GMER 2.2.19882 - http://www.gmer.net Rootkit scan 2017-04-30 23:30:00 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 WDC_WD2500AAKX-001CA0 rev.15.01H15 232,89GB Running: wq9334qb.exe; Driver: C:\Users\Joanna\AppData\Local\Temp\kwrdipow.sys ---- User code sections - GMER 2.2 ---- .text C:\Windows\system32\csrss.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007702da60 5 bytes JMP 000000004a4c0368 .text C:\Windows\system32\csrss.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007702dab0 5 bytes JMP 000000004a4c0360 .text C:\Windows\system32\csrss.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtQueryVirtualMemory 000000007702dbe0 5 bytes JMP 000000004a4c0358 .text C:\Windows\system32\csrss.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007702dc10 5 bytes JMP 000000004a4c02c8 .text C:\Windows\system32\csrss.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007702dc60 5 bytes JMP 000000004a4c0370 .text C:\Windows\system32\csrss.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007702dc70 1 byte JMP 000000004a4c0300 .text C:\Windows\system32\csrss.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 2 000000007702dc72 3 bytes {JMP 0xffffffffd3492690} .text C:\Windows\system32\csrss.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007702dd20 5 bytes JMP 000000004a4c02a0 .text C:\Windows\system32\csrss.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007702dd50 5 bytes JMP 000000004a4c02e8 .text C:\Windows\system32\csrss.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007702dd70 5 bytes JMP 000000004a4c02d8 .text C:\Windows\system32\csrss.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007702ddb0 5 bytes JMP 000000004a4c0280 .text C:\Windows\system32\csrss.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007702de30 5 bytes JMP 000000004a4c0278 .text C:\Windows\system32\csrss.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007702de50 5 bytes JMP 000000004a4c0298 .text C:\Windows\system32\csrss.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007702de90 5 bytes JMP 000000004a4c02f0 .text C:\Windows\system32\csrss.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007702ded0 5 bytes JMP 000000004a4c0338 .text C:\Windows\system32\csrss.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007702dee0 5 bytes JMP 000000004a4c0308 .text C:\Windows\system32\csrss.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007702e040 5 bytes JMP 000000004a4c0228 .text C:\Windows\system32\csrss.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007702e200 5 bytes JMP 000000004a4c0378 .text C:\Windows\system32\csrss.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007702e230 5 bytes JMP 000000004a4c02e0 .text C:\Windows\system32\csrss.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007702e310 5 bytes JMP 000000004a4c0288 .text C:\Windows\system32\csrss.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007702e320 5 bytes JMP 000000004a4c02b8 .text C:\Windows\system32\csrss.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007702e380 5 bytes JMP 000000004a4c0258 .text C:\Windows\system32\csrss.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007702e410 5 bytes JMP 000000004a4c0268 .text C:\Windows\system32\csrss.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007702e430 5 bytes JMP 000000004a4c02f8 .text C:\Windows\system32\csrss.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007702e440 5 bytes JMP 000000004a4c02a8 .text C:\Windows\system32\csrss.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007702e4b0 5 bytes JMP 000000004a4c0320 .text C:\Windows\system32\csrss.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007702e4e0 5 bytes JMP 000000004a4c0230 .text C:\Windows\system32\csrss.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007702e680 1 byte JMP 000000004a4c0310 .text C:\Windows\system32\csrss.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread + 2 000000007702e682 3 bytes {JMP 0xffffffffd3491c90} .text C:\Windows\system32\csrss.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007702e7a0 5 bytes JMP 000000004a4c0200 .text C:\Windows\system32\csrss.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007702e860 5 bytes JMP 000000004a4c0238 .text C:\Windows\system32\csrss.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007702e890 5 bytes JMP 000000004a4c03d0 .text C:\Windows\system32\csrss.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007702e8a0 5 bytes JMP 000000004a4c03d8 .text C:\Windows\system32\csrss.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007702e8d0 5 bytes JMP 000000004a4c0290 .text C:\Windows\system32\csrss.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007702e8e0 5 bytes JMP 000000004a4c02c0 .text C:\Windows\system32\csrss.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007702e940 5 bytes JMP 000000004a4c0260 .text C:\Windows\system32\csrss.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007702e990 5 bytes JMP 000000004a4c0270 .text C:\Windows\system32\csrss.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007702e9c0 5 bytes JMP 000000004a4c02d0 .text C:\Windows\system32\csrss.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007702e9d0 5 bytes JMP 000000004a4c02b0 .text C:\Windows\system32\csrss.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007702ecc0 1 byte JMP 000000004a4c0350 .text C:\Windows\system32\csrss.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx + 2 000000007702ecc2 3 bytes {JMP 0xffffffffd3491690} .text C:\Windows\system32\csrss.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 000000007702ee20 5 bytes JMP 000000004a4c0328 .text C:\Windows\system32\csrss.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007702eec0 5 bytes JMP 000000004a4c0240 .text C:\Windows\system32\csrss.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007702eed0 5 bytes JMP 000000004a4c0248 .text C:\Windows\system32\csrss.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007702eee0 5 bytes JMP 000000004a4c0318 .text C:\Windows\system32\csrss.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007702f0a0 5 bytes JMP 000000004a4c0208 .text C:\Windows\system32\csrss.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007702f0b0 5 bytes JMP 000000004a4c0218 .text C:\Windows\system32\csrss.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007702f120 5 bytes JMP 000000004a4c0210 .text C:\Windows\system32\csrss.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007702f180 5 bytes JMP 000000004a4c0330 .text C:\Windows\system32\csrss.