GMER 2.2.19882 - http://www.gmer.net Rootkit scan 2016-12-19 14:50:51 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 WDC_WD5000BPKX-22HPJT0 rev.01.01A01 465,76GB Running: hdtd8roo.exe; Driver: C:\Users\Kasia\AppData\Local\Temp\pxldapow.sys ---- User code sections - GMER 2.2 ---- .text C:\Windows\system32\csrss.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000779e13c0 5 bytes JMP 0000000049be0480 .text C:\Windows\system32\csrss.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000779e1410 5 bytes JMP 0000000049be0470 .text C:\Windows\system32\csrss.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000779e1570 5 bytes JMP 0000000049be0360 .text C:\Windows\system32\csrss.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000779e15c0 5 bytes JMP 0000000049be0490 .text C:\Windows\system32\csrss.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779e15d0 5 bytes JMP 0000000049be03d0 .text C:\Windows\system32\csrss.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000779e1680 1 byte JMP 0000000049be0310 .text C:\Windows\system32\csrss.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 2 00000000779e1682 3 bytes {JMP 0xffffffffd21fec90} .text C:\Windows\system32\csrss.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000779e16b0 5 bytes JMP 0000000049be03a0 .text C:\Windows\system32\csrss.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000779e16d0 5 bytes JMP 0000000049be0380 .text C:\Windows\system32\csrss.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000779e1710 5 bytes JMP 0000000049be02d0 .text C:\Windows\system32\csrss.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000779e1790 5 bytes JMP 0000000049be02c0 .text C:\Windows\system32\csrss.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779e17b0 5 bytes JMP 0000000049be0300 .text C:\Windows\system32\csrss.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779e17f0 5 bytes JMP 0000000049be03b0 .text C:\Windows\system32\csrss.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000779e1830 5 bytes JMP 0000000049be0440 .text C:\Windows\system32\csrss.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000779e1840 5 bytes JMP 0000000049be03e0 .text C:\Windows\system32\csrss.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000779e19a0 5 bytes JMP 0000000049be0220 .text C:\Windows\system32\csrss.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000779e1b60 5 bytes JMP 0000000049be04a0 .text C:\Windows\system32\csrss.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000779e1b90 5 bytes JMP 0000000049be0390 .text C:\Windows\system32\csrss.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000779e1c70 5 bytes JMP 0000000049be02e0 .text C:\Windows\system32\csrss.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000779e1c80 5 bytes JMP 0000000049be0340 .text C:\Windows\system32\csrss.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000779e1ce0 5 bytes JMP 0000000049be0280 .text C:\Windows\system32\csrss.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000779e1d70 5 bytes JMP 0000000049be02a0 .text C:\Windows\system32\csrss.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000779e1d90 5 bytes JMP 0000000049be03c0 .text C:\Windows\system32\csrss.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000779e1da0 5 bytes JMP 0000000049be0320 .text C:\Windows\system32\csrss.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000779e1e10 5 bytes JMP 0000000049be0410 .text C:\Windows\system32\csrss.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000779e1e40 5 bytes JMP 0000000049be0230 .text C:\Windows\system32\csrss.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 00000000779e1fe0 5 bytes JMP 0000000049be03f0 .text C:\Windows\system32\csrss.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000779e2100 5 bytes JMP 0000000049be01d0 .text C:\Windows\system32\csrss.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000779e21c0 5 bytes JMP 0000000049be0240 .text C:\Windows\system32\csrss.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000779e21f0 5 bytes JMP 0000000049be04b0 .text C:\Windows\system32\csrss.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000779e2200 5 bytes JMP 0000000049be04c0 .text C:\Windows\system32\csrss.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000779e2230 5 bytes JMP 0000000049be02f0 .text C:\Windows\system32\csrss.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000779e2240 5 bytes JMP 0000000049be0350 .text C:\Windows\system32\csrss.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000779e22a0 5 bytes JMP 0000000049be0290 .text C:\Windows\system32\csrss.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000779e22f0 5 bytes JMP 0000000049be02b0 .text C:\Windows\system32\csrss.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000779e2320 5 bytes JMP 0000000049be0370 .text C:\Windows\system32\csrss.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000779e2330 5 bytes JMP 0000000049be0330 .text C:\Windows\system32\csrss.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000779e2620 5 bytes JMP 0000000049be0460 .text C:\Windows\system32\csrss.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 00000000779e2780 5 bytes JMP 0000000049be0420 .text C:\Windows\system32\csrss.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000779e2820 5 bytes JMP 0000000049be0250 .text C:\Windows\system32\csrss.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000779e2830 5 bytes JMP 0000000049be0260 .text C:\Windows\system32\csrss.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000779e2840 5 bytes JMP 0000000049be0400 .text C:\Windows\system32\csrss.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000779e2a00 5 bytes JMP 0000000049be01e0 .text C:\Windows\system32\csrss.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000779e2a10 5 bytes JMP 0000000049be0200 .text C:\Windows\system32\csrss.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000779e2a80 5 bytes JMP 0000000049be01f0 .text C:\Windows\system32\csrss.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000779e2ae0 5 bytes JMP 0000000049be0430 .text C:\Windows\system32\csrss.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000779e2af0 5 bytes JMP 0000000049be0450 .text C:\Windows\system32\csrss.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000779e2b00 5 bytes JMP 0000000049be0210 .text C:\Windows\system32\csrss.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000779e2be0 1 byte JMP 0000000049be0270 .text C:\Windows\system32\csrss.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 2 00000000779e2be2 3 bytes {JMP 0xffffffffd21fd690} .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000779e13c0 5 bytes JMP 0000000049be0480 .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000779e1410 5 bytes JMP 0000000049be0470 .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000779e1570 5 bytes JMP 0000000049be0360 .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000779e15c0 5 bytes JMP 0000000049be0490 .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779e15d0 5 bytes JMP 0000000049be03d0 .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000779e1680 1 byte JMP 0000000049be0310 .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 2 00000000779e1682 3 bytes {JMP 0xffffffffd21fec90} .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000779e16b0 5 bytes JMP 0000000049be03a0 .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000779e16d0 5 bytes JMP 0000000049be0380 .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000779e1710 5 bytes JMP 0000000049be02d0 .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000779e1790 5 bytes JMP 0000000049be02c0 .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779e17b0 5 bytes JMP 0000000049be0300 .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779e17f0 5 bytes JMP 0000000049be03b0 .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000779e1830 5 bytes JMP 0000000049be0440 .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000779e1840 5 bytes JMP 0000000049be03e0 .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000779e19a0 5 bytes JMP 0000000049be0220 .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000779e1b60 5 bytes JMP 0000000049be04a0 .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000779e1b90 5 bytes JMP 0000000049be0390 .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000779e1c70 5 bytes JMP 0000000049be02e0 .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000779e1c80 5 bytes JMP 0000000049be0340 .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000779e1ce0 5 bytes JMP 0000000049be0280 .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000779e1d70 5 bytes JMP 0000000049be02a0 .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000779e1d90 5 bytes JMP 0000000049be03c0 .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000779e1da0 5 bytes JMP 0000000049be0320 .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000779e1e10 5 bytes JMP 0000000049be0410 .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000779e1e40 5 bytes JMP 0000000049be0230 .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 00000000779e1fe0 5 bytes JMP 0000000049be03f0 .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000779e2100 5 bytes JMP 0000000049be01d0 .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000779e21c0 5 bytes JMP 0000000049be0240 .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000779e21f0 5 bytes JMP 0000000049be04b0 .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000779e2200 5 bytes JMP 0000000049be04c0 .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000779e2230 5 bytes JMP 0000000049be02f0 .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000779e2240 5 bytes JMP 0000000049be0350 .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000779e22a0 5 bytes JMP 0000000049be0290 .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000779e22f0 5 bytes JMP 0000000049be02b0 .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000779e2320 5 bytes JMP 0000000049be0370 .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000779e2330 5 bytes JMP 0000000049be0330 .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000779e2620 5 bytes JMP 0000000049be0460 .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 00000000779e2780 5 bytes JMP 0000000049be0420 .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000779e2820 5 bytes JMP 0000000049be0250 .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000779e2830 5 bytes JMP 0000000049be0260 .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000779e2840 5 bytes JMP 0000000049be0400 .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000779e2a00 5 bytes JMP 0000000049be01e0 .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000779e2a10 5 bytes JMP 0000000049be0200 .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000779e2a80 5 bytes JMP 0000000049be01f0 .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000779e2ae0 5 bytes JMP 0000000049be0430 .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000779e2af0 5 bytes JMP 0000000049be0450 .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000779e2b00 5 bytes JMP 0000000049be0210 .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000779e2be0 1 byte JMP 0000000049be0270 .text C:\Windows\system32\csrss.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 2 00000000779e2be2 3 bytes {JMP 0xffffffffd21fd690} .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000779e13c0 5 bytes JMP 0000000077b40480 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000779e1410 5 bytes JMP 0000000077b40470 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000779e1570 5 bytes JMP 0000000077b40360 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000779e15c0 5 bytes JMP 0000000077b40490 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779e15d0 5 bytes JMP 0000000077b403d0 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000779e1680 1 byte JMP 0000000077b40310 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 2 00000000779e1682 3 bytes {JMP 0x15ec90} .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000779e16b0 5 bytes JMP 0000000077b403a0 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000779e16d0 5 bytes JMP 0000000077b40380 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000779e1710 5 bytes JMP 0000000077b402d0 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000779e1790 5 bytes JMP 0000000077b402c0 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779e17b0 5 bytes JMP 0000000077b40300 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779e17f0 5 bytes JMP 0000000077b403b0 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000779e1830 5 bytes JMP 0000000077b40440 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000779e1840 5 bytes JMP 0000000077b403e0 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000779e19a0 5 bytes JMP 0000000077b40220 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000779e1b60 5 bytes JMP 0000000077b404a0 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000779e1b90 5 bytes JMP 0000000077b40390 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000779e1c70 5 bytes JMP 0000000077b402e0 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000779e1c80 5 bytes JMP 0000000077b40340 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000779e1ce0 5 bytes JMP 0000000077b40280 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000779e1d70 5 bytes JMP 0000000077b402a0 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000779e1d90 5 bytes JMP 0000000077b403c0 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000779e1da0 5 bytes JMP 0000000077b40320 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000779e1e10 5 bytes JMP 0000000077b40410 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000779e1e40 5 bytes JMP 0000000077b40230 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 00000000779e1fe0 5 bytes JMP 0000000077b403f0 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000779e2100 5 bytes JMP 0000000077b401d0 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000779e21c0 5 bytes JMP 0000000077b40240 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000779e21f0 5 bytes JMP 0000000077b404b0 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000779e2200 5 bytes JMP 0000000077b404c0 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000779e2230 5 bytes JMP 0000000077b402f0 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000779e2240 5 bytes JMP 0000000077b40350 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000779e22a0 5 bytes JMP 0000000077b40290 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000779e22f0 5 bytes JMP 0000000077b402b0 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000779e2320 5 bytes JMP 0000000077b40370 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000779e2330 5 bytes JMP 0000000077b40330 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000779e2620 5 bytes JMP 0000000077b40460 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 00000000779e2780 5 bytes JMP 0000000077b40420 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000779e2820 5 bytes JMP 0000000077b40250 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000779e2830 5 bytes JMP 0000000077b40260 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000779e2840 5 bytes JMP 0000000077b40400 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000779e2a00 5 bytes JMP 0000000077b401e0 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000779e2a10 5 bytes JMP 0000000077b40200 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000779e2a80 5 bytes JMP 0000000077b401f0 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000779e2ae0 5 bytes JMP 0000000077b40430 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000779e2af0 5 bytes JMP 0000000077b40450 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000779e2b00 5 bytes JMP 0000000077b40210 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000779e2be0 1 byte JMP 0000000077b40270 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 2 00000000779e2be2 3 bytes {JMP 0x15d690} .