GMER 2.2.19882 - http://www.gmer.net Rootkit scan 2016-05-28 07:35:01 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 WDC_WD10JPCX-24UE4T0 rev.01.01A01 931,51GB Running: 6dzzrsyh.exe; Driver: C:\Users\xxx\AppData\Local\Temp\uxriqpow.sys ---- User code sections - GMER 2.2 ---- .text C:\Windows\system32\csrss.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000775313c0 5 bytes JMP 0000000049c70480 .text C:\Windows\system32\csrss.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077531410 5 bytes JMP 0000000049c70470 .text C:\Windows\system32\csrss.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077531570 5 bytes JMP 0000000049c70360 .text C:\Windows\system32\csrss.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000775315c0 5 bytes JMP 0000000049c70490 .text C:\Windows\system32\csrss.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000775315d0 5 bytes JMP 0000000049c703d0 .text C:\Windows\system32\csrss.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077531680 1 byte JMP 0000000049c70310 .text C:\Windows\system32\csrss.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 2 0000000077531682 3 bytes {JMP 0xffffffffd273ec90} .text C:\Windows\system32\csrss.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000775316b0 5 bytes JMP 0000000049c703a0 .text C:\Windows\system32\csrss.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000775316d0 5 bytes JMP 0000000049c70380 .text C:\Windows\system32\csrss.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077531710 5 bytes JMP 0000000049c702d0 .text C:\Windows\system32\csrss.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077531790 5 bytes JMP 0000000049c702c0 .text C:\Windows\system32\csrss.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000775317b0 5 bytes JMP 0000000049c70300 .text C:\Windows\system32\csrss.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000775317f0 5 bytes JMP 0000000049c703b0 .text C:\Windows\system32\csrss.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000077531830 5 bytes JMP 0000000049c70440 .text C:\Windows\system32\csrss.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077531840 5 bytes JMP 0000000049c703e0 .text C:\Windows\system32\csrss.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000775319a0 5 bytes JMP 0000000049c70220 .text C:\Windows\system32\csrss.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077531b60 5 bytes JMP 0000000049c704a0 .text C:\Windows\system32\csrss.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077531b90 5 bytes JMP 0000000049c70390 .text C:\Windows\system32\csrss.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077531c70 5 bytes JMP 0000000049c702e0 .text C:\Windows\system32\csrss.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077531c80 5 bytes JMP 0000000049c70340 .text C:\Windows\system32\csrss.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077531ce0 5 bytes JMP 0000000049c70280 .text C:\Windows\system32\csrss.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077531d70 5 bytes JMP 0000000049c702a0 .text C:\Windows\system32\csrss.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077531d90 5 bytes JMP 0000000049c703c0 .text C:\Windows\system32\csrss.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077531da0 5 bytes JMP 0000000049c70320 .text C:\Windows\system32\csrss.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077531e10 5 bytes JMP 0000000049c70410 .text C:\Windows\system32\csrss.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077531e40 5 bytes JMP 0000000049c70230 .text C:\Windows\system32\csrss.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000077531fe0 5 bytes JMP 0000000049c703f0 .text C:\Windows\system32\csrss.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077532100 5 bytes JMP 0000000049c701d0 .text C:\Windows\system32\csrss.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000775321c0 5 bytes JMP 0000000049c70240 .text C:\Windows\system32\csrss.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000775321f0 5 bytes JMP 0000000049c704b0 .text C:\Windows\system32\csrss.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077532200 5 bytes JMP 0000000049c704c0 .text C:\Windows\system32\csrss.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077532230 5 bytes JMP 0000000049c702f0 .text C:\Windows\system32\csrss.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077532240 5 bytes JMP 0000000049c70350 .text C:\Windows\system32\csrss.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000775322a0 5 bytes JMP 0000000049c70290 .text C:\Windows\system32\csrss.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000775322f0 5 bytes JMP 0000000049c702b0 .text C:\Windows\system32\csrss.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077532320 5 bytes JMP 0000000049c70370 .text C:\Windows\system32\csrss.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077532330 5 bytes JMP 0000000049c70330 .text C:\Windows\system32\csrss.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077532620 5 bytes JMP 0000000049c70460 .text C:\Windows\system32\csrss.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000077532780 5 bytes JMP 0000000049c70420 .text C:\Windows\system32\csrss.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077532820 5 bytes JMP 0000000049c70250 .text C:\Windows\system32\csrss.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077532830 5 bytes JMP 0000000049c70260 .text C:\Windows\system32\csrss.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077532840 5 bytes JMP 0000000049c70400 .text C:\Windows\system32\csrss.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077532a00 5 bytes JMP 0000000049c701e0 .text C:\Windows\system32\csrss.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077532a10 5 bytes JMP 0000000049c70200 .text C:\Windows\system32\csrss.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077532a80 5 bytes JMP 0000000049c701f0 .text C:\Windows\system32\csrss.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077532ae0 5 bytes JMP 0000000049c70430 .text C:\Windows\system32\csrss.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077532af0 5 bytes JMP 0000000049c70450 .text C:\Windows\system32\csrss.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077532b00 5 bytes JMP 0000000049c70210 .text C:\Windows\system32\csrss.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077532be0 1 byte JMP 0000000049c70270 .text C:\Windows\system32\csrss.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 2 0000000077532be2 3 bytes {JMP 0xffffffffd273d690} .text C:\Windows\system32\services.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000775313c0 5 bytes JMP 0000000077690480 .text C:\Windows\system32\services.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077531410 5 bytes JMP 0000000077690470 .text C:\Windows\system32\services.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077531570 5 bytes JMP 0000000077690360 .text C:\Windows\system32\services.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000775315c0 5 bytes JMP 0000000077690490 .text C:\Windows\system32\services.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000775315d0 5 bytes JMP 00000000776903d0 .text C:\Windows\system32\services.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077531680 1 byte JMP 0000000077690310 .text C:\Windows\system32\services.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 2 0000000077531682 3 bytes {JMP 0x15ec90} .text C:\Windows\system32\services.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000775316b0 5 bytes JMP 00000000776903a0 .text C:\Windows\system32\services.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000775316d0 5 bytes JMP 0000000077690380 .text C:\Windows\system32\services.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077531710 5 bytes JMP 00000000776902d0 .text C:\Windows\system32\services.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077531790 5 bytes JMP 00000000776902c0 .text C:\Windows\system32\services.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000775317b0 5 bytes JMP 0000000077690300 .text C:\Windows\system32\services.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000775317f0 5 bytes JMP 00000000776903b0 .text C:\Windows\system32\services.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000077531830 5 bytes JMP 0000000077690440 .text C:\Windows\system32\services.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077531840 5 bytes JMP 00000000776903e0 .text C:\Windows\system32\services.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000775319a0 5 bytes JMP 0000000077690220 .text C:\Windows\system32\services.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077531b60 5 bytes JMP 00000000776904a0 .text C:\Windows\system32\services.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077531b90 5 bytes JMP 0000000077690390 .text C:\Windows\system32\services.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077531c70 5 bytes JMP 00000000776902e0 .text C:\Windows\system32\services.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077531c80 5 bytes JMP 0000000077690340 .text C:\Windows\system32\services.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077531ce0 5 bytes JMP 0000000077690280 .text C:\Windows\system32\services.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077531d70 5 bytes JMP 00000000776902a0 .text C:\Windows\system32\services.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077531d90 5 bytes JMP 00000000776903c0 .text C:\Windows\system32\services.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077531da0 5 bytes JMP 0000000077690320 .text C:\Windows\system32\services.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077531e10 5 bytes JMP 0000000077690410 .text C:\Windows\system32\services.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077531e40 5 bytes JMP 0000000077690230 .text C:\Windows\system32\services.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000077531fe0 5 bytes JMP 00000000776903f0 .text C:\Windows\system32\services.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077532100 5 bytes JMP 00000000776901d0 .text C:\Windows\system32\services.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000775321c0 5 bytes JMP 0000000077690240 .text C:\Windows\system32\services.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000775321f0 5 bytes JMP 00000000776904b0 .text C:\Windows\system32\services.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077532200 5 bytes JMP 00000000776904c0 .text C:\Windows\system32\services.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077532230 5 bytes JMP 00000000776902f0 .text C:\Windows\system32\services.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077532240 5 bytes JMP 0000000077690350 .text C:\Windows\system32\services.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000775322a0 5 bytes JMP 0000000077690290 .text C:\Windows\system32\services.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000775322f0 5 bytes JMP 00000000776902b0 .text C:\Windows\system32\services.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077532320 5 bytes JMP 0000000077690370 .text C:\Windows\system32\services.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077532330 5 bytes JMP 0000000077690330 .text C:\Windows\system32\services.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077532620 5 bytes JMP 0000000077690460 .text C:\Windows\system32\services.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000077532780 5 bytes JMP 0000000077690420 .text C:\Windows\system32\services.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077532820 5 bytes JMP 0000000077690250 .text C:\Windows\system32\services.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077532830 5 bytes JMP 0000000077690260 .text C:\Windows\system32\services.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077532840 5 bytes JMP 0000000077690400 .text C:\Windows\system32\services.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077532a00 5 bytes JMP 00000000776901e0 .text C:\Windows\system32\services.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077532a10 5 bytes JMP 0000000077690200 .text C:\Windows\system32\services.