GMER 2.2.19882 - http://www.gmer.net Rootkit scan 2016-09-11 15:54:31 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 WDC_WD5000AZRX-00A8LB0 rev.01.01A01 465,76GB Running: evdsjvi5.exe; Driver: C:\Users\User\AppData\Local\Temp\aftcaaob.sys ---- Kernel code sections - GMER 2.2 ---- .text C:\Windows\System32\win32k.sys!EngSetLastError + 608 fffff960000e5b20 8 bytes [D0, B4, 12, 04, 80, F8, FF, ...] .text C:\Windows\System32\win32k.sys!W32pServiceTable fffff96000115600 7 bytes [00, 66, F3, FF, 41, 70, F0] .text C:\Windows\System32\win32k.sys!W32pServiceTable + 8 fffff96000115608 3 bytes [C0, 06, 02] .text ... * 107 .text C:\Windows\System32\win32k.sys!EngGetProcessHandle + 468 fffff960001dd8c8 6 bytes {JMP QWORD [RIP-0xc3976]} ---- User code sections - GMER 2.2 ---- .text C:\Windows\system32\lsass.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077b4da60 5 bytes JMP 0000000077cb0480 .text C:\Windows\system32\lsass.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077b4dab0 5 bytes JMP 0000000077cb0470 .text C:\Windows\system32\lsass.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077b4dc10 5 bytes JMP 0000000077cb0360 .text C:\Windows\system32\lsass.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077b4dc60 5 bytes JMP 0000000077cb0490 .text C:\Windows\system32\lsass.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077b4dc70 5 bytes JMP 0000000077cb03d0 .text C:\Windows\system32\lsass.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077b4dd20 5 bytes JMP 0000000077cb0310 .text C:\Windows\system32\lsass.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077b4dd50 5 bytes JMP 0000000077cb03a0 .text C:\Windows\system32\lsass.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077b4dd70 5 bytes JMP 0000000077cb0380 .text C:\Windows\system32\lsass.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077b4ddb0 5 bytes JMP 0000000077cb02d0 .text C:\Windows\system32\lsass.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077b4de30 1 byte JMP 0000000077cb02c0 .text C:\Windows\system32\lsass.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 0000000077b4de32 3 bytes {JMP 0x162490} .text C:\Windows\system32\lsass.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077b4de50 5 bytes JMP 0000000077cb0300 .text C:\Windows\system32\lsass.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077b4de90 5 bytes JMP 0000000077cb03b0 .text C:\Windows\system32\lsass.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000077b4ded0 5 bytes JMP 0000000077cb0440 .text C:\Windows\system32\lsass.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077b4dee0 5 bytes JMP 0000000077cb03e0 .text C:\Windows\system32\lsass.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077b4e040 5 bytes JMP 0000000077cb0220 .text C:\Windows\system32\lsass.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077b4e200 5 bytes JMP 0000000077cb04a0 .text C:\Windows\system32\lsass.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077b4e230 5 bytes JMP 0000000077cb0390 .text C:\Windows\system32\lsass.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077b4e310 5 bytes JMP 0000000077cb02e0 .text C:\Windows\system32\lsass.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077b4e320 5 bytes JMP 0000000077cb0340 .text C:\Windows\system32\lsass.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077b4e380 5 bytes JMP 0000000077cb0280 .text C:\Windows\system32\lsass.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077b4e410 1 byte JMP 0000000077cb02a0 .text C:\Windows\system32\lsass.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 0000000077b4e412 3 bytes {JMP 0x161e90} .text C:\Windows\system32\lsass.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077b4e430 1 byte JMP 0000000077cb03c0 .text C:\Windows\system32\lsass.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 0000000077b4e432 3 bytes {JMP 0x161f90} .text C:\Windows\system32\lsass.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077b4e440 5 bytes JMP 0000000077cb0320 .text C:\Windows\system32\lsass.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077b4e4b0 5 bytes JMP 0000000077cb0410 .text C:\Windows\system32\lsass.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077b4e4e0 5 bytes JMP 0000000077cb0230 .text C:\Windows\system32\lsass.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000077b4e680 5 bytes JMP 0000000077cb03f0 .text C:\Windows\system32\lsass.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077b4e7a0 5 bytes JMP 0000000077cb01d0 .text C:\Windows\system32\lsass.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077b4e860 5 bytes JMP 0000000077cb0240 .text C:\Windows\system32\lsass.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077b4e890 5 bytes JMP 0000000077cb04b0 .text C:\Windows\system32\lsass.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077b4e8a0 5 bytes JMP 0000000077cb04c0 .text C:\Windows\system32\lsass.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077b4e8d0 5 bytes JMP 0000000077cb02f0 .text C:\Windows\system32\lsass.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077b4e8e0 5 bytes JMP 0000000077cb0350 .text C:\Windows\system32\lsass.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077b4e940 5 bytes JMP 0000000077cb0290 .text C:\Windows\system32\lsass.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077b4e990 5 bytes JMP 0000000077cb02b0 .text C:\Windows\system32\lsass.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077b4e9c0 5 bytes JMP 0000000077cb0370 .text C:\Windows\system32\lsass.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077b4e9d0 5 bytes JMP 0000000077cb0330 .text C:\Windows\system32\lsass.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077b4ecc0 5 bytes JMP 0000000077cb0460 .text C:\Windows\system32\lsass.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000077b4ee20 5 bytes JMP 0000000077cb0420 .text C:\Windows\system32\lsass.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077b4eec0 1 byte JMP 0000000077cb0250 .text C:\Windows\system32\lsass.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 0000000077b4eec2 3 bytes {JMP 0x161390} .text C:\Windows\system32\lsass.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077b4eed0 1 byte JMP 0000000077cb0260 .text C:\Windows\system32\lsass.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 0000000077b4eed2 3 bytes {JMP 0x161390} .text C:\Windows\system32\lsass.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077b4eee0 5 bytes JMP 0000000077cb0400 .text C:\Windows\system32\lsass.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077b4f0a0 5 bytes JMP 0000000077cb01e0 .text C:\Windows\system32\lsass.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077b4f0b0 5 bytes JMP 0000000077cb0200 .text C:\Windows\system32\lsass.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077b4f120 5 bytes JMP 0000000077cb01f0 .text C:\Windows\system32\lsass.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077b4f180 5 bytes JMP 0000000077cb0430 .text C:\Windows\system32\lsass.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077b4f190 5 bytes JMP 0000000077cb0450 .text C:\Windows\system32\lsass.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077b4f1a0 5 bytes JMP 0000000077cb0210 .text C:\Windows\system32\lsass.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077b4f280 5 bytes JMP 0000000077cb0270 .text C:\Windows\system32\lsm.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077b4da60 5 bytes JMP 0000000077cb0480 .text C:\Windows\system32\lsm.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077b4dab0 5 bytes JMP 0000000077cb0470 .text C:\Windows\system32\lsm.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077b4dc10 5 bytes JMP 0000000077cb0360 .text C:\Windows\system32\lsm.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077b4dc60 5 bytes JMP 0000000077cb0490 .text C:\Windows\system32\lsm.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077b4dc70 5 bytes JMP 0000000077cb03d0 .text C:\Windows\system32\lsm.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077b4dd20 5 bytes JMP 0000000077cb0310 .text C:\Windows\system32\lsm.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077b4dd50 5 bytes JMP 0000000077cb03a0 .text C:\Windows\system32\lsm.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077b4dd70 5 bytes JMP 0000000077cb0380 .text C:\Windows\system32\lsm.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077b4ddb0 5 bytes JMP 0000000077cb02d0 .text C:\Windows\system32\lsm.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077b4de30 1 byte JMP 0000000077cb02c0 .text C:\Windows\system32\lsm.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 0000000077b4de32 3 bytes {JMP 0x162490} .text C:\Windows\system32\lsm.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077b4de50 5 bytes JMP 0000000077cb0300 .text C:\Windows\system32\lsm.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077b4de90 5 bytes JMP 0000000077cb03b0 .text C:\Windows\system32\lsm.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000077b4ded0 5 bytes JMP 0000000077cb0440 .text C:\Windows\system32\lsm.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077b4dee0 5 bytes JMP 0000000077cb03e0 .text C:\Windows\system32\lsm.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077b4e040 5 bytes JMP 0000000077cb0220 .text C:\Windows\system32\lsm.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077b4e200 5 bytes JMP 0000000077cb04a0 .text C:\Windows\system32\lsm.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077b4e230 5 bytes JMP 0000000077cb0390 .text C:\Windows\system32\lsm.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077b4e310 5 bytes JMP 0000000077cb02e0 .text C:\Windows\system32\lsm.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077b4e320 5 bytes JMP 0000000077cb0340 .text C:\Windows\system32\lsm.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077b4e380 5 bytes JMP 0000000077cb0280 .text C:\Windows\system32\lsm.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077b4e410 1 byte JMP 0000000077cb02a0 .text C:\Windows\system32\lsm.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 0000000077b4e412 3 bytes {JMP 0x161e90} .text C:\Windows\system32\lsm.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077b4e430 1 byte JMP 0000000077cb03c0 .text C:\Windows\system32\lsm.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 0000000077b4e432 3 bytes {JMP 0x161f90} .text C:\Windows\system32\lsm.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077b4e440 5 bytes JMP 0000000077cb0320 .text C:\Windows\system32\lsm.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077b4e4b0 5 bytes JMP 0000000077cb0410 .text C:\Windows\system32\lsm.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077b4e4e0 5 bytes JMP 0000000077cb0230 .text C:\Windows\system32\lsm.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000077b4e680 5 bytes JMP 0000000077cb03f0 .text C:\Windows\system32\lsm.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077b4e7a0 5 bytes JMP 0000000077cb01d0 .text C:\Windows\system32\lsm.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077b4e860 5 bytes JMP 0000000077cb0240 .text C:\Windows\system32\lsm.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077b4e890 5 bytes JMP 0000000077cb04b0 .text C:\Windows\system32\lsm.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077b4e8a0 5 bytes JMP 0000000077cb04c0 .text C:\Windows\system32\lsm.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077b4e8d0 5 bytes JMP 0000000077cb02f0 .text C:\Windows\system32\lsm.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077b4e8e0 5 bytes JMP 0000000077cb0350 .text C:\Windows\system32\lsm.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077b4e940 5 bytes JMP 0000000077cb0290 .text C:\Windows\system32\lsm.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077b4e990 5 bytes JMP 0000000077cb02b0 .text C:\Windows\system32\lsm.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077b4e9c0 5 bytes JMP 0000000077cb0370 .text C:\Windows\system32\lsm.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077b4e9d0 5 bytes JMP 0000000077cb0330 .text C:\Windows\system32\lsm.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077b4ecc0 5 bytes JMP 0000000077cb0460 .text C:\Windows\system32\lsm.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000077b4ee20 5 bytes JMP 0000000077cb0420 .text C:\Windows\system32\lsm.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077b4eec0 1 byte JMP 0000000077cb0250 .text C:\Windows\system32\lsm.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 0000000077b4eec2 3 bytes {JMP 0x161390} .text C:\Windows\system32\lsm.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077b4eed0 1 byte JMP 0000000077cb0260 .text C:\Windows\system32\lsm.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 0000000077b4eed2 3 bytes {JMP 0x161390} .text C:\Windows\system32\lsm.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077b4eee0 5 bytes JMP 0000000077cb0400 .text C:\Windows\system32\lsm.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077b4f0a0 5 bytes JMP 0000000077cb01e0 .text C:\Windows\system32\lsm.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077b4f0b0 5 bytes JMP 0000000077cb0200 .text C:\Windows\system32\lsm.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077b4f120 5 bytes JMP 0000000077cb01f0 .text C:\Windows\system32\lsm.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077b4f180 5 bytes JMP 0000000077cb0430 .text C:\Windows\system32\lsm.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077b4f190 5 bytes JMP 0000000077cb0450 .text C:\Windows\system32\lsm.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077b4f1a0 5 bytes JMP 0000000077cb0210 .text C:\Windows\system32\lsm.