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007702f190 5 bytes JMP 000000004a4c0340 .text C:\Windows\system32\csrss.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007702f1a0 5 bytes JMP 000000004a4c0220 .text C:\Windows\system32\csrss.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007702f280 5 bytes JMP 000000004a4c0250 .text C:\Windows\system32\csrss.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007702da60 5 bytes JMP 000000004a4c0368 .text C:\Windows\system32\csrss.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007702dab0 5 bytes JMP 000000004a4c0360 .text C:\Windows\system32\csrss.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtQueryVirtualMemory 000000007702dbe0 5 bytes JMP 000000004a4c0358 .text C:\Windows\system32\csrss.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007702dc10 5 bytes JMP 000000004a4c02c8 .text C:\Windows\system32\csrss.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007702dc60 5 bytes JMP 000000004a4c0370 .text C:\Windows\system32\csrss.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007702dc70 1 byte JMP 000000004a4c0300 .text C:\Windows\system32\csrss.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 2 000000007702dc72 3 bytes {JMP 0xffffffffd3492690} .text C:\Windows\system32\csrss.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007702dd20 5 bytes JMP 000000004a4c02a0 .text C:\Windows\system32\csrss.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007702dd50 5 bytes JMP 000000004a4c02e8 .text C:\Windows\system32\csrss.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007702dd70 5 bytes JMP 000000004a4c02d8 .text C:\Windows\system32\csrss.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007702ddb0 5 bytes JMP 000000004a4c0280 .text C:\Windows\system32\csrss.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007702de30 5 bytes JMP 000000004a4c0278 .text C:\Windows\system32\csrss.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007702de50 5 bytes JMP 000000004a4c0298 .text C:\Windows\system32\csrss.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007702de90 5 bytes JMP 000000004a4c02f0 .text C:\Windows\system32\csrss.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007702ded0 5 bytes JMP 000000004a4c0338 .text C:\Windows\system32\csrss.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007702dee0 5 bytes JMP 000000004a4c0308 .text C:\Windows\system32\csrss.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007702e040 5 bytes JMP 000000004a4c0228 .text C:\Windows\system32\csrss.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007702e200 5 bytes JMP 000000004a4c0378 .text C:\Windows\system32\csrss.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007702e230 5 bytes JMP 000000004a4c02e0 .text C:\Windows\system32\csrss.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007702e310 5 bytes JMP 000000004a4c0288 .text C:\Windows\system32\csrss.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007702e320 5 bytes JMP 000000004a4c02b8 .text C:\Windows\system32\csrss.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007702e380 5 bytes JMP 000000004a4c0258 .text C:\Windows\system32\csrss.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007702e410 5 bytes JMP 000000004a4c0268 .text C:\Windows\system32\csrss.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007702e430 5 bytes JMP 000000004a4c02f8 .text C:\Windows\system32\csrss.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007702e440 5 bytes JMP 000000004a4c02a8 .text C:\Windows\system32\csrss.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007702e4b0 5 bytes JMP 000000004a4c0320 .text C:\Windows\system32\csrss.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007702e4e0 5 bytes JMP 000000004a4c0230 .text C:\Windows\system32\csrss.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007702e680 1 byte JMP 000000004a4c0310 .text C:\Windows\system32\csrss.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread + 2 000000007702e682 3 bytes {JMP 0xffffffffd3491c90} .text C:\Windows\system32\csrss.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007702e7a0 5 bytes JMP 000000004a4c0200 .text C:\Windows\system32\csrss.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007702e860 5 bytes JMP 000000004a4c0238 .text C:\Windows\system32\csrss.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007702e890 5 bytes JMP 000000004a4c03d0 .text C:\Windows\system32\csrss.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007702e8a0 5 bytes JMP 000000004a4c03d8 .text C:\Windows\system32\csrss.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007702e8d0 5 bytes JMP 000000004a4c0290 .text C:\Windows\system32\csrss.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007702e8e0 5 bytes JMP 000000004a4c02c0 .text C:\Windows\system32\csrss.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007702e940 5 bytes JMP 000000004a4c0260 .text C:\Windows\system32\csrss.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007702e990 5 bytes JMP 000000004a4c0270 .text C:\Windows\system32\csrss.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007702e9c0 5 bytes JMP 000000004a4c02d0 .text C:\Windows\system32\csrss.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007702e9d0 5 bytes JMP 000000004a4c02b0 .text C:\Windows\system32\csrss.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007702ecc0 1 byte JMP 000000004a4c0350 .text C:\Windows\system32\csrss.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx + 2 000000007702ecc2 3 bytes {JMP 0xffffffffd3491690} .text C:\Windows\system32\csrss.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 000000007702ee20 5 bytes JMP 000000004a4c0328 .text C:\Windows\system32\csrss.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007702eec0 5 bytes JMP 000000004a4c0240 .text C:\Windows\system32\csrss.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007702eed0 5 bytes JMP 000000004a4c0248 .text C:\Windows\system32\csrss.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007702eee0 5 bytes JMP 000000004a4c0318 .text C:\Windows\system32\csrss.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007702f0a0 5 bytes JMP 000000004a4c0208 .text C:\Windows\system32\csrss.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007702f0b0 5 bytes JMP 000000004a4c0218 .text C:\Windows\system32\csrss.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007702f120 5 bytes JMP 000000004a4c0210 .text C:\Windows\system32\csrss.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007702f180 5 bytes JMP 000000004a4c0330 .text C:\Windows\system32\csrss.