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000779e13c0 5 bytes JMP 0000000000070480 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000779e1410 5 bytes JMP 0000000000070470 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000779e1570 5 bytes JMP 0000000000070360 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000779e15c0 5 bytes JMP 0000000000070490 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779e15d0 5 bytes JMP 00000000000703d0 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000779e1680 1 byte JMP 0000000000070310 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 2 00000000779e1682 3 bytes {JMP 0xffffffff8868ec90} .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000779e16b0 5 bytes JMP 00000000000703a0 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000779e16d0 5 bytes JMP 0000000000070380 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000779e1710 5 bytes JMP 00000000000702d0 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000779e1790 5 bytes JMP 00000000000702c0 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779e17b0 5 bytes JMP 0000000000070300 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779e17f0 5 bytes JMP 00000000000703b0 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000779e1830 5 bytes JMP 0000000000070440 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000779e1840 5 bytes JMP 00000000000703e0 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000779e19a0 5 bytes JMP 0000000000070220 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000779e1b60 5 bytes JMP 00000000000704a0 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000779e1b90 5 bytes JMP 0000000000070390 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000779e1c70 5 bytes JMP 00000000000702e0 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000779e1c80 5 bytes JMP 0000000000070340 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000779e1ce0 5 bytes JMP 0000000000070280 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000779e1d70 5 bytes JMP 00000000000702a0 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000779e1d90 5 bytes JMP 00000000000703c0 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000779e1da0 5 bytes JMP 0000000000070320 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000779e1e10 5 bytes JMP 0000000000070410 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000779e1e40 5 bytes JMP 0000000000070230 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 00000000779e1fe0 5 bytes JMP 00000000000703f0 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000779e2100 5 bytes JMP 00000000000701d0 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000779e21c0 5 bytes JMP 0000000000070240 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000779e21f0 5 bytes JMP 00000000000704b0 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000779e2200 5 bytes JMP 00000000000704c0 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000779e2230 5 bytes JMP 00000000000702f0 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000779e2240 5 bytes JMP 0000000000070350 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000779e22a0 5 bytes JMP 0000000000070290 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000779e22f0 5 bytes JMP 00000000000702b0 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000779e2320 5 bytes JMP 0000000000070370 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000779e2330 5 bytes JMP 0000000000070330 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000779e2620 5 bytes JMP 0000000000070460 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 00000000779e2780 5 bytes JMP 0000000000070420 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000779e2820 5 bytes JMP 0000000000070250 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000779e2830 5 bytes JMP 0000000000070260 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000779e2840 5 bytes JMP 0000000000070400 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000779e2a00 5 bytes JMP 00000000000701e0 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000779e2a10 5 bytes JMP 0000000000070200 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000779e2a80 5 bytes JMP 00000000000701f0 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000779e2ae0 5 bytes JMP 0000000000070430 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000779e2af0 5 bytes JMP 0000000000070450 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000779e2b00 5 bytes JMP 0000000000070210 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000779e2be0 1 byte JMP 0000000000070270 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 2 00000000779e2be2 3 bytes {JMP 0xffffffff8868d690} .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000779e13c0 5 bytes JMP 0000000000070480 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000779e1410 5 bytes JMP 0000000000070470 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000779e1570 5 bytes JMP 0000000000070360 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000779e15c0 5 bytes JMP 0000000000070490 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779e15d0 5 bytes JMP 00000000000703d0 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000779e1680 1 byte JMP 0000000000070310 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 2 00000000779e1682 3 bytes {JMP 0xffffffff8868ec90} .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000779e16b0 5 bytes JMP 00000000000703a0 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000779e16d0 5 bytes JMP 0000000000070380 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000779e1710 5 bytes JMP 00000000000702d0 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000779e1790 5 bytes JMP 00000000000702c0 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779e17b0 5 bytes JMP 0000000000070300 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779e17f0 5 bytes JMP 00000000000703b0 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000779e1830 5 bytes JMP 0000000000070440 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000779e1840 5 bytes JMP 00000000000703e0 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000779e19a0 5 bytes JMP 0000000000070220 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000779e1b60 5 bytes JMP 00000000000704a0 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000779e1b90 5 bytes JMP 0000000000070390 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000779e1c70 5 bytes JMP 00000000000702e0 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000779e1c80 5 bytes JMP 0000000000070340 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000779e1ce0 5 bytes JMP 0000000000070280 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000779e1d70 5 bytes JMP 00000000000702a0 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000779e1d90 5 bytes JMP 00000000000703c0 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000779e1da0 5 bytes JMP 0000000000070320 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000779e1e10 5 bytes JMP 0000000000070410 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000779e1e40 5 bytes JMP 0000000000070230 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 00000000779e1fe0 5 bytes JMP 00000000000703f0 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000779e2100 5 bytes JMP 00000000000701d0 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000779e21c0 5 bytes JMP 0000000000070240 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000779e21f0 5 bytes JMP 00000000000704b0 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000779e2200 5 bytes JMP 00000000000704c0 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000779e2230 5 bytes JMP 00000000000702f0 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000779e2240 5 bytes JMP 0000000000070350 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000779e22a0 5 bytes JMP 0000000000070290 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000779e22f0 5 bytes JMP 00000000000702b0 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000779e2320 5 bytes JMP 0000000000070370 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000779e2330 5 bytes JMP 0000000000070330 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000779e2620 5 bytes JMP 0000000000070460 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 00000000779e2780 5 bytes JMP 0000000000070420 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000779e2820 5 bytes JMP 0000000000070250 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000779e2830 5 bytes JMP 0000000000070260 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000779e2840 5 bytes JMP 0000000000070400 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000779e2a00 5 bytes JMP 00000000000701e0 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000779e2a10 5 bytes JMP 0000000000070200 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000779e2a80 5 bytes JMP 00000000000701f0 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000779e2ae0 5 bytes JMP 0000000000070430 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000779e2af0 5 bytes JMP 0000000000070450 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000779e2b00 5 bytes JMP 0000000000070210 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000779e2be0 1 byte JMP 0000000000070270 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 2 00000000779e2be2 3 bytes {JMP 0xffffffff8868d690} .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000779e13c0 5 bytes JMP 0000000077b40480 .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000779e1410 5 bytes JMP 0000000077b40470 .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000779e1570 5 bytes JMP 0000000077b40360 .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000779e15c0 5 bytes JMP 0000000077b40490 .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779e15d0 5 bytes JMP 0000000077b403d0 .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000779e1680 1 byte JMP 0000000077b40310 .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 2 00000000779e1682 3 bytes {JMP 0x15ec90} .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000779e16b0 5 bytes JMP 0000000077b403a0 .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000779e16d0 5 bytes JMP 0000000077b40380 .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000779e1710 5 bytes JMP 0000000077b402d0 .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000779e1790 5 bytes JMP 0000000077b402c0 .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779e17b0 5 bytes JMP 0000000077b40300 .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779e17f0 5 bytes JMP 0000000077b403b0 .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000779e1830 5 bytes JMP 0000000077b40440 .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000779e1840 5 bytes JMP 0000000077b403e0 .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000779e19a0 5 bytes JMP 0000000077b40220 .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000779e1b60 5 bytes JMP 0000000077b404a0 .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000779e1b90 5 bytes JMP 0000000077b40390 .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000779e1c70 5 bytes JMP 0000000077b402e0 .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000779e1c80 5 bytes JMP 0000000077b40340 .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000779e1ce0 5 bytes JMP 0000000077b40280 .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000779e1d70 5 bytes JMP 0000000077b402a0 .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000779e1d90 5 bytes JMP 0000000077b403c0 .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000779e1da0 5 bytes JMP 0000000077b40320 .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000779e1e10 5 bytes JMP 0000000077b40410 .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000779e1e40 5 bytes JMP 0000000077b40230 .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 00000000779e1fe0 5 bytes JMP 0000000077b403f0 .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000779e2100 5 bytes JMP 0000000077b401d0 .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000779e21c0 5 bytes JMP 0000000077b40240 .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000779e21f0 5 bytes JMP 0000000077b404b0 .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000779e2200 5 bytes JMP 0000000077b404c0 .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000779e2230 5 bytes JMP 0000000077b402f0 .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000779e2240 5 bytes JMP 0000000077b40350 .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000779e22a0 5 bytes JMP 0000000077b40290 .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000779e22f0 5 bytes JMP 0000000077b402b0 .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000779e2320 5 bytes JMP 0000000077b40370 .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000779e2330 5 bytes JMP 0000000077b40330 .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000779e2620 5 bytes JMP 0000000077b40460 .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 00000000779e2780 5 bytes JMP 0000000077b40420 .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000779e2820 5 bytes JMP 0000000077b40250 .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000779e2830 5 bytes JMP 0000000077b40260 .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000779e2840 5 bytes JMP 0000000077b40400 .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000779e2a00 5 bytes JMP 0000000077b401e0 .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000779e2a10 5 bytes JMP 0000000077b40200 .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000779e2a80 5 bytes JMP 0000000077b401f0 .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000779e2ae0 5 bytes JMP 0000000077b40430 .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000779e2af0 5 bytes JMP 0000000077b40450 .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000779e2b00 5 bytes JMP 0000000077b40210 .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000779e2be0 1 byte JMP 0000000077b40270 .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 2 00000000779e2be2 3 bytes {JMP 0x15d690} .text C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000779e13c0 5 bytes JMP 0000000077b40480 .text C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000779e1410 5 bytes JMP 0000000077b40470 .text C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000779e1570 5 bytes JMP 0000000077b40360 .text C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000779e15c0 5 bytes JMP 0000000077b40490 .text C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779e15d0 5 bytes JMP 0000000077b403d0 .text C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000779e1680 1 byte JMP 0000000077b40310 .text C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 2 00000000779e1682 3 bytes {JMP 0x15ec90} .text C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000779e16b0 5 bytes JMP 0000000077b403a0 .text C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000779e16d0 5 bytes JMP 0000000077b40380 .text C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000779e1710 5 bytes JMP 0000000077b402d0 .text C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000779e1790 5 bytes JMP 0000000077b402c0 .text C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779e17b0 5 bytes JMP 0000000077b40300 .text C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779e17f0 5 bytes JMP 0000000077b403b0 .text C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000779e1830 5 bytes JMP 0000000077b40440 .text C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000779e1840 5 bytes JMP 0000000077b403e0 .text C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000779e19a0 5 bytes JMP 0000000077b40220 .text C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000779e1b60 5 bytes JMP 0000000077b404a0 .text C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000779e1b90 5 bytes JMP 0000000077b40390 .text C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000779e1c70 5 bytes JMP 0000000077b402e0 .text C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000779e1c80 5 bytes JMP 0000000077b40340 .text C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000779e1ce0 5 bytes JMP 0000000077b40280 .text C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000779e1d70 5 bytes JMP 0000000077b402a0 .text C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000779e1d90 5 bytes JMP 0000000077b403c0 .text C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000779e1da0 5 bytes JMP 0000000077b40320 .text C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000779e1e10 5 bytes JMP 0000000077b40410 .text C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000779e1e40 