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077b4f280 5 bytes JMP 0000000077cb0270 .text C:\Windows\system32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077b4da60 5 bytes JMP 0000000077cb0480 .text C:\Windows\system32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077b4dab0 5 bytes JMP 0000000077cb0470 .text C:\Windows\system32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077b4dc10 5 bytes JMP 0000000077cb0360 .text C:\Windows\system32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077b4dc60 5 bytes JMP 0000000077cb0490 .text C:\Windows\system32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077b4dc70 5 bytes JMP 0000000077cb03d0 .text C:\Windows\system32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077b4dd20 5 bytes JMP 0000000077cb0310 .text C:\Windows\system32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077b4dd50 5 bytes JMP 0000000077cb03a0 .text C:\Windows\system32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077b4dd70 5 bytes JMP 0000000077cb0380 .text C:\Windows\system32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077b4ddb0 5 bytes JMP 0000000077cb02d0 .text C:\Windows\system32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077b4de30 1 byte JMP 0000000077cb02c0 .text C:\Windows\system32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 0000000077b4de32 3 bytes {JMP 0x162490} .text C:\Windows\system32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077b4de50 5 bytes JMP 0000000077cb0300 .text C:\Windows\system32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077b4de90 5 bytes JMP 0000000077cb03b0 .text C:\Windows\system32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000077b4ded0 5 bytes JMP 0000000077cb0440 .text C:\Windows\system32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077b4dee0 5 bytes JMP 0000000077cb03e0 .text C:\Windows\system32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077b4e040 5 bytes JMP 0000000077cb0220 .text C:\Windows\system32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077b4e200 5 bytes JMP 0000000077cb04a0 .text C:\Windows\system32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077b4e230 5 bytes JMP 0000000077cb0390 .text C:\Windows\system32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077b4e310 5 bytes JMP 0000000077cb02e0 .text C:\Windows\system32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077b4e320 5 bytes JMP 0000000077cb0340 .text C:\Windows\system32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077b4e380 5 bytes JMP 0000000077cb0280 .text C:\Windows\system32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077b4e410 1 byte JMP 0000000077cb02a0 .text C:\Windows\system32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 0000000077b4e412 3 bytes {JMP 0x161e90} .text C:\Windows\system32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077b4e430 1 byte JMP 0000000077cb03c0 .text C:\Windows\system32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 0000000077b4e432 3 bytes {JMP 0x161f90} .text C:\Windows\system32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077b4e440 5 bytes JMP 0000000077cb0320 .text C:\Windows\system32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077b4e4b0 5 bytes JMP 0000000077cb0410 .text C:\Windows\system32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077b4e4e0 5 bytes JMP 0000000077cb0230 .text C:\Windows\system32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000077b4e680 5 bytes JMP 0000000077cb03f0 .text C:\Windows\system32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077b4e7a0 5 bytes JMP 0000000077cb01d0 .text C:\Windows\system32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077b4e860 5 bytes JMP 0000000077cb0240 .text C:\Windows\system32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077b4e890 5 bytes JMP 0000000077cb04b0 .text C:\Windows\system32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077b4e8a0 5 bytes JMP 0000000077cb04c0 .text C:\Windows\system32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077b4e8d0 5 bytes JMP 0000000077cb02f0 .text C:\Windows\system32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077b4e8e0 5 bytes JMP 0000000077cb0350 .text C:\Windows\system32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077b4e940 5 bytes JMP 0000000077cb0290 .text C:\Windows\system32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077b4e990 5 bytes JMP 0000000077cb02b0 .text C:\Windows\system32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077b4e9c0 5 bytes JMP 0000000077cb0370 .text C:\Windows\system32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077b4e9d0 5 bytes JMP 0000000077cb0330 .text C:\Windows\system32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077b4ecc0 5 bytes JMP 0000000077cb0460 .text C:\Windows\system32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000077b4ee20 5 bytes JMP 0000000077cb0420 .text C:\Windows\system32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077b4eec0 1 byte JMP 0000000077cb0250 .text C:\Windows\system32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 0000000077b4eec2 3 bytes {JMP 0x161390} .text C:\Windows\system32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077b4eed0 1 byte JMP 0000000077cb0260 .text C:\Windows\system32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 0000000077b4eed2 3 bytes {JMP 0x161390} .text C:\Windows\system32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077b4eee0 5 bytes JMP 0000000077cb0400 .text C:\Windows\system32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077b4f0a0 5 bytes JMP 0000000077cb01e0 .text C:\Windows\system32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077b4f0b0 5 bytes JMP 0000000077cb0200 .text C:\Windows\system32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077b4f120 5 bytes JMP 0000000077cb01f0 .text C:\Windows\system32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077b4f180 5 bytes JMP 0000000077cb0430 .text C:\Windows\system32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077b4f190 5 bytes JMP 0000000077cb0450 .text C:\Windows\system32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077b4f1a0 5 bytes JMP 0000000077cb0210 .text C:\Windows\system32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077b4f280 5 bytes JMP 0000000077cb0270 .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077b4da60 5 bytes JMP 0000000000070480 .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077b4dab0 5 bytes JMP 0000000000070470 .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077b4dc10 5 bytes JMP 0000000000070360 .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077b4dc60 5 bytes JMP 0000000000070490 .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077b4dc70 5 bytes JMP 00000000000703d0 .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077b4dd20 5 bytes JMP 0000000000070310 .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077b4dd50 5 bytes JMP 00000000000703a0 .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077b4dd70 5 bytes JMP 0000000000070380 .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077b4ddb0 5 bytes JMP 00000000000702d0 .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077b4de30 1 byte JMP 00000000000702c0 .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 0000000077b4de32 3 bytes {JMP 0xffffffff88522490} .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077b4de50 5 bytes JMP 0000000000070300 .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077b4de90 5 bytes JMP 00000000000703b0 .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000077b4ded0 5 bytes JMP 0000000000070440 .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077b4dee0 5 bytes JMP 00000000000703e0 .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077b4e040 5 bytes JMP 0000000000070220 .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077b4e200 5 bytes JMP 00000000000704a0 .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077b4e230 5 bytes JMP 0000000000070390 .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077b4e310 5 bytes JMP 00000000000702e0 .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077b4e320 5 bytes JMP 0000000000070340 .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077b4e380 5 bytes JMP 0000000000070280 .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077b4e410 1 byte JMP 00000000000702a0 .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 0000000077b4e412 3 bytes {JMP 0xffffffff88521e90} .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077b4e430 1 byte JMP 00000000000703c0 .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 0000000077b4e432 3 bytes {JMP 0xffffffff88521f90} .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077b4e440 5 bytes JMP 0000000000070320 .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077b4e4b0 5 bytes JMP 0000000000070410 .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077b4e4e0 5 bytes JMP 0000000000070230 .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000077b4e680 5 bytes JMP 00000000000703f0 .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077b4e7a0 5 bytes JMP 00000000000701d0 .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077b4e860 5 bytes JMP 0000000000070240 .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077b4e890 5 bytes JMP 00000000000704b0 .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077b4e8a0 5 bytes JMP 00000000000704c0 .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077b4e8d0 5 bytes JMP 00000000000702f0 .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077b4e8e0 5 bytes JMP 0000000000070350 .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077b4e940 5 bytes JMP 0000000000070290 .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077b4e990 5 bytes JMP 00000000000702b0 .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077b4e9c0 5 bytes JMP 0000000000070370 .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077b4e9d0 5 bytes JMP 0000000000070330 .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077b4ecc0 5 bytes JMP 0000000000070460 .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000077b4ee20 5 bytes JMP 0000000000070420 .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077b4eec0 1 byte JMP 0000000000070250 .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 0000000077b4eec2 3 bytes {JMP 0xffffffff88521390} .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077b4eed0 1 byte JMP 0000000000070260 .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 0000000077b4eed2 3 bytes {JMP 0xffffffff88521390} .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077b4eee0 5 bytes JMP 0000000000070400 .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077b4f0a0 5 bytes JMP 00000000000701e0 .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077b4f0b0 5 bytes JMP 0000000000070200 .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077b4f120 5 bytes JMP 00000000000701f0 .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077b4f180 5 bytes JMP 0000000000070430 .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077b4f190 5 bytes JMP 0000000000070450 .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077b4f1a0 5 bytes JMP 0000000000070210 .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077b4f280 5 bytes JMP 0000000000070270 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077b4da60 5 bytes JMP 0000000000070480 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077b4dab0 5 bytes JMP 0000000000070470 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077b4dc10 5 bytes JMP 0000000000070360 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077b4dc60 5 bytes JMP 0000000000070490 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077b4dc70 5 bytes JMP 00000000000703d0 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077b4dd20 5 bytes JMP 0000000000070310 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077b4dd50 5 bytes JMP 00000000000703a0 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077b4dd70 5 bytes JMP 0000000000070380 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077b4ddb0 5 bytes JMP 00000000000702d0 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077b4de30 1 byte JMP 00000000000702c0 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 0000000077b4de32 3 bytes {JMP 0xffffffff88522490} .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077b4de50 5 bytes JMP 0000000000070300 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077b4de90 5 bytes JMP 00000000000703b0 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000077b4ded0 5 bytes JMP 0000000000070440 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077b4dee0 5 bytes JMP 00000000000703e0 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077b4e040 5 bytes JMP 0000000000070220 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077b4e200 5 bytes JMP 00000000000704a0 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077b4e230 5 bytes JMP 0000000000070390 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077b4e310 5 bytes JMP 00000000000702e0 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077b4e320 5 bytes JMP 0000000000070340 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077b4e380 5 bytes JMP 0000000000070280 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077b4e410 1 byte JMP 00000000000702a0 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 0000000077b4e412 3 bytes {JMP 0xffffffff88521e90} .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077b4e430 1 byte JMP 00000000000703c0 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 0000000077b4e432 3 bytes {JMP 0xffffffff88521f90} .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077b4e440 5 bytes JMP 0000000000070320 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077b4e4b0 5 bytes JMP 0000000000070410 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077b4e4e0 5 bytes JMP 0000000000070230 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000077b4e680 5 bytes JMP 00000000000703f0 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077b4e7a0 5 bytes JMP 00000000000701d0 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077b4e860 5 bytes JMP 0000000000070240 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077b4e890 5 bytes JMP 00000000000704b0 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077b4e8a0 5 bytes JMP 00000000000704c0 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077b4e8d0 5 bytes JMP 00000000000702f0 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077b4e8e0 5 bytes JMP 0000000000070350 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077b4e940 5 bytes JMP 0000000000070290 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077b4e990 5 bytes JMP 00000000000702b0 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077b4e9c0 5 bytes JMP 0000000000070370 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077b4e9d0 5 bytes JMP 0000000000070330 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077b4ecc0 5 bytes JMP 0000000000070460 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000077b4ee20 5 bytes JMP 0000000000070420 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077b4eec0 1 byte JMP 0000000000070250 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 0000000077b4eec2 3 bytes {JMP 0xffffffff88521390} .