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007702f190 5 bytes JMP 000000004a4c0340 .text C:\Windows\system32\csrss.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007702f1a0 5 bytes JMP 000000004a4c0220 .text C:\Windows\system32\csrss.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007702f280 5 bytes JMP 000000004a4c0250 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007702da60 5 bytes JMP 0000000077190368 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007702dab0 5 bytes JMP 0000000077190360 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtQueryVirtualMemory 000000007702dbe0 5 bytes JMP 0000000077190358 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007702dc10 5 bytes JMP 00000000771902c8 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007702dc60 5 bytes JMP 0000000077190370 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007702dc70 1 byte JMP 0000000077190300 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 2 000000007702dc72 3 bytes {JMP 0x162690} .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007702dd20 5 bytes JMP 00000000771902a0 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007702dd50 5 bytes JMP 00000000771902e8 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007702dd70 5 bytes JMP 00000000771902d8 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007702ddb0 5 bytes JMP 0000000077190280 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007702de30 5 bytes JMP 0000000077190278 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007702de50 5 bytes JMP 0000000077190298 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007702de90 5 bytes JMP 00000000771902f0 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007702ded0 5 bytes JMP 0000000077190338 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007702dee0 5 bytes JMP 0000000077190308 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007702e040 5 bytes JMP 0000000077190228 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007702e200 5 bytes JMP 0000000077190378 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007702e230 5 bytes JMP 00000000771902e0 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007702e310 5 bytes JMP 0000000077190288 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007702e320 5 bytes JMP 00000000771902b8 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007702e380 5 bytes JMP 0000000077190258 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007702e410 5 bytes JMP 0000000077190268 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007702e430 5 bytes JMP 00000000771902f8 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007702e440 5 bytes JMP 00000000771902a8 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007702e4b0 5 bytes JMP 0000000077190320 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007702e4e0 5 bytes JMP 0000000077190230 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007702e680 1 byte JMP 0000000077190310 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread + 2 000000007702e682 3 bytes {JMP 0x161c90} .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007702e7a0 5 bytes JMP 0000000077190200 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007702e860 5 bytes JMP 0000000077190238 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007702e890 5 bytes JMP 00000000771903d0 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007702e8a0 5 bytes JMP 00000000771903d8 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007702e8d0 5 bytes JMP 0000000077190290 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007702e8e0 5 bytes JMP 00000000771902c0 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007702e940 5 bytes JMP 0000000077190260 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007702e990 5 bytes JMP 0000000077190270 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007702e9c0 5 bytes JMP 00000000771902d0 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007702e9d0 5 bytes JMP 00000000771902b0 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007702ecc0 1 byte JMP 0000000077190350 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx + 2 000000007702ecc2 3 bytes {JMP 0x161690} .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 000000007702ee20 5 bytes JMP 0000000077190328 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007702eec0 5 bytes JMP 0000000077190240 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007702eed0 5 bytes JMP 0000000077190248 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007702eee0 5 bytes JMP 0000000077190318 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007702f0a0 5 bytes JMP 0000000077190208 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007702f0b0 5 bytes JMP 0000000077190218 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007702f120 5 bytes JMP 0000000077190210 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007702f180 5 bytes JMP 0000000077190330 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007702f190 5 bytes JMP 0000000077190340 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007702f1a0 5 bytes JMP 0000000077190220 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007702f280 5 bytes JMP 0000000077190250 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007702da60 5 bytes JMP 0000000077190368 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007702dab0 5 bytes JMP 0000000077190360 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtQueryVirtualMemory 000000007702dbe0 5 bytes JMP 0000000077190358 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007702dc10 5 bytes JMP 00000000771902c8 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007702dc60 5 bytes JMP 0000000077190370 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007702dc70 1 byte JMP 0000000077190300 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 2 000000007702dc72 3 bytes {JMP 0x162690} .