5 bytes JMP 0000000077b40230 .text C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 00000000779e1fe0 5 bytes JMP 0000000077b403f0 .text C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000779e2100 5 bytes JMP 0000000077b401d0 .text C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000779e21c0 5 bytes JMP 0000000077b40240 .text C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000779e21f0 5 bytes JMP 0000000077b404b0 .text C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000779e2200 5 bytes JMP 0000000077b404c0 .text C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000779e2230 5 bytes JMP 0000000077b402f0 .text C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000779e2240 5 bytes JMP 0000000077b40350 .text C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000779e22a0 5 bytes JMP 0000000077b40290 .text C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000779e22f0 5 bytes JMP 0000000077b402b0 .text C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000779e2320 5 bytes JMP 0000000077b40370 .text C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000779e2330 5 bytes JMP 0000000077b40330 .text C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000779e2620 5 bytes JMP 0000000077b40460 .text C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 00000000779e2780 5 bytes JMP 0000000077b40420 .text C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000779e2820 5 bytes JMP 0000000077b40250 .text C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000779e2830 5 bytes JMP 0000000077b40260 .text C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000779e2840 5 bytes JMP 0000000077b40400 .text C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000779e2a00 5 bytes JMP 0000000077b401e0 .text C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000779e2a10 5 bytes JMP 0000000077b40200 .text C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000779e2a80 5 bytes JMP 0000000077b401f0 .text C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000779e2ae0 5 bytes JMP 0000000077b40430 .text C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000779e2af0 5 bytes JMP 0000000077b40450 .text C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000779e2b00 5 bytes JMP 0000000077b40210 .text C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000779e2be0 1 byte JMP 0000000077b40270 .text C:\Windows\System32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 2 00000000779e2be2 3 bytes {JMP 0x15d690} .text C:\Windows\System32\svchost.exe[256] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000779e13c0 5 bytes JMP 0000000077b40480 .text C:\Windows\System32\svchost.exe[256] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000779e1410 5 bytes JMP 0000000077b40470 .text C:\Windows\System32\svchost.exe[256] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000779e1570 5 bytes JMP 0000000077b40360 .text C:\Windows\System32\svchost.exe[256] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000779e15c0 5 bytes JMP 0000000077b40490 .text C:\Windows\System32\svchost.exe[256] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779e15d0 5 bytes JMP 0000000077b403d0 .text C:\Windows\System32\svchost.exe[256] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000779e1680 1 byte JMP 0000000077b40310 .text C:\Windows\System32\svchost.exe[256] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 2 00000000779e1682 3 bytes {JMP 0x15ec90} .text C:\Windows\System32\svchost.exe[256] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000779e16b0 5 bytes JMP 0000000077b403a0 .text C:\Windows\System32\svchost.exe[256] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000779e16d0 5 bytes JMP 0000000077b40380 .text C:\Windows\System32\svchost.exe[256] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000779e1710 5 bytes JMP 0000000077b402d0 .text C:\Windows\System32\svchost.exe[256] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000779e1790 5 bytes JMP 0000000077b402c0 .text C:\Windows\System32\svchost.exe[256] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779e17b0 5 bytes JMP 0000000077b40300 .text C:\Windows\System32\svchost.exe[256] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779e17f0 5 bytes JMP 0000000077b403b0 .text C:\Windows\System32\svchost.exe[256] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000779e1830 5 bytes JMP 0000000077b40440 .text C:\Windows\System32\svchost.exe[256] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000779e1840 5 bytes JMP 0000000077b403e0 .text C:\Windows\System32\svchost.exe[256] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000779e19a0 5 bytes JMP 0000000077b40220 .text C:\Windows\System32\svchost.exe[256] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000779e1b60 5 bytes JMP 0000000077b404a0 .text C:\Windows\System32\svchost.exe[256] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000779e1b90 5 bytes JMP 0000000077b40390 .text C:\Windows\System32\svchost.exe[256] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000779e1c70 5 bytes JMP 0000000077b402e0 .text C:\Windows\System32\svchost.exe[256] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000779e1c80 5 bytes JMP 0000000077b40340 .text C:\Windows\System32\svchost.exe[256] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000779e1ce0 5 bytes JMP 0000000077b40280 .text C:\Windows\System32\svchost.exe[256] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000779e1d70 5 bytes JMP 0000000077b402a0 .text C:\Windows\System32\svchost.exe[256] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000779e1d90 5 bytes JMP 0000000077b403c0 .text C:\Windows\System32\svchost.exe[256] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000779e1da0 5 bytes JMP 0000000077b40320 .text C:\Windows\System32\svchost.exe[256] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000779e1e10 5 bytes JMP 0000000077b40410 .text C:\Windows\System32\svchost.exe[256] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000779e1e40 5 bytes JMP 0000000077b40230 .text C:\Windows\System32\svchost.exe[256] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 00000000779e1fe0 5 bytes JMP 0000000077b403f0 .text C:\Windows\System32\svchost.exe[256] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000779e2100 5 bytes JMP 0000000077b401d0 .text C:\Windows\System32\svchost.exe[256] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000779e21c0 5 bytes JMP 0000000077b40240 .text C:\Windows\System32\svchost.exe[256] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000779e21f0 5 bytes JMP 0000000077b404b0 .text C:\Windows\System32\svchost.exe[256] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000779e2200 5 bytes JMP 0000000077b404c0 .text C:\Windows\System32\svchost.exe[256] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000779e2230 5 bytes JMP 0000000077b402f0 .text C:\Windows\System32\svchost.exe[256] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000779e2240 5 bytes JMP 0000000077b40350 .text C:\Windows\System32\svchost.exe[256] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000779e22a0 5 bytes JMP 0000000077b40290 .text C:\Windows\System32\svchost.exe[256] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000779e22f0 5 bytes JMP 0000000077b402b0 .text C:\Windows\System32\svchost.exe[256] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000779e2320 5 bytes JMP 0000000077b40370 .text C:\Windows\System32\svchost.exe[256] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000779e2330 5 bytes JMP 0000000077b40330 .text C:\Windows\System32\svchost.exe[256] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000779e2620 5 bytes JMP 0000000077b40460 .text C:\Windows\System32\svchost.exe[256] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 00000000779e2780 5 bytes JMP 0000000077b40420 .text C:\Windows\System32\svchost.exe[256] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000779e2820 5 bytes JMP 0000000077b40250 .text C:\Windows\System32\svchost.exe[256] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000779e2830 5 bytes JMP 0000000077b40260 .text C:\Windows\System32\svchost.exe[256] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000779e2840 5 bytes JMP 0000000077b40400 .text C:\Windows\System32\svchost.exe[256] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000779e2a00 5 bytes JMP 0000000077b401e0 .text C:\Windows\System32\svchost.exe[256] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000779e2a10 5 bytes JMP 0000000077b40200 .text C:\Windows\System32\svchost.exe[256] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000779e2a80 5 bytes JMP 0000000077b401f0 .text C:\Windows\System32\svchost.exe[256] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000779e2ae0 5 bytes JMP 0000000077b40430 .text C:\Windows\System32\svchost.exe[256] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000779e2af0 5 bytes JMP 0000000077b40450 .text C:\Windows\System32\svchost.exe[256] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000779e2b00 5 bytes JMP 0000000077b40210 .text C:\Windows\System32\svchost.exe[256] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000779e2be0 1 byte JMP 0000000077b40270 .text C:\Windows\System32\svchost.exe[256] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 2 00000000779e2be2 3 bytes {JMP 0x15d690} .text C:\Windows\system32\svchost.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000779e13c0 5 bytes JMP 0000000077b40480 .text C:\Windows\system32\svchost.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000779e1410 5 bytes JMP 0000000077b40470 .text C:\Windows\system32\svchost.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000779e1570 5 bytes JMP 0000000077b40360 .text C:\Windows\system32\svchost.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000779e15c0 5 bytes JMP 0000000077b40490 .text C:\Windows\system32\svchost.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779e15d0 5 bytes JMP 0000000077b403d0 .text C:\Windows\system32\svchost.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000779e1680 1 byte JMP 0000000077b40310 .text C:\Windows\system32\svchost.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 2 00000000779e1682 3 bytes {JMP 0x15ec90} .text C:\Windows\system32\svchost.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000779e16b0 5 bytes JMP 0000000077b403a0 .text C:\Windows\system32\svchost.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000779e16d0 5 bytes JMP 0000000077b40380 .text C:\Windows\system32\svchost.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000779e1710 5 bytes JMP 0000000077b402d0 .text C:\Windows\system32\svchost.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000779e1790 5 bytes JMP 0000000077b402c0 .text C:\Windows\system32\svchost.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779e17b0 5 bytes JMP 0000000077b40300 .text C:\Windows\system32\svchost.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779e17f0 5 bytes JMP 0000000077b403b0 .text C:\Windows\system32\svchost.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000779e1830 5 bytes JMP 0000000077b40440 .text C:\Windows\system32\svchost.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000779e1840 5 bytes JMP 0000000077b403e0 .text C:\Windows\system32\svchost.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000779e19a0 5 bytes JMP 0000000077b40220 .text C:\Windows\system32\svchost.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000779e1b60 5 bytes JMP 0000000077b404a0 .text C:\Windows\system32\svchost.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000779e1b90 5 bytes JMP 0000000077b40390 .text C:\Windows\system32\svchost.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000779e1c70 5 bytes JMP 0000000077b402e0 .text C:\Windows\system32\svchost.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000779e1c80 5 bytes JMP 0000000077b40340 .text C:\Windows\system32\svchost.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000779e1ce0 5 bytes JMP 0000000077b40280 .text C:\Windows\system32\svchost.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000779e1d70 5 bytes JMP 0000000077b402a0 .text C:\Windows\system32\svchost.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000779e1d90 5 bytes JMP 0000000077b403c0 .text C:\Windows\system32\svchost.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000779e1da0 5 bytes JMP 0000000077b40320 .text C:\Windows\system32\svchost.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000779e1e10 5 bytes JMP 0000000077b40410 .text C:\Windows\system32\svchost.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000779e1e40 5 bytes JMP 0000000077b40230 .text C:\Windows\system32\svchost.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 00000000779e1fe0 5 bytes JMP 0000000077b403f0 .text C:\Windows\system32\svchost.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000779e2100 5 bytes JMP 0000000077b401d0 .text C:\Windows\system32\svchost.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000779e21c0 5 bytes JMP 0000000077b40240 .text C:\Windows\system32\svchost.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000779e21f0 5 bytes JMP 0000000077b404b0 .text C:\Windows\system32\svchost.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000779e2200 5 bytes JMP 0000000077b404c0 .text C:\Windows\system32\svchost.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000779e2230 5 bytes JMP 0000000077b402f0 .text C:\Windows\system32\svchost.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000779e2240 5 bytes JMP 0000000077b40350 .text C:\Windows\system32\svchost.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000779e22a0 5 bytes JMP 0000000077b40290 .text C:\Windows\system32\svchost.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000779e22f0 5 bytes JMP 0000000077b402b0 .text C:\Windows\system32\svchost.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000779e2320 5 bytes JMP 0000000077b40370 .text C:\Windows\system32\svchost.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000779e2330 5 bytes JMP 0000000077b40330 .text C:\Windows\system32\svchost.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000779e2620 5 bytes JMP 0000000077b40460 .text C:\Windows\system32\svchost.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 00000000779e2780 5 bytes JMP 0000000077b40420 .text C:\Windows\system32\svchost.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000779e2820 5 bytes JMP 0000000077b40250 .text C:\Windows\system32\svchost.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000779e2830 5 bytes JMP 0000000077b40260 .text C:\Windows\system32\svchost.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000779e2840 5 bytes JMP 0000000077b40400 .text C:\Windows\system32\svchost.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000779e2a00 5 bytes JMP 0000000077b401e0 .text C:\Windows\system32\svchost.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000779e2a10 5 bytes JMP 0000000077b40200 .text C:\Windows\system32\svchost.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000779e2a80 5 bytes JMP 0000000077b401f0 .text C:\Windows\system32\svchost.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000779e2ae0 5 bytes JMP 0000000077b40430 .text C:\Windows\system32\svchost.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000779e2af0 5 bytes JMP 0000000077b40450 .text C:\Windows\system32\svchost.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000779e2b00 5 bytes JMP 0000000077b40210 .text C:\Windows\system32\svchost.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000779e2be0 1 byte JMP 0000000077b40270 .text C:\Windows\system32\svchost.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 2 00000000779e2be2 3 bytes {JMP 0x15d690} .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000779e13c0 5 bytes JMP 0000000077b40480 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000779e1410 5 bytes JMP 0000000077b40470 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000779e1570 5 bytes JMP 0000000077b40360 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000779e15c0 5 bytes JMP 0000000077b40490 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779e15d0 5 bytes JMP 0000000077b403d0 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000779e1680 1 byte JMP 0000000077b40310 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 2 00000000779e1682 3 bytes {JMP 0x15ec90} .