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077532a80 5 bytes JMP 00000000776901f0 .text C:\Windows\system32\services.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077532ae0 5 bytes JMP 0000000077690430 .text C:\Windows\system32\services.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077532af0 5 bytes JMP 0000000077690450 .text C:\Windows\system32\services.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077532b00 5 bytes JMP 0000000077690210 .text C:\Windows\system32\services.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077532be0 1 byte JMP 0000000077690270 .text C:\Windows\system32\services.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 2 0000000077532be2 3 bytes {JMP 0x15d690} .text C:\Windows\system32\svchost.exe[896] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000775313c0 5 bytes JMP 0000000077690480 .text C:\Windows\system32\svchost.exe[896] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077531410 5 bytes JMP 0000000077690470 .text C:\Windows\system32\svchost.exe[896] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077531570 5 bytes JMP 0000000077690360 .text C:\Windows\system32\svchost.exe[896] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000775315c0 5 bytes JMP 0000000077690490 .text C:\Windows\system32\svchost.exe[896] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000775315d0 5 bytes JMP 00000000776903d0 .text C:\Windows\system32\svchost.exe[896] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077531680 1 byte JMP 0000000077690310 .text C:\Windows\system32\svchost.exe[896] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 2 0000000077531682 3 bytes {JMP 0x15ec90} .text C:\Windows\system32\svchost.exe[896] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000775316b0 5 bytes JMP 00000000776903a0 .text C:\Windows\system32\svchost.exe[896] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000775316d0 5 bytes JMP 0000000077690380 .text C:\Windows\system32\svchost.exe[896] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077531710 5 bytes JMP 00000000776902d0 .text C:\Windows\system32\svchost.exe[896] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077531790 5 bytes JMP 00000000776902c0 .text C:\Windows\system32\svchost.exe[896] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000775317b0 5 bytes JMP 0000000077690300 .text C:\Windows\system32\svchost.exe[896] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000775317f0 5 bytes JMP 00000000776903b0 .text C:\Windows\system32\svchost.exe[896] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000077531830 5 bytes JMP 0000000077690440 .text C:\Windows\system32\svchost.exe[896] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077531840 5 bytes JMP 00000000776903e0 .text C:\Windows\system32\svchost.exe[896] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000775319a0 5 bytes JMP 0000000077690220 .text C:\Windows\system32\svchost.exe[896] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077531b60 5 bytes JMP 00000000776904a0 .text C:\Windows\system32\svchost.exe[896] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077531b90 5 bytes JMP 0000000077690390 .text C:\Windows\system32\svchost.exe[896] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077531c70 5 bytes JMP 00000000776902e0 .text C:\Windows\system32\svchost.exe[896] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077531c80 5 bytes JMP 0000000077690340 .text C:\Windows\system32\svchost.exe[896] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077531ce0 5 bytes JMP 0000000077690280 .text C:\Windows\system32\svchost.exe[896] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077531d70 5 bytes JMP 00000000776902a0 .text C:\Windows\system32\svchost.exe[896] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077531d90 5 bytes JMP 00000000776903c0 .text C:\Windows\system32\svchost.exe[896] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077531da0 5 bytes JMP 0000000077690320 .text C:\Windows\system32\svchost.exe[896] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077531e10 5 bytes JMP 0000000077690410 .text C:\Windows\system32\svchost.exe[896] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077531e40 5 bytes JMP 0000000077690230 .text C:\Windows\system32\svchost.exe[896] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000077531fe0 5 bytes JMP 00000000776903f0 .text C:\Windows\system32\svchost.exe[896] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077532100 5 bytes JMP 00000000776901d0 .text C:\Windows\system32\svchost.exe[896] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000775321c0 5 bytes JMP 0000000077690240 .text C:\Windows\system32\svchost.exe[896] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000775321f0 5 bytes JMP 00000000776904b0 .text C:\Windows\system32\svchost.exe[896] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077532200 5 bytes JMP 00000000776904c0 .text C:\Windows\system32\svchost.exe[896] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077532230 5 bytes JMP 00000000776902f0 .text C:\Windows\system32\svchost.exe[896] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077532240 5 bytes JMP 0000000077690350 .text C:\Windows\system32\svchost.exe[896] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000775322a0 5 bytes JMP 0000000077690290 .text C:\Windows\system32\svchost.exe[896] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000775322f0 5 bytes JMP 00000000776902b0 .text C:\Windows\system32\svchost.exe[896] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077532320 5 bytes JMP 0000000077690370 .text C:\Windows\system32\svchost.exe[896] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077532330 5 bytes JMP 0000000077690330 .text C:\Windows\system32\svchost.exe[896] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077532620 5 bytes JMP 0000000077690460 .text C:\Windows\system32\svchost.exe[896] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000077532780 5 bytes JMP 0000000077690420 .text C:\Windows\system32\svchost.exe[896] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077532820 5 bytes JMP 0000000077690250 .text C:\Windows\system32\svchost.exe[896] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077532830 5 bytes JMP 0000000077690260 .text C:\Windows\system32\svchost.exe[896] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077532840 5 bytes JMP 0000000077690400 .text C:\Windows\system32\svchost.exe[896] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077532a00 5 bytes JMP 00000000776901e0 .text C:\Windows\system32\svchost.exe[896] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077532a10 5 bytes JMP 0000000077690200 .text C:\Windows\system32\svchost.exe[896] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077532a80 5 bytes JMP 00000000776901f0 .text C:\Windows\system32\svchost.exe[896] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077532ae0 5 bytes JMP 0000000077690430 .text C:\Windows\system32\svchost.exe[896] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077532af0 5 bytes JMP 0000000077690450 .text C:\Windows\system32\svchost.exe[896] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077532b00 5 bytes JMP 0000000077690210 .text C:\Windows\system32\svchost.exe[896] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077532be0 1 byte JMP 0000000077690270 .text C:\Windows\system32\svchost.exe[896] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 2 0000000077532be2 3 bytes {JMP 0x15d690} .text C:\Windows\System32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000775313c0 5 bytes JMP 0000000077690480 .text C:\Windows\System32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077531410 5 bytes JMP 0000000077690470 .text C:\Windows\System32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077531570 5 bytes JMP 0000000077690360 .text C:\Windows\System32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000775315c0 5 bytes JMP 0000000077690490 .text C:\Windows\System32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000775315d0 5 bytes JMP 00000000776903d0 .text C:\Windows\System32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077531680 1 byte JMP 0000000077690310 .text C:\Windows\System32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 2 0000000077531682 3 bytes {JMP 0x15ec90} .text C:\Windows\System32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000775316b0 5 bytes JMP 00000000776903a0 .text C:\Windows\System32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000775316d0 5 bytes JMP 0000000077690380 .text C:\Windows\System32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077531710 5 bytes JMP 00000000776902d0 .text C:\Windows\System32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077531790 5 bytes JMP 00000000776902c0 .text C:\Windows\System32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000775317b0 5 bytes JMP 0000000077690300 .text C:\Windows\System32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000775317f0 5 bytes JMP 00000000776903b0 .text C:\Windows\System32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000077531830 5 bytes JMP 0000000077690440 .text C:\Windows\System32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077531840 5 bytes JMP 00000000776903e0 .text C:\Windows\System32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000775319a0 5 bytes JMP 0000000077690220 .text C:\Windows\System32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077531b60 5 bytes JMP 00000000776904a0 .text C:\Windows\System32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077531b90 5 bytes JMP 0000000077690390 .text C:\Windows\System32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077531c70 5 bytes JMP 00000000776902e0 .text C:\Windows\System32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077531c80 5 bytes JMP 0000000077690340 .text C:\Windows\System32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077531ce0 5 bytes JMP 0000000077690280 .text C:\Windows\System32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077531d70 5 bytes JMP 00000000776902a0 .text C:\Windows\System32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077531d90 5 bytes JMP 00000000776903c0 .text C:\Windows\System32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077531da0 5 bytes JMP 0000000077690320 .text C:\Windows\System32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077531e10 5 bytes JMP 0000000077690410 .text C:\Windows\System32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077531e40 5 bytes JMP 0000000077690230 .text C:\Windows\System32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000077531fe0 5 bytes JMP 00000000776903f0 .text C:\Windows\System32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077532100 5 bytes JMP 00000000776901d0 .text C:\Windows\System32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000775321c0 5 bytes JMP 0000000077690240 .text C:\Windows\System32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000775321f0 5 bytes JMP 00000000776904b0 .text C:\Windows\System32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077532200 5 bytes JMP 00000000776904c0 .text C:\Windows\System32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077532230 5 bytes JMP 00000000776902f0 .text C:\Windows\System32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077532240 5 bytes JMP 0000000077690350 .text C:\Windows\System32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000775322a0 5 bytes JMP 0000000077690290 .text C:\Windows\System32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000775322f0 5 bytes JMP 00000000776902b0 .text C:\Windows\System32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077532320 5 bytes JMP 0000000077690370 .text C:\Windows\System32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077532330 5 bytes JMP 0000000077690330 .text C:\Windows\System32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077532620 5 bytes JMP 0000000077690460 .text C:\Windows\System32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000077532780 5 bytes JMP 0000000077690420 .text C:\Windows\System32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077532820 5 bytes JMP 0000000077690250 .text C:\Windows\System32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077532830 5 bytes JMP 0000000077690260 .text C:\Windows\System32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077532840 5 bytes JMP 0000000077690400 .text C:\Windows\System32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077532a00 5 bytes JMP 00000000776901e0 .text C:\Windows\System32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077532a10 5 bytes JMP 0000000077690200 .text C:\Windows\System32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077532a80 5 bytes JMP 00000000776901f0 .text C:\Windows\System32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077532ae0 5 bytes JMP 0000000077690430 .text C:\Windows\System32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077532af0 5 bytes JMP 0000000077690450 .text C:\Windows\System32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077532b00 5 bytes JMP 0000000077690210 .text C:\Windows\System32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077532be0 1 byte JMP 0000000077690270 .text C:\Windows\System32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 2 0000000077532be2 3 bytes {JMP 0x15d690} .text C:\Windows\System32\svchost.