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007702dd20 5 bytes JMP 00000000771902a0 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007702dd50 5 bytes JMP 00000000771902e8 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007702dd70 5 bytes JMP 00000000771902d8 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007702ddb0 5 bytes JMP 0000000077190280 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007702de30 5 bytes JMP 0000000077190278 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007702de50 5 bytes JMP 0000000077190298 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007702de90 5 bytes JMP 00000000771902f0 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007702ded0 5 bytes JMP 0000000077190338 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007702dee0 5 bytes JMP 0000000077190308 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007702e040 5 bytes JMP 0000000077190228 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007702e200 5 bytes JMP 0000000077190378 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007702e230 5 bytes JMP 00000000771902e0 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007702e310 5 bytes JMP 0000000077190288 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007702e320 5 bytes JMP 00000000771902b8 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007702e380 5 bytes JMP 0000000077190258 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007702e410 5 bytes JMP 0000000077190268 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007702e430 5 bytes JMP 00000000771902f8 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007702e440 5 bytes JMP 00000000771902a8 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007702e4b0 5 bytes JMP 0000000077190320 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007702e4e0 5 bytes JMP 0000000077190230 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007702e680 1 byte JMP 0000000077190310 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread + 2 000000007702e682 3 bytes {JMP 0x161c90} .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007702e7a0 5 bytes JMP 0000000077190200 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007702e860 5 bytes JMP 0000000077190238 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007702e890 5 bytes JMP 00000000771903d0 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007702e8a0 5 bytes JMP 00000000771903d8 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007702e8d0 5 bytes JMP 0000000077190290 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007702e8e0 5 bytes JMP 00000000771902c0 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007702e940 5 bytes JMP 0000000077190260 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007702e990 5 bytes JMP 0000000077190270 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007702e9c0 5 bytes JMP 00000000771902d0 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007702e9d0 5 bytes JMP 00000000771902b0 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007702ecc0 1 byte JMP 0000000077190350 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx + 2 000000007702ecc2 3 bytes {JMP 0x161690} .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 000000007702ee20 5 bytes JMP 0000000077190328 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007702eec0 5 bytes JMP 0000000077190240 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007702eed0 5 bytes JMP 0000000077190248 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007702eee0 5 bytes JMP 0000000077190318 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007702f0a0 5 bytes JMP 0000000077190208 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007702f0b0 5 bytes JMP 0000000077190218 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007702f120 5 bytes JMP 0000000077190210 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007702f180 5 bytes JMP 0000000077190330 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007702f190 5 bytes JMP 0000000077190340 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007702f1a0 5 bytes JMP 0000000077190220 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007702f280 5 bytes JMP 0000000077190250 .text C:\Windows\system32\svchost.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007702da60 5 bytes JMP 0000000077190368 .text C:\Windows\system32\svchost.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007702dab0 5 bytes JMP 0000000077190360 .text C:\Windows\system32\svchost.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtQueryVirtualMemory 000000007702dbe0 5 bytes JMP 0000000077190358 .text C:\Windows\system32\svchost.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007702dc10 5 bytes JMP 00000000771902c8 .text C:\Windows\system32\svchost.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007702dc60 5 bytes JMP 0000000077190370 .text C:\Windows\system32\svchost.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007702dc70 1 byte JMP 0000000077190300 .text C:\Windows\system32\svchost.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 2 000000007702dc72 3 bytes {JMP 0x162690} .text C:\Windows\system32\svchost.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007702dd20 5 bytes JMP 00000000771902a0 .text C:\Windows\system32\svchost.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007702dd50 5 bytes JMP 00000000771902e8 .text C:\Windows\system32\svchost.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007702dd70 5 bytes JMP 00000000771902d8 .text C:\Windows\system32\svchost.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007702ddb0 5 bytes JMP 0000000077190280 .text C:\Windows\system32\svchost.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007702de30 5 bytes JMP 0000000077190278 .text C:\Windows\system32\svchost.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007702de50 5 bytes JMP 0000000077190298 .text C:\Windows\system32\svchost.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007702de90 5 bytes JMP 00000000771902f0 .text C:\Windows\system32\svchost.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007702ded0 5 bytes JMP 0000000077190338 .text C:\Windows\system32\svchost.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007702dee0 5 bytes JMP 0000000077190308 .text C:\Windows\system32\svchost.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007702e040 5 bytes JMP 0000000077190228 .text C:\Windows\system32\svchost.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007702e200 5 bytes JMP 0000000077190378 .text C:\Windows\system32\svchost.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007702e230 5 bytes JMP 00000000771902e0 .text C:\Windows\system32\svchost.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007702e310 5 bytes JMP 0000000077190288 .text C:\Windows\system32\svchost.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007702e320 5 bytes JMP 00000000771902b8 .text C:\Windows\system32\svchost.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007702e380 5 bytes JMP 0000000077190258 .text C:\Windows\system32\svchost.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007702e410 5 bytes JMP 0000000077190268 .text C:\Windows\system32\svchost.