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000779e16b0 5 bytes JMP 0000000077b403a0 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000779e16d0 5 bytes JMP 0000000077b40380 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000779e1710 5 bytes JMP 0000000077b402d0 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000779e1790 5 bytes JMP 0000000077b402c0 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779e17b0 5 bytes JMP 0000000077b40300 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779e17f0 5 bytes JMP 0000000077b403b0 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000779e1830 5 bytes JMP 0000000077b40440 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000779e1840 5 bytes JMP 0000000077b403e0 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000779e19a0 5 bytes JMP 0000000077b40220 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000779e1b60 5 bytes JMP 0000000077b404a0 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000779e1b90 5 bytes JMP 0000000077b40390 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000779e1c70 5 bytes JMP 0000000077b402e0 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000779e1c80 5 bytes JMP 0000000077b40340 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000779e1ce0 5 bytes JMP 0000000077b40280 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000779e1d70 5 bytes JMP 0000000077b402a0 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000779e1d90 5 bytes JMP 0000000077b403c0 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000779e1da0 5 bytes JMP 0000000077b40320 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000779e1e10 5 bytes JMP 0000000077b40410 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000779e1e40 5 bytes JMP 0000000077b40230 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 00000000779e1fe0 5 bytes JMP 0000000077b403f0 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000779e2100 5 bytes JMP 0000000077b401d0 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000779e21c0 5 bytes JMP 0000000077b40240 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000779e21f0 5 bytes JMP 0000000077b404b0 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000779e2200 5 bytes JMP 0000000077b404c0 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000779e2230 5 bytes JMP 0000000077b402f0 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000779e2240 5 bytes JMP 0000000077b40350 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000779e22a0 5 bytes JMP 0000000077b40290 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000779e22f0 5 bytes JMP 0000000077b402b0 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000779e2320 5 bytes JMP 0000000077b40370 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000779e2330 5 bytes JMP 0000000077b40330 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000779e2620 5 bytes JMP 0000000077b40460 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 00000000779e2780 5 bytes JMP 0000000077b40420 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000779e2820 5 bytes JMP 0000000077b40250 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000779e2830 5 bytes JMP 0000000077b40260 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000779e2840 5 bytes JMP 0000000077b40400 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000779e2a00 5 bytes JMP 0000000077b401e0 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000779e2a10 5 bytes JMP 0000000077b40200 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000779e2a80 5 bytes JMP 0000000077b401f0 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000779e2ae0 5 bytes JMP 0000000077b40430 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000779e2af0 5 bytes JMP 0000000077b40450 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000779e2b00 5 bytes JMP 0000000077b40210 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000779e2be0 1 byte JMP 0000000077b40270 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 2 00000000779e2be2 3 bytes {JMP 0x15d690} .text C:\Windows\system32\svchost.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000779e13c0 5 bytes JMP 0000000077b40480 .text C:\Windows\system32\svchost.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000779e1410 5 bytes JMP 0000000077b40470 .text C:\Windows\system32\svchost.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000779e1570 5 bytes JMP 0000000077b40360 .text C:\Windows\system32\svchost.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000779e15c0 5 bytes JMP 0000000077b40490 .text C:\Windows\system32\svchost.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779e15d0 5 bytes JMP 0000000077b403d0 .text C:\Windows\system32\svchost.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000779e1680 1 byte JMP 0000000077b40310 .text C:\Windows\system32\svchost.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 2 00000000779e1682 3 bytes {JMP 0x15ec90} .text C:\Windows\system32\svchost.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000779e16b0 5 bytes JMP 0000000077b403a0 .text C:\Windows\system32\svchost.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000779e16d0 5 bytes JMP 0000000077b40380 .text C:\Windows\system32\svchost.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000779e1710 5 bytes JMP 0000000077b402d0 .text C:\Windows\system32\svchost.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000779e1790 5 bytes JMP 0000000077b402c0 .text C:\Windows\system32\svchost.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779e17b0 5 bytes JMP 0000000077b40300 .text C:\Windows\system32\svchost.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779e17f0 5 bytes JMP 0000000077b403b0 .text C:\Windows\system32\svchost.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000779e1830 5 bytes JMP 0000000077b40440 .text C:\Windows\system32\svchost.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000779e1840 5 bytes JMP 0000000077b403e0 .text C:\Windows\system32\svchost.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000779e19a0 5 bytes JMP 0000000077b40220 .text C:\Windows\system32\svchost.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000779e1b60 5 bytes JMP 0000000077b404a0 .text C:\Windows\system32\svchost.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000779e1b90 5 bytes JMP 0000000077b40390 .text C:\Windows\system32\svchost.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000779e1c70 5 bytes JMP 0000000077b402e0 .text C:\Windows\system32\svchost.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000779e1c80 5 bytes JMP 0000000077b40340 .text C:\Windows\system32\svchost.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000779e1ce0 5 bytes JMP 0000000077b40280 .text C:\Windows\system32\svchost.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000779e1d70 5 bytes JMP 0000000077b402a0 .text C:\Windows\system32\svchost.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000779e1d90 5 bytes JMP 0000000077b403c0 .text C:\Windows\system32\svchost.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000779e1da0 5 bytes JMP 0000000077b40320 .text C:\Windows\system32\svchost.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000779e1e10 5 bytes JMP 0000000077b40410 .text C:\Windows\system32\svchost.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000779e1e40 5 bytes JMP 0000000077b40230 .text C:\Windows\system32\svchost.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 00000000779e1fe0 5 bytes JMP 0000000077b403f0 .text C:\Windows\system32\svchost.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000779e2100 5 bytes JMP 0000000077b401d0 .text C:\Windows\system32\svchost.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000779e21c0 5 bytes JMP 0000000077b40240 .text C:\Windows\system32\svchost.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000779e21f0 5 bytes JMP 0000000077b404b0 .text C:\Windows\system32\svchost.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000779e2200 5 bytes JMP 0000000077b404c0 .text C:\Windows\system32\svchost.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000779e2230 5 bytes JMP 0000000077b402f0 .text C:\Windows\system32\svchost.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000779e2240 5 bytes JMP 0000000077b40350 .text C:\Windows\system32\svchost.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000779e22a0 5 bytes JMP 0000000077b40290 .text C:\Windows\system32\svchost.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000779e22f0 5 bytes JMP 0000000077b402b0 .text C:\Windows\system32\svchost.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000779e2320 5 bytes JMP 0000000077b40370 .text C:\Windows\system32\svchost.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000779e2330 5 bytes JMP 0000000077b40330 .text C:\Windows\system32\svchost.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000779e2620 5 bytes JMP 0000000077b40460 .text C:\Windows\system32\svchost.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 00000000779e2780 5 bytes JMP 0000000077b40420 .text C:\Windows\system32\svchost.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000779e2820 5 bytes JMP 0000000077b40250 .text C:\Windows\system32\svchost.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000779e2830 5 bytes JMP 0000000077b40260 .text C:\Windows\system32\svchost.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000779e2840 5 bytes JMP 0000000077b40400 .text C:\Windows\system32\svchost.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000779e2a00 5 bytes JMP 0000000077b401e0 .text C:\Windows\system32\svchost.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000779e2a10 5 bytes JMP 0000000077b40200 .text C:\Windows\system32\svchost.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000779e2a80 5 bytes JMP 0000000077b401f0 .text C:\Windows\system32\svchost.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000779e2ae0 5 bytes JMP 0000000077b40430 .text C:\Windows\system32\svchost.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000779e2af0 5 bytes JMP 0000000077b40450 .text C:\Windows\system32\svchost.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000779e2b00 5 bytes JMP 0000000077b40210 .text C:\Windows\system32\svchost.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000779e2be0 1 byte JMP 0000000077b40270 .text C:\Windows\system32\svchost.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 2 00000000779e2be2 3 bytes {JMP 0x15d690} .text C:\Windows\system32\svchost.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000779e13c0 5 bytes JMP 0000000077b40480 .text C:\Windows\system32\svchost.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000779e1410 5 bytes JMP 0000000077b40470 .text C:\Windows\system32\svchost.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000779e1570 5 bytes JMP 0000000077b40360 .text C:\Windows\system32\svchost.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000779e15c0 5 bytes JMP 0000000077b40490 .text C:\Windows\system32\svchost.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779e15d0 5 bytes JMP 0000000077b403d0 .text C:\Windows\system32\svchost.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000779e1680 1 byte JMP 0000000077b40310 .text C:\Windows\system32\svchost.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 2 00000000779e1682 3 bytes {JMP 0x15ec90} .text C:\Windows\system32\svchost.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000779e16b0 5 bytes JMP 0000000077b403a0 .text C:\Windows\system32\svchost.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000779e16d0 5 bytes JMP 0000000077b40380 .text C:\Windows\system32\svchost.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000779e1710 5 bytes JMP 0000000077b402d0 .text C:\Windows\system32\svchost.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000779e1790 5 bytes JMP 0000000077b402c0 .text C:\Windows\system32\svchost.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779e17b0 5 bytes JMP 0000000077b40300 .text C:\Windows\system32\svchost.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779e17f0 5 bytes JMP 0000000077b403b0 .text C:\Windows\system32\svchost.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000779e1830 5 bytes JMP 0000000077b40440 .text C:\Windows\system32\svchost.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000779e1840 5 bytes JMP 0000000077b403e0 .text C:\Windows\system32\svchost.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000779e19a0 5 bytes JMP 0000000077b40220 .text C:\Windows\system32\svchost.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000779e1b60 5 bytes JMP 0000000077b404a0 .text C:\Windows\system32\svchost.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000779e1b90 5 bytes JMP 0000000077b40390 .text C:\Windows\system32\svchost.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000779e1c70 5 bytes JMP 0000000077b402e0 .text C:\Windows\system32\svchost.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000779e1c80 5 bytes JMP 0000000077b40340 .text C:\Windows\system32\svchost.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000779e1ce0 5 bytes JMP 0000000077b40280 .text C:\Windows\system32\svchost.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000779e1d70 5 bytes JMP 0000000077b402a0 .text C:\Windows\system32\svchost.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000779e1d90 5 bytes JMP 0000000077b403c0 .text C:\Windows\system32\svchost.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000779e1da0 5 bytes JMP 0000000077b40320 .text C:\Windows\system32\svchost.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000779e1e10 5 bytes JMP 0000000077b40410 .text C:\Windows\system32\svchost.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000779e1e40 5 bytes JMP 0000000077b40230 .text C:\Windows\system32\svchost.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 00000000779e1fe0 5 bytes JMP 0000000077b403f0 .text C:\Windows\system32\svchost.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000779e2100 5 bytes JMP 0000000077b401d0 .text C:\Windows\system32\svchost.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000779e21c0 5 bytes JMP 0000000077b40240 .text C:\Windows\system32\svchost.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000779e21f0 5 bytes JMP 0000000077b404b0 .text C:\Windows\system32\svchost.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000779e2200 5 bytes JMP 0000000077b404c0 .text C:\Windows\system32\svchost.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000779e2230 5 bytes JMP 0000000077b402f0 .text C:\Windows\system32\svchost.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000779e2240 5 bytes JMP 0000000077b40350 .text C:\Windows\system32\svchost.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000779e22a0 5 bytes JMP 0000000077b40290 .text C:\Windows\system32\svchost.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000779e22f0 5 bytes JMP 0000000077b402b0 .text C:\Windows\system32\svchost.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000779e2320 5 bytes JMP 0000000077b40370 .text C:\Windows\system32\svchost.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000779e2330 5 bytes JMP 0000000077b40330 .text C:\Windows\system32\svchost.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000779e2620 5 bytes JMP 0000000077b40460 .text C:\Windows\system32\svchost.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 00000000779e2780 5 bytes JMP 0000000077b40420 .text C:\Windows\system32\svchost.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000779e2820 5 bytes JMP 0000000077b40250 .text C:\Windows\system32\svchost.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000779e2830 5 bytes JMP 0000000077b40260 .text C:\Windows\system32\svchost.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000779e2840 5 bytes JMP 0000000077b40400 .text C:\Windows\system32\svchost.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000779e2a00 5 bytes JMP 0000000077b401e0 .text C:\Windows\system32\svchost.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000779e2a10 5 bytes JMP 0000000077b40200 .text C:\Windows\system32\svchost.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000779e2a80 5 bytes JMP 0000000077b401f0 .text C:\Windows\system32\svchost.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000779e2ae0 5 bytes JMP 0000000077b40430 .text C:\Windows\system32\svchost.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000779e2af0 5 bytes JMP 0000000077b40450 .text C:\Windows\system32\svchost.