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000775313c0 5 bytes JMP 0000000077690480 .text C:\Windows\System32\svchost.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077531410 5 bytes JMP 0000000077690470 .text C:\Windows\System32\svchost.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077531570 5 bytes JMP 0000000077690360 .text C:\Windows\System32\svchost.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000775315c0 5 bytes JMP 0000000077690490 .text C:\Windows\System32\svchost.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000775315d0 5 bytes JMP 00000000776903d0 .text C:\Windows\System32\svchost.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077531680 1 byte JMP 0000000077690310 .text C:\Windows\System32\svchost.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 2 0000000077531682 3 bytes {JMP 0x15ec90} .text C:\Windows\System32\svchost.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000775316b0 5 bytes JMP 00000000776903a0 .text C:\Windows\System32\svchost.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000775316d0 5 bytes JMP 0000000077690380 .text C:\Windows\System32\svchost.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077531710 5 bytes JMP 00000000776902d0 .text C:\Windows\System32\svchost.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077531790 5 bytes JMP 00000000776902c0 .text C:\Windows\System32\svchost.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000775317b0 5 bytes JMP 0000000077690300 .text C:\Windows\System32\svchost.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000775317f0 5 bytes JMP 00000000776903b0 .text C:\Windows\System32\svchost.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000077531830 5 bytes JMP 0000000077690440 .text C:\Windows\System32\svchost.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077531840 5 bytes JMP 00000000776903e0 .text C:\Windows\System32\svchost.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000775319a0 5 bytes JMP 0000000077690220 .text C:\Windows\System32\svchost.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077531b60 5 bytes JMP 00000000776904a0 .text C:\Windows\System32\svchost.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077531b90 5 bytes JMP 0000000077690390 .text C:\Windows\System32\svchost.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077531c70 5 bytes JMP 00000000776902e0 .text C:\Windows\System32\svchost.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077531c80 5 bytes JMP 0000000077690340 .text C:\Windows\System32\svchost.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077531ce0 5 bytes JMP 0000000077690280 .text C:\Windows\System32\svchost.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077531d70 5 bytes JMP 00000000776902a0 .text C:\Windows\System32\svchost.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077531d90 5 bytes JMP 00000000776903c0 .text C:\Windows\System32\svchost.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077531da0 5 bytes JMP 0000000077690320 .text C:\Windows\System32\svchost.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077531e10 5 bytes JMP 0000000077690410 .text C:\Windows\System32\svchost.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077531e40 5 bytes JMP 0000000077690230 .text C:\Windows\System32\svchost.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000077531fe0 5 bytes JMP 00000000776903f0 .text C:\Windows\System32\svchost.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077532100 5 bytes JMP 00000000776901d0 .text C:\Windows\System32\svchost.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000775321c0 5 bytes JMP 0000000077690240 .text C:\Windows\System32\svchost.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000775321f0 5 bytes JMP 00000000776904b0 .text C:\Windows\System32\svchost.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077532200 5 bytes JMP 00000000776904c0 .text C:\Windows\System32\svchost.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077532230 5 bytes JMP 00000000776902f0 .text C:\Windows\System32\svchost.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077532240 5 bytes JMP 0000000077690350 .text C:\Windows\System32\svchost.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000775322a0 5 bytes JMP 0000000077690290 .text C:\Windows\System32\svchost.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000775322f0 5 bytes JMP 00000000776902b0 .text C:\Windows\System32\svchost.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077532320 5 bytes JMP 0000000077690370 .text C:\Windows\System32\svchost.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077532330 5 bytes JMP 0000000077690330 .text C:\Windows\System32\svchost.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077532620 5 bytes JMP 0000000077690460 .text C:\Windows\System32\svchost.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000077532780 5 bytes JMP 0000000077690420 .text C:\Windows\System32\svchost.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077532820 5 bytes JMP 0000000077690250 .text C:\Windows\System32\svchost.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077532830 5 bytes JMP 0000000077690260 .text C:\Windows\System32\svchost.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077532840 5 bytes JMP 0000000077690400 .text C:\Windows\System32\svchost.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077532a00 5 bytes JMP 00000000776901e0 .text C:\Windows\System32\svchost.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077532a10 5 bytes JMP 0000000077690200 .text C:\Windows\System32\svchost.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077532a80 5 bytes JMP 00000000776901f0 .text C:\Windows\System32\svchost.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077532ae0 5 bytes JMP 0000000077690430 .text C:\Windows\System32\svchost.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077532af0 5 bytes JMP 0000000077690450 .text C:\Windows\System32\svchost.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077532b00 5 bytes JMP 0000000077690210 .text C:\Windows\System32\svchost.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077532be0 1 byte JMP 0000000077690270 .text C:\Windows\System32\svchost.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 2 0000000077532be2 3 bytes {JMP 0x15d690} .text C:\Windows\system32\svchost.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000775313c0 5 bytes JMP 0000000077690480 .text C:\Windows\system32\svchost.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077531410 5 bytes JMP 0000000077690470 .text C:\Windows\system32\svchost.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077531570 5 bytes JMP 0000000077690360 .text C:\Windows\system32\svchost.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000775315c0 5 bytes JMP 0000000077690490 .text C:\Windows\system32\svchost.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000775315d0 5 bytes JMP 00000000776903d0 .text C:\Windows\system32\svchost.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077531680 1 byte JMP 0000000077690310 .text C:\Windows\system32\svchost.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 2 0000000077531682 3 bytes {JMP 0x15ec90} .text C:\Windows\system32\svchost.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000775316b0 5 bytes JMP 00000000776903a0 .text C:\Windows\system32\svchost.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000775316d0 5 bytes JMP 0000000077690380 .text C:\Windows\system32\svchost.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077531710 5 bytes JMP 00000000776902d0 .text C:\Windows\system32\svchost.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077531790 5 bytes JMP 00000000776902c0 .text C:\Windows\system32\svchost.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000775317b0 5 bytes JMP 0000000077690300 .text C:\Windows\system32\svchost.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000775317f0 5 bytes JMP 00000000776903b0 .text C:\Windows\system32\svchost.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000077531830 5 bytes JMP 0000000077690440 .text C:\Windows\system32\svchost.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077531840 5 bytes JMP 00000000776903e0 .text C:\Windows\system32\svchost.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000775319a0 5 bytes JMP 0000000077690220 .text C:\Windows\system32\svchost.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077531b60 5 bytes JMP 00000000776904a0 .text C:\Windows\system32\svchost.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077531b90 5 bytes JMP 0000000077690390 .text C:\Windows\system32\svchost.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077531c70 5 bytes JMP 00000000776902e0 .text C:\Windows\system32\svchost.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077531c80 5 bytes JMP 0000000077690340 .text C:\Windows\system32\svchost.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077531ce0 5 bytes JMP 0000000077690280 .text C:\Windows\system32\svchost.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077531d70 5 bytes JMP 00000000776902a0 .text C:\Windows\system32\svchost.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077531d90 5 bytes JMP 00000000776903c0 .text C:\Windows\system32\svchost.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077531da0 5 bytes JMP 0000000077690320 .text C:\Windows\system32\svchost.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077531e10 5 bytes JMP 0000000077690410 .text C:\Windows\system32\svchost.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077531e40 5 bytes JMP 0000000077690230 .text C:\Windows\system32\svchost.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000077531fe0 5 bytes JMP 00000000776903f0 .text C:\Windows\system32\svchost.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077532100 5 bytes JMP 00000000776901d0 .text C:\Windows\system32\svchost.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000775321c0 5 bytes JMP 0000000077690240 .text C:\Windows\system32\svchost.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000775321f0 5 bytes JMP 00000000776904b0 .text C:\Windows\system32\svchost.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077532200 5 bytes JMP 00000000776904c0 .text C:\Windows\system32\svchost.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077532230 5 bytes JMP 00000000776902f0 .text C:\Windows\system32\svchost.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077532240 5 bytes JMP 0000000077690350 .text C:\Windows\system32\svchost.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000775322a0 5 bytes JMP 0000000077690290 .text C:\Windows\system32\svchost.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000775322f0 5 bytes JMP 00000000776902b0 .text C:\Windows\system32\svchost.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077532320 5 bytes JMP 0000000077690370 .text C:\Windows\system32\svchost.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077532330 5 bytes JMP 0000000077690330 .text C:\Windows\system32\svchost.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077532620 5 bytes JMP 0000000077690460 .text C:\Windows\system32\svchost.