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077b4eed0 1 byte JMP 0000000000070260 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 0000000077b4eed2 3 bytes {JMP 0xffffffff88521390} .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077b4eee0 5 bytes JMP 0000000000070400 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077b4f0a0 5 bytes JMP 00000000000701e0 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077b4f0b0 5 bytes JMP 0000000000070200 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077b4f120 5 bytes JMP 00000000000701f0 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077b4f180 5 bytes JMP 0000000000070430 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077b4f190 5 bytes JMP 0000000000070450 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077b4f1a0 5 bytes JMP 0000000000070210 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077b4f280 5 bytes JMP 0000000000070270 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077b4da60 5 bytes JMP 0000000077cb0480 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077b4dab0 5 bytes JMP 0000000077cb0470 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077b4dc10 5 bytes JMP 0000000077cb0360 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077b4dc60 5 bytes JMP 0000000077cb0490 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077b4dc70 5 bytes JMP 0000000077cb03d0 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077b4dd20 5 bytes JMP 0000000077cb0310 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077b4dd50 5 bytes JMP 0000000077cb03a0 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077b4dd70 5 bytes JMP 0000000077cb0380 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077b4ddb0 5 bytes JMP 0000000077cb02d0 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077b4de30 1 byte JMP 0000000077cb02c0 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 0000000077b4de32 3 bytes {JMP 0x162490} .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077b4de50 5 bytes JMP 0000000077cb0300 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077b4de90 5 bytes JMP 0000000077cb03b0 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000077b4ded0 5 bytes JMP 0000000077cb0440 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077b4dee0 5 bytes JMP 0000000077cb03e0 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077b4e040 5 bytes JMP 0000000077cb0220 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077b4e200 5 bytes JMP 0000000077cb04a0 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077b4e230 5 bytes JMP 0000000077cb0390 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077b4e310 5 bytes JMP 0000000077cb02e0 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077b4e320 5 bytes JMP 0000000077cb0340 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077b4e380 5 bytes JMP 0000000077cb0280 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077b4e410 1 byte JMP 0000000077cb02a0 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 0000000077b4e412 3 bytes {JMP 0x161e90} .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077b4e430 1 byte JMP 0000000077cb03c0 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 0000000077b4e432 3 bytes {JMP 0x161f90} .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077b4e440 5 bytes JMP 0000000077cb0320 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077b4e4b0 5 bytes JMP 0000000077cb0410 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077b4e4e0 5 bytes JMP 0000000077cb0230 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000077b4e680 5 bytes JMP 0000000077cb03f0 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077b4e7a0 5 bytes JMP 0000000077cb01d0 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077b4e860 5 bytes JMP 0000000077cb0240 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077b4e890 5 bytes JMP 0000000077cb04b0 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077b4e8a0 5 bytes JMP 0000000077cb04c0 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077b4e8d0 5 bytes JMP 0000000077cb02f0 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077b4e8e0 5 bytes JMP 0000000077cb0350 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077b4e940 5 bytes JMP 0000000077cb0290 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077b4e990 5 bytes JMP 0000000077cb02b0 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077b4e9c0 5 bytes JMP 0000000077cb0370 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077b4e9d0 5 bytes JMP 0000000077cb0330 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077b4ecc0 5 bytes JMP 0000000077cb0460 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000077b4ee20 5 bytes JMP 0000000077cb0420 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077b4eec0 1 byte JMP 0000000077cb0250 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 0000000077b4eec2 3 bytes {JMP 0x161390} .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077b4eed0 1 byte JMP 0000000077cb0260 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 0000000077b4eed2 3 bytes {JMP 0x161390} .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077b4eee0 5 bytes JMP 0000000077cb0400 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077b4f0a0 5 bytes JMP 0000000077cb01e0 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077b4f0b0 5 bytes JMP 0000000077cb0200 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077b4f120 5 bytes JMP 0000000077cb01f0 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077b4f180 5 bytes JMP 0000000077cb0430 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077b4f190 5 bytes JMP 0000000077cb0450 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077b4f1a0 5 bytes JMP 0000000077cb0210 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077b4f280 5 bytes JMP 0000000077cb0270 .text C:\Windows\system32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077b4da60 5 bytes JMP 0000000077cb0480 .text C:\Windows\system32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077b4dab0 5 bytes JMP 0000000077cb0470 .text C:\Windows\system32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077b4dc10 5 bytes JMP 0000000077cb0360 .text C:\Windows\system32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077b4dc60 5 bytes JMP 0000000077cb0490 .text C:\Windows\system32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077b4dc70 5 bytes JMP 0000000077cb03d0 .text C:\Windows\system32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077b4dd20 5 bytes JMP 0000000077cb0310 .text C:\Windows\system32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077b4dd50 5 bytes JMP 0000000077cb03a0 .text C:\Windows\system32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077b4dd70 5 bytes JMP 0000000077cb0380 .text C:\Windows\system32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077b4ddb0 5 bytes JMP 0000000077cb02d0 .text C:\Windows\system32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077b4de30 1 byte JMP 0000000077cb02c0 .text C:\Windows\system32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 0000000077b4de32 3 bytes {JMP 0x162490} .text C:\Windows\system32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077b4de50 5 bytes JMP 0000000077cb0300 .text C:\Windows\system32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077b4de90 5 bytes JMP 0000000077cb03b0 .text C:\Windows\system32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000077b4ded0 5 bytes JMP 0000000077cb0440 .text C:\Windows\system32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077b4dee0 5 bytes JMP 0000000077cb03e0 .text C:\Windows\system32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077b4e040 5 bytes JMP 0000000077cb0220 .text C:\Windows\system32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077b4e200 5 bytes JMP 0000000077cb04a0 .text C:\Windows\system32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077b4e230 5 bytes JMP 0000000077cb0390 .text C:\Windows\system32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077b4e310 5 bytes JMP 0000000077cb02e0 .text C:\Windows\system32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077b4e320 5 bytes JMP 0000000077cb0340 .text C:\Windows\system32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077b4e380 5 bytes JMP 0000000077cb0280 .text C:\Windows\system32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077b4e410 1 byte JMP 0000000077cb02a0 .text C:\Windows\system32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 0000000077b4e412 3 bytes {JMP 0x161e90} .text C:\Windows\system32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077b4e430 1 byte JMP 0000000077cb03c0 .text C:\Windows\system32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 0000000077b4e432 3 bytes {JMP 0x161f90} .text C:\Windows\system32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077b4e440 5 bytes JMP 0000000077cb0320 .text C:\Windows\system32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077b4e4b0 5 bytes JMP 0000000077cb0410 .text C:\Windows\system32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077b4e4e0 5 bytes JMP 0000000077cb0230 .text C:\Windows\system32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000077b4e680 5 bytes JMP 0000000077cb03f0 .text C:\Windows\system32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077b4e7a0 5 bytes JMP 0000000077cb01d0 .text C:\Windows\system32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077b4e860 5 bytes JMP 0000000077cb0240 .text C:\Windows\system32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077b4e890 5 bytes JMP 0000000077cb04b0 .text C:\Windows\system32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077b4e8a0 5 bytes JMP 0000000077cb04c0 .text C:\Windows\system32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077b4e8d0 5 bytes JMP 0000000077cb02f0 .text C:\Windows\system32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077b4e8e0 5 bytes JMP 0000000077cb0350 .text C:\Windows\system32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077b4e940 5 bytes JMP 0000000077cb0290 .text C:\Windows\system32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077b4e990 5 bytes JMP 0000000077cb02b0 .text C:\Windows\system32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077b4e9c0 5 bytes JMP 0000000077cb0370 .text C:\Windows\system32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077b4e9d0 5 bytes JMP 0000000077cb0330 .text C:\Windows\system32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077b4ecc0 5 bytes JMP 0000000077cb0460 .text C:\Windows\system32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000077b4ee20 5 bytes JMP 0000000077cb0420 .text C:\Windows\system32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077b4eec0 1 byte JMP 0000000077cb0250 .text C:\Windows\system32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 0000000077b4eec2 3 bytes {JMP 0x161390} .text C:\Windows\system32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077b4eed0 1 byte JMP 0000000077cb0260 .text C:\Windows\system32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 0000000077b4eed2 3 bytes {JMP 0x161390} .text C:\Windows\system32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077b4eee0 5 bytes JMP 0000000077cb0400 .text C:\Windows\system32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077b4f0a0 5 bytes JMP 0000000077cb01e0 .text C:\Windows\system32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077b4f0b0 5 bytes JMP 0000000077cb0200 .text C:\Windows\system32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077b4f120 5 bytes JMP 0000000077cb01f0 .text C:\Windows\system32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077b4f180 5 bytes JMP 0000000077cb0430 .text C:\Windows\system32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077b4f190 5 bytes JMP 0000000077cb0450 .text C:\Windows\system32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077b4f1a0 5 bytes JMP 0000000077cb0210 .text C:\Windows\system32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077b4f280 5 bytes JMP 0000000077cb0270 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077b4da60 5 bytes JMP 0000000077cb0480 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077b4dab0 5 bytes JMP 0000000077cb0470 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077b4dc10 5 bytes JMP 0000000077cb0360 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077b4dc60 5 bytes JMP 0000000077cb0490 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077b4dc70 5 bytes JMP 0000000077cb03d0 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077b4dd20 5 bytes JMP 0000000077cb0310 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077b4dd50 5 bytes JMP 0000000077cb03a0 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077b4dd70 5 bytes JMP 0000000077cb0380 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077b4ddb0 5 bytes JMP 0000000077cb02d0 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077b4de30 1 byte JMP 0000000077cb02c0 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 0000000077b4de32 3 bytes {JMP 0x162490} .