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007702e430 5 bytes JMP 00000000771902f8 .text C:\Windows\system32\svchost.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007702e440 5 bytes JMP 00000000771902a8 .text C:\Windows\system32\svchost.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007702e4b0 5 bytes JMP 0000000077190320 .text C:\Windows\system32\svchost.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007702e4e0 5 bytes JMP 0000000077190230 .text C:\Windows\system32\svchost.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007702e680 1 byte JMP 0000000077190310 .text C:\Windows\system32\svchost.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread + 2 000000007702e682 3 bytes {JMP 0x161c90} .text C:\Windows\system32\svchost.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007702e7a0 5 bytes JMP 0000000077190200 .text C:\Windows\system32\svchost.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007702e860 5 bytes JMP 0000000077190238 .text C:\Windows\system32\svchost.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007702e890 5 bytes JMP 00000000771903d0 .text C:\Windows\system32\svchost.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007702e8a0 5 bytes JMP 00000000771903d8 .text C:\Windows\system32\svchost.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007702e8d0 5 bytes JMP 0000000077190290 .text C:\Windows\system32\svchost.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007702e8e0 5 bytes JMP 00000000771902c0 .text C:\Windows\system32\svchost.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007702e940 5 bytes JMP 0000000077190260 .text C:\Windows\system32\svchost.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007702e990 5 bytes JMP 0000000077190270 .text C:\Windows\system32\svchost.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007702e9c0 5 bytes JMP 00000000771902d0 .text C:\Windows\system32\svchost.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007702e9d0 5 bytes JMP 00000000771902b0 .text C:\Windows\system32\svchost.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007702ecc0 1 byte JMP 0000000077190350 .text C:\Windows\system32\svchost.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx + 2 000000007702ecc2 3 bytes {JMP 0x161690} .text C:\Windows\system32\svchost.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 000000007702ee20 5 bytes JMP 0000000077190328 .text C:\Windows\system32\svchost.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007702eec0 5 bytes JMP 0000000077190240 .text C:\Windows\system32\svchost.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007702eed0 5 bytes JMP 0000000077190248 .text C:\Windows\system32\svchost.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007702eee0 5 bytes JMP 0000000077190318 .text C:\Windows\system32\svchost.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007702f0a0 5 bytes JMP 0000000077190208 .text C:\Windows\system32\svchost.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007702f0b0 5 bytes JMP 0000000077190218 .text C:\Windows\system32\svchost.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007702f120 5 bytes JMP 0000000077190210 .text C:\Windows\system32\svchost.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007702f180 5 bytes JMP 0000000077190330 .text C:\Windows\system32\svchost.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007702f190 5 bytes JMP 0000000077190340 .text C:\Windows\system32\svchost.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007702f1a0 5 bytes JMP 0000000077190220 .text C:\Windows\system32\svchost.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007702f280 5 bytes JMP 0000000077190250 .text C:\Windows\system32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007702da60 5 bytes JMP 0000000077190368 .text C:\Windows\system32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007702dab0 5 bytes JMP 0000000077190360 .text C:\Windows\system32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtQueryVirtualMemory 000000007702dbe0 5 bytes JMP 0000000077190358 .text C:\Windows\system32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007702dc10 5 bytes JMP 00000000771902c8 .text C:\Windows\system32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007702dc60 5 bytes JMP 0000000077190370 .text C:\Windows\system32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007702dc70 1 byte JMP 0000000077190300 .text C:\Windows\system32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 2 000000007702dc72 3 bytes {JMP 0x162690} .text C:\Windows\system32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007702dd20 5 bytes JMP 00000000771902a0 .text C:\Windows\system32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007702dd50 5 bytes JMP 00000000771902e8 .text C:\Windows\system32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007702dd70 5 bytes JMP 00000000771902d8 .text C:\Windows\system32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007702ddb0 5 bytes JMP 0000000077190280 .text C:\Windows\system32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007702de30 5 bytes JMP 0000000077190278 .text C:\Windows\system32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007702de50 5 bytes JMP 0000000077190298 .text C:\Windows\system32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007702de90 5 bytes JMP 00000000771902f0 .text C:\Windows\system32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007702ded0 5 bytes JMP 0000000077190338 .text C:\Windows\system32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007702dee0 5 bytes JMP 0000000077190308 .text C:\Windows\system32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007702e040 5 bytes JMP 0000000077190228 .text C:\Windows\system32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007702e200 5 bytes JMP 0000000077190378 .text C:\Windows\system32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007702e230 5 bytes JMP 00000000771902e0 .text C:\Windows\system32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007702e310 5 bytes JMP 0000000077190288 .text C:\Windows\system32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007702e320 5 bytes JMP 00000000771902b8 .text C:\Windows\system32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007702e380 5 bytes JMP 0000000077190258 .text C:\Windows\system32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007702e410 5 bytes JMP 0000000077190268 .text C:\Windows\system32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007702e430 5 bytes JMP 00000000771902f8 .text C:\Windows\system32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007702e440 