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000077532780 5 bytes JMP 0000000077690420 .text C:\Windows\system32\svchost.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077532820 5 bytes JMP 0000000077690250 .text C:\Windows\system32\svchost.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077532830 5 bytes JMP 0000000077690260 .text C:\Windows\system32\svchost.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077532840 5 bytes JMP 0000000077690400 .text C:\Windows\system32\svchost.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077532a00 5 bytes JMP 00000000776901e0 .text C:\Windows\system32\svchost.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077532a10 5 bytes JMP 0000000077690200 .text C:\Windows\system32\svchost.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077532a80 5 bytes JMP 00000000776901f0 .text C:\Windows\system32\svchost.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077532ae0 5 bytes JMP 0000000077690430 .text C:\Windows\system32\svchost.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077532af0 5 bytes JMP 0000000077690450 .text C:\Windows\system32\svchost.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077532b00 5 bytes JMP 0000000077690210 .text C:\Windows\system32\svchost.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077532be0 1 byte JMP 0000000077690270 .text C:\Windows\system32\svchost.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 2 0000000077532be2 3 bytes {JMP 0x15d690} .text C:\Windows\system32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000775313c0 5 bytes JMP 0000000077690480 .text C:\Windows\system32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077531410 5 bytes JMP 0000000077690470 .text C:\Windows\system32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077531570 5 bytes JMP 0000000077690360 .text C:\Windows\system32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000775315c0 5 bytes JMP 0000000077690490 .text C:\Windows\system32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000775315d0 5 bytes JMP 00000000776903d0 .text C:\Windows\system32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077531680 1 byte JMP 0000000077690310 .text C:\Windows\system32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 2 0000000077531682 3 bytes {JMP 0x15ec90} .text C:\Windows\system32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000775316b0 5 bytes JMP 00000000776903a0 .text C:\Windows\system32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000775316d0 5 bytes JMP 0000000077690380 .text C:\Windows\system32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077531710 5 bytes JMP 00000000776902d0 .text C:\Windows\system32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077531790 5 bytes JMP 00000000776902c0 .text C:\Windows\system32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000775317b0 5 bytes JMP 0000000077690300 .text C:\Windows\system32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000775317f0 5 bytes JMP 00000000776903b0 .text C:\Windows\system32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000077531830 5 bytes JMP 0000000077690440 .text C:\Windows\system32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077531840 5 bytes JMP 00000000776903e0 .text C:\Windows\system32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000775319a0 5 bytes JMP 0000000077690220 .text C:\Windows\system32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077531b60 5 bytes JMP 00000000776904a0 .text C:\Windows\system32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077531b90 5 bytes JMP 0000000077690390 .text C:\Windows\system32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077531c70 5 bytes JMP 00000000776902e0 .text C:\Windows\system32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077531c80 5 bytes JMP 0000000077690340 .text C:\Windows\system32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077531ce0 5 bytes JMP 0000000077690280 .text C:\Windows\system32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077531d70 5 bytes JMP 00000000776902a0 .text C:\Windows\system32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077531d90 5 bytes JMP 00000000776903c0 .text C:\Windows\system32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077531da0 5 bytes JMP 0000000077690320 .text C:\Windows\system32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077531e10 5 bytes JMP 0000000077690410 .text C:\Windows\system32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077531e40 5 bytes JMP 0000000077690230 .text C:\Windows\system32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000077531fe0 5 bytes JMP 00000000776903f0 .text C:\Windows\system32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077532100 5 bytes JMP 00000000776901d0 .text C:\Windows\system32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000775321c0 5 bytes JMP 0000000077690240 .text C:\Windows\system32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000775321f0 5 bytes JMP 00000000776904b0 .text C:\Windows\system32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077532200 5 bytes JMP 00000000776904c0 .text C:\Windows\system32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077532230 5 bytes JMP 00000000776902f0 .text C:\Windows\system32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077532240 5 bytes JMP 0000000077690350 .text C:\Windows\system32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000775322a0 5 bytes JMP 0000000077690290 .text C:\Windows\system32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000775322f0 5 bytes JMP 00000000776902b0 .text C:\Windows\system32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077532320 5 bytes JMP 0000000077690370 .text C:\Windows\system32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077532330 5 bytes JMP 0000000077690330 .text C:\Windows\system32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077532620 5 bytes JMP 0000000077690460 .text C:\Windows\system32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000077532780 5 bytes JMP 0000000077690420 .text C:\Windows\system32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077532820 5 bytes JMP 0000000077690250 .text C:\Windows\system32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077532830 5 bytes JMP 0000000077690260 .text C:\Windows\system32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077532840 5 bytes JMP 0000000077690400 .text C:\Windows\system32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077532a00 5 bytes JMP 00000000776901e0 .text C:\Windows\system32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077532a10 5 bytes JMP 0000000077690200 .text C:\Windows\system32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077532a80 5 bytes JMP 00000000776901f0 .text C:\Windows\system32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077532ae0 5 bytes JMP 0000000077690430 .text C:\Windows\system32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077532af0 5 bytes JMP 0000000077690450 .text C:\Windows\system32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077532b00 5 bytes JMP 0000000077690210 .text C:\Windows\system32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077532be0 1 byte JMP 0000000077690270 .text C:\Windows\system32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 2 0000000077532be2 3 bytes {JMP 0x15d690} .text C:\Windows\system32\svchost.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000775313c0 5 bytes JMP 0000000077690480 .text C:\Windows\system32\svchost.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077531410 5 bytes JMP 0000000077690470 .text C:\Windows\system32\svchost.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077531570 5 bytes JMP 0000000077690360 .text C:\Windows\system32\svchost.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000775315c0 5 bytes JMP 0000000077690490 .text C:\Windows\system32\svchost.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000775315d0 5 bytes JMP 00000000776903d0 .text C:\Windows\system32\svchost.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077531680 1 byte JMP 0000000077690310 .text C:\Windows\system32\svchost.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 2 0000000077531682 3 bytes {JMP 0x15ec90} .text C:\Windows\system32\svchost.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000775316b0 5 bytes JMP 00000000776903a0 .text C:\Windows\system32\svchost.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000775316d0 5 bytes JMP 0000000077690380 .text C:\Windows\system32\svchost.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077531710 5 bytes JMP 00000000776902d0 .text C:\Windows\system32\svchost.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077531790 5 bytes JMP 00000000776902c0 .text C:\Windows\system32\svchost.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000775317b0 5 bytes JMP 0000000077690300 .text C:\Windows\system32\svchost.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000775317f0 5 bytes JMP 00000000776903b0 .text C:\Windows\system32\svchost.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000077531830 5 bytes JMP 0000000077690440 .text C:\Windows\system32\svchost.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077531840 5 bytes JMP 00000000776903e0 .text C:\Windows\system32\svchost.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000775319a0 5 bytes JMP 0000000077690220 .text C:\Windows\system32\svchost.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077531b60 5 bytes JMP 00000000776904a0 .text C:\Windows\system32\svchost.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077531b90 5 bytes JMP 0000000077690390 .text C:\Windows\system32\svchost.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077531c70 5 bytes JMP 00000000776902e0 .text C:\Windows\system32\svchost.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077531c80 5 bytes JMP 0000000077690340 .text C:\Windows\system32\svchost.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077531ce0 5 bytes JMP 0000000077690280 .text C:\Windows\system32\svchost.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077531d70 5 bytes JMP 00000000776902a0 .text C:\Windows\system32\svchost.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077531d90 5 bytes JMP 00000000776903c0 .text C:\Windows\system32\svchost.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077531da0 5 bytes JMP 0000000077690320 .text C:\Windows\system32\svchost.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077531e10 5 bytes JMP 0000000077690410 .text C:\Windows\system32\svchost.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077531e40 5 bytes JMP 0000000077690230 .text C:\Windows\system32\svchost.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000077531fe0 5 bytes JMP 00000000776903f0 .text C:\Windows\system32\svchost.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077532100 5 bytes JMP 00000000776901d0 .text C:\Windows\system32\svchost.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000775321c0 5 bytes JMP 0000000077690240 .text C:\Windows\system32\svchost.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000775321f0 5 bytes JMP 00000000776904b0 .text C:\Windows\system32\svchost.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077532200 5 bytes JMP 00000000776904c0 .text C:\Windows\system32\svchost.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077532230 5 bytes JMP 00000000776902f0 .text C:\Windows\system32\svchost.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077532240 5 bytes JMP 0000000077690350 .text C:\Windows\system32\svchost.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000775322a0 5 bytes JMP 0000000077690290 .text C:\Windows\system32\svchost.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000775322f0 5 bytes JMP 00000000776902b0 .text C:\Windows\system32\svchost.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077532320 5 bytes JMP 0000000077690370 .text C:\Windows\system32\svchost.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077532330 5 bytes JMP 0000000077690330 .text C:\Windows\system32\svchost.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077532620 5 bytes JMP 0000000077690460 .text C:\Windows\system32\svchost.