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077b4de50 5 bytes JMP 0000000077cb0300 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077b4de90 5 bytes JMP 0000000077cb03b0 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000077b4ded0 5 bytes JMP 0000000077cb0440 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077b4dee0 5 bytes JMP 0000000077cb03e0 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077b4e040 5 bytes JMP 0000000077cb0220 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077b4e200 5 bytes JMP 0000000077cb04a0 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077b4e230 5 bytes JMP 0000000077cb0390 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077b4e310 5 bytes JMP 0000000077cb02e0 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077b4e320 5 bytes JMP 0000000077cb0340 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077b4e380 5 bytes JMP 0000000077cb0280 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077b4e410 1 byte JMP 0000000077cb02a0 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 0000000077b4e412 3 bytes {JMP 0x161e90} .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077b4e430 1 byte JMP 0000000077cb03c0 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 0000000077b4e432 3 bytes {JMP 0x161f90} .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077b4e440 5 bytes JMP 0000000077cb0320 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077b4e4b0 5 bytes JMP 0000000077cb0410 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077b4e4e0 5 bytes JMP 0000000077cb0230 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000077b4e680 5 bytes JMP 0000000077cb03f0 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077b4e7a0 5 bytes JMP 0000000077cb01d0 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077b4e860 5 bytes JMP 0000000077cb0240 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077b4e890 5 bytes JMP 0000000077cb04b0 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077b4e8a0 5 bytes JMP 0000000077cb04c0 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077b4e8d0 5 bytes JMP 0000000077cb02f0 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077b4e8e0 5 bytes JMP 0000000077cb0350 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077b4e940 5 bytes JMP 0000000077cb0290 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077b4e990 5 bytes JMP 0000000077cb02b0 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077b4e9c0 5 bytes JMP 0000000077cb0370 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077b4e9d0 5 bytes JMP 0000000077cb0330 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077b4ecc0 5 bytes JMP 0000000077cb0460 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000077b4ee20 5 bytes JMP 0000000077cb0420 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077b4eec0 1 byte JMP 0000000077cb0250 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 0000000077b4eec2 3 bytes {JMP 0x161390} .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077b4eed0 1 byte JMP 0000000077cb0260 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 0000000077b4eed2 3 bytes {JMP 0x161390} .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077b4eee0 5 bytes JMP 0000000077cb0400 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077b4f0a0 5 bytes JMP 0000000077cb01e0 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077b4f0b0 5 bytes JMP 0000000077cb0200 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077b4f120 5 bytes JMP 0000000077cb01f0 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077b4f180 5 bytes JMP 0000000077cb0430 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077b4f190 5 bytes JMP 0000000077cb0450 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077b4f1a0 5 bytes JMP 0000000077cb0210 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077b4f280 5 bytes JMP 0000000077cb0270 .text C:\Windows\system32\svchost.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077b4da60 5 bytes JMP 0000000077cb0480 .text C:\Windows\system32\svchost.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077b4dab0 5 bytes JMP 0000000077cb0470 .text C:\Windows\system32\svchost.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077b4dc10 5 bytes JMP 0000000077cb0360 .text C:\Windows\system32\svchost.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077b4dc60 5 bytes JMP 0000000077cb0490 .text C:\Windows\system32\svchost.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077b4dc70 5 bytes JMP 0000000077cb03d0 .text C:\Windows\system32\svchost.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077b4dd20 5 bytes JMP 0000000077cb0310 .text C:\Windows\system32\svchost.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077b4dd50 5 bytes JMP 0000000077cb03a0 .text C:\Windows\system32\svchost.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077b4dd70 5 bytes JMP 0000000077cb0380 .text C:\Windows\system32\svchost.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077b4ddb0 5 bytes JMP 0000000077cb02d0 .text C:\Windows\system32\svchost.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077b4de30 1 byte JMP 0000000077cb02c0 .text C:\Windows\system32\svchost.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 0000000077b4de32 3 bytes {JMP 0x162490} .text C:\Windows\system32\svchost.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077b4de50 5 bytes JMP 0000000077cb0300 .text C:\Windows\system32\svchost.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077b4de90 5 bytes JMP 0000000077cb03b0 .text C:\Windows\system32\svchost.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000077b4ded0 5 bytes JMP 0000000077cb0440 .text C:\Windows\system32\svchost.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077b4dee0 5 bytes JMP 0000000077cb03e0 .text C:\Windows\system32\svchost.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077b4e040 5 bytes JMP 0000000077cb0220 .text C:\Windows\system32\svchost.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077b4e200 5 bytes JMP 0000000077cb04a0 .text C:\Windows\system32\svchost.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077b4e230 5 bytes JMP 0000000077cb0390 .text C:\Windows\system32\svchost.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077b4e310 5 bytes JMP 0000000077cb02e0 .text C:\Windows\system32\svchost.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077b4e320 5 bytes JMP 0000000077cb0340 .text C:\Windows\system32\svchost.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077b4e380 5 bytes JMP 0000000077cb0280 .text C:\Windows\system32\svchost.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077b4e410 1 byte JMP 0000000077cb02a0 .text C:\Windows\system32\svchost.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 0000000077b4e412 3 bytes {JMP 0x161e90} .text C:\Windows\system32\svchost.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077b4e430 1 byte JMP 0000000077cb03c0 .text C:\Windows\system32\svchost.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 0000000077b4e432 3 bytes {JMP 0x161f90} .text C:\Windows\system32\svchost.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077b4e440 5 bytes JMP 0000000077cb0320 .text C:\Windows\system32\svchost.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077b4e4b0 5 bytes JMP 0000000077cb0410 .text C:\Windows\system32\svchost.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077b4e4e0 5 bytes JMP 0000000077cb0230 .text C:\Windows\system32\svchost.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000077b4e680 5 bytes JMP 0000000077cb03f0 .text C:\Windows\system32\svchost.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077b4e7a0 5 bytes JMP 0000000077cb01d0 .text C:\Windows\system32\svchost.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077b4e860 5 bytes JMP 0000000077cb0240 .text C:\Windows\system32\svchost.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077b4e890 5 bytes JMP 0000000077cb04b0 .text C:\Windows\system32\svchost.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077b4e8a0 5 bytes JMP 0000000077cb04c0 .text C:\Windows\system32\svchost.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077b4e8d0 5 bytes JMP 0000000077cb02f0 .text C:\Windows\system32\svchost.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077b4e8e0 5 bytes JMP 0000000077cb0350 .text C:\Windows\system32\svchost.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077b4e940 5 bytes JMP 0000000077cb0290 .text C:\Windows\system32\svchost.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077b4e990 5 bytes JMP 0000000077cb02b0 .text C:\Windows\system32\svchost.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077b4e9c0 5 bytes JMP 0000000077cb0370 .text C:\Windows\system32\svchost.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077b4e9d0 5 bytes JMP 0000000077cb0330 .text C:\Windows\system32\svchost.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077b4ecc0 5 bytes JMP 0000000077cb0460 .text C:\Windows\system32\svchost.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000077b4ee20 5 bytes JMP 0000000077cb0420 .text C:\Windows\system32\svchost.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077b4eec0 1 byte JMP 0000000077cb0250 .text C:\Windows\system32\svchost.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 0000000077b4eec2 3 bytes {JMP 0x161390} .text C:\Windows\system32\svchost.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077b4eed0 1 byte JMP 0000000077cb0260 .text C:\Windows\system32\svchost.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 0000000077b4eed2 3 bytes {JMP 0x161390} .text C:\Windows\system32\svchost.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077b4eee0 5 bytes JMP 0000000077cb0400 .text C:\Windows\system32\svchost.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077b4f0a0 5 bytes JMP 0000000077cb01e0 .text C:\Windows\system32\svchost.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077b4f0b0 5 bytes JMP 0000000077cb0200 .text C:\Windows\system32\svchost.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077b4f120 5 bytes JMP 0000000077cb01f0 .text C:\Windows\system32\svchost.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077b4f180 5 bytes JMP 0000000077cb0430 .text C:\Windows\system32\svchost.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077b4f190 5 bytes JMP 0000000077cb0450 .text C:\Windows\system32\svchost.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077b4f1a0 5 bytes JMP 0000000077cb0210 .text C:\Windows\system32\svchost.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077b4f280 5 bytes JMP 0000000077cb0270 .text C:\Windows\system32\svchost.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077b4da60 5 bytes JMP 0000000077cb0480 .text C:\Windows\system32\svchost.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077b4dab0 5 bytes JMP 0000000077cb0470 .text C:\Windows\system32\svchost.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077b4dc10 5 bytes JMP 0000000077cb0360 .text C:\Windows\system32\svchost.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077b4dc60 5 bytes JMP 0000000077cb0490 .text C:\Windows\system32\svchost.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077b4dc70 5 bytes JMP 0000000077cb03d0 .text C:\Windows\system32\svchost.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077b4dd20 5 bytes JMP 0000000077cb0310 .text C:\Windows\system32\svchost.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077b4dd50 5 bytes JMP 0000000077cb03a0 .text C:\Windows\system32\svchost.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077b4dd70 5 bytes JMP 0000000077cb0380 .text C:\Windows\system32\svchost.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077b4ddb0 5 bytes JMP 0000000077cb02d0 .text C:\Windows\system32\svchost.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077b4de30 1 byte JMP 0000000077cb02c0 .text C:\Windows\system32\svchost.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 0000000077b4de32 3 bytes {JMP 0x162490} .text C:\Windows\system32\svchost.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077b4de50 5 bytes JMP 0000000077cb0300 .text C:\Windows\system32\svchost.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077b4de90 5 bytes JMP 0000000077cb03b0 .text C:\Windows\system32\svchost.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000077b4ded0 5 bytes JMP 0000000077cb0440 .text C:\Windows\system32\svchost.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077b4dee0 5 bytes JMP 0000000077cb03e0 .text C:\Windows\system32\svchost.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077b4e040 5 bytes JMP 0000000077cb0220 .text C:\Windows\system32\svchost.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077b4e200 5 bytes JMP 0000000077cb04a0 .text C:\Windows\system32\svchost.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077b4e230 5 bytes JMP 0000000077cb0390 .text C:\Windows\system32\svchost.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077b4e310 5 bytes JMP 0000000077cb02e0 .text C:\Windows\system32\svchost.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077b4e320 5 bytes JMP 0000000077cb0340 .text C:\Windows\system32\svchost.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077b4e380 5 bytes JMP 0000000077cb0280 .text C:\Windows\system32\svchost.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077b4e410 1 byte JMP 0000000077cb02a0 .text C:\Windows\system32\svchost.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 0000000077b4e412 3 bytes {JMP 0x161e90} .text C:\Windows\system32\svchost.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077b4e430 1 byte JMP 0000000077cb03c0 .text C:\Windows\system32\svchost.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 0000000077b4e432 3 bytes {JMP 0x161f90} .text C:\Windows\system32\svchost.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077b4e440 5 bytes JMP 0000000077cb0320 .text C:\Windows\system32\svchost.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077b4e4b0 5 bytes JMP 0000000077cb0410 .text C:\Windows\system32\svchost.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077b4e4e0 5 bytes JMP 0000000077cb0230 .text C:\Windows\system32\svchost.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000077b4e680 5 bytes JMP 0000000077cb03f0 .text C:\Windows\system32\svchost.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077b4e7a0 5 bytes JMP 0000000077cb01d0 .text C:\Windows\system32\svchost.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077b4e860 5 bytes JMP 0000000077cb0240 .text C:\Windows\system32\svchost.