5 bytes JMP 00000000771902a8 .text C:\Windows\system32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007702e4b0 5 bytes JMP 0000000077190320 .text C:\Windows\system32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007702e4e0 5 bytes JMP 0000000077190230 .text C:\Windows\system32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007702e680 1 byte JMP 0000000077190310 .text C:\Windows\system32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread + 2 000000007702e682 3 bytes {JMP 0x161c90} .text C:\Windows\system32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007702e7a0 5 bytes JMP 0000000077190200 .text C:\Windows\system32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007702e860 5 bytes JMP 0000000077190238 .text C:\Windows\system32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007702e890 5 bytes JMP 00000000771903d0 .text C:\Windows\system32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007702e8a0 5 bytes JMP 00000000771903d8 .text C:\Windows\system32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007702e8d0 5 bytes JMP 0000000077190290 .text C:\Windows\system32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007702e8e0 5 bytes JMP 00000000771902c0 .text C:\Windows\system32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007702e940 5 bytes JMP 0000000077190260 .text C:\Windows\system32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007702e990 5 bytes JMP 0000000077190270 .text C:\Windows\system32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007702e9c0 5 bytes JMP 00000000771902d0 .text C:\Windows\system32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007702e9d0 5 bytes JMP 00000000771902b0 .text C:\Windows\system32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007702ecc0 1 byte JMP 0000000077190350 .text C:\Windows\system32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx + 2 000000007702ecc2 3 bytes {JMP 0x161690} .text C:\Windows\system32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 000000007702ee20 5 bytes JMP 0000000077190328 .text C:\Windows\system32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007702eec0 5 bytes JMP 0000000077190240 .text C:\Windows\system32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007702eed0 5 bytes JMP 0000000077190248 .text C:\Windows\system32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007702eee0 5 bytes JMP 0000000077190318 .text C:\Windows\system32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007702f0a0 5 bytes JMP 0000000077190208 .text C:\Windows\system32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007702f0b0 5 bytes JMP 0000000077190218 .text C:\Windows\system32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007702f120 5 bytes JMP 0000000077190210 .text C:\Windows\system32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007702f180 5 bytes JMP 0000000077190330 .text C:\Windows\system32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007702f190 5 bytes JMP 0000000077190340 .text C:\Windows\system32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007702f1a0 5 bytes JMP 0000000077190220 .text C:\Windows\system32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007702f280 5 bytes JMP 0000000077190250 .text C:\Windows\System32\svchost.exe[248] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007702da60 5 bytes JMP 0000000077190368 .text C:\Windows\System32\svchost.exe[248] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007702dab0 5 bytes JMP 0000000077190360 .text C:\Windows\System32\svchost.exe[248] C:\Windows\SYSTEM32\ntdll.dll!NtQueryVirtualMemory 000000007702dbe0 5 bytes JMP 0000000077190358 .text C:\Windows\System32\svchost.exe[248] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007702dc10 5 bytes JMP 00000000771902c8 .text C:\Windows\System32\svchost.exe[248] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007702dc60 5 bytes JMP 0000000077190370 .text C:\Windows\System32\svchost.exe[248] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007702dc70 1 byte JMP 0000000077190300 .text C:\Windows\System32\svchost.exe[248] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 2 000000007702dc72 3 bytes {JMP 0x162690} .text C:\Windows\System32\svchost.exe[248] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007702dd20 5 bytes JMP 00000000771902a0 .text C:\Windows\System32\svchost.exe[248] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007702dd50 5 bytes JMP 00000000771902e8 .text C:\Windows\System32\svchost.exe[248] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007702dd70 5 bytes JMP 00000000771902d8 .text C:\Windows\System32\svchost.exe[248] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007702ddb0 5 bytes JMP 0000000077190280 .text C:\Windows\System32\svchost.exe[248] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007702de30 5 bytes JMP 0000000077190278 .text C:\Windows\System32\svchost.exe[248] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007702de50 5 bytes JMP 0000000077190298 .text C:\Windows\System32\svchost.exe[248] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007702de90 5 bytes JMP 00000000771902f0 .text C:\Windows\System32\svchost.exe[248] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007702ded0 5 bytes JMP 0000000077190338 .text C:\Windows\System32\svchost.exe[248] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007702dee0 5 bytes JMP 0000000077190308 .text C:\Windows\System32\svchost.exe[248] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007702e040 5 bytes JMP 0000000077190228 .text C:\Windows\System32\svchost.exe[248] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007702e200 5 bytes JMP 0000000077190378 .text C:\Windows\System32\svchost.exe[248] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007702e230 5 bytes JMP 00000000771902e0 .text C:\Windows\System32\svchost.exe[248] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007702e310 5 bytes JMP 0000000077190288 .text C:\Windows\System32\svchost.exe[248] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007702e320 5 bytes JMP 00000000771902b8 .text C:\Windows\System32\svchost.exe[248] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007702e380 5 bytes JMP 0000000077190258 .text C:\Windows\System32\svchost.exe[248] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007702e410 5 bytes JMP 0000000077190268 .text C:\Windows\System32\svchost.exe[248] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007702e430 5 bytes JMP 00000000771902f8 .text