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000077532780 5 bytes JMP 0000000077690420 .text C:\Windows\system32\svchost.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077532820 5 bytes JMP 0000000077690250 .text C:\Windows\system32\svchost.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077532830 5 bytes JMP 0000000077690260 .text C:\Windows\system32\svchost.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077532840 5 bytes JMP 0000000077690400 .text C:\Windows\system32\svchost.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077532a00 5 bytes JMP 00000000776901e0 .text C:\Windows\system32\svchost.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077532a10 5 bytes JMP 0000000077690200 .text C:\Windows\system32\svchost.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077532a80 5 bytes JMP 00000000776901f0 .text C:\Windows\system32\svchost.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077532ae0 5 bytes JMP 0000000077690430 .text C:\Windows\system32\svchost.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077532af0 5 bytes JMP 0000000077690450 .text C:\Windows\system32\svchost.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077532b00 5 bytes JMP 0000000077690210 .text C:\Windows\system32\svchost.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077532be0 1 byte JMP 0000000077690270 .text C:\Windows\system32\svchost.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 2 0000000077532be2 3 bytes {JMP 0x15d690} .text C:\Windows\Explorer.EXE[1436] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000775313c0 5 bytes JMP 0000000077690480 .text C:\Windows\Explorer.EXE[1436] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077531410 5 bytes JMP 0000000077690470 .text C:\Windows\Explorer.EXE[1436] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077531570 5 bytes JMP 0000000077690360 .text C:\Windows\Explorer.EXE[1436] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000775315c0 5 bytes JMP 0000000077690490 .text C:\Windows\Explorer.EXE[1436] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000775315d0 5 bytes JMP 00000000776903d0 .text C:\Windows\Explorer.EXE[1436] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077531680 1 byte JMP 0000000077690310 .text C:\Windows\Explorer.EXE[1436] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 2 0000000077531682 3 bytes {JMP 0x15ec90} .text C:\Windows\Explorer.EXE[1436] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000775316b0 5 bytes JMP 00000000776903a0 .text C:\Windows\Explorer.EXE[1436] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000775316d0 5 bytes JMP 0000000077690380 .text C:\Windows\Explorer.EXE[1436] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077531710 5 bytes JMP 00000000776902d0 .text C:\Windows\Explorer.EXE[1436] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077531790 5 bytes JMP 00000000776902c0 .text C:\Windows\Explorer.EXE[1436] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000775317b0 5 bytes JMP 0000000077690300 .text C:\Windows\Explorer.EXE[1436] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000775317f0 5 bytes JMP 00000000776903b0 .text C:\Windows\Explorer.EXE[1436] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000077531830 5 bytes JMP 0000000077690440 .text C:\Windows\Explorer.EXE[1436] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077531840 5 bytes JMP 00000000776903e0 .text C:\Windows\Explorer.EXE[1436] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000775319a0 5 bytes JMP 0000000077690220 .text C:\Windows\Explorer.EXE[1436] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077531b60 5 bytes JMP 00000000776904a0 .text C:\Windows\Explorer.EXE[1436] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077531b90 5 bytes JMP 0000000077690390 .text C:\Windows\Explorer.EXE[1436] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077531c70 5 bytes JMP 00000000776902e0 .text C:\Windows\Explorer.EXE[1436] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077531c80 5 bytes JMP 0000000077690340 .text C:\Windows\Explorer.EXE[1436] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077531ce0 5 bytes JMP 0000000077690280 .text C:\Windows\Explorer.EXE[1436] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077531d70 5 bytes JMP 00000000776902a0 .text C:\Windows\Explorer.EXE[1436] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077531d90 5 bytes JMP 00000000776903c0 .text C:\Windows\Explorer.EXE[1436] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077531da0 5 bytes JMP 0000000077690320 .text C:\Windows\Explorer.EXE[1436] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077531e10 5 bytes JMP 0000000077690410 .text C:\Windows\Explorer.EXE[1436] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077531e40 5 bytes JMP 0000000077690230 .text C:\Windows\Explorer.EXE[1436] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000077531fe0 5 bytes JMP 00000000776903f0 .text C:\Windows\Explorer.EXE[1436] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077532100 5 bytes JMP 00000000776901d0 .text C:\Windows\Explorer.EXE[1436] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000775321c0 5 bytes JMP 0000000077690240 .text C:\Windows\Explorer.EXE[1436] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000775321f0 5 bytes JMP 00000000776904b0 .text C:\Windows\Explorer.EXE[1436] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077532200 5 bytes JMP 00000000776904c0 .text C:\Windows\Explorer.EXE[1436] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077532230 5 bytes JMP 00000000776902f0 .text C:\Windows\Explorer.EXE[1436] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077532240 5 bytes JMP 0000000077690350 .text C:\Windows\Explorer.EXE[1436] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000775322a0 5 bytes JMP 0000000077690290 .text C:\Windows\Explorer.EXE[1436] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000775322f0 5 bytes JMP 00000000776902b0 .text C:\Windows\Explorer.EXE[1436] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077532320 5 bytes JMP 0000000077690370 .text C:\Windows\Explorer.EXE[1436] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077532330 5 bytes JMP 0000000077690330 .text C:\Windows\Explorer.EXE[1436] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077532620 5 bytes JMP 0000000077690460 .text C:\Windows\Explorer.EXE[1436] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000077532780 5 bytes JMP 0000000077690420 .text C:\Windows\Explorer.EXE[1436] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077532820 5 bytes JMP 0000000077690250 .text C:\Windows\Explorer.EXE[1436] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077532830 5 bytes JMP 0000000077690260 .text C:\Windows\Explorer.EXE[1436] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077532840 5 bytes JMP 0000000077690400 .text C:\Windows\Explorer.EXE[1436] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077532a00 5 bytes JMP 00000000776901e0 .text C:\Windows\Explorer.EXE[1436] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077532a10 5 bytes JMP 0000000077690200 .text C:\Windows\Explorer.EXE[1436] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077532a80 5 bytes JMP 00000000776901f0 .text C:\Windows\Explorer.EXE[1436] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077532ae0 5 bytes JMP 0000000077690430 .text C:\Windows\Explorer.EXE[1436] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077532af0 5 bytes JMP 0000000077690450 .text C:\Windows\Explorer.EXE[1436] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077532b00 5 bytes JMP 0000000077690210 .text C:\Windows\Explorer.EXE[1436] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077532be0 1 byte JMP 0000000077690270 .text C:\Windows\Explorer.EXE[1436] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 2 0000000077532be2 3 bytes {JMP 0x15d690} .text C:\Windows\system32\taskhost.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000775313c0 5 bytes JMP 0000000077690480 .text C:\Windows\system32\taskhost.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077531410 5 bytes JMP 0000000077690470 .text C:\Windows\system32\taskhost.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077531570 5 bytes JMP 0000000077690360 .text C:\Windows\system32\taskhost.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000775315c0 5 bytes JMP 0000000077690490 .text C:\Windows\system32\taskhost.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000775315d0 5 bytes JMP 00000000776903d0 .text C:\Windows\system32\taskhost.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077531680 1 byte JMP 0000000077690310 .text C:\Windows\system32\taskhost.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 2 0000000077531682 3 bytes {JMP 0x15ec90} .text C:\Windows\system32\taskhost.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000775316b0 5 bytes JMP 00000000776903a0 .text C:\Windows\system32\taskhost.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000775316d0 5 bytes JMP 0000000077690380 .text C:\Windows\system32\taskhost.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077531710 5 bytes JMP 00000000776902d0 .text C:\Windows\system32\taskhost.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077531790 5 bytes JMP 00000000776902c0 .text C:\Windows\system32\taskhost.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000775317b0 5 bytes JMP 0000000077690300 .text C:\Windows\system32\taskhost.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000775317f0 5 bytes JMP 00000000776903b0 .text C:\Windows\system32\taskhost.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000077531830 5 bytes JMP 0000000077690440 .text C:\Windows\system32\taskhost.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077531840 5 bytes JMP 00000000776903e0 .text C:\Windows\system32\taskhost.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000775319a0 5 bytes JMP 0000000077690220 .text C:\Windows\system32\taskhost.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077531b60 5 bytes JMP 00000000776904a0 .text C:\Windows\system32\taskhost.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077531b90 5 bytes JMP 0000000077690390 .text C:\Windows\system32\taskhost.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077531c70 5 bytes JMP 00000000776902e0 .text C:\Windows\system32\taskhost.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077531c80 5 bytes JMP 0000000077690340 .text C:\Windows\system32\taskhost.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077531ce0 5 bytes JMP 0000000077690280 .text C:\Windows\system32\taskhost.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077531d70 5 bytes JMP 00000000776902a0 .text C:\Windows\system32\taskhost.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077531d90 5 bytes JMP 00000000776903c0 .text C:\Windows\system32\taskhost.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077531da0 5 bytes JMP 0000000077690320 .text C:\Windows\system32\taskhost.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077531e10 5 bytes JMP 0000000077690410 .text C:\Windows\system32\taskhost.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077531e40 5 bytes JMP 0000000077690230 .text C:\Windows\system32\taskhost.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000077531fe0 5 bytes JMP 00000000776903f0 .text C:\Windows\system32\taskhost.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077532100 5 bytes JMP 00000000776901d0 .text C:\Windows\system32\taskhost.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000775321c0 5 bytes JMP 0000000077690240 .text C:\Windows\system32\taskhost.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000775321f0 5 bytes JMP 00000000776904b0 .text C:\Windows\system32\taskhost.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077532200 5 bytes JMP 00000000776904c0 .text C:\Windows\system32\taskhost.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077532230 5 bytes JMP 00000000776902f0 .text C:\Windows\system32\taskhost.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077532240 5 bytes JMP 0000000077690350 .text C:\Windows\system32\taskhost.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000775322a0 5 bytes JMP 0000000077690290 .text C:\Windows\system32\taskhost.