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077b4e890 5 bytes JMP 0000000077cb04b0 .text C:\Windows\system32\svchost.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077b4e8a0 5 bytes JMP 0000000077cb04c0 .text C:\Windows\system32\svchost.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077b4e8d0 5 bytes JMP 0000000077cb02f0 .text C:\Windows\system32\svchost.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077b4e8e0 5 bytes JMP 0000000077cb0350 .text C:\Windows\system32\svchost.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077b4e940 5 bytes JMP 0000000077cb0290 .text C:\Windows\system32\svchost.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077b4e990 5 bytes JMP 0000000077cb02b0 .text C:\Windows\system32\svchost.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077b4e9c0 5 bytes JMP 0000000077cb0370 .text C:\Windows\system32\svchost.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077b4e9d0 5 bytes JMP 0000000077cb0330 .text C:\Windows\system32\svchost.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077b4ecc0 5 bytes JMP 0000000077cb0460 .text C:\Windows\system32\svchost.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000077b4ee20 5 bytes JMP 0000000077cb0420 .text C:\Windows\system32\svchost.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077b4eec0 1 byte JMP 0000000077cb0250 .text C:\Windows\system32\svchost.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 0000000077b4eec2 3 bytes {JMP 0x161390} .text C:\Windows\system32\svchost.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077b4eed0 1 byte JMP 0000000077cb0260 .text C:\Windows\system32\svchost.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 0000000077b4eed2 3 bytes {JMP 0x161390} .text C:\Windows\system32\svchost.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077b4eee0 5 bytes JMP 0000000077cb0400 .text C:\Windows\system32\svchost.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077b4f0a0 5 bytes JMP 0000000077cb01e0 .text C:\Windows\system32\svchost.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077b4f0b0 5 bytes JMP 0000000077cb0200 .text C:\Windows\system32\svchost.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077b4f120 5 bytes JMP 0000000077cb01f0 .text C:\Windows\system32\svchost.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077b4f180 5 bytes JMP 0000000077cb0430 .text C:\Windows\system32\svchost.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077b4f190 5 bytes JMP 0000000077cb0450 .text C:\Windows\system32\svchost.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077b4f1a0 5 bytes JMP 0000000077cb0210 .text C:\Windows\system32\svchost.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077b4f280 5 bytes JMP 0000000077cb0270 .text C:\Windows\system32\taskhost.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077b4da60 5 bytes JMP 0000000077cb0480 .text C:\Windows\system32\taskhost.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077b4dab0 5 bytes JMP 0000000077cb0470 .text C:\Windows\system32\taskhost.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077b4dc10 5 bytes JMP 0000000077cb0360 .text C:\Windows\system32\taskhost.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077b4dc60 5 bytes JMP 0000000077cb0490 .text C:\Windows\system32\taskhost.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077b4dc70 5 bytes JMP 0000000077cb03d0 .text C:\Windows\system32\taskhost.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077b4dd20 5 bytes JMP 0000000077cb0310 .text C:\Windows\system32\taskhost.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077b4dd50 5 bytes JMP 0000000077cb03a0 .text C:\Windows\system32\taskhost.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077b4dd70 5 bytes JMP 0000000077cb0380 .text C:\Windows\system32\taskhost.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077b4ddb0 5 bytes JMP 0000000077cb02d0 .text C:\Windows\system32\taskhost.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077b4de30 1 byte JMP 0000000077cb02c0 .text C:\Windows\system32\taskhost.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 0000000077b4de32 3 bytes {JMP 0x162490} .text C:\Windows\system32\taskhost.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077b4de50 5 bytes JMP 0000000077cb0300 .text C:\Windows\system32\taskhost.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077b4de90 5 bytes JMP 0000000077cb03b0 .text C:\Windows\system32\taskhost.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000077b4ded0 5 bytes JMP 0000000077cb0440 .text C:\Windows\system32\taskhost.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077b4dee0 5 bytes JMP 0000000077cb03e0 .text C:\Windows\system32\taskhost.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077b4e040 5 bytes JMP 0000000077cb0220 .text C:\Windows\system32\taskhost.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077b4e200 5 bytes JMP 0000000077cb04a0 .text C:\Windows\system32\taskhost.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077b4e230 5 bytes JMP 0000000077cb0390 .text C:\Windows\system32\taskhost.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077b4e310 5 bytes JMP 0000000077cb02e0 .text C:\Windows\system32\taskhost.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077b4e320 5 bytes JMP 0000000077cb0340 .text C:\Windows\system32\taskhost.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077b4e380 5 bytes JMP 0000000077cb0280 .text C:\Windows\system32\taskhost.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077b4e410 1 byte JMP 0000000077cb02a0 .text C:\Windows\system32\taskhost.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 0000000077b4e412 3 bytes {JMP 0x161e90} .text C:\Windows\system32\taskhost.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077b4e430 1 byte JMP 0000000077cb03c0 .text C:\Windows\system32\taskhost.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 0000000077b4e432 3 bytes {JMP 0x161f90} .text C:\Windows\system32\taskhost.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077b4e440 5 bytes JMP 0000000077cb0320 .text C:\Windows\system32\taskhost.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077b4e4b0 5 bytes JMP 0000000077cb0410 .text C:\Windows\system32\taskhost.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077b4e4e0 5 bytes JMP 0000000077cb0230 .text C:\Windows\system32\taskhost.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000077b4e680 5 bytes JMP 0000000077cb03f0 .text C:\Windows\system32\taskhost.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077b4e7a0 5 bytes JMP 0000000077cb01d0 .text C:\Windows\system32\taskhost.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077b4e860 5 bytes JMP 0000000077cb0240 .text C:\Windows\system32\taskhost.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077b4e890 5 bytes JMP 0000000077cb04b0 .text C:\Windows\system32\taskhost.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077b4e8a0 5 bytes JMP 0000000077cb04c0 .text C:\Windows\system32\taskhost.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077b4e8d0 5 bytes JMP 0000000077cb02f0 .text C:\Windows\system32\taskhost.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077b4e8e0 5 bytes JMP 0000000077cb0350 .text C:\Windows\system32\taskhost.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077b4e940 5 bytes JMP 0000000077cb0290 .text C:\Windows\system32\taskhost.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077b4e990 5 bytes JMP 0000000077cb02b0 .text C:\Windows\system32\taskhost.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077b4e9c0 5 bytes JMP 0000000077cb0370 .text C:\Windows\system32\taskhost.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077b4e9d0 5 bytes JMP 0000000077cb0330 .text C:\Windows\system32\taskhost.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077b4ecc0 5 bytes JMP 0000000077cb0460 .text C:\Windows\system32\taskhost.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000077b4ee20 5 bytes JMP 0000000077cb0420 .text C:\Windows\system32\taskhost.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077b4eec0 1 byte JMP 0000000077cb0250 .text C:\Windows\system32\taskhost.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 0000000077b4eec2 3 bytes {JMP 0x161390} .text C:\Windows\system32\taskhost.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077b4eed0 1 byte JMP 0000000077cb0260 .text C:\Windows\system32\taskhost.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 0000000077b4eed2 3 bytes {JMP 0x161390} .text C:\Windows\system32\taskhost.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077b4eee0 5 bytes JMP 0000000077cb0400 .text C:\Windows\system32\taskhost.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077b4f0a0 5 bytes JMP 0000000077cb01e0 .text C:\Windows\system32\taskhost.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077b4f0b0 5 bytes JMP 0000000077cb0200 .text C:\Windows\system32\taskhost.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077b4f120 5 bytes JMP 0000000077cb01f0 .text C:\Windows\system32\taskhost.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077b4f180 5 bytes JMP 0000000077cb0430 .text C:\Windows\system32\taskhost.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077b4f190 5 bytes JMP 0000000077cb0450 .text C:\Windows\system32\taskhost.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077b4f1a0 5 bytes JMP 0000000077cb0210 .text C:\Windows\system32\taskhost.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077b4f280 5 bytes JMP 0000000077cb0270 .text C:\Windows\system32\Dwm.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077b4da60 5 bytes JMP 0000000077cb0480 .text C:\Windows\system32\Dwm.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077b4dab0 5 bytes JMP 0000000077cb0470 .text C:\Windows\system32\Dwm.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077b4dc10 5 bytes JMP 0000000077cb0360 .text C:\Windows\system32\Dwm.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077b4dc60 5 bytes JMP 0000000077cb0490 .text C:\Windows\system32\Dwm.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077b4dc70 5 bytes JMP 0000000077cb03d0 .text C:\Windows\system32\Dwm.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077b4dd20 5 bytes JMP 0000000077cb0310 .text C:\Windows\system32\Dwm.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077b4dd50 5 bytes JMP 0000000077cb03a0 .text C:\Windows\system32\Dwm.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077b4dd70 5 bytes JMP 0000000077cb0380 .text C:\Windows\system32\Dwm.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077b4ddb0 5 bytes JMP 0000000077cb02d0 .text C:\Windows\system32\Dwm.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077b4de30 1 byte JMP 0000000077cb02c0 .text C:\Windows\system32\Dwm.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 0000000077b4de32 3 bytes {JMP 0x162490} .text C:\Windows\system32\Dwm.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077b4de50 5 bytes JMP 0000000077cb0300 .text C:\Windows\system32\Dwm.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077b4de90 5 bytes JMP 0000000077cb03b0 .text C:\Windows\system32\Dwm.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000077b4ded0 5 bytes JMP 0000000077cb0440 .text C:\Windows\system32\Dwm.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077b4dee0 5 bytes JMP 0000000077cb03e0 .text C:\Windows\system32\Dwm.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077b4e040 5 bytes JMP 0000000077cb0220 .text C:\Windows\system32\Dwm.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077b4e200 5 bytes JMP 0000000077cb04a0 .text C:\Windows\system32\Dwm.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077b4e230 5 bytes JMP 0000000077cb0390 .text C:\Windows\system32\Dwm.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077b4e310 5 bytes JMP 0000000077cb02e0 .text C:\Windows\system32\Dwm.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077b4e320 5 bytes JMP 0000000077cb0340 .text C:\Windows\system32\Dwm.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077b4e380 5 bytes JMP 0000000077cb0280 .text C:\Windows\system32\Dwm.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077b4e410 1 byte JMP 0000000077cb02a0 .text C:\Windows\system32\Dwm.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 0000000077b4e412 3 bytes {JMP 0x161e90} .text C:\Windows\system32\Dwm.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077b4e430 1 byte JMP 0000000077cb03c0 .text C:\Windows\system32\Dwm.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 0000000077b4e432 3 bytes {JMP 0x161f90} .text C:\Windows\system32\Dwm.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077b4e440 5 bytes JMP 0000000077cb0320 .text C:\Windows\system32\Dwm.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077b4e4b0 5 bytes JMP 0000000077cb0410 .text C:\Windows\system32\Dwm.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077b4e4e0 5 bytes JMP 0000000077cb0230 .text C:\Windows\system32\Dwm.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000077b4e680 5 bytes JMP 0000000077cb03f0 .text C:\Windows\system32\Dwm.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077b4e7a0 5 bytes JMP 0000000077cb01d0 .text C:\Windows\system32\Dwm.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077b4e860 5 bytes JMP 0000000077cb0240 .text C:\Windows\system32\Dwm.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077b4e890 5 bytes JMP 0000000077cb04b0 .text C:\Windows\system32\Dwm.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077b4e8a0 5 bytes JMP 0000000077cb04c0 .text C:\Windows\system32\Dwm.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077b4e8d0 5 bytes JMP 0000000077cb02f0 .text C:\Windows\system32\Dwm.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077b4e8e0 5 bytes JMP 0000000077cb0350 .text C:\Windows\system32\Dwm.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077b4e940 5 bytes JMP 0000000077cb0290 .text C:\Windows\system32\Dwm.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077b4e990 5 bytes JMP 0000000077cb02b0 .text C:\Windows\system32\Dwm.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077b4e9c0 5 bytes JMP 0000000077cb0370 .text C:\Windows\system32\Dwm.