C:\Windows\System32\svchost.exe[248] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007702e440 5 bytes JMP 00000000771902a8 .text C:\Windows\System32\svchost.exe[248] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007702e4b0 5 bytes JMP 0000000077190320 .text C:\Windows\System32\svchost.exe[248] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007702e4e0 5 bytes JMP 0000000077190230 .text C:\Windows\System32\svchost.exe[248] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007702e680 1 byte JMP 0000000077190310 .text C:\Windows\System32\svchost.exe[248] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread + 2 000000007702e682 3 bytes {JMP 0x161c90} .text C:\Windows\System32\svchost.exe[248] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007702e7a0 5 bytes JMP 0000000077190200 .text C:\Windows\System32\svchost.exe[248] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007702e860 5 bytes JMP 0000000077190238 .text C:\Windows\System32\svchost.exe[248] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007702e890 5 bytes JMP 00000000771903d0 .text C:\Windows\System32\svchost.exe[248] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007702e8a0 5 bytes JMP 00000000771903d8 .text C:\Windows\System32\svchost.exe[248] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007702e8d0 5 bytes JMP 0000000077190290 .text C:\Windows\System32\svchost.exe[248] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007702e8e0 5 bytes JMP 00000000771902c0 .text C:\Windows\System32\svchost.exe[248] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007702e940 5 bytes JMP 0000000077190260 .text C:\Windows\System32\svchost.exe[248] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007702e990 5 bytes JMP 0000000077190270 .text C:\Windows\System32\svchost.exe[248] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007702e9c0 5 bytes JMP 00000000771902d0 .text C:\Windows\System32\svchost.exe[248] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007702e9d0 5 bytes JMP 00000000771902b0 .text C:\Windows\System32\svchost.exe[248] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007702ecc0 1 byte JMP 0000000077190350 .text C:\Windows\System32\svchost.exe[248] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx + 2 000000007702ecc2 3 bytes {JMP 0x161690} .text C:\Windows\System32\svchost.exe[248] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 000000007702ee20 5 bytes JMP 0000000077190328 .text C:\Windows\System32\svchost.exe[248] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007702eec0 5 bytes JMP 0000000077190240 .text C:\Windows\System32\svchost.exe[248] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007702eed0 5 bytes JMP 0000000077190248 .text C:\Windows\System32\svchost.exe[248] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007702eee0 5 bytes JMP 0000000077190318 .text C:\Windows\System32\svchost.exe[248] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007702f0a0 5 bytes JMP 0000000077190208 .text C:\Windows\System32\svchost.exe[248] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007702f0b0 5 bytes JMP 0000000077190218 .text C:\Windows\System32\svchost.exe[248] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007702f120 5 bytes JMP 0000000077190210 .text C:\Windows\System32\svchost.exe[248] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007702f180 5 bytes JMP 0000000077190330 .text C:\Windows\System32\svchost.exe[248] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007702f190 5 bytes JMP 0000000077190340 .text C:\Windows\System32\svchost.exe[248] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007702f1a0 5 bytes JMP 0000000077190220 .text C:\Windows\System32\svchost.exe[248] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007702f280 5 bytes JMP 0000000077190250 .text C:\Windows\System32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007702da60 5 bytes JMP 0000000077190368 .text C:\Windows\System32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007702dab0 5 bytes JMP 0000000077190360 .text C:\Windows\System32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtQueryVirtualMemory 000000007702dbe0 5 bytes JMP 0000000077190358 .text C:\Windows\System32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007702dc10 5 bytes JMP 00000000771902c8 .text C:\Windows\System32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007702dc60 5 bytes JMP 0000000077190370 .text C:\Windows\System32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007702dc70 1 byte JMP 0000000077190300 .text C:\Windows\System32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 2 000000007702dc72 3 bytes {JMP 0x162690} .text C:\Windows\System32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007702dd20 5 bytes JMP 00000000771902a0 .text C:\Windows\System32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007702dd50 5 bytes JMP 00000000771902e8 .text C:\Windows\System32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007702dd70 5 bytes JMP 00000000771902d8 .text C:\Windows\System32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007702ddb0 5 bytes JMP 0000000077190280 .text C:\Windows\System32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007702de30 5 bytes JMP 0000000077190278 .text C:\Windows\System32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007702de50 5 bytes JMP 0000000077190298 .text C:\Windows\System32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007702de90 5 bytes JMP 00000000771902f0 .text C:\Windows\System32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007702ded0 5 bytes JMP 0000000077190338 .text C:\Windows\System32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007702dee0 5 bytes JMP 0000000077190308 .text C:\Windows\System32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007702e040 5 bytes JMP 0000000077190228 .text C:\Windows\System32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007702e200 5 bytes JMP 0000000077190378 .text C:\Windows\System32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007702e230 5 bytes JMP 00000000771902e0 .text C:\Windows\System32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007702e310 5 bytes JMP 0000000077190288 .text C:\Windows\System32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007702e320 5 bytes JMP 00000000771902b8 .text C:\Windows\System32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007702e380 5 bytes JMP 0000000077190258 .text C:\Windows\System32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007702e410 5 bytes JMP 0000000077190268 .text C:\Windows\System32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007702e430 