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000779e2b00 5 bytes JMP 0000000077b40210 .text C:\Windows\system32\svchost.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000779e2be0 1 byte JMP 0000000077b40270 .text C:\Windows\system32\svchost.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 2 00000000779e2be2 3 bytes {JMP 0x15d690} .text C:\Program Files\AVAST Software\Avast\afwServ.exe[1636] C:\Windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter 0000000076cc87c9 8 bytes [31, C0, C2, 04, 00, 90, 90, ...] .text C:\Windows\system32\svchost.exe[1724] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000779e13c0 5 bytes JMP 0000000077b40480 .text C:\Windows\system32\svchost.exe[1724] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000779e1410 5 bytes JMP 0000000077b40470 .text C:\Windows\system32\svchost.exe[1724] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000779e1570 5 bytes JMP 0000000077b40360 .text C:\Windows\system32\svchost.exe[1724] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000779e15c0 5 bytes JMP 0000000077b40490 .text C:\Windows\system32\svchost.exe[1724] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779e15d0 5 bytes JMP 0000000077b403d0 .text C:\Windows\system32\svchost.exe[1724] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000779e1680 1 byte JMP 0000000077b40310 .text C:\Windows\system32\svchost.exe[1724] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 2 00000000779e1682 3 bytes {JMP 0x15ec90} .text C:\Windows\system32\svchost.exe[1724] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000779e16b0 5 bytes JMP 0000000077b403a0 .text C:\Windows\system32\svchost.exe[1724] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000779e16d0 5 bytes JMP 0000000077b40380 .text C:\Windows\system32\svchost.exe[1724] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000779e1710 5 bytes JMP 0000000077b402d0 .text C:\Windows\system32\svchost.exe[1724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000779e1790 5 bytes JMP 0000000077b402c0 .text C:\Windows\system32\svchost.exe[1724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779e17b0 5 bytes JMP 0000000077b40300 .text C:\Windows\system32\svchost.exe[1724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779e17f0 5 bytes JMP 0000000077b403b0 .text C:\Windows\system32\svchost.exe[1724] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000779e1830 5 bytes JMP 0000000077b40440 .text C:\Windows\system32\svchost.exe[1724] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000779e1840 5 bytes JMP 0000000077b403e0 .text C:\Windows\system32\svchost.exe[1724] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000779e19a0 5 bytes JMP 0000000077b40220 .text C:\Windows\system32\svchost.exe[1724] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000779e1b60 5 bytes JMP 0000000077b404a0 .text C:\Windows\system32\svchost.exe[1724] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000779e1b90 5 bytes JMP 0000000077b40390 .text C:\Windows\system32\svchost.exe[1724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000779e1c70 5 bytes JMP 0000000077b402e0 .text C:\Windows\system32\svchost.exe[1724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000779e1c80 5 bytes JMP 0000000077b40340 .text C:\Windows\system32\svchost.exe[1724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000779e1ce0 5 bytes JMP 0000000077b40280 .text C:\Windows\system32\svchost.exe[1724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000779e1d70 5 bytes JMP 0000000077b402a0 .text C:\Windows\system32\svchost.exe[1724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000779e1d90 5 bytes JMP 0000000077b403c0 .text C:\Windows\system32\svchost.exe[1724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000779e1da0 5 bytes JMP 0000000077b40320 .text C:\Windows\system32\svchost.exe[1724] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000779e1e10 5 bytes JMP 0000000077b40410 .text C:\Windows\system32\svchost.exe[1724] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000779e1e40 5 bytes JMP 0000000077b40230 .text C:\Windows\system32\svchost.exe[1724] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 00000000779e1fe0 5 bytes JMP 0000000077b403f0 .text C:\Windows\system32\svchost.exe[1724] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000779e2100 5 bytes JMP 0000000077b401d0 .text C:\Windows\system32\svchost.exe[1724] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000779e21c0 5 bytes JMP 0000000077b40240 .text C:\Windows\system32\svchost.exe[1724] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000779e21f0 5 bytes JMP 0000000077b404b0 .text C:\Windows\system32\svchost.exe[1724] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000779e2200 5 bytes JMP 0000000077b404c0 .text C:\Windows\system32\svchost.exe[1724] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000779e2230 5 bytes JMP 0000000077b402f0 .text C:\Windows\system32\svchost.exe[1724] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000779e2240 5 bytes JMP 0000000077b40350 .text C:\Windows\system32\svchost.exe[1724] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000779e22a0 5 bytes JMP 0000000077b40290 .text C:\Windows\system32\svchost.exe[1724] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000779e22f0 5 bytes JMP 0000000077b402b0 .text C:\Windows\system32\svchost.exe[1724] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000779e2320 5 bytes JMP 0000000077b40370 .text C:\Windows\system32\svchost.exe[1724] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000779e2330 5 bytes JMP 0000000077b40330 .text C:\Windows\system32\svchost.exe[1724] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000779e2620 5 bytes JMP 0000000077b40460 .text C:\Windows\system32\svchost.exe[1724] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 00000000779e2780 5 bytes JMP 0000000077b40420 .text C:\Windows\system32\svchost.exe[1724] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000779e2820 5 bytes JMP 0000000077b40250 .text C:\Windows\system32\svchost.exe[1724] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000779e2830 5 bytes JMP 0000000077b40260 .text C:\Windows\system32\svchost.exe[1724] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000779e2840 5 bytes JMP 0000000077b40400 .text C:\Windows\system32\svchost.exe[1724] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000779e2a00 5 bytes JMP 0000000077b401e0 .text C:\Windows\system32\svchost.exe[1724] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000779e2a10 5 bytes JMP 0000000077b40200 .text C:\Windows\system32\svchost.exe[1724] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000779e2a80 5 bytes JMP 0000000077b401f0 .text C:\Windows\system32\svchost.exe[1724] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000779e2ae0 5 bytes JMP 0000000077b40430 .text C:\Windows\system32\svchost.exe[1724] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000779e2af0 5 bytes JMP 0000000077b40450 .text C:\Windows\system32\svchost.exe[1724] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000779e2b00 5 bytes JMP 0000000077b40210 .text C:\Windows\system32\svchost.exe[1724] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000779e2be0 1 byte JMP 0000000077b40270 .text C:\Windows\system32\svchost.exe[1724] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 2 00000000779e2be2 3 bytes {JMP 0x15d690} .text C:\Windows\system32\svchost.exe[3500] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000779e13c0 5 bytes JMP 0000000077b40480 .text C:\Windows\system32\svchost.exe[3500] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000779e1410 5 bytes JMP 0000000077b40470 .text C:\Windows\system32\svchost.exe[3500] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000779e1570 5 bytes JMP 0000000077b40360 .text C:\Windows\system32\svchost.exe[3500] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000779e15c0 5 bytes JMP 0000000077b40490 .text C:\Windows\system32\svchost.exe[3500] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779e15d0 5 bytes JMP 0000000077b403d0 .text C:\Windows\system32\svchost.exe[3500] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000779e1680 1 byte JMP 0000000077b40310 .text C:\Windows\system32\svchost.exe[3500] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 2 00000000779e1682 3 bytes {JMP 0x15ec90} .text C:\Windows\system32\svchost.exe[3500] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000779e16b0 5 bytes JMP 0000000077b403a0 .text C:\Windows\system32\svchost.exe[3500] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000779e16d0 5 bytes JMP 0000000077b40380 .text C:\Windows\system32\svchost.exe[3500] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000779e1710 5 bytes JMP 0000000077b402d0 .text C:\Windows\system32\svchost.exe[3500] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000779e1790 5 bytes JMP 0000000077b402c0 .text C:\Windows\system32\svchost.exe[3500] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779e17b0 5 bytes JMP 0000000077b40300 .text C:\Windows\system32\svchost.exe[3500] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779e17f0 5 bytes JMP 0000000077b403b0 .text C:\Windows\system32\svchost.exe[3500] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000779e1830 5 bytes JMP 0000000077b40440 .text C:\Windows\system32\svchost.exe[3500] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000779e1840 5 bytes JMP 0000000077b403e0 .text C:\Windows\system32\svchost.exe[3500] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000779e19a0 5 bytes JMP 0000000077b40220 .text C:\Windows\system32\svchost.exe[3500] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000779e1b60 5 bytes JMP 0000000077b404a0 .text C:\Windows\system32\svchost.exe[3500] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000779e1b90 5 bytes JMP 0000000077b40390 .text C:\Windows\system32\svchost.exe[3500] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000779e1c70 5 bytes JMP 0000000077b402e0 .text C:\Windows\system32\svchost.exe[3500] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000779e1c80 5 bytes JMP 0000000077b40340 .text C:\Windows\system32\svchost.exe[3500] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000779e1ce0 5 bytes JMP 0000000077b40280 .text C:\Windows\system32\svchost.exe[3500] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000779e1d70 5 bytes JMP 0000000077b402a0 .text C:\Windows\system32\svchost.exe[3500] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000779e1d90 5 bytes JMP 0000000077b403c0 .text C:\Windows\system32\svchost.exe[3500] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000779e1da0 5 bytes JMP 0000000077b40320 .text C:\Windows\system32\svchost.exe[3500] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000779e1e10 5 bytes JMP 0000000077b40410 .text C:\Windows\system32\svchost.exe[3500] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000779e1e40 5 bytes JMP 0000000077b40230 .text C:\Windows\system32\svchost.exe[3500] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 00000000779e1fe0 5 bytes JMP 0000000077b403f0 .text C:\Windows\system32\svchost.exe[3500] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000779e2100 5 bytes JMP 0000000077b401d0 .text C:\Windows\system32\svchost.exe[3500] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000779e21c0 5 bytes JMP 0000000077b40240 .text C:\Windows\system32\svchost.exe[3500] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000779e21f0 5 bytes JMP 0000000077b404b0 .text C:\Windows\system32\svchost.exe[3500] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000779e2200 5 bytes JMP 0000000077b404c0 .text C:\Windows\system32\svchost.exe[3500] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000779e2230 5 bytes JMP 0000000077b402f0 .text C:\Windows\system32\svchost.exe[3500] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000779e2240 5 bytes JMP 0000000077b40350 .text C:\Windows\system32\svchost.exe[3500] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000779e22a0 5 bytes JMP 0000000077b40290 .text C:\Windows\system32\svchost.exe[3500] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000779e22f0 5 bytes JMP 0000000077b402b0 .text C:\Windows\system32\svchost.exe[3500] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000779e2320 5 bytes JMP 0000000077b40370 .text C:\Windows\system32\svchost.exe[3500] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000779e2330 5 bytes JMP 0000000077b40330 .text C:\Windows\system32\svchost.exe[3500] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000779e2620 5 bytes JMP 0000000077b40460 .text C:\Windows\system32\svchost.exe[3500] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 00000000779e2780 5 bytes JMP 0000000077b40420 .text C:\Windows\system32\svchost.exe[3500] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000779e2820 5 bytes JMP 0000000077b40250 .text C:\Windows\system32\svchost.exe[3500] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000779e2830 5 bytes JMP 0000000077b40260 .text C:\Windows\system32\svchost.exe[3500] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000779e2840 5 bytes JMP 0000000077b40400 .text C:\Windows\system32\svchost.exe[3500] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000779e2a00 5 bytes JMP 0000000077b401e0 .text C:\Windows\system32\svchost.exe[3500] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000779e2a10 5 bytes JMP 0000000077b40200 .text C:\Windows\system32\svchost.exe[3500] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000779e2a80 5 bytes JMP 0000000077b401f0 .text C:\Windows\system32\svchost.exe[3500] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000779e2ae0 5 bytes JMP 0000000077b40430 .text C:\Windows\system32\svchost.exe[3500] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000779e2af0 5 bytes JMP 0000000077b40450 .text C:\Windows\system32\svchost.exe[3500] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000779e2b00 5 bytes JMP 0000000077b40210 .text C:\Windows\system32\svchost.exe[3500] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000779e2be0 1 byte JMP 0000000077b40270 .text C:\Windows\system32\svchost.exe[3500] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 2 00000000779e2be2 3 bytes {JMP 0x15d690} .text C:\Windows\system32\taskhost.exe[2528] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000779e13c0 5 bytes JMP 0000000077b40480 .text C:\Windows\system32\taskhost.exe[2528] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000779e1410 5 bytes JMP 0000000077b40470 .text C:\Windows\system32\taskhost.exe[2528] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000779e1570 5 bytes JMP 0000000077b40360 .text C:\Windows\system32\taskhost.exe[2528] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000779e15c0 5 bytes JMP 0000000077b40490 .text C:\Windows\system32\taskhost.exe[2528] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779e15d0 5 bytes JMP 0000000077b403d0 .text C:\Windows\system32\taskhost.exe[2528] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000779e1680 1 byte JMP 0000000077b40310 .text C:\Windows\system32\taskhost.exe[2528] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 2 00000000779e1682 3 bytes {JMP 0x15ec90} .text C:\Windows\system32\taskhost.exe[2528] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000779e16b0 5 bytes JMP 0000000077b403a0 .text C:\Windows\system32\taskhost.exe[2528] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000779e16d0 5 bytes JMP 0000000077b40380 .text C:\Windows\system32\taskhost.exe[2528] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000779e1710 5 bytes JMP 0000000077b402d0 .text C:\Windows\system32\taskhost.exe[2528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000779e1790 5 bytes JMP 0000000077b402c0 .text C:\Windows\system32\taskhost.exe[2528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779e17b0 5 bytes JMP 0000000077b40300 .text C:\Windows\system32\taskhost.exe[2528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779e17f0 5 bytes JMP 0000000077b403b0 .text C:\Windows\system32\taskhost.exe[2528] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000779e1830 5 bytes JMP 0000000077b40440 .text C:\Windows\system32\taskhost.exe[2528] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000779e1840 5 bytes JMP 0000000077b403e0 .text C:\Windows\system32\taskhost.exe[2528] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000779e19a0 5 bytes JMP 0000000077b40220 .text