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077b4e9d0 5 bytes JMP 0000000077cb0330 .text C:\Windows\system32\Dwm.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077b4ecc0 5 bytes JMP 0000000077cb0460 .text C:\Windows\system32\Dwm.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000077b4ee20 5 bytes JMP 0000000077cb0420 .text C:\Windows\system32\Dwm.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077b4eec0 1 byte JMP 0000000077cb0250 .text C:\Windows\system32\Dwm.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 0000000077b4eec2 3 bytes {JMP 0x161390} .text C:\Windows\system32\Dwm.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077b4eed0 1 byte JMP 0000000077cb0260 .text C:\Windows\system32\Dwm.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 0000000077b4eed2 3 bytes {JMP 0x161390} .text C:\Windows\system32\Dwm.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077b4eee0 5 bytes JMP 0000000077cb0400 .text C:\Windows\system32\Dwm.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077b4f0a0 5 bytes JMP 0000000077cb01e0 .text C:\Windows\system32\Dwm.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077b4f0b0 5 bytes JMP 0000000077cb0200 .text C:\Windows\system32\Dwm.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077b4f120 5 bytes JMP 0000000077cb01f0 .text C:\Windows\system32\Dwm.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077b4f180 5 bytes JMP 0000000077cb0430 .text C:\Windows\system32\Dwm.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077b4f190 5 bytes JMP 0000000077cb0450 .text C:\Windows\system32\Dwm.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077b4f1a0 5 bytes JMP 0000000077cb0210 .text C:\Windows\system32\Dwm.exe[1688] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077b4f280 5 bytes JMP 0000000077cb0270 .text C:\Windows\Explorer.EXE[1720] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077b4da60 5 bytes JMP 0000000077cb0480 .text C:\Windows\Explorer.EXE[1720] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077b4dab0 5 bytes JMP 0000000077cb0470 .text C:\Windows\Explorer.EXE[1720] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077b4dc10 5 bytes JMP 0000000077cb0360 .text C:\Windows\Explorer.EXE[1720] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077b4dc60 5 bytes JMP 0000000077cb0490 .text C:\Windows\Explorer.EXE[1720] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077b4dc70 5 bytes JMP 0000000077cb03d0 .text C:\Windows\Explorer.EXE[1720] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077b4dd20 5 bytes JMP 0000000077cb0310 .text C:\Windows\Explorer.EXE[1720] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077b4dd50 5 bytes JMP 0000000077cb03a0 .text C:\Windows\Explorer.EXE[1720] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077b4dd70 5 bytes JMP 0000000077cb0380 .text C:\Windows\Explorer.EXE[1720] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077b4ddb0 5 bytes JMP 0000000077cb02d0 .text C:\Windows\Explorer.EXE[1720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077b4de30 1 byte JMP 0000000077cb02c0 .text C:\Windows\Explorer.EXE[1720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 0000000077b4de32 3 bytes {JMP 0x162490} .text C:\Windows\Explorer.EXE[1720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077b4de50 5 bytes JMP 0000000077cb0300 .text C:\Windows\Explorer.EXE[1720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077b4de90 5 bytes JMP 0000000077cb03b0 .text C:\Windows\Explorer.EXE[1720] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000077b4ded0 5 bytes JMP 0000000077cb0440 .text C:\Windows\Explorer.EXE[1720] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077b4dee0 5 bytes JMP 0000000077cb03e0 .text C:\Windows\Explorer.EXE[1720] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077b4e040 5 bytes JMP 0000000077cb0220 .text C:\Windows\Explorer.EXE[1720] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077b4e200 5 bytes JMP 0000000077cb04a0 .text C:\Windows\Explorer.EXE[1720] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077b4e230 5 bytes JMP 0000000077cb0390 .text C:\Windows\Explorer.EXE[1720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077b4e310 5 bytes JMP 0000000077cb02e0 .text C:\Windows\Explorer.EXE[1720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077b4e320 5 bytes JMP 0000000077cb0340 .text C:\Windows\Explorer.EXE[1720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077b4e380 5 bytes JMP 0000000077cb0280 .text C:\Windows\Explorer.EXE[1720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077b4e410 1 byte JMP 0000000077cb02a0 .text C:\Windows\Explorer.EXE[1720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 0000000077b4e412 3 bytes {JMP 0x161e90} .text C:\Windows\Explorer.EXE[1720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077b4e430 1 byte JMP 0000000077cb03c0 .text C:\Windows\Explorer.EXE[1720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 0000000077b4e432 3 bytes {JMP 0x161f90} .text C:\Windows\Explorer.EXE[1720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077b4e440 5 bytes JMP 0000000077cb0320 .text C:\Windows\Explorer.EXE[1720] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077b4e4b0 5 bytes JMP 0000000077cb0410 .text C:\Windows\Explorer.EXE[1720] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077b4e4e0 5 bytes JMP 0000000077cb0230 .text C:\Windows\Explorer.EXE[1720] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000077b4e680 5 bytes JMP 0000000077cb03f0 .text C:\Windows\Explorer.EXE[1720] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077b4e7a0 5 bytes JMP 0000000077cb01d0 .text C:\Windows\Explorer.EXE[1720] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077b4e860 5 bytes JMP 0000000077cb0240 .text C:\Windows\Explorer.EXE[1720] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077b4e890 5 bytes JMP 0000000077cb04b0 .text C:\Windows\Explorer.EXE[1720] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077b4e8a0 5 bytes JMP 0000000077cb04c0 .text C:\Windows\Explorer.EXE[1720] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077b4e8d0 5 bytes JMP 0000000077cb02f0 .text C:\Windows\Explorer.EXE[1720] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077b4e8e0 5 bytes JMP 0000000077cb0350 .text C:\Windows\Explorer.EXE[1720] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077b4e940 5 bytes JMP 0000000077cb0290 .text C:\Windows\Explorer.EXE[1720] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077b4e990 5 bytes JMP 0000000077cb02b0 .text C:\Windows\Explorer.EXE[1720] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077b4e9c0 5 bytes JMP 0000000077cb0370 .text C:\Windows\Explorer.EXE[1720] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077b4e9d0 5 bytes JMP 0000000077cb0330 .text C:\Windows\Explorer.EXE[1720] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077b4ecc0 5 bytes JMP 0000000077cb0460 .text C:\Windows\Explorer.EXE[1720] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000077b4ee20 5 bytes JMP 0000000077cb0420 .text C:\Windows\Explorer.EXE[1720] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077b4eec0 1 byte JMP 0000000077cb0250 .text C:\Windows\Explorer.EXE[1720] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 0000000077b4eec2 3 bytes {JMP 0x161390} .text C:\Windows\Explorer.EXE[1720] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077b4eed0 1 byte JMP 0000000077cb0260 .text C:\Windows\Explorer.EXE[1720] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 0000000077b4eed2 3 bytes {JMP 0x161390} .text C:\Windows\Explorer.EXE[1720] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077b4eee0 5 bytes JMP 0000000077cb0400 .text C:\Windows\Explorer.EXE[1720] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077b4f0a0 5 bytes JMP 0000000077cb01e0 .text C:\Windows\Explorer.EXE[1720] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077b4f0b0 5 bytes JMP 0000000077cb0200 .text C:\Windows\Explorer.EXE[1720] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077b4f120 5 bytes JMP 0000000077cb01f0 .text C:\Windows\Explorer.EXE[1720] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077b4f180 5 bytes JMP 0000000077cb0430 .text C:\Windows\Explorer.EXE[1720] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077b4f190 5 bytes JMP 0000000077cb0450 .text C:\Windows\Explorer.EXE[1720] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077b4f1a0 5 bytes JMP 0000000077cb0210 .text C:\Windows\Explorer.EXE[1720] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077b4f280 5 bytes JMP 0000000077cb0270 .text C:\Windows\System32\svchost.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077b4da60 5 bytes JMP 0000000077cb0480 .text C:\Windows\System32\svchost.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077b4dab0 5 bytes JMP 0000000077cb0470 .text C:\Windows\System32\svchost.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077b4dc10 5 bytes JMP 0000000077cb0360 .text C:\Windows\System32\svchost.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077b4dc60 5 bytes JMP 0000000077cb0490 .text C:\Windows\System32\svchost.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077b4dc70 5 bytes JMP 0000000077cb03d0 .text C:\Windows\System32\svchost.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077b4dd20 5 bytes JMP 0000000077cb0310 .text C:\Windows\System32\svchost.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077b4dd50 5 bytes JMP 0000000077cb03a0 .text C:\Windows\System32\svchost.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077b4dd70 5 bytes JMP 0000000077cb0380 .text C:\Windows\System32\svchost.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077b4ddb0 5 bytes JMP 0000000077cb02d0 .text C:\Windows\System32\svchost.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077b4de30 1 byte JMP 0000000077cb02c0 .text C:\Windows\System32\svchost.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 0000000077b4de32 3 bytes {JMP 0x162490} .text C:\Windows\System32\svchost.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077b4de50 5 bytes JMP 0000000077cb0300 .text C:\Windows\System32\svchost.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077b4de90 5 bytes JMP 0000000077cb03b0 .text C:\Windows\System32\svchost.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000077b4ded0 5 bytes JMP 0000000077cb0440 .text C:\Windows\System32\svchost.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077b4dee0 5 bytes JMP 0000000077cb03e0 .text C:\Windows\System32\svchost.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077b4e040 5 bytes JMP 0000000077cb0220 .text C:\Windows\System32\svchost.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077b4e200 5 bytes JMP 0000000077cb04a0 .text C:\Windows\System32\svchost.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077b4e230 5 bytes JMP 0000000077cb0390 .text C:\Windows\System32\svchost.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077b4e310 5 bytes JMP 0000000077cb02e0 .text C:\Windows\System32\svchost.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077b4e320 5 bytes JMP 0000000077cb0340 .text C:\Windows\System32\svchost.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077b4e380 5 bytes JMP 0000000077cb0280 .text C:\Windows\System32\svchost.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077b4e410 1 byte JMP 0000000077cb02a0 .text C:\Windows\System32\svchost.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 0000000077b4e412 3 bytes {JMP 0x161e90} .text C:\Windows\System32\svchost.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077b4e430 1 byte JMP 0000000077cb03c0 .text C:\Windows\System32\svchost.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 0000000077b4e432 3 bytes {JMP 0x161f90} .text C:\Windows\System32\svchost.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077b4e440 5 bytes JMP 0000000077cb0320 .text C:\Windows\System32\svchost.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077b4e4b0 5 bytes JMP 0000000077cb0410 .text C:\Windows\System32\svchost.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077b4e4e0 5 bytes JMP 0000000077cb0230 .text C:\Windows\System32\svchost.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000077b4e680 5 bytes JMP 0000000077cb03f0 .text C:\Windows\System32\svchost.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077b4e7a0 5 bytes JMP 0000000077cb01d0 .text C:\Windows\System32\svchost.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077b4e860 5 bytes JMP 0000000077cb0240 .text C:\Windows\System32\svchost.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077b4e890 5 bytes JMP 0000000077cb04b0 .text C:\Windows\System32\svchost.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077b4e8a0 5 bytes JMP 0000000077cb04c0 .text C:\Windows\System32\svchost.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077b4e8d0 5 bytes JMP 0000000077cb02f0 .text C:\Windows\System32\svchost.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077b4e8e0 5 bytes JMP 0000000077cb0350 .text C:\Windows\System32\svchost.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077b4e940 5 bytes JMP 0000000077cb0290 .text C:\Windows\System32\svchost.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077b4e990 5 bytes JMP 0000000077cb02b0 .text C:\Windows\System32\svchost.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077b4e9c0 5 bytes JMP 0000000077cb0370 .text C:\Windows\System32\svchost.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077b4e9d0 5 bytes JMP 0000000077cb0330 .text C:\Windows\System32\svchost.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077b4ecc0 5 bytes JMP 0000000077cb0460 .text C:\Windows\System32\svchost.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000077b4ee20 5 bytes JMP 0000000077cb0420 .text C:\Windows\System32\svchost.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077b4eec0 1 byte JMP 0000000077cb0250 .text C:\Windows\System32\svchost.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 0000000077b4eec2 3 bytes {JMP 0x161390} .text C:\Windows\System32\svchost.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077b4eed0 1 byte JMP 0000000077cb0260 .text C:\Windows\System32\svchost.