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000775322f0 5 bytes JMP 00000000776902b0 .text C:\Windows\system32\taskhost.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077532320 5 bytes JMP 0000000077690370 .text C:\Windows\system32\taskhost.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077532330 5 bytes JMP 0000000077690330 .text C:\Windows\system32\taskhost.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077532620 5 bytes JMP 0000000077690460 .text C:\Windows\system32\taskhost.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000077532780 5 bytes JMP 0000000077690420 .text C:\Windows\system32\taskhost.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077532820 5 bytes JMP 0000000077690250 .text C:\Windows\system32\taskhost.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077532830 5 bytes JMP 0000000077690260 .text C:\Windows\system32\taskhost.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077532840 5 bytes JMP 0000000077690400 .text C:\Windows\system32\taskhost.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077532a00 5 bytes JMP 00000000776901e0 .text C:\Windows\system32\taskhost.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077532a10 5 bytes JMP 0000000077690200 .text C:\Windows\system32\taskhost.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077532a80 5 bytes JMP 00000000776901f0 .text C:\Windows\system32\taskhost.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077532ae0 5 bytes JMP 0000000077690430 .text C:\Windows\system32\taskhost.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077532af0 5 bytes JMP 0000000077690450 .text C:\Windows\system32\taskhost.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077532b00 5 bytes JMP 0000000077690210 .text C:\Windows\system32\taskhost.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077532be0 1 byte JMP 0000000077690270 .text C:\Windows\system32\taskhost.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 2 0000000077532be2 3 bytes {JMP 0x15d690} .text C:\Windows\system32\svchost.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000775313c0 5 bytes JMP 0000000000070480 .text C:\Windows\system32\svchost.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077531410 5 bytes JMP 0000000000070470 .text C:\Windows\system32\svchost.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077531570 5 bytes JMP 0000000000070360 .text C:\Windows\system32\svchost.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000775315c0 5 bytes JMP 0000000000070490 .text C:\Windows\system32\svchost.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000775315d0 5 bytes JMP 00000000000703d0 .text C:\Windows\system32\svchost.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077531680 1 byte JMP 0000000000070310 .text C:\Windows\system32\svchost.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 2 0000000077531682 3 bytes {JMP 0xffffffff88b3ec90} .text C:\Windows\system32\svchost.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000775316b0 5 bytes JMP 00000000000703a0 .text C:\Windows\system32\svchost.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000775316d0 5 bytes JMP 0000000000070380 .text C:\Windows\system32\svchost.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077531710 5 bytes JMP 00000000000702d0 .text C:\Windows\system32\svchost.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077531790 5 bytes JMP 00000000000702c0 .text C:\Windows\system32\svchost.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000775317b0 5 bytes JMP 0000000000070300 .text C:\Windows\system32\svchost.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000775317f0 5 bytes JMP 00000000000703b0 .text C:\Windows\system32\svchost.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000077531830 5 bytes JMP 0000000000070440 .text C:\Windows\system32\svchost.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077531840 5 bytes JMP 00000000000703e0 .text C:\Windows\system32\svchost.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000775319a0 5 bytes JMP 0000000000070220 .text C:\Windows\system32\svchost.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077531b60 5 bytes JMP 00000000000704a0 .text C:\Windows\system32\svchost.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077531b90 5 bytes JMP 0000000000070390 .text C:\Windows\system32\svchost.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077531c70 5 bytes JMP 00000000000702e0 .text C:\Windows\system32\svchost.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077531c80 5 bytes JMP 0000000000070340 .text C:\Windows\system32\svchost.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077531ce0 5 bytes JMP 0000000000070280 .text C:\Windows\system32\svchost.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077531d70 5 bytes JMP 00000000000702a0 .text C:\Windows\system32\svchost.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077531d90 5 bytes JMP 00000000000703c0 .text C:\Windows\system32\svchost.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077531da0 5 bytes JMP 0000000000070320 .text C:\Windows\system32\svchost.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077531e10 5 bytes JMP 0000000000070410 .text C:\Windows\system32\svchost.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077531e40 5 bytes JMP 0000000000070230 .text C:\Windows\system32\svchost.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000077531fe0 5 bytes JMP 00000000000703f0 .text C:\Windows\system32\svchost.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077532100 5 bytes JMP 00000000000701d0 .text C:\Windows\system32\svchost.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000775321c0 5 bytes JMP 0000000000070240 .text C:\Windows\system32\svchost.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000775321f0 5 bytes JMP 00000000000704b0 .text C:\Windows\system32\svchost.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077532200 5 bytes JMP 00000000000704c0 .text C:\Windows\system32\svchost.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077532230 5 bytes JMP 00000000000702f0 .text C:\Windows\system32\svchost.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077532240 5 bytes JMP 0000000000070350 .text C:\Windows\system32\svchost.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000775322a0 5 bytes JMP 0000000000070290 .text C:\Windows\system32\svchost.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000775322f0 5 bytes JMP 00000000000702b0 .text C:\Windows\system32\svchost.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077532320 5 bytes JMP 0000000000070370 .text C:\Windows\system32\svchost.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077532330 5 bytes JMP 0000000000070330 .text C:\Windows\system32\svchost.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077532620 5 bytes JMP 0000000000070460 .text C:\Windows\system32\svchost.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000077532780 5 bytes JMP 0000000000070420 .text C:\Windows\system32\svchost.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077532820 5 bytes JMP 0000000000070250 .text C:\Windows\system32\svchost.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077532830 5 bytes JMP 0000000000070260 .text C:\Windows\system32\svchost.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077532840 5 bytes JMP 0000000000070400 .text C:\Windows\system32\svchost.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077532a00 5 bytes JMP 00000000000701e0 .text C:\Windows\system32\svchost.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077532a10 5 bytes JMP 0000000000070200 .text C:\Windows\system32\svchost.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077532a80 5 bytes JMP 00000000000701f0 .text C:\Windows\system32\svchost.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077532ae0 5 bytes JMP 0000000000070430 .text C:\Windows\system32\svchost.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077532af0 5 bytes JMP 0000000000070450 .text C:\Windows\system32\svchost.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077532b00 5 bytes JMP 0000000000070210 .text C:\Windows\system32\svchost.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077532be0 1 byte JMP 0000000000070270 .text C:\Windows\system32\svchost.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 2 0000000077532be2 3 bytes {JMP 0xffffffff88b3d690} .text C:\Windows\system32\SearchIndexer.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000775313c0 5 bytes JMP 0000000077690480 .text C:\Windows\system32\SearchIndexer.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077531410 5 bytes JMP 0000000077690470 .text C:\Windows\system32\SearchIndexer.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077531570 5 bytes JMP 0000000077690360 .text C:\Windows\system32\SearchIndexer.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000775315c0 5 bytes JMP 0000000077690490 .text C:\Windows\system32\SearchIndexer.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000775315d0 5 bytes JMP 00000000776903d0 .text C:\Windows\system32\SearchIndexer.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077531680 1 byte JMP 0000000077690310 .text C:\Windows\system32\SearchIndexer.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 2 0000000077531682 3 bytes {JMP 0x15ec90} .text C:\Windows\system32\SearchIndexer.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000775316b0 5 bytes JMP 00000000776903a0 .text C:\Windows\system32\SearchIndexer.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000775316d0 5 bytes JMP 0000000077690380 .text C:\Windows\system32\SearchIndexer.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077531710 5 bytes JMP 00000000776902d0 .text C:\Windows\system32\SearchIndexer.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077531790 5 bytes JMP 00000000776902c0 .text C:\Windows\system32\SearchIndexer.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000775317b0 5 bytes JMP 0000000077690300 .text C:\Windows\system32\SearchIndexer.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000775317f0 5 bytes JMP 00000000776903b0 .text C:\Windows\system32\SearchIndexer.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000077531830 5 bytes JMP 0000000077690440 .text C:\Windows\system32\SearchIndexer.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077531840 5 bytes JMP 00000000776903e0 .text C:\Windows\system32\SearchIndexer.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000775319a0 5 bytes JMP 0000000077690220 .text C:\Windows\system32\SearchIndexer.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077531b60 5 bytes JMP 00000000776904a0 .text C:\Windows\system32\SearchIndexer.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077531b90 5 bytes JMP 0000000077690390 .text C:\Windows\system32\SearchIndexer.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077531c70 5 bytes JMP 00000000776902e0 .text C:\Windows\system32\SearchIndexer.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077531c80 5 bytes JMP 0000000077690340 .text C:\Windows\system32\SearchIndexer.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077531ce0 5 bytes JMP 0000000077690280 .text C:\Windows\system32\SearchIndexer.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077531d70 5 bytes JMP 00000000776902a0 .text C:\Windows\system32\SearchIndexer.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077531d90 5 bytes JMP 00000000776903c0 .text C:\Windows\system32\SearchIndexer.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077531da0 5 bytes JMP 0000000077690320 .text C:\Windows\system32\SearchIndexer.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077531e10 5 bytes JMP 0000000077690410 .text C:\Windows\system32\SearchIndexer.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077531e40 5 bytes JMP 0000000077690230 .text C:\Windows\system32\SearchIndexer.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000077531fe0 5 bytes JMP 00000000776903f0 .text C:\Windows\system32\SearchIndexer.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077532100 5 bytes JMP 00000000776901d0 .text C:\Windows\system32\SearchIndexer.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000775321c0 5 bytes JMP 0000000077690240 .text C:\Windows\system32\SearchIndexer.