0 .text C:\Windows\System32\svchost.exe[3628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000779fc7b0 5 bytes JMP 0000000077b603c0 .text C:\Windows\System32\svchost.exe[3628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000779fc7c0 5 bytes JMP 0000000077b60320 .text C:\Windows\System32\svchost.exe[3628] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000779fc830 5 bytes JMP 0000000077b60410 .text C:\Windows\System32\svchost.exe[3628] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000779fc860 5 bytes JMP 0000000077b60230 .text C:\Windows\System32\svchost.exe[3628] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 00000000779fca00 5 bytes JMP 0000000077b603f0 .text C:\Windows\System32\svchost.exe[3628] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000779fcb20 5 bytes JMP 0000000077b601d0 .text C:\Windows\System32\svchost.exe[3628] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000779fcbe0 5 bytes JMP 0000000077b60240 .text C:\Windows\System32\svchost.exe[3628] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000779fcc10 5 bytes JMP 0000000077b604b0 .text C:\Windows\System32\svchost.exe[3628] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000779fcc20 5 bytes JMP 0000000077b604c0 .text C:\Windows\System32\svchost.exe[3628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000779fcc50 5 bytes JMP 0000000077b602f0 .text C:\Windows\System32\svchost.exe[3628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000779fcc60 5 bytes JMP 0000000077b60350 .text C:\Windows\System32\svchost.exe[3628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000779fccc0 5 bytes JMP 0000000077b60290 .text C:\Windows\System32\svchost.exe[3628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000779fcd10 5 bytes JMP 0000000077b602b0 .text C:\Windows\System32\svchost.exe[3628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000779fcd40 5 bytes JMP 0000000077b60370 .text C:\Windows\System32\svchost.exe[3628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000779fcd50 5 bytes JMP 0000000077b60330 .text C:\Windows\System32\svchost.exe[3628] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000779fd040 5 bytes JMP 0000000077b60460 .text C:\Windows\System32\svchost.exe[3628] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 00000000779fd1a0 5 bytes JMP 0000000077b60420 .text C:\Windows\System32\svchost.exe[3628] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000779fd240 5 bytes JMP 0000000077b60250 .text C:\Windows\System32\svchost.exe[3628] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000779fd250 5 bytes JMP 0000000077b60260 .text C:\Windows\System32\svchost.exe[3628] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000779fd260 5 bytes JMP 0000000077b60400 .text C:\Windows\System32\svchost.exe[3628] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000779fd420 5 bytes JMP 0000000077b601e0 .text C:\Windows\System32\svchost.exe[3628] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000779fd430 5 bytes JMP 0000000077b60200 .text C:\Windows\System32\svchost.exe[3628] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000779fd4a0 5 bytes JMP 0000000077b601f0 .text C:\Windows\System32\svchost.exe[3628] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000779fd500 5 bytes JMP 0000000077b60430 .text C:\Windows\System32\svchost.exe[3628] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000779fd510 5 bytes JMP 0000000077b60450 .text C:\Windows\System32\svchost.exe[3628] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000779fd520 5 bytes JMP 0000000077b60210 .text C:\Windows\System32\svchost.exe[3628] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000779fd600 5 bytes JMP 0000000077b60270 ---- Threads - GMER 2.2 ---- Thread C:\Windows\System32\svchost.exe [452:1080] 000007fefb4df304 Thread C:\Windows\System32\svchost.exe [452:1096] 000007fefbaa6204 Thread C:\Windows\System32\svchost.exe [452:1212] 000007fefaa55428 Thread C:\Windows\System32\svchost.exe [452:5724] 000007feec6b6b8c Thread C:\Windows\System32\svchost.exe [452:780] 000007feec6b1d88 Thread C:\Windows\System32\svchost.exe [452:6280] 000007fefab12070 Thread C:\Windows\System32\svchost.exe [536:3584] 000007fef8ee44d0 Thread C:\Windows\System32\svchost.exe [536:5316] 000007feed3120c0 Thread C:\Windows\System32\svchost.exe [536:5344] 000007feed3126a8 Thread C:\Windows\System32\svchost.exe [536:5348] 000007feec5114a0 Thread C:\Windows\System32\svchost.exe [536:5352] 000007feed3129dc Thread C:\Windows\System32\svchost.exe [536:2252] 000007fef91489a8 Thread C:\Windows\system32\svchost.exe [112:668] 000007fef484506c Thread C:\Windows\system32\svchost.exe [112:3560] 000007fef1861c20 Thread C:\Windows\system32\svchost.exe [112:5092] 000007fef1861c20 Thread C:\Windows\system32\svchost.exe [112:3852] 000007fef9125124 Thread C:\Windows\system32\svchost.exe [112:6548] 000007feec6f84d8 Thread C:\Windows\system32\svchost.exe [112:4532] 000007feeb8b23a8 Thread C:\Windows\system32\svchost.exe [112:1456] 000007feeb4d0d00 Thread C:\Windows\system32\svchost.exe [112:6916] 000007feeb3b9498 Thread C:\Windows\System32\spoolsv.exe [1508:3012] 0000000000279500 Thread C:\Windows\System32\spoolsv.exe [1508:3024] 000007fef5af10c8 Thread C:\Windows\System32\spoolsv.exe [1508:3040] 000007fef5ab6144 Thread C:\Windows\System32\spoolsv.exe [1508:3044] 000007fef58a5fd0 Thread C:\Windows\System32\spoolsv.exe [1508:3048] 000007fef5893438 Thread C:\Windows\System32\spoolsv.exe [1508:3052] 000007fef58a63ec Thread C:\Windows\System32\spoolsv.exe [1508:3060] 000007fef5eb5e5c Thread C:\Windows\System32\spoolsv.exe [1508:2064] 000007fef5f65060 Thread C:\Windows\system32\taskhost.exe [2888:2968] 000007fef5c01f38 Thread C:\Windows\system32\taskhost.exe [2888:2972] 000007fef5ba2740 Thread C:\Windows\system32\taskhost.exe [2888:2980] 000007fefaf81010 Thread C:\Windows\system32\taskhost.exe [2888:2308] 000007fef5c45170 Thread C:\Windows\system32\Dwm.exe [3028:2396] 000007fef56ff110 Thread C:\Windows\system32\Dwm.exe [3028:2436] 000007fef4b2abf0 Thread C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE [1424:4160] 0000000076e87587 Thread C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE [1424:4240] 0000000077bdf523 Thread C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE [1424:4396] 000000006d844cab Thread C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE [1424:4408] 000000006d856471 Thread C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE [1424:6836] 0000000076b8d784 Thread C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE [1424:6844] 0000000077be046c Thread C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE [1424:6620] 0000000077be046c Thread C:\Windows\System32\svchost.exe [3628:7220] 000007fee7319688 ---- Registry - GMER 2.2 ---- Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager@PendingFileRenameOperations ?????o??????????????????????????9 ???????????,???????????????.???????????????????h??????oo??%SystemRoot%\system32\wpdshext.dll,-701??a???????????r??gh???$???????o???????????????????l??????????disk.inf???????????????????e??????B??????n???????n??????????????????????????F2???????????6??Mi????*??????n?????????n?-???$???????e???????????????????f???????????b??????%SystemRoot%\system32\wpdshext.dll,-701?????v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Private|RA4=LocalSubnet|RA6=LocalSubnet|App=%PROGRAMFILES%\Windows Media Player\wmplayer.exe|Name=@FirewallAPI.dll,-31293|Desc=@FirewallAPI.dll,-31296|EmbedCtxt=@FirewallAPI.dll,-31252|??=??v2.10|Action=Allow|Active=TRUE|Dir=Out|Protocol=17|Profile=Private|RA4=LocalSubnet|RA6=LocalSubnet|App=%PROGRAMFILES%\Windows Media Player\wmplayer.exe|Name=@FirewallAPI.dll,-31297|Desc=@FirewallAPI.dll,-31300|EmbedCtxt=@FirewallAPI.dll,-31252|????v2.10|Action=Allow|Active=TRUE|Dir=Out|Protocol=6|Profile=Private|RA4=LocalSubnet|RA6=LocalSubnet|App=%PROGRAMFILES%\Window Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters\Instup_14923443932682291@SetupOperations ????????H???????????????????????????????????????H?????????????????????????????????????????H?????????????????????????H???????????????????????????????????????Virtual WiFi Filter Driver???????m?m?n?n?n???n???n??system32\drivers\Wdf01000.sys?????6????????????n????@%systemroot%\system32\rascfg.dll,-32012??????????????????????????????????????????????P??????????????d???????????d????????t???????????t??d??Microsoft Windows Management Interface for ACPI?????acpi.inf_amd64_neutral_2a841284c9de8962??????n?n?n?n?n?n???n96??WmiApRpl.ini?????????????????????????????????????????n?n?n?n?r???n???????????????????|???d??? ???????????????????o?0????????????????????? ??????????????????6.1.7601.19144??????????????????????????????????USB????????????????????????????????e????15466 15472 15484 15494 15504 15524 15568 15578 15616 15622 15638???system32\drivers\WudfPf.sys?????255.255.255.0??.sy???????????5???????s??1D???????????F??????????2-??multi(0)disk(0)rdisk(0)partition(1)????????? ???????????????????????????????????p?? ????????????????????? Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\74de2b62e9c6 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\74de2b62e9c6@90cf153441b6 0xB3 0xB3 0x9F 0xC1 ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\74de2b62e9c6@e063e533d242 0xB4 0xB3 0x41 0x9D ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\74de2b62e9c6@940070eed060 0x0E 0xFD 0xCA 0xCF ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\74de2b62e9c6@f8a9d0a412c2 0x38 0xA9 0x1D 0x8B ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\74de2b62e9c6@0c48858cf2b0 0xB1 0x48 0xFB 0xC6 ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\74de2b62e9c6@848edf7a9f1b 0xF7 0x7C 0x1A 0x63 ... ---- EOF - GMER 2.2 ----