C:\Windows\system32\taskhost.exe[2528] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000779e1b60 5 bytes JMP 0000000077b404a0 .text C:\Windows\system32\taskhost.exe[2528] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000779e1b90 5 bytes JMP 0000000077b40390 .text C:\Windows\system32\taskhost.exe[2528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000779e1c70 5 bytes JMP 0000000077b402e0 .text C:\Windows\system32\taskhost.exe[2528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000779e1c80 5 bytes JMP 0000000077b40340 .text C:\Windows\system32\taskhost.exe[2528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000779e1ce0 5 bytes JMP 0000000077b40280 .text C:\Windows\system32\taskhost.exe[2528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000779e1d70 5 bytes JMP 0000000077b402a0 .text C:\Windows\system32\taskhost.exe[2528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000779e1d90 5 bytes JMP 0000000077b403c0 .text C:\Windows\system32\taskhost.exe[2528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000779e1da0 5 bytes JMP 0000000077b40320 .text C:\Windows\system32\taskhost.exe[2528] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000779e1e10 5 bytes JMP 0000000077b40410 .text C:\Windows\system32\taskhost.exe[2528] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000779e1e40 5 bytes JMP 0000000077b40230 .text C:\Windows\system32\taskhost.exe[2528] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 00000000779e1fe0 5 bytes JMP 0000000077b403f0 .text C:\Windows\system32\taskhost.exe[2528] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000779e2100 5 bytes JMP 0000000077b401d0 .text C:\Windows\system32\taskhost.exe[2528] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000779e21c0 5 bytes JMP 0000000077b40240 .text C:\Windows\system32\taskhost.exe[2528] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000779e21f0 5 bytes JMP 0000000077b404b0 .text C:\Windows\system32\taskhost.exe[2528] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000779e2200 5 bytes JMP 0000000077b404c0 .text C:\Windows\system32\taskhost.exe[2528] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000779e2230 5 bytes JMP 0000000077b402f0 .text C:\Windows\system32\taskhost.exe[2528] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000779e2240 5 bytes JMP 0000000077b40350 .text C:\Windows\system32\taskhost.exe[2528] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000779e22a0 5 bytes JMP 0000000077b40290 .text C:\Windows\system32\taskhost.exe[2528] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000779e22f0 5 bytes JMP 0000000077b402b0 .text C:\Windows\system32\taskhost.exe[2528] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000779e2320 5 bytes JMP 0000000077b40370 .text C:\Windows\system32\taskhost.exe[2528] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000779e2330 5 bytes JMP 0000000077b40330 .text C:\Windows\system32\taskhost.exe[2528] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000779e2620 5 bytes JMP 0000000077b40460 .text C:\Windows\system32\taskhost.exe[2528] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 00000000779e2780 5 bytes JMP 0000000077b40420 .text C:\Windows\system32\taskhost.exe[2528] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000779e2820 5 bytes JMP 0000000077b40250 .text C:\Windows\system32\taskhost.exe[2528] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000779e2830 5 bytes JMP 0000000077b40260 .text C:\Windows\system32\taskhost.exe[2528] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000779e2840 5 bytes JMP 0000000077b40400 .text C:\Windows\system32\taskhost.exe[2528] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000779e2a00 5 bytes JMP 0000000077b401e0 .text C:\Windows\system32\taskhost.exe[2528] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000779e2a10 5 bytes JMP 0000000077b40200 .text C:\Windows\system32\taskhost.exe[2528] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000779e2a80 5 bytes JMP 0000000077b401f0 .text C:\Windows\system32\taskhost.exe[2528] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000779e2ae0 5 bytes JMP 0000000077b40430 .text C:\Windows\system32\taskhost.exe[2528] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000779e2af0 5 bytes JMP 0000000077b40450 .text C:\Windows\system32\taskhost.exe[2528] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000779e2b00 5 bytes JMP 0000000077b40210 .text C:\Windows\system32\taskhost.exe[2528] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000779e2be0 1 byte JMP 0000000077b40270 .text C:\Windows\system32\taskhost.exe[2528] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 2 00000000779e2be2 3 bytes {JMP 0x15d690} .text C:\Windows\system32\Dwm.exe[3688] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000779e13c0 5 bytes JMP 0000000000070480 .text C:\Windows\system32\Dwm.exe[3688] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000779e1410 5 bytes JMP 0000000000070470 .text C:\Windows\system32\Dwm.exe[3688] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000779e1570 5 bytes JMP 0000000000070360 .text C:\Windows\system32\Dwm.exe[3688] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000779e15c0 5 bytes JMP 0000000000070490 .text C:\Windows\system32\Dwm.exe[3688] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779e15d0 5 bytes JMP 00000000000703d0 .text C:\Windows\system32\Dwm.exe[3688] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000779e1680 1 byte JMP 0000000000070310 .text C:\Windows\system32\Dwm.exe[3688] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 2 00000000779e1682 3 bytes {JMP 0xffffffff8868ec90} .text C:\Windows\system32\Dwm.exe[3688] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000779e16b0 5 bytes JMP 00000000000703a0 .text C:\Windows\system32\Dwm.exe[3688] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000779e16d0 5 bytes JMP 0000000000070380 .text C:\Windows\system32\Dwm.exe[3688] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000779e1710 5 bytes JMP 00000000000702d0 .text C:\Windows\system32\Dwm.exe[3688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000779e1790 5 bytes JMP 00000000000702c0 .text C:\Windows\system32\Dwm.exe[3688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779e17b0 5 bytes JMP 0000000000070300 .text C:\Windows\system32\Dwm.exe[3688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779e17f0 5 bytes JMP 00000000000703b0 .text C:\Windows\system32\Dwm.exe[3688] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000779e1830 5 bytes JMP 0000000000070440 .text C:\Windows\system32\Dwm.exe[3688] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000779e1840 5 bytes JMP 00000000000703e0 .text C:\Windows\system32\Dwm.exe[3688] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000779e19a0 5 bytes JMP 0000000000070220 .text C:\Windows\system32\Dwm.exe[3688] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000779e1b60 5 bytes JMP 00000000000704a0 .text C:\Windows\system32\Dwm.exe[3688] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000779e1b90 5 bytes JMP 0000000000070390 .text C:\Windows\system32\Dwm.exe[3688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000779e1c70 5 bytes JMP 00000000000702e0 .text C:\Windows\system32\Dwm.exe[3688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000779e1c80 5 bytes JMP 0000000000070340 .text C:\Windows\system32\Dwm.exe[3688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000779e1ce0 5 bytes JMP 0000000000070280 .text C:\Windows\system32\Dwm.exe[3688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000779e1d70 5 bytes JMP 00000000000702a0 .text C:\Windows\system32\Dwm.exe[3688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000779e1d90 5 bytes JMP 00000000000703c0 .text C:\Windows\system32\Dwm.exe[3688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000779e1da0 5 bytes JMP 0000000000070320 .text C:\Windows\system32\Dwm.exe[3688] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000779e1e10 5 bytes JMP 0000000000070410 .text C:\Windows\system32\Dwm.exe[3688] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000779e1e40 5 bytes JMP 0000000000070230 .text C:\Windows\system32\Dwm.exe[3688] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 00000000779e1fe0 5 bytes JMP 00000000000703f0 .text C:\Windows\system32\Dwm.exe[3688] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000779e2100 5 bytes JMP 00000000000701d0 .text C:\Windows\system32\Dwm.exe[3688] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000779e21c0 5 bytes JMP 0000000000070240 .text C:\Windows\system32\Dwm.exe[3688] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000779e21f0 5 bytes JMP 00000000000704b0 .text C:\Windows\system32\Dwm.exe[3688] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000779e2200 5 bytes JMP 00000000000704c0 .text C:\Windows\system32\Dwm.exe[3688] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000779e2230 5 bytes JMP 00000000000702f0 .text C:\Windows\system32\Dwm.exe[3688] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000779e2240 5 bytes JMP 0000000000070350 .text C:\Windows\system32\Dwm.exe[3688] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000779e22a0 5 bytes JMP 0000000000070290 .text C:\Windows\system32\Dwm.exe[3688] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000779e22f0 5 bytes JMP 00000000000702b0 .text C:\Windows\system32\Dwm.exe[3688] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000779e2320 5 bytes JMP 0000000000070370 .text C:\Windows\system32\Dwm.exe[3688] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000779e2330 5 bytes JMP 0000000000070330 .text C:\Windows\system32\Dwm.exe[3688] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000779e2620 5 bytes JMP 0000000000070460 .text C:\Windows\system32\Dwm.exe[3688] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 00000000779e2780 5 bytes JMP 0000000000070420 .text C:\Windows\system32\Dwm.exe[3688] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000779e2820 5 bytes JMP 0000000000070250 .text C:\Windows\system32\Dwm.exe[3688] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000779e2830 5 bytes JMP 0000000000070260 .text C:\Windows\system32\Dwm.exe[3688] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000779e2840 5 bytes JMP 0000000000070400 .text C:\Windows\system32\Dwm.exe[3688] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000779e2a00 5 bytes JMP 00000000000701e0 .text C:\Windows\system32\Dwm.exe[3688] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000779e2a10 5 bytes JMP 0000000000070200 .text C:\Windows\system32\Dwm.exe[3688] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000779e2a80 5 bytes JMP 00000000000701f0 .text C:\Windows\system32\Dwm.exe[3688] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000779e2ae0 5 bytes JMP 0000000000070430 .text C:\Windows\system32\Dwm.exe[3688] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000779e2af0 5 bytes JMP 0000000000070450 .text C:\Windows\system32\Dwm.exe[3688] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000779e2b00 5 bytes JMP 0000000000070210 .text C:\Windows\system32\Dwm.exe[3688] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000779e2be0 1 byte JMP 0000000000070270 .text C:\Windows\system32\Dwm.exe[3688] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 2 00000000779e2be2 3 bytes {JMP 0xffffffff8868d690} .text C:\Windows\Explorer.EXE[2600] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000779e13c0 5 bytes JMP 0000000077b40480 .text C:\Windows\Explorer.EXE[2600] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000779e1410 5 bytes JMP 0000000077b40470 .text C:\Windows\Explorer.EXE[2600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000779e1570 5 bytes JMP 0000000077b40360 .text C:\Windows\Explorer.EXE[2600] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000779e15c0 5 bytes JMP 0000000077b40490 .text C:\Windows\Explorer.EXE[2600] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779e15d0 5 bytes JMP 0000000077b403d0 .text C:\Windows\Explorer.EXE[2600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000779e1680 1 byte JMP 0000000077b40310 .text C:\Windows\Explorer.EXE[2600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 2 00000000779e1682 3 bytes {JMP 0x15ec90} .text C:\Windows\Explorer.EXE[2600] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000779e16b0 5 bytes JMP 0000000077b403a0 .text C:\Windows\Explorer.EXE[2600] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000779e16d0 5 bytes JMP 0000000077b40380 .text C:\Windows\Explorer.EXE[2600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000779e1710 5 bytes JMP 0000000077b402d0 .text C:\Windows\Explorer.EXE[2600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000779e1790 5 bytes JMP 0000000077b402c0 .text C:\Windows\Explorer.EXE[2600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779e17b0 5 bytes JMP 0000000077b40300 .text C:\Windows\Explorer.EXE[2600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779e17f0 5 bytes JMP 0000000077b403b0 .text C:\Windows\Explorer.EXE[2600] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000779e1830 5 bytes JMP 0000000077b40440 .text C:\Windows\Explorer.EXE[2600] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000779e1840 5 bytes JMP 0000000077b403e0 .text C:\Windows\Explorer.EXE[2600] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000779e19a0 5 bytes JMP 0000000077b40220 .text C:\Windows\Explorer.EXE[2600] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000779e1b60 5 bytes JMP 0000000077b404a0 .text C:\Windows\Explorer.EXE[2600] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000779e1b90 5 bytes JMP 0000000077b40390 .text C:\Windows\Explorer.EXE[2600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000779e1c70 5 bytes JMP 0000000077b402e0 .text C:\Windows\Explorer.EXE[2600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000779e1c80 5 bytes JMP 0000000077b40340 .text C:\Windows\Explorer.EXE[2600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000779e1ce0 5 bytes JMP 0000000077b40280 .text C:\Windows\Explorer.EXE[2600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000779e1d70 5 bytes JMP 0000000077b402a0 .text C:\Windows\Explorer.EXE[2600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000779e1d90 5 bytes JMP 0000000077b403c0 .text C:\Windows\Explorer.EXE[2600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000779e1da0 5 bytes JMP 0000000077b40320 .text C:\Windows\Explorer.EXE[2600] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000779e1e10 5 bytes JMP 0000000077b40410 .text C:\Windows\Explorer.EXE[2600] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000779e1e40 5 bytes JMP 0000000077b40230 .text C:\Windows\Explorer.EXE[2600] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 00000000779e1fe0 5 bytes JMP 0000000077b403f0 .text C:\Windows\Explorer.EXE[2600] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000779e2100 5 bytes JMP 0000000077b401d0 .text C:\Windows\Explorer.EXE[2600] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000779e21c0 5 bytes JMP 0000000077b40240 .text C:\Windows\Explorer.EXE[2600] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000779e21f0 5 bytes JMP 0000000077b404b0 .text C:\Windows\Explorer.EXE[2600] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000779e2200 5 bytes JMP 0000000077b404c0 .text C:\Windows\Explorer.EXE[2600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000779e2230 5 bytes JMP 0000000077b402f0 .text C:\Windows\Explorer.EXE[2600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000779e2240 5 bytes JMP 0000000077b40350 .text C:\Windows\Explorer.EXE[2600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000779e22a0 5 bytes JMP 0000000077b40290 .text C:\Windows\Explorer.EXE[2600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000779e22f0 5 bytes JMP 0000000077b402b0 .text C:\Windows\Explorer.EXE[2600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000779e2320 5 bytes JMP 0000000077b40370 .text C:\Windows\Explorer.EXE[2600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000779e2330 5 bytes JMP 0000000077b40330 .text C:\Windows\Explorer.EXE[2600] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000779e2620 5 bytes JMP 0000000077b40460 .text C:\Windows\Explorer.EXE[2600] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 00000000779e2780 5 bytes JMP 0000000077b40420 .text C:\Windows\Explorer.EXE[2600] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000779e2820 5 bytes JMP 0000000077b40250 .text C:\Windows\Explorer.EXE[2600] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000779e2830 5 bytes JMP 0000000077b40260 .text C:\Windows\Explorer.EXE[2600] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000779e2840 5 bytes JMP 0000000077b40400 .text C:\Windows\Explorer.EXE[2600] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000779e2a00 5 bytes JMP 0000000077b401e0 .text C:\Windows\Explorer.EXE[2600] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000779e2a10 5 bytes JMP 0000000077b40200 .text C:\Windows\Explorer.EXE[2600] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000779e2a80 5 bytes JMP 0000000077b401f0 .text C:\Windows\Explorer.EXE[2600] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000779e2ae0 5 bytes JMP 0000000077b40430 .text C:\Windows\Explorer.EXE[2600] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000779e2af0 5 bytes JMP 0000000077b40450 .text C:\Windows\Explorer.EXE[2600] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000779e2b00 5 bytes JMP 0000000077b40210 .text C:\Windows\Explorer.EXE[2600] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000779e2be0 1 byte JMP 0000000077b40270 .text C:\Windows\Explorer.EXE[2600] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 2 00000000779e2be2 3 bytes {JMP 0x15d690} .text C:\Program Files (x86)\Bluestacks\HD-Agent.exe[1932] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 69 00000000774e1465 2 bytes [4E, 77] .text C:\Program Files (x86)\Bluestacks\HD-Agent.exe[1932] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 155 00000000774e14bb 2 bytes [4E, 77] .text ... * 2 .text C:\Program Files (x86)\AVG SafeGuard toolbar\vprot.exe[4304] C:\Windows\syswow64\Psapi.dll!GetModuleInformation + 69 00000000774e1465 2 bytes [4E, 77] .text C:\Program Files (x86)\AVG SafeGuard toolbar\vprot.exe[4304] C:\Windows\syswow64\Psapi.dll!GetModuleInformation + 155 00000000774e14bb 2 bytes [4E, 77] .text ... * 2 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4540] C:\Windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter 0000000076cc87c9 8 bytes [31, C0, C2, 04, 00, 90, 90, ...] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4540] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000774e1465 2 bytes [4E, 77] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4540] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000774e14bb 2 bytes [4E, 77] .text ... * 2 .text C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\WSHelper.exe[4580] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000774e1465 2 bytes [4E, 77] .text C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\WSHelper.exe[4580] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000774e14bb 2 bytes [4E, 77] .text ... * 2 .text C:\Windows\System32\svchost.exe[5472] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000779e13c0 5 bytes JMP 0000000077b40480 .text C:\Windows\System32\svchost.exe[5472] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000779e1410 5 bytes JMP 0000000077b40470 .text C:\Windows\System32\svchost.exe[5472] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000779e1570 5 bytes JMP 0000000077b40360 .text C:\Windows\System32\svchost.exe[5472] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000779e15c0 5 bytes JMP 0000000077b40490 .text C:\Windows\System32\svchost.exe[5472] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779e15d0 5 bytes JMP 0000000077b403d0 .text C:\Windows\System32\svchost.exe[5472] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000779e1680 1 byte JMP 0000000077b40310 .text C:\Windows\System32\svchost.exe[5472] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 2 00000000779e1682 3 bytes {JMP 0x15ec90} .text C:\Windows\System32\svchost.exe[5472] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000779e16b0 5 bytes JMP 0000000077b403a0 .text C:\Windows\System32\svchost.exe[5472] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000779e16d0 5 bytes JMP 0000000077b40380 .text C:\Windows\System32\svchost.exe[5472] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000779e1710 5 bytes JMP 0000000077b402d0 .text C:\Windows\System32\svchost.exe[5472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000779e1790 5 bytes JMP 0000000077b402c0 .text C:\Windows\System32\svchost.exe[5472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779e17b0 5 bytes JMP 0000000077b40300 .text C:\Windows\System32\svchost.exe[5472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779e17f0 5 bytes JMP 0000000077b403b0 .text C:\Windows\System32\svchost.exe[5472] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000779e1830 5 bytes JMP 0000000077b40440 .text C:\Windows\System32\svchost.exe[5472] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000779e1840 5 bytes JMP 0000000077b403e0 .text C:\Windows\System32\svchost.exe[5472] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000779e19a0 5 bytes JMP 0000000077b40220 .text C:\Windows\System32\svchost.exe[5472] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000779e1b60 5 bytes JMP 0000000077b404a0 .text C:\Windows\System32\svchost.exe[5472] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000779e1b90 5 bytes JMP 0000000077b40390 .text C:\Windows\System32\svchost.exe[5472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000779e1c70 5 bytes JMP 0000000077b402e0 .text C:\Windows\System32\svchost.exe[5472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000779e1c80 5 bytes JMP 0000000077b40340 .text C:\Windows\System32\svchost.exe[5472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000779e1ce0 5 bytes JMP 0000000077b40280 .text C:\Windows\System32\svchost.exe[5472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000779e1d70 5 bytes JMP 0000000077b402a0 .text C:\Windows\System32\svchost.exe[5472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000779e1d90 5 bytes JMP 0000000077b403c0 .text C:\Windows\System32\svchost.exe[5472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000779e1da0 5 bytes JMP 0000000077b40320 .text C:\Windows\System32\svchost.exe[5472] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000779e1e10 5 bytes JMP 0000000077b40410 .text C:\Windows\System32\svchost.exe[5472] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000779e1e40 5 bytes JMP 0000000077b40230 .text C:\Windows\System32\svchost.exe[5472] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 00000000779e1fe0 5 bytes JMP 0000000077b403f0 .text C:\Windows\System32\svchost.exe[5472] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000779e2100 5 bytes JMP 0000000077b401d0 .text C:\Windows\System32\svchost.exe[5472] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000779e21c0 5 bytes JMP 0000000077b40240 .text C:\Windows\System32\svchost.exe[5472] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000779e21f0 5 bytes JMP 0000000077b404b0 .text C:\Windows\System32\svchost.exe[5472] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000779e2200 5 bytes JMP 0000000077b404c0 .text C:\Windows\System32\svchost.exe[5472] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000779e2230 5 bytes JMP 0000000077b402f0 .text C:\Windows\System32\svchost.exe[5472] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000779e2240 5 bytes JMP 0000000077b40350 .text C:\Windows\System32\svchost.exe[5472] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000779e22a0 5 bytes JMP 0000000077b40290 .text C:\Windows\System32\svchost.exe[5472] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000779e22f0 5 bytes JMP 0000000077b402b0 .text C:\Windows\System32\svchost.exe[5472] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000779e2320 5 bytes JMP 0000000077b40370 .text C:\Windows\System32\svchost.exe[5472] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000779e2330 5 bytes JMP 0000000077b40330 .text C:\Windows\System32\svchost.exe[5472] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000779e2620 5 bytes JMP 0000000077b40460 .text C:\Windows\System32\svchost.exe[5472] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 00000000779e2780 5 bytes JMP 0000000077b40420 .text C:\Windows\System32\svchost.exe[5472] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000779e2820 5 bytes JMP 0000000077b40250 .text C:\Windows\System32\svchost.exe[5472] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000779e2830 5 bytes JMP 0000000077b40260 .text C:\Windows\System32\svchost.exe[5472] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000779e2840 5 bytes JMP 0000000077b40400 .text C:\Windows\System32\svchost.exe[5472] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000779e2a00 5 bytes JMP 0000000077b401e0 .text C:\Windows\System32\svchost.exe[5472] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000779e2a10 5 bytes JMP 0000000077b40200 .text C:\Windows\System32\svchost.exe[5472] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000779e2a80 5 bytes JMP 0000000077b401f0 .text C:\Windows\System32\svchost.exe[5472] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000779e2ae0 5 bytes JMP 0000000077b40430 .text C:\Windows\System32\svchost.exe[5472] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000779e2af0 5 bytes JMP 0000000077b40450 .text C:\Windows\System32\svchost.exe[5472] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000779e2b00 5 bytes JMP 0000000077b40210 .text C:\Windows\System32\svchost.exe[5472] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000779e2be0 1 byte JMP 0000000077b40270 .text C:\Windows\System32\svchost.exe[5472] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 2 00000000779e2be2 3 bytes {JMP 0x15d690} .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[3312] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077bac43a 5 bytes JMP 000000006f1101f8 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[3312] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077bb11d7 5 bytes JMP 000000006f1103fc .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[3312] C:\Windows\syswow64\USER32.dll!CreateWindowExW 0000000076ea8a29 5 bytes JMP 000000006bee3834 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[3312] C:\Windows\syswow64\USER32.dll!DialogBoxIndirectParamW 0000000076eccbf3 5 bytes JMP 000000006c01dcd8 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[3312] C:\Windows\syswow64\USER32.dll!DialogBoxParamW 0000000076eccfca 5 bytes JMP 000000006be17f59 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[3312] C:\Windows\syswow64\USER32.dll!DialogBoxParamA 0000000076eecb0c 5 bytes JMP 000000006c01dc75 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[3312] C:\Windows\syswow64\USER32.dll!DialogBoxIndirectParamA 0000000076eece64 5 bytes JMP 000000006c01dd3b .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[3312] C:\Windows\syswow64\USER32.dll!MessageBoxIndirectA 0000000076effbd1 5 bytes JMP 000000006c01dc0a .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[3312] C:\Windows\syswow64\USER32.dll!MessageBoxIndirectW 0000000076effc9d 5 bytes JMP 000000006c01db9f .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[3312] C:\Windows\syswow64\USER32.dll!MessageBoxExA 0000000076effcd6 5 bytes JMP 000000006c01db3d .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[3312] C:\Windows\syswow64\USER32.dll!MessageBoxExW 0000000076effcfa 5 bytes JMP 000000006c01dadb .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[3312] C:\Windows\syswow64\OLEAUT32.dll!OleCreatePropertyFrameIndirect 00000000777393fc 5 bytes JMP 000000006c01e83a .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[3312] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000774e1465 2 bytes [4E, 77] .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[3312] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000774e14bb 2 bytes [4E, 77] .text ... * 2 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[3312] C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll!PropertySheetW 000000007272388e 5 bytes JMP 000000006c01f282 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[3312] C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll!PropertySheet 00000000727c7922 5 bytes JMP 000000006c01f323 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[3312] C:\Windows\syswow64\comdlg32.dll!PageSetupDlgW 0000000076ab2694 5 bytes JMP 000000006c01ea33 ? C:\Windows\System32\NLSData0000.dll [3312] entry point in ".rdata" section 00000000675dc541 ? C:\Windows\system32\mssprxy.dll [3312] entry point in ".rdata" section 000000006e7171e6 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4388] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077bac43a 5 bytes JMP 00000000549d01f8 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4388] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077bb11d7 5 bytes JMP 00000000549d03fc .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4388] C:\Windows\syswow64\USER32.dll!CreateWindowExW 0000000076ea8a29 5 bytes JMP 000000006bee3834 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4388] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000076eb291f 5 bytes JMP 000000006be10f59 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4388] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076eb2da4 5 bytes JMP 000000006be0a855 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4388] C:\Windows\syswow64\USER32.dll!CallNextHookEx 0000000076eb6285 5 bytes JMP 000000006be53c96 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4388] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076eb7603 5 bytes JMP 000000006bea7df9 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4388] C:\Windows\syswow64\USER32.dll!CreateDialogIndirectParamA 0000000076ebb029 5 bytes JMP 000000006c01e9c5 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4388] C:\Windows\syswow64\USER32.dll!CreateDialogIndirectParamW 0000000076ebc63e 5 bytes JMP 000000006c01e9fc .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4388] C:\Windows\syswow64\USER32.dll!IsDialogMessage 0000000076ec50ed 5 bytes JMP 000000006c01e191 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4388] C:\Windows\syswow64\USER32.dll!CreateDialogParamA 0000000076ec5246 5 bytes JMP 000000006c01e957 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4388] C:\Windows\syswow64\USER32.dll!EndDialog 0000000076ecb99c 5 bytes JMP 000000006be0b000 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4388] C:\Windows\syswow64\USER32.dll!IsDialogMessageW 0000000076ecc701 5 bytes JMP 000000006be0adae .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4388] C:\Windows\syswow64\USER32.dll!DialogBoxIndirectParamW 0000000076eccbf3 5 bytes JMP 000000006c01dcd8 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4388] C:\Windows\syswow64\USER32.dll!DialogBoxParamW 0000000076eccfca 5 bytes JMP 000000006be17f59 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4388] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000076eceb96 5 bytes JMP 000000006be0b202 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4388] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 0000000076ecf52b 5 bytes JMP 000000006bf0d963 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4388] C:\Windows\syswow64\USER32.dll!SendInput 0000000076ecff4a 5 bytes JMP 000000006c01f11c .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4388] C:\Windows\syswow64\USER32.dll!CreateDialogParamW 0000000076ed10dc 5 bytes JMP 000000006c01e98e .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4388] C:\Windows\syswow64\USER32.dll!SetKeyboardState 0000000076ed14b2 5 bytes JMP 000000006c01e4f6 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4388] C:\Windows\syswow64\USER32.dll!SetCursorPos 0000000076ee9cfd 5 bytes JMP 000000006c01f174 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4388] C:\Windows\syswow64\USER32.dll!DialogBoxParamA 0000000076eecb0c 5 bytes JMP 000000006c01dc75 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4388] C:\Windows\syswow64\USER32.dll!DialogBoxIndirectParamA 0000000076eece64 5 bytes JMP 000000006c01dd3b .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4388] C:\Windows\syswow64\USER32.dll!MessageBoxIndirectA 0000000076effbd1 5 bytes JMP 000000006c01dc0a .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4388] C:\Windows\syswow64\USER32.dll!MessageBoxIndirectW 0000000076effc9d 5 bytes JMP 000000006c01db9f .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4388] C:\Windows\syswow64\USER32.dll!MessageBoxExA 0000000076effcd6 5 bytes JMP 000000006c01db3d .