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000775321f0 5 bytes JMP 00000000776904b0 .text C:\Windows\system32\SearchIndexer.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077532200 5 bytes JMP 00000000776904c0 .text C:\Windows\system32\SearchIndexer.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077532230 5 bytes JMP 00000000776902f0 .text C:\Windows\system32\SearchIndexer.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077532240 5 bytes JMP 0000000077690350 .text C:\Windows\system32\SearchIndexer.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000775322a0 5 bytes JMP 0000000077690290 .text C:\Windows\system32\SearchIndexer.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000775322f0 5 bytes JMP 00000000776902b0 .text C:\Windows\system32\SearchIndexer.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077532320 5 bytes JMP 0000000077690370 .text C:\Windows\system32\SearchIndexer.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077532330 5 bytes JMP 0000000077690330 .text C:\Windows\system32\SearchIndexer.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077532620 5 bytes JMP 0000000077690460 .text C:\Windows\system32\SearchIndexer.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000077532780 5 bytes JMP 0000000077690420 .text C:\Windows\system32\SearchIndexer.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077532820 5 bytes JMP 0000000077690250 .text C:\Windows\system32\SearchIndexer.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077532830 5 bytes JMP 0000000077690260 .text C:\Windows\system32\SearchIndexer.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077532840 5 bytes JMP 0000000077690400 .text C:\Windows\system32\SearchIndexer.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077532a00 5 bytes JMP 00000000776901e0 .text C:\Windows\system32\SearchIndexer.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077532a10 5 bytes JMP 0000000077690200 .text C:\Windows\system32\SearchIndexer.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077532a80 5 bytes JMP 00000000776901f0 .text C:\Windows\system32\SearchIndexer.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077532ae0 5 bytes JMP 0000000077690430 .text C:\Windows\system32\SearchIndexer.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077532af0 5 bytes JMP 0000000077690450 .text C:\Windows\system32\SearchIndexer.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077532b00 5 bytes JMP 0000000077690210 .text C:\Windows\system32\SearchIndexer.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077532be0 1 byte JMP 0000000077690270 .text C:\Windows\system32\SearchIndexer.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 2 0000000077532be2 3 bytes {JMP 0x15d690} .text C:\Program Files\AVAST Software\Avast\avastui.exe[2884] C:\Windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter 00000000768687c9 8 bytes [31, C0, C2, 04, 00, 90, 90, ...] .text C:\Windows\system32\wbem\wmiprvse.exe[2020] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000775313c0 5 bytes JMP 0000000077690480 .text C:\Windows\system32\wbem\wmiprvse.exe[2020] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077531410 5 bytes JMP 0000000077690470 .text C:\Windows\system32\wbem\wmiprvse.exe[2020] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077531570 5 bytes JMP 0000000077690360 .text C:\Windows\system32\wbem\wmiprvse.exe[2020] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000775315c0 5 bytes JMP 0000000077690490 .text C:\Windows\system32\wbem\wmiprvse.exe[2020] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000775315d0 5 bytes JMP 00000000776903d0 .text C:\Windows\system32\wbem\wmiprvse.exe[2020] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077531680 1 byte JMP 0000000077690310 .text C:\Windows\system32\wbem\wmiprvse.exe[2020] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 2 0000000077531682 3 bytes {JMP 0x15ec90} .text C:\Windows\system32\wbem\wmiprvse.exe[2020] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000775316b0 5 bytes JMP 00000000776903a0 .text C:\Windows\system32\wbem\wmiprvse.exe[2020] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000775316d0 5 bytes JMP 0000000077690380 .text C:\Windows\system32\wbem\wmiprvse.exe[2020] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077531710 5 bytes JMP 00000000776902d0 .text C:\Windows\system32\wbem\wmiprvse.exe[2020] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077531790 5 bytes JMP 00000000776902c0 .text C:\Windows\system32\wbem\wmiprvse.exe[2020] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000775317b0 5 bytes JMP 0000000077690300 .text C:\Windows\system32\wbem\wmiprvse.exe[2020] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000775317f0 5 bytes JMP 00000000776903b0 .text C:\Windows\system32\wbem\wmiprvse.exe[2020] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000077531830 5 bytes JMP 0000000077690440 .text C:\Windows\system32\wbem\wmiprvse.exe[2020] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077531840 5 bytes JMP 00000000776903e0 .text C:\Windows\system32\wbem\wmiprvse.exe[2020] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000775319a0 5 bytes JMP 0000000077690220 .text C:\Windows\system32\wbem\wmiprvse.exe[2020] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077531b60 5 bytes JMP 00000000776904a0 .text C:\Windows\system32\wbem\wmiprvse.exe[2020] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077531b90 5 bytes JMP 0000000077690390 .text C:\Windows\system32\wbem\wmiprvse.exe[2020] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077531c70 5 bytes JMP 00000000776902e0 .text C:\Windows\system32\wbem\wmiprvse.exe[2020] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077531c80 5 bytes JMP 0000000077690340 .text C:\Windows\system32\wbem\wmiprvse.exe[2020] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077531ce0 5 bytes JMP 0000000077690280 .text C:\Windows\system32\wbem\wmiprvse.exe[2020] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077531d70 5 bytes JMP 00000000776902a0 .text C:\Windows\system32\wbem\wmiprvse.exe[2020] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077531d90 5 bytes JMP 00000000776903c0 .text C:\Windows\system32\wbem\wmiprvse.exe[2020] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077531da0 5 bytes JMP 0000000077690320 .text C:\Windows\system32\wbem\wmiprvse.exe[2020] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077531e10 5 bytes JMP 0000000077690410 .text C:\Windows\system32\wbem\wmiprvse.exe[2020] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077531e40 5 bytes JMP 0000000077690230 .text C:\Windows\system32\wbem\wmiprvse.exe[2020] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000077531fe0 5 bytes JMP 00000000776903f0 .text C:\Windows\system32\wbem\wmiprvse.exe[2020] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077532100 5 bytes JMP 00000000776901d0 .text C:\Windows\system32\wbem\wmiprvse.exe[2020] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000775321c0 5 bytes JMP 0000000077690240 .text C:\Windows\system32\wbem\wmiprvse.exe[2020] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000775321f0 5 bytes JMP 00000000776904b0 .text C:\Windows\system32\wbem\wmiprvse.exe[2020] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077532200 5 bytes JMP 00000000776904c0 .text C:\Windows\system32\wbem\wmiprvse.exe[2020] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077532230 5 bytes JMP 00000000776902f0 .text C:\Windows\system32\wbem\wmiprvse.exe[2020] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077532240 5 bytes JMP 0000000077690350 .text C:\Windows\system32\wbem\wmiprvse.exe[2020] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000775322a0 5 bytes JMP 0000000077690290 .text C:\Windows\system32\wbem\wmiprvse.exe[2020] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000775322f0 5 bytes JMP 00000000776902b0 .text C:\Windows\system32\wbem\wmiprvse.exe[2020] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077532320 5 bytes JMP 0000000077690370 .text C:\Windows\system32\wbem\wmiprvse.exe[2020] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077532330 5 bytes JMP 0000000077690330 .text C:\Windows\system32\wbem\wmiprvse.exe[2020] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077532620 5 bytes JMP 0000000077690460 .text C:\Windows\system32\wbem\wmiprvse.exe[2020] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000077532780 5 bytes JMP 0000000077690420 .text C:\Windows\system32\wbem\wmiprvse.exe[2020] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077532820 5 bytes JMP 0000000077690250 .text C:\Windows\system32\wbem\wmiprvse.exe[2020] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077532830 5 bytes JMP 0000000077690260 .text C:\Windows\system32\wbem\wmiprvse.exe[2020] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077532840 5 bytes JMP 0000000077690400 .text C:\Windows\system32\wbem\wmiprvse.exe[2020] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077532a00 5 bytes JMP 00000000776901e0 .text C:\Windows\system32\wbem\wmiprvse.exe[2020] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077532a10 5 bytes JMP 0000000077690200 .text C:\Windows\system32\wbem\wmiprvse.exe[2020] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077532a80 5 bytes JMP 00000000776901f0 .text C:\Windows\system32\wbem\wmiprvse.exe[2020] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077532ae0 5 bytes JMP 0000000077690430 .text C:\Windows\system32\wbem\wmiprvse.exe[2020] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077532af0 5 bytes JMP 0000000077690450 .text C:\Windows\system32\wbem\wmiprvse.exe[2020] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077532b00 5 bytes JMP 0000000077690210 .text C:\Windows\system32\wbem\wmiprvse.exe[2020] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077532be0 1 byte JMP 0000000077690270 .text C:\Windows\system32\wbem\wmiprvse.exe[2020] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 2 0000000077532be2 3 bytes {JMP 0x15d690} .text C:\Windows\system32\taskhost.exe[1088] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000775313c0 5 bytes JMP 0000000000060480 .text C:\Windows\system32\taskhost.exe[1088] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077531410 5 bytes JMP 0000000000060470 .text C:\Windows\system32\taskhost.exe[1088] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077531570 5 bytes JMP 0000000000060360 .text C:\Windows\system32\taskhost.exe[1088] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000775315c0 5 bytes JMP 0000000000060490 .text C:\Windows\system32\taskhost.exe[1088] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000775315d0 5 bytes JMP 00000000000603d0 .text C:\Windows\system32\taskhost.exe[1088] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077531680 1 byte JMP 0000000000060310 .text C:\Windows\system32\taskhost.exe[1088] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 2 0000000077531682 3 bytes {JMP 0xffffffff88b2ec90} .text C:\Windows\system32\taskhost.exe[1088] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000775316b0 5 bytes JMP 00000000000603a0 .text C:\Windows\system32\taskhost.exe[1088] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000775316d0 5 bytes JMP 0000000000060380 .text C:\Windows\system32\taskhost.exe[1088] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077531710 5 bytes JMP 00000000000602d0 .text C:\Windows\system32\taskhost.exe[1088] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077531790 5 bytes JMP 00000000000602c0 .text C:\Windows\system32\taskhost.exe[1088] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000775317b0 5 bytes JMP 0000000000060300 .text C:\Windows\system32\taskhost.exe[1088] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000775317f0 5 bytes JMP 00000000000603b0 .text C:\Windows\system32\taskhost.exe[1088] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000077531830 5 bytes JMP 0000000000060440 .text C:\Windows\system32\taskhost.exe[1088] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077531840 5 bytes JMP 00000000000603e0 .text C:\Windows\system32\taskhost.exe[1088] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000775319a0 5 bytes JMP 0000000000060220 .text