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 0000000077b4eed2 3 bytes {JMP 0x161390} .text C:\Windows\System32\svchost.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077b4eee0 5 bytes JMP 0000000077cb0400 .text C:\Windows\System32\svchost.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077b4f0a0 5 bytes JMP 0000000077cb01e0 .text C:\Windows\System32\svchost.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077b4f0b0 5 bytes JMP 0000000077cb0200 .text C:\Windows\System32\svchost.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077b4f120 5 bytes JMP 0000000077cb01f0 .text C:\Windows\System32\svchost.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077b4f180 5 bytes JMP 0000000077cb0430 .text C:\Windows\System32\svchost.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077b4f190 5 bytes JMP 0000000077cb0450 .text C:\Windows\System32\svchost.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077b4f1a0 5 bytes JMP 0000000077cb0210 .text C:\Windows\System32\svchost.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077b4f280 5 bytes JMP 0000000077cb0270 .text C:\Users\User\AppData\Local\FluxSoftware\Flux\flux.exe[2900] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076031401 2 bytes JMP 7588b233 C:\Windows\syswow64\kernel32.dll .text C:\Users\User\AppData\Local\FluxSoftware\Flux\flux.exe[2900] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000076031419 2 bytes JMP 7588b35e C:\Windows\syswow64\kernel32.dll .text C:\Users\User\AppData\Local\FluxSoftware\Flux\flux.exe[2900] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000076031431 2 bytes JMP 75909011 C:\Windows\syswow64\kernel32.dll .text C:\Users\User\AppData\Local\FluxSoftware\Flux\flux.exe[2900] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007603144a 2 bytes CALL 758648ad C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Users\User\AppData\Local\FluxSoftware\Flux\flux.exe[2900] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000760314dd 2 bytes JMP 7590890a C:\Windows\syswow64\kernel32.dll .text C:\Users\User\AppData\Local\FluxSoftware\Flux\flux.exe[2900] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000760314f5 2 bytes JMP 75908ae0 C:\Windows\syswow64\kernel32.dll .text C:\Users\User\AppData\Local\FluxSoftware\Flux\flux.exe[2900] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007603150d 2 bytes JMP 75908800 C:\Windows\syswow64\kernel32.dll .text C:\Users\User\AppData\Local\FluxSoftware\Flux\flux.exe[2900] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000076031525 2 bytes JMP 75908bca C:\Windows\syswow64\kernel32.dll .text C:\Users\User\AppData\Local\FluxSoftware\Flux\flux.exe[2900] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007603153d 2 bytes JMP 7587fcc0 C:\Windows\syswow64\kernel32.dll .text C:\Users\User\AppData\Local\FluxSoftware\Flux\flux.exe[2900] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000076031555 2 bytes JMP 75886907 C:\Windows\syswow64\kernel32.dll .text C:\Users\User\AppData\Local\FluxSoftware\Flux\flux.exe[2900] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007603156d 2 bytes JMP 759090c9 C:\Windows\syswow64\kernel32.dll .text C:\Users\User\AppData\Local\FluxSoftware\Flux\flux.exe[2900] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000076031585 2 bytes JMP 75908c2a C:\Windows\syswow64\kernel32.dll .text C:\Users\User\AppData\Local\FluxSoftware\Flux\flux.exe[2900] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007603159d 2 bytes JMP 759087c4 C:\Windows\syswow64\kernel32.dll .text C:\Users\User\AppData\Local\FluxSoftware\Flux\flux.exe[2900] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000760315b5 2 bytes JMP 7587fd59 C:\Windows\syswow64\kernel32.dll .text C:\Users\User\AppData\Local\FluxSoftware\Flux\flux.exe[2900] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000760315cd 2 bytes JMP 7588b2f4 C:\Windows\syswow64\kernel32.dll .text C:\Users\User\AppData\Local\FluxSoftware\Flux\flux.exe[2900] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000760316b2 2 bytes JMP 75908f8c C:\Windows\syswow64\kernel32.dll .text C:\Users\User\AppData\Local\FluxSoftware\Flux\flux.exe[2900] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000760316bd 2 bytes JMP 75908759 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\AVAST Software\Avast\avastui.exe[2460] C:\Windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter 0000000075868791 8 bytes [31, C0, C2, 04, 00, 90, 90, ...] .text C:\Program Files\AVAST Software\Avast\avastui.exe[2460] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076031401 2 bytes JMP 7588b233 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\AVAST Software\Avast\avastui.exe[2460] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000076031419 2 bytes JMP 7588b35e C:\Windows\syswow64\kernel32.dll .text C:\Program Files\AVAST Software\Avast\avastui.exe[2460] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000076031431 2 bytes JMP 75909011 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\AVAST Software\Avast\avastui.exe[2460] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007603144a 2 bytes CALL 758648ad C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files\AVAST Software\Avast\avastui.exe[2460] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000760314dd 2 bytes JMP 7590890a C:\Windows\syswow64\kernel32.dll .text C:\Program Files\AVAST Software\Avast\avastui.exe[2460] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000760314f5 2 bytes JMP 75908ae0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\AVAST Software\Avast\avastui.exe[2460] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007603150d 2 bytes JMP 75908800 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\AVAST Software\Avast\avastui.exe[2460] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000076031525 2 bytes JMP 75908bca C:\Windows\syswow64\kernel32.dll .text C:\Program Files\AVAST Software\Avast\avastui.exe[2460] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007603153d 2 bytes JMP 7587fcc0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\AVAST Software\Avast\avastui.exe[2460] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000076031555 2 bytes JMP 75886907 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\AVAST Software\Avast\avastui.exe[2460] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007603156d 2 bytes JMP 759090c9 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\AVAST Software\Avast\avastui.exe[2460] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000076031585 2 bytes JMP 75908c2a C:\Windows\syswow64\kernel32.dll .text C:\Program Files\AVAST Software\Avast\avastui.exe[2460] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007603159d 2 bytes JMP 759087c4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\AVAST Software\Avast\avastui.exe[2460] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000760315b5 2 bytes JMP 7587fd59 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\AVAST Software\Avast\avastui.exe[2460] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000760315cd 2 bytes JMP 7588b2f4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\AVAST Software\Avast\avastui.exe[2460] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000760316b2 2 bytes JMP 75908f8c C:\Windows\syswow64\kernel32.dll .text C:\Program Files\AVAST Software\Avast\avastui.exe[2460] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000760316bd 2 bytes JMP 75908759 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[2784] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076031401 2 bytes JMP 7588b233 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[2784] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000076031419 2 bytes JMP 7588b35e C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[2784] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000076031431 2 bytes JMP 75909011 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[2784] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007603144a 2 bytes CALL 758648ad C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[2784] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000760314dd 2 bytes JMP 7590890a C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[2784] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000760314f5 2 bytes JMP 75908ae0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[2784] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007603150d 2 bytes JMP 75908800 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[2784] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000076031525 2 bytes JMP 75908bca C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[2784] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007603153d 2 bytes JMP 7587fcc0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[2784] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000076031555 2 bytes JMP 75886907 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[2784] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007603156d 2 bytes JMP 759090c9 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[2784] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000076031585 2 bytes JMP 75908c2a C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[2784] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007603159d 2 bytes JMP 759087c4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[2784] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000760315b5 2 bytes JMP 7587fd59 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[2784] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000760315cd 2 bytes JMP 7588b2f4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[2784] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000760316b2 2 bytes JMP 75908f8c C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[2784] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000760316bd 2 bytes JMP 75908759 C:\Windows\syswow64\kernel32.dll .text C:\Windows\system32\wbem\wmiprvse.exe[1768] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077b4da60 5 bytes JMP 0000000000070480 .text C:\Windows\system32\wbem\wmiprvse.exe[1768] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077b4dab0 5 bytes JMP 0000000000070470 .text C:\Windows\system32\wbem\wmiprvse.exe[1768] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077b4dc10 5 bytes JMP 0000000000070360 .text C:\Windows\system32\wbem\wmiprvse.exe[1768] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077b4dc60 5 bytes JMP 0000000000070490 .text C:\Windows\system32\wbem\wmiprvse.exe[1768] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077b4dc70 5 bytes JMP 00000000000703d0 .text C:\Windows\system32\wbem\wmiprvse.exe[1768] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077b4dd20 5 bytes JMP 0000000000070310 .text C:\Windows\system32\wbem\wmiprvse.exe[1768] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077b4dd50 5 bytes JMP 00000000000703a0 .text C:\Windows\system32\wbem\wmiprvse.exe[1768] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077b4dd70 5 bytes JMP 0000000000070380 .text C:\Windows\system32\wbem\wmiprvse.exe[1768] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077b4ddb0 5 bytes JMP 00000000000702d0 .text C:\Windows\system32\wbem\wmiprvse.exe[1768] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077b4de30 1 byte JMP 00000000000702c0 .text C:\Windows\system32\wbem\wmiprvse.exe[1768] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 0000000077b4de32 3 bytes {JMP 0xffffffff88522490} .text C:\Windows\system32\wbem\wmiprvse.exe[1768] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077b4de50 5 bytes JMP 0000000000070300 .text C:\Windows\system32\wbem\wmiprvse.exe[1768] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077b4de90 5 bytes JMP 00000000000703b0 .text C:\Windows\system32\wbem\wmiprvse.exe[1768] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000077b4ded0 5 bytes JMP 0000000000070440 .text C:\Windows\system32\wbem\wmiprvse.exe[1768] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077b4dee0 5 bytes JMP 00000000000703e0 .text C:\Windows\system32\wbem\wmiprvse.exe[1768] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077b4e040 5 bytes JMP 0000000000070220 .text C:\Windows\system32\wbem\wmiprvse.exe[1768] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077b4e200 5 bytes JMP 00000000000704a0 .text C:\Windows\system32\wbem\wmiprvse.exe[1768] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077b4e230 5 bytes JMP 0000000000070390 .text C:\Windows\system32\wbem\wmiprvse.exe[1768] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077b4e310 5 bytes JMP 00000000000702e0 .text C:\Windows\system32\wbem\wmiprvse.exe[1768] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077b4e320 5 bytes JMP 0000000000070340 .text C:\Windows\system32\wbem\wmiprvse.exe[1768] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077b4e380 5 bytes JMP 0000000000070280 .text C:\Windows\system32\wbem\wmiprvse.exe[1768] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077b4e410 1 byte JMP 00000000000702a0 .text C:\Windows\system32\wbem\wmiprvse.exe[1768] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 0000000077b4e412 3 bytes {JMP 0xffffffff88521e90} .text C:\Windows\system32\wbem\wmiprvse.exe[1768] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077b4e430 1 byte JMP 00000000000703c0 .text C:\Windows\system32\wbem\wmiprvse.exe[1768] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 0000000077b4e432 3 bytes {JMP 0xffffffff88521f90} .text C:\Windows\system32\wbem\wmiprvse.exe[1768] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077b4e440 5 bytes JMP 0000000000070320 .text C:\Windows\system32\wbem\wmiprvse.exe[1768] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077b4e4b0 5 bytes JMP 0000000000070410 .text C:\Windows\system32\wbem\wmiprvse.exe[1768] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077b4e4e0 5 bytes JMP 0000000000070230 .text C:\Windows\system32\wbem\wmiprvse.exe[1768] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000077b4e680 5 bytes JMP 00000000000703f0 .text