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4388] C:\Windows\syswow64\USER32.dll!MessageBoxExW 0000000076effcfa 5 bytes JMP 000000006c01dadb .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4388] C:\Windows\syswow64\USER32.dll!keybd_event 0000000076f002bf 5 bytes JMP 000000006c01f4a7 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4388] C:\Windows\syswow64\ole32.dll!OleLoadFromStream 0000000076946143 5 bytes JMP 000000006c01e036 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4388] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000076989d0b 5 bytes JMP 000000006bee33c2 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4388] C:\Windows\syswow64\OLEAUT32.dll!SysFreeString 00000000776d3e59 5 bytes JMP 000000006befd8fb .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4388] C:\Windows\syswow64\OLEAUT32.dll!VariantClear 00000000776d3eae 5 bytes JMP 000000006befe408 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4388] C:\Windows\syswow64\OLEAUT32.dll!SysAllocStringByteLen 00000000776d4731 5 bytes JMP 000000006c01ec33 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4388] C:\Windows\syswow64\OLEAUT32.dll!VariantChangeType 00000000776d5dee 5 bytes JMP 000000006c01ec7e .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4388] C:\Windows\syswow64\OLEAUT32.dll!OleCreatePropertyFrameIndirect 00000000777393fc 5 bytes JMP 000000006c01e83a .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4388] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000774e1465 2 bytes [4E, 77] .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4388] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000774e14bb 2 bytes [4E, 77] .text ... * 2 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4388] C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll!PropertySheetW 000000007272388e 5 bytes JMP 000000006c01f282 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4388] C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll!PropertySheet 00000000727c7922 5 bytes JMP 000000006c01f323 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4388] C:\Windows\syswow64\comdlg32.dll!PrintDlgW 0000000076aa33a3 5 bytes JMP 000000006c01eacd .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4388] C:\Windows\syswow64\comdlg32.dll!PageSetupDlgW 0000000076ab2694 5 bytes JMP 000000006c01ea33 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4924] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077bac43a 5 bytes JMP 000000005c4e01f8 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4924] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077bb11d7 5 bytes JMP 000000005c4e03fc .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4924] C:\Windows\syswow64\USER32.dll!CreateWindowExW 0000000076ea8a29 5 bytes JMP 000000006bee3834 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4924] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000076eb291f 5 bytes JMP 000000006be10f59 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4924] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076eb2da4 5 bytes JMP 000000006be0a855 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4924] C:\Windows\syswow64\USER32.dll!CallNextHookEx 0000000076eb6285 5 bytes JMP 000000006be53c96 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4924] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076eb7603 5 bytes JMP 000000006bea7df9 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4924] C:\Windows\syswow64\USER32.dll!CreateDialogIndirectParamA 0000000076ebb029 5 bytes JMP 000000006c01e9c5 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4924] C:\Windows\syswow64\USER32.dll!CreateDialogIndirectParamW 0000000076ebc63e 5 bytes JMP 000000006c01e9fc .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4924] C:\Windows\syswow64\USER32.dll!IsDialogMessage 0000000076ec50ed 5 bytes JMP 000000006c01e191 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4924] C:\Windows\syswow64\USER32.dll!CreateDialogParamA 0000000076ec5246 5 bytes JMP 000000006c01e957 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4924] C:\Windows\syswow64\USER32.dll!EndDialog 0000000076ecb99c 5 bytes JMP 000000006be0b000 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4924] C:\Windows\syswow64\USER32.dll!IsDialogMessageW 0000000076ecc701 5 bytes JMP 000000006be0adae .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4924] C:\Windows\syswow64\USER32.dll!DialogBoxIndirectParamW 0000000076eccbf3 5 bytes JMP 000000006c01dcd8 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4924] C:\Windows\syswow64\USER32.dll!DialogBoxParamW 0000000076eccfca 5 bytes JMP 000000006be17f59 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4924] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000076eceb96 5 bytes JMP 000000006be0b202 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4924] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 0000000076ecf52b 5 bytes JMP 000000006bf0d963 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4924] C:\Windows\syswow64\USER32.dll!SendInput 0000000076ecff4a 5 bytes JMP 000000006c01f11c .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4924] C:\Windows\syswow64\USER32.dll!CreateDialogParamW 0000000076ed10dc 5 bytes JMP 000000006c01e98e .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4924] C:\Windows\syswow64\USER32.dll!SetKeyboardState 0000000076ed14b2 5 bytes JMP 000000006c01e4f6 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4924] C:\Windows\syswow64\USER32.dll!SetCursorPos 0000000076ee9cfd 5 bytes JMP 000000006c01f174 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4924] C:\Windows\syswow64\USER32.dll!DialogBoxParamA 0000000076eecb0c 5 bytes JMP 000000006c01dc75 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4924] C:\Windows\syswow64\USER32.dll!DialogBoxIndirectParamA 0000000076eece64 5 bytes JMP 000000006c01dd3b .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4924] C:\Windows\syswow64\USER32.dll!MessageBoxIndirectA 0000000076effbd1 5 bytes JMP 000000006c01dc0a .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4924] C:\Windows\syswow64\USER32.dll!MessageBoxIndirectW 0000000076effc9d 5 bytes JMP 000000006c01db9f .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4924] C:\Windows\syswow64\USER32.dll!MessageBoxExA 0000000076effcd6 5 bytes JMP 000000006c01db3d .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4924] C:\Windows\syswow64\USER32.dll!MessageBoxExW 0000000076effcfa 5 bytes JMP 000000006c01dadb .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4924] C:\Windows\syswow64\USER32.dll!keybd_event 0000000076f002bf 5 bytes JMP 000000006c01f4a7 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4924] C:\Windows\syswow64\ole32.dll!OleLoadFromStream 0000000076946143 5 bytes JMP 000000006c01e036 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4924] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000076989d0b 5 bytes JMP 000000006bee33c2 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4924] C:\Windows\syswow64\OLEAUT32.dll!SysFreeString 00000000776d3e59 5 bytes JMP 000000006befd8fb .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4924] C:\Windows\syswow64\OLEAUT32.dll!VariantClear 00000000776d3eae 5 bytes JMP 000000006befe408 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4924] C:\Windows\syswow64\OLEAUT32.dll!SysAllocStringByteLen 00000000776d4731 5 bytes JMP 000000006c01ec33 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4924] C:\Windows\syswow64\OLEAUT32.dll!VariantChangeType 00000000776d5dee 5 bytes JMP 000000006c01ec7e .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4924] C:\Windows\syswow64\OLEAUT32.dll!OleCreatePropertyFrameIndirect 00000000777393fc 5 bytes JMP 000000006c01e83a .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4924] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000774e1465 2 bytes [4E, 77] .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4924] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000774e14bb 2 bytes [4E, 77] .text ... * 2 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4924] C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll!PropertySheetW 000000007272388e 5 bytes JMP 000000006c01f282 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4924] C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll!PropertySheet 00000000727c7922 5 bytes JMP 000000006c01f323 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4924] C:\Windows\syswow64\comdlg32.dll!PrintDlgW 0000000076aa33a3 5 bytes JMP 000000006c01eacd .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4924] C:\Windows\syswow64\comdlg32.dll!PageSetupDlgW 0000000076ab2694 5 bytes JMP 000000006c01ea33 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4784] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077bac43a 5 bytes JMP 0000000066ce01f8 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4784] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077bb11d7 5 bytes JMP 0000000066ce03fc .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4784] C:\Windows\syswow64\USER32.dll!CreateWindowExW 0000000076ea8a29 5 bytes JMP 000000006bee3834 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4784] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000076eb291f 5 bytes JMP 000000006be10f59 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4784] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076eb2da4 5 bytes JMP 000000006be0a855 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4784] C:\Windows\syswow64\USER32.dll!CallNextHookEx 0000000076eb6285 5 bytes JMP 000000006be53c96 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4784] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076eb7603 5 bytes JMP 000000006bea7df9 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4784] C:\Windows\syswow64\USER32.dll!CreateDialogIndirectParamA 0000000076ebb029 5 bytes JMP 000000006c01e9c5 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4784] C:\Windows\syswow64\USER32.dll!CreateDialogIndirectParamW 0000000076ebc63e 5 bytes JMP 000000006c01e9fc .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4784] C:\Windows\syswow64\USER32.dll!IsDialogMessage 0000000076ec50ed 5 bytes JMP 000000006c01e191 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4784] C:\Windows\syswow64\USER32.dll!CreateDialogParamA 0000000076ec5246 5 bytes JMP 000000006c01e957 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4784] C:\Windows\syswow64\USER32.dll!EndDialog 0000000076ecb99c 5 bytes JMP 000000006be0b000 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4784] C:\Windows\syswow64\USER32.dll!IsDialogMessageW 0000000076ecc701 5 bytes JMP 000000006be0adae .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4784] C:\Windows\syswow64\USER32.dll!DialogBoxIndirectParamW 0000000076eccbf3 5 bytes JMP 000000006c01dcd8 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4784] C:\Windows\syswow64\USER32.dll!DialogBoxParamW 0000000076eccfca 5 bytes JMP 000000006be17f59 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4784] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000076eceb96 5 bytes JMP 000000006be0b202 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4784] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 0000000076ecf52b 5 bytes JMP 000000006bf0d963 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4784] C:\Windows\syswow64\USER32.dll!SendInput 0000000076ecff4a 5 bytes JMP 000000006c01f11c .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4784] C:\Windows\syswow64\USER32.dll!CreateDialogParamW 0000000076ed10dc 5 bytes JMP 000000006c01e98e .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4784] C:\Windows\syswow64\USER32.dll!SetKeyboardState 0000000076ed14b2 5 bytes JMP 000000006c01e4f6 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4784] C:\Windows\syswow64\USER32.dll!SetCursorPos 0000000076ee9cfd 5 bytes JMP 000000006c01f174 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4784] C:\Windows\syswow64\USER32.dll!DialogBoxParamA 0000000076eecb0c 5 bytes JMP 000000006c01dc75 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4784] C:\Windows\syswow64\USER32.dll!DialogBoxIndirectParamA 0000000076eece64 5 bytes JMP 000000006c01dd3b .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4784] C:\Windows\syswow64\USER32.dll!MessageBoxIndirectA 0000000076effbd1 5 bytes JMP 000000006c01dc0a .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4784] C:\Windows\syswow64\USER32.dll!MessageBoxIndirectW 0000000076effc9d 5 bytes JMP 000000006c01db9f .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4784] C:\Windows\syswow64\USER32.dll!MessageBoxExA 0000000076effcd6 5 bytes JMP 000000006c01db3d .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4784] C:\Windows\syswow64\USER32.dll!MessageBoxExW 0000000076effcfa 5 bytes JMP 000000006c01dadb .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4784] C:\Windows\syswow64\USER32.dll!keybd_event 0000000076f002bf 5 bytes JMP 000000006c01f4a7 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4784] C:\Windows\syswow64\ole32.dll!OleLoadFromStream 0000000076946143 5 bytes JMP 000000006c01e036 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4784] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000076989d0b 5 bytes JMP 000000006bee33c2 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4784] C:\Windows\syswow64\OLEAUT32.dll!SysFreeString 00000000776d3e59 5 bytes JMP 000000006befd8fb .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4784] C:\Windows\syswow64\OLEAUT32.dll!VariantClear 00000000776d3eae 5 bytes JMP 000000006befe408 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4784] C:\Windows\syswow64\OLEAUT32.dll!SysAllocStringByteLen 00000000776d4731 5 bytes JMP 000000006c01ec33 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4784] C:\Windows\syswow64\OLEAUT32.dll!VariantChangeType 00000000776d5dee 5 bytes JMP 000000006c01ec7e .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4784] C:\Windows\syswow64\OLEAUT32.dll!OleCreatePropertyFrameIndirect 00000000777393fc 5 bytes JMP 000000006c01e83a .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4784] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000774e1465 2 bytes [4E, 77] .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4784] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000774e14bb 2 bytes [4E, 77] .text ... * 2 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4784] C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll!PropertySheetW 000000007272388e 5 bytes JMP 000000006c01f282 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4784] C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll!PropertySheet 00000000727c7922 5 bytes JMP 000000006c01f323 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4784] C:\Windows\syswow64\comdlg32.dll!PrintDlgW 0000000076aa33a3 5 bytes JMP 000000006c01eacd .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4784] C:\Windows\syswow64\comdlg32.dll!PageSetupDlgW 0000000076ab2694 5 bytes JMP 000000006c01ea33 ---- Registry - GMER 2.2 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\889ffab79a18 Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\889ffab79a18@fcc7343378db 0x53 0x42 0xD7 0xE4 ... Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\889ffab79a18@e063e53b249c 0x80 0x22 0xEA 0x8F ... Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\889ffab79a18@201402003210 0x7A 0xB2 0x73 0x9C ... Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\889ffab79a18@78923e35e81e 0x09 0xC1 0x77 0x99 ... Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\889ffab79a18@8cbfa6345a18 0xB0 0x37 0x13 0xF1 ... Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\889ffab79a18@4dff276c67be 0xD2 0xEE 0x1A 0xC7 ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\889ffab79a18 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\889ffab79a18@fcc7343378db 0x53 0x42 0xD7 0xE4 ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\889ffab79a18@e063e53b249c 0x80 0x22 0xEA 0x8F ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\889ffab79a18@201402003210 0x7A 0xB2 0x73 0x9C ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\889ffab79a18@78923e35e81e 0x09 0xC1 0x77 0x99 ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\889ffab79a18@8cbfa6345a18 0xB0 0x37 0x13 0xF1 ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\889ffab79a18@4dff276c67be 0xD2 0xEE 0x1A 0xC7 ... ---- EOF - GMER 2.2 ----