C:\Windows\system32\taskhost.exe[1088] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077531b60 5 bytes JMP 00000000000604a0 .text C:\Windows\system32\taskhost.exe[1088] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077531b90 5 bytes JMP 0000000000060390 .text C:\Windows\system32\taskhost.exe[1088] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077531c70 5 bytes JMP 00000000000602e0 .text C:\Windows\system32\taskhost.exe[1088] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077531c80 5 bytes JMP 0000000000060340 .text C:\Windows\system32\taskhost.exe[1088] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077531ce0 5 bytes JMP 0000000000060280 .text C:\Windows\system32\taskhost.exe[1088] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077531d70 5 bytes JMP 00000000000602a0 .text C:\Windows\system32\taskhost.exe[1088] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077531d90 5 bytes JMP 00000000000603c0 .text C:\Windows\system32\taskhost.exe[1088] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077531da0 5 bytes JMP 0000000000060320 .text C:\Windows\system32\taskhost.exe[1088] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077531e10 5 bytes JMP 0000000000060410 .text C:\Windows\system32\taskhost.exe[1088] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077531e40 5 bytes JMP 0000000000060230 .text C:\Windows\system32\taskhost.exe[1088] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000077531fe0 5 bytes JMP 00000000000603f0 .text C:\Windows\system32\taskhost.exe[1088] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077532100 5 bytes JMP 00000000000601d0 .text C:\Windows\system32\taskhost.exe[1088] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000775321c0 5 bytes JMP 0000000000060240 .text C:\Windows\system32\taskhost.exe[1088] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000775321f0 5 bytes JMP 00000000000604b0 .text C:\Windows\system32\taskhost.exe[1088] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077532200 5 bytes JMP 00000000000604c0 .text C:\Windows\system32\taskhost.exe[1088] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077532230 5 bytes JMP 00000000000602f0 .text C:\Windows\system32\taskhost.exe[1088] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077532240 5 bytes JMP 0000000000060350 .text C:\Windows\system32\taskhost.exe[1088] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000775322a0 5 bytes JMP 0000000000060290 .text C:\Windows\system32\taskhost.exe[1088] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000775322f0 5 bytes JMP 00000000000602b0 .text C:\Windows\system32\taskhost.exe[1088] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077532320 5 bytes JMP 0000000000060370 .text C:\Windows\system32\taskhost.exe[1088] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077532330 5 bytes JMP 0000000000060330 .text C:\Windows\system32\taskhost.exe[1088] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077532620 5 bytes JMP 0000000000060460 .text C:\Windows\system32\taskhost.exe[1088] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000077532780 5 bytes JMP 0000000000060420 .text C:\Windows\system32\taskhost.exe[1088] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077532820 5 bytes JMP 0000000000060250 .text C:\Windows\system32\taskhost.exe[1088] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077532830 5 bytes JMP 0000000000060260 .text C:\Windows\system32\taskhost.exe[1088] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077532840 5 bytes JMP 0000000000060400 .text C:\Windows\system32\taskhost.exe[1088] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077532a00 5 bytes JMP 00000000000601e0 .text C:\Windows\system32\taskhost.exe[1088] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077532a10 5 bytes JMP 0000000000060200 .text C:\Windows\system32\taskhost.exe[1088] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077532a80 5 bytes JMP 00000000000601f0 .text C:\Windows\system32\taskhost.exe[1088] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077532ae0 5 bytes JMP 0000000000060430 .text C:\Windows\system32\taskhost.exe[1088] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077532af0 5 bytes JMP 0000000000060450 .text C:\Windows\system32\taskhost.exe[1088] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077532b00 5 bytes JMP 0000000000060210 .text C:\Windows\system32\taskhost.exe[1088] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077532be0 1 byte JMP 0000000000060270 .text C:\Windows\system32\taskhost.exe[1088] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 2 0000000077532be2 3 bytes {JMP 0xffffffff88b2d690} .text C:\Windows\system32\AUDIODG.EXE[2776] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000775313c0 5 bytes JMP 0000000077690480 .text C:\Windows\system32\AUDIODG.EXE[2776] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077531410 5 bytes JMP 0000000077690470 .text C:\Windows\system32\AUDIODG.EXE[2776] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077531570 5 bytes JMP 0000000077690360 .text C:\Windows\system32\AUDIODG.EXE[2776] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000775315c0 5 bytes JMP 0000000077690490 .text C:\Windows\system32\AUDIODG.EXE[2776] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000775315d0 5 bytes JMP 00000000776903d0 .text C:\Windows\system32\AUDIODG.EXE[2776] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077531680 1 byte JMP 0000000077690310 .text C:\Windows\system32\AUDIODG.EXE[2776] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 2 0000000077531682 3 bytes {JMP 0x15ec90} .text C:\Windows\system32\AUDIODG.EXE[2776] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000775316b0 5 bytes JMP 00000000776903a0 .text C:\Windows\system32\AUDIODG.EXE[2776] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000775316d0 5 bytes JMP 0000000077690380 .text C:\Windows\system32\AUDIODG.EXE[2776] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077531710 5 bytes JMP 00000000776902d0 .text C:\Windows\system32\AUDIODG.EXE[2776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077531790 5 bytes JMP 00000000776902c0 .text C:\Windows\system32\AUDIODG.EXE[2776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000775317b0 5 bytes JMP 0000000077690300 .text C:\Windows\system32\AUDIODG.EXE[2776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000775317f0 5 bytes JMP 00000000776903b0 .text C:\Windows\system32\AUDIODG.EXE[2776] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000077531830 5 bytes JMP 0000000077690440 .text C:\Windows\system32\AUDIODG.EXE[2776] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077531840 5 bytes JMP 00000000776903e0 .text C:\Windows\system32\AUDIODG.EXE[2776] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000775319a0 5 bytes JMP 0000000077690220 .text C:\Windows\system32\AUDIODG.EXE[2776] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077531b60 5 bytes JMP 00000000776904a0 .text C:\Windows\system32\AUDIODG.EXE[2776] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077531b90 5 bytes JMP 0000000077690390 .text C:\Windows\system32\AUDIODG.EXE[2776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077531c70 5 bytes JMP 00000000776902e0 .text C:\Windows\system32\AUDIODG.EXE[2776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077531c80 5 bytes JMP 0000000077690340 .text C:\Windows\system32\AUDIODG.EXE[2776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077531ce0 5 bytes JMP 0000000077690280 .text C:\Windows\system32\AUDIODG.EXE[2776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077531d70 5 bytes JMP 00000000776902a0 .text C:\Windows\system32\AUDIODG.EXE[2776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077531d90 5 bytes JMP 00000000776903c0 .text C:\Windows\system32\AUDIODG.EXE[2776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077531da0 5 bytes JMP 0000000077690320 .text C:\Windows\system32\AUDIODG.EXE[2776] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077531e10 5 bytes JMP 0000000077690410 .text C:\Windows\system32\AUDIODG.EXE[2776] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077531e40 5 bytes JMP 0000000077690230 .text C:\Windows\system32\AUDIODG.EXE[2776] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000077531fe0 5 bytes JMP 00000000776903f0 .text C:\Windows\system32\AUDIODG.EXE[2776] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077532100 5 bytes JMP 00000000776901d0 .text C:\Windows\system32\AUDIODG.EXE[2776] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000775321c0 5 bytes JMP 0000000077690240 .text C:\Windows\system32\AUDIODG.EXE[2776] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000775321f0 5 bytes JMP 00000000776904b0 .text C:\Windows\system32\AUDIODG.EXE[2776] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077532200 5 bytes JMP 00000000776904c0 .text C:\Windows\system32\AUDIODG.EXE[2776] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077532230 5 bytes JMP 00000000776902f0 .text C:\Windows\system32\AUDIODG.EXE[2776] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077532240 5 bytes JMP 0000000077690350 .text C:\Windows\system32\AUDIODG.EXE[2776] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000775322a0 5 bytes JMP 0000000077690290 .text C:\Windows\system32\AUDIODG.EXE[2776] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000775322f0 5 bytes JMP 00000000776902b0 .text C:\Windows\system32\AUDIODG.EXE[2776] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077532320 5 bytes JMP 0000000077690370 .text C:\Windows\system32\AUDIODG.EXE[2776] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077532330 5 bytes JMP 0000000077690330 .text C:\Windows\system32\AUDIODG.EXE[2776] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077532620 5 bytes JMP 0000000077690460 .text C:\Windows\system32\AUDIODG.EXE[2776] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000077532780 5 bytes JMP 0000000077690420 .text C:\Windows\system32\AUDIODG.EXE[2776] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077532820 5 bytes JMP 0000000077690250 .text C:\Windows\system32\AUDIODG.EXE[2776] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077532830 5 bytes JMP 0000000077690260 .text C:\Windows\system32\AUDIODG.EXE[2776] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077532840 5 bytes JMP 0000000077690400 .text C:\Windows\system32\AUDIODG.EXE[2776] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077532a00 5 bytes JMP 00000000776901e0 .text C:\Windows\system32\AUDIODG.EXE[2776] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077532a10 5 bytes JMP 0000000077690200 .text C:\Windows\system32\AUDIODG.EXE[2776] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077532a80 5 bytes JMP 00000000776901f0 .text C:\Windows\system32\AUDIODG.EXE[2776] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077532ae0 5 bytes JMP 0000000077690430 .text C:\Windows\system32\AUDIODG.EXE[2776] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077532af0 5 bytes JMP 0000000077690450 .text C:\Windows\system32\AUDIODG.EXE[2776] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077532b00 5 bytes JMP 0000000077690210 .text C:\Windows\system32\AUDIODG.EXE[2776] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077532be0 1 byte JMP 0000000077690270 .text C:\Windows\system32\AUDIODG.EXE[2776] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 2 0000000077532be2 3 bytes {JMP 0x15d690} ---- Threads - GMER 2.2 ---- Thread C:\Windows\system32\svchost.exe [448:3552] 000007fef376506c Thread C:\Windows\system32\svchost.exe [448:3556] 000007fefafb1c20 Thread C:\Windows\system32\svchost.exe [448:3568] 000007fefafb1c20 Thread C:\Windows\system32\svchost.exe [448:4464] 000007fef79717f8 Thread C:\Windows\system32\svchost.exe [448:4808] 000007fef79717f8 Thread C:\Windows\system32\svchost.exe [448:3440] 000007fef8565124 Thread C:\Windows\system32\svchost.exe [448:744] 000007fefba54164 Thread C:\Windows\system32\svchost.exe [448:3448] 000007fef6e11ab0 Thread C:\Windows\system32\svchost.exe [448:2660] 000007fef823b68c ---- Registry - GMER 2.2 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\acd1b8ea01aa Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\acd1b8ea01aa (not active ControlSet) ---- EOF - GMER 2.2 ----