C:\Windows\system32\wbem\wmiprvse.exe[1768] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077b4e7a0 5 bytes JMP 00000000000701d0 .text C:\Windows\system32\wbem\wmiprvse.exe[1768] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077b4e860 5 bytes JMP 0000000000070240 .text C:\Windows\system32\wbem\wmiprvse.exe[1768] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077b4e890 5 bytes JMP 00000000000704b0 .text C:\Windows\system32\wbem\wmiprvse.exe[1768] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077b4e8a0 5 bytes JMP 00000000000704c0 .text C:\Windows\system32\wbem\wmiprvse.exe[1768] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077b4e8d0 5 bytes JMP 00000000000702f0 .text C:\Windows\system32\wbem\wmiprvse.exe[1768] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077b4e8e0 5 bytes JMP 0000000000070350 .text C:\Windows\system32\wbem\wmiprvse.exe[1768] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077b4e940 5 bytes JMP 0000000000070290 .text C:\Windows\system32\wbem\wmiprvse.exe[1768] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077b4e990 5 bytes JMP 00000000000702b0 .text C:\Windows\system32\wbem\wmiprvse.exe[1768] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077b4e9c0 5 bytes JMP 0000000000070370 .text C:\Windows\system32\wbem\wmiprvse.exe[1768] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077b4e9d0 5 bytes JMP 0000000000070330 .text C:\Windows\system32\wbem\wmiprvse.exe[1768] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077b4ecc0 5 bytes JMP 0000000000070460 .text C:\Windows\system32\wbem\wmiprvse.exe[1768] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000077b4ee20 5 bytes JMP 0000000000070420 .text C:\Windows\system32\wbem\wmiprvse.exe[1768] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077b4eec0 1 byte JMP 0000000000070250 .text C:\Windows\system32\wbem\wmiprvse.exe[1768] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 0000000077b4eec2 3 bytes {JMP 0xffffffff88521390} .text C:\Windows\system32\wbem\wmiprvse.exe[1768] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077b4eed0 1 byte JMP 0000000000070260 .text C:\Windows\system32\wbem\wmiprvse.exe[1768] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 0000000077b4eed2 3 bytes {JMP 0xffffffff88521390} .text C:\Windows\system32\wbem\wmiprvse.exe[1768] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077b4eee0 5 bytes JMP 0000000000070400 .text C:\Windows\system32\wbem\wmiprvse.exe[1768] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077b4f0a0 5 bytes JMP 00000000000701e0 .text C:\Windows\system32\wbem\wmiprvse.exe[1768] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077b4f0b0 5 bytes JMP 0000000000070200 .text C:\Windows\system32\wbem\wmiprvse.exe[1768] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077b4f120 5 bytes JMP 00000000000701f0 .text C:\Windows\system32\wbem\wmiprvse.exe[1768] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077b4f180 5 bytes JMP 0000000000070430 .text C:\Windows\system32\wbem\wmiprvse.exe[1768] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077b4f190 5 bytes JMP 0000000000070450 .text C:\Windows\system32\wbem\wmiprvse.exe[1768] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077b4f1a0 5 bytes JMP 0000000000070210 .text C:\Windows\system32\wbem\wmiprvse.exe[1768] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077b4f280 5 bytes JMP 0000000000070270 .text C:\Windows\system32\taskeng.exe[3060] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077b4da60 5 bytes JMP 0000000000070480 .text C:\Windows\system32\taskeng.exe[3060] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077b4dab0 5 bytes JMP 0000000000070470 .text C:\Windows\system32\taskeng.exe[3060] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077b4dc10 5 bytes JMP 0000000000070360 .text C:\Windows\system32\taskeng.exe[3060] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077b4dc60 5 bytes JMP 0000000000070490 .text C:\Windows\system32\taskeng.exe[3060] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077b4dc70 5 bytes JMP 00000000000703d0 .text C:\Windows\system32\taskeng.exe[3060] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077b4dd20 5 bytes JMP 0000000000070310 .text C:\Windows\system32\taskeng.exe[3060] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077b4dd50 5 bytes JMP 00000000000703a0 .text C:\Windows\system32\taskeng.exe[3060] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077b4dd70 5 bytes JMP 0000000000070380 .text C:\Windows\system32\taskeng.exe[3060] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077b4ddb0 5 bytes JMP 00000000000702d0 .text C:\Windows\system32\taskeng.exe[3060] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077b4de30 1 byte JMP 00000000000702c0 .text C:\Windows\system32\taskeng.exe[3060] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 0000000077b4de32 3 bytes {JMP 0xffffffff88522490} .text C:\Windows\system32\taskeng.exe[3060] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077b4de50 5 bytes JMP 0000000000070300 .text C:\Windows\system32\taskeng.exe[3060] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077b4de90 5 bytes JMP 00000000000703b0 .text C:\Windows\system32\taskeng.exe[3060] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000077b4ded0 5 bytes JMP 0000000000070440 .text C:\Windows\system32\taskeng.exe[3060] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077b4dee0 5 bytes JMP 00000000000703e0 .text C:\Windows\system32\taskeng.exe[3060] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077b4e040 5 bytes JMP 0000000000070220 .text C:\Windows\system32\taskeng.exe[3060] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077b4e200 5 bytes JMP 00000000000704a0 .text C:\Windows\system32\taskeng.exe[3060] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077b4e230 5 bytes JMP 0000000000070390 .text C:\Windows\system32\taskeng.exe[3060] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077b4e310 5 bytes JMP 00000000000702e0 .text C:\Windows\system32\taskeng.exe[3060] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077b4e320 5 bytes JMP 0000000000070340 .text C:\Windows\system32\taskeng.exe[3060] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077b4e380 5 bytes JMP 0000000000070280 .text C:\Windows\system32\taskeng.exe[3060] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077b4e410 1 byte JMP 00000000000702a0 .text C:\Windows\system32\taskeng.exe[3060] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 0000000077b4e412 3 bytes {JMP 0xffffffff88521e90} .text C:\Windows\system32\taskeng.exe[3060] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077b4e430 1 byte JMP 00000000000703c0 .text C:\Windows\system32\taskeng.exe[3060] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 0000000077b4e432 3 bytes {JMP 0xffffffff88521f90} .text C:\Windows\system32\taskeng.exe[3060] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077b4e440 5 bytes JMP 0000000000070320 .text C:\Windows\system32\taskeng.exe[3060] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077b4e4b0 5 bytes JMP 0000000000070410 .text C:\Windows\system32\taskeng.exe[3060] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077b4e4e0 5 bytes JMP 0000000000070230 .text C:\Windows\system32\taskeng.exe[3060] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000077b4e680 5 bytes JMP 00000000000703f0 .text C:\Windows\system32\taskeng.exe[3060] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077b4e7a0 5 bytes JMP 00000000000701d0 .text C:\Windows\system32\taskeng.exe[3060] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077b4e860 5 bytes JMP 0000000000070240 .text C:\Windows\system32\taskeng.exe[3060] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077b4e890 5 bytes JMP 00000000000704b0 .text C:\Windows\system32\taskeng.exe[3060] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077b4e8a0 5 bytes JMP 00000000000704c0 .text C:\Windows\system32\taskeng.exe[3060] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077b4e8d0 5 bytes JMP 00000000000702f0 .text C:\Windows\system32\taskeng.exe[3060] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077b4e8e0 5 bytes JMP 0000000000070350 .text C:\Windows\system32\taskeng.exe[3060] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077b4e940 5 bytes JMP 0000000000070290 .text C:\Windows\system32\taskeng.exe[3060] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077b4e990 5 bytes JMP 00000000000702b0 .text C:\Windows\system32\taskeng.exe[3060] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077b4e9c0 5 bytes JMP 0000000000070370 .text C:\Windows\system32\taskeng.exe[3060] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077b4e9d0 5 bytes JMP 0000000000070330 .text C:\Windows\system32\taskeng.exe[3060] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077b4ecc0 5 bytes JMP 0000000000070460 .text C:\Windows\system32\taskeng.exe[3060] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000077b4ee20 5 bytes JMP 0000000000070420 .text C:\Windows\system32\taskeng.exe[3060] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077b4eec0 1 byte JMP 0000000000070250 .text C:\Windows\system32\taskeng.exe[3060] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 0000000077b4eec2 3 bytes {JMP 0xffffffff88521390} .text C:\Windows\system32\taskeng.exe[3060] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077b4eed0 1 byte JMP 0000000000070260 .text C:\Windows\system32\taskeng.exe[3060] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 0000000077b4eed2 3 bytes {JMP 0xffffffff88521390} .text C:\Windows\system32\taskeng.exe[3060] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077b4eee0 5 bytes JMP 0000000000070400 .text C:\Windows\system32\taskeng.exe[3060] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077b4f0a0 5 bytes JMP 00000000000701e0 .text C:\Windows\system32\taskeng.exe[3060] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077b4f0b0 5 bytes JMP 0000000000070200 .text C:\Windows\system32\taskeng.exe[3060] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077b4f120 5 bytes JMP 00000000000701f0 .text C:\Windows\system32\taskeng.exe[3060] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077b4f180 5 bytes JMP 0000000000070430 .text C:\Windows\system32\taskeng.exe[3060] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077b4f190 5 bytes JMP 0000000000070450 .text C:\Windows\system32\taskeng.exe[3060] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077b4f1a0 5 bytes JMP 0000000000070210 .text C:\Windows\system32\taskeng.exe[3060] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077b4f280 5 bytes JMP 0000000000070270 ---- Registry - GMER 2.2 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters\Instup_14682656504692272@SetupOperations ??????????????????????????????????V?????????????????? ?????????????????????,???????????????????????.?.??????????????????????$???4????? ??????? ??????????????????????????????????????????????????????? ??????????? ??????????? ??????????????? ???>?g??G??HJ???F???????????????g???g???g???????????????????????g???g???????????????????F???????F?????????????????? ??????????????????? ????g?????? ?????????????????? ?????????????????????0????????????&???????????????????????? ?????????????????????0??L????????? ???????????????#????????????T??????????????????? ?????????????????????0????????????&???????????????????????6.1.7600.16385???????????????????????????@??????????????????????$???4????? ??????? ??????????????????????????????????????????????????????? ??????????? ??????????? ??????????????? ????M???H??HJ???0???????????????????????????????????????????????????????????????????????0?????????????????????????? ????O???O?????????? ??????????? ????????????O????????$???4????? ??????? ???????????????????????????????????????????????? Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters\Instup_14682657380482272@SetupOperations ?????.??@machine.inf,%PCISlot%;Gniazdo PCI %1!u!????????oi???????????????????????????????????m???????????????????????????U???????t??? ???????????????????????????????$???????h???????????????????U??USBSTOR_BULK?T???????????t?? A???????????????????????????w???!???????w?????????????????w?w??oem73.inf???????????LocalSystem????????????????4???????????????????? ????~??? ???????U?????e?.??{8ECC055D-047F-11D1-A537-0000F8753ED1}???1??? ???????}??????????? ???????p?????n??????????(????????? ???????10??????????????????????????????? ???????????????????z?0????????????????????? ?????????????????????0????????????????????? ???????????????????z?0????????????????????????????? ?????????????????????0????????????????????? ???????????????????z?0????????????????????????????@usbstor.inf,%generic.mfg%;Zgodne urz?dzenie magazynuj?ce USB???? ?????????????????????0????????????????????? ???????????????????z?0????????B???????????????????? ?????????????????????0????????????????????????????????????????????????????????????????????? ????????? Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters\Instup_14682656504692272@SetupOperations ?????\???????????????????????????????I???????????????????????????????????????????????????????d???????s???????????m??????????k???00000512????? ?????????????????????*????????????&???????????????????????? ?????????????????????*????????????&????????????????????n??@usbstor.inf,%generic.mfg%;Zgodne urz?dzenie magazynuj?ce USB???{36fc9e60-c465-11cf-8056-444553540000}\0038?????\??\USB#VID_0E8F&PID_0022#5&21616667&0&3#{a5dcbf10-6530-11d2-901f-00c04fb951ed}&?'??usb.inf:Generic.Section.NTamd64:Composite.Dev:6.1.7601.18328:usb\composite? AC??{745a17a0-74d3-11d0-b6fe-00a0c90f57da}\0037??i??input.inf:Standard.NTamd64:HID_Inst:6.1.7601.18199::generic_hid_device:usb\class_03&subclass_01:usb\class_03????@usbstor.inf,%generic.mfg%;Zgodne urz?dzenie magazynuj?ce USB???\??\USB#VID_258A&PID_0001#5&21616667&0&3#{a5dcbf10-6530-11d2-901f-00c04fb951ed}|Ap???????????????????????????i???&???????c???????????????????x??????????????????????????@%systemroot%\system32\drivers\mup.sys,-101???0?WtfEngineDrv Service?s??enum??????????????????? Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters\Instup_14682657380482272@SetupOperations ????????.NT?le??@%systemroot%\system32\drivers\afd.sys,-1000?????????????????????????