5 bytes JMP 00000000771902f8 .text C:\Windows\System32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007702e440 5 bytes JMP 00000000771902a8 .text C:\Windows\System32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007702e4b0 5 bytes JMP 0000000077190320 .text C:\Windows\System32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007702e4e0 5 bytes JMP 0000000077190230 .text C:\Windows\System32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007702e680 1 byte JMP 0000000077190310 .text C:\Windows\System32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread + 2 000000007702e682 3 bytes {JMP 0x161c90} .text C:\Windows\System32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007702e7a0 5 bytes JMP 0000000077190200 .text C:\Windows\System32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007702e860 5 bytes JMP 0000000077190238 .text C:\Windows\System32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007702e890 5 bytes JMP 00000000771903d0 .text C:\Windows\System32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007702e8a0 5 bytes JMP 00000000771903d8 .text C:\Windows\System32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007702e8d0 5 bytes JMP 0000000077190290 .text C:\Windows\System32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007702e8e0 5 bytes JMP 00000000771902c0 .text C:\Windows\System32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007702e940 5 bytes JMP 0000000077190260 .text C:\Windows\System32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007702e990 5 bytes JMP 0000000077190270 .text C:\Windows\System32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007702e9c0 5 bytes JMP 00000000771902d0 .text C:\Windows\System32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007702e9d0 5 bytes JMP 00000000771902b0 .text C:\Windows\System32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007702ecc0 1 byte JMP 0000000077190350 .text C:\Windows\System32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx + 2 000000007702ecc2 3 bytes {JMP 0x161690} .text C:\Windows\System32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 000000007702ee20 5 bytes JMP 0000000077190328 .text C:\Windows\System32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007702eec0 5 bytes JMP 0000000077190240 .text C:\Windows\System32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007702eed0 5 bytes JMP 0000000077190248 .text C:\Windows\System32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007702eee0 5 bytes JMP 0000000077190318 .text C:\Windows\System32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007702f0a0 5 bytes JMP 0000000077190208 .text C:\Windows\System32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007702f0b0 5 bytes JMP 0000000077190218 .text C:\Windows\System32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007702f120 5 bytes JMP 0000000077190210 .text C:\Windows\System32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007702f180 5 bytes JMP 0000000077190330 .text C:\Windows\System32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007702f190 5 bytes JMP 0000000077190340 .text C:\Windows\System32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007702f1a0 5 bytes JMP 0000000077190220 .text C:\Windows\System32\svchost.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007702f280 5 bytes JMP 0000000077190250 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007702da60 5 bytes JMP 0000000077190368 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007702dab0 5 bytes JMP 0000000077190360 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtQueryVirtualMemory 000000007702dbe0 5 bytes JMP 0000000077190358 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007702dc10 5 bytes JMP 00000000771902c8 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007702dc60 5 bytes JMP 0000000077190370 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007702dc70 1 byte JMP 0000000077190300 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 2 000000007702dc72 3 bytes {JMP 0x162690} .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007702dd20 5 bytes JMP 00000000771902a0 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007702dd50 5 bytes JMP 00000000771902e8 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007702dd70 5 bytes JMP 00000000771902d8 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007702ddb0 5 bytes JMP 0000000077190280 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007702de30 5 bytes JMP 0000000077190278 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007702de50 5 bytes JMP 0000000077190298 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007702de90 5 bytes JMP 00000000771902f0 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007702ded0 5 bytes JMP 0000000077190338 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007702dee0 5 bytes JMP 0000000077190308 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007702e040 5 bytes JMP 0000000077190228 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007702e200 5 bytes JMP 0000000077190378 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007702e230 5 bytes JMP 00000000771902e0 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007702e310 5 bytes JMP 0000000077190288 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007702e320 5 bytes JMP 00000000771902b8 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007702e380 5 bytes JMP 0000000077190258 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007702e410 5 bytes JMP 0000000077190268 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007702e430 5 bytes JMP 00000000771902f8 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007702e440 5 bytes JMP 00000000771902a8 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007702e4b0 5 bytes JMP 0000000077190320 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007702e4e0 5 bytes JMP 0000000077190230 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007702e680 1 byte JMP 0000000077190310 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread + 2 000000007702e682 3 bytes {JMP 0x161c90} .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007702e7a0 5 bytes JMP 0000000077190200 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007702e860 5 bytes JMP 0000000077190238 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007702e890 5 bytes JMP 00000000771903d0 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007702e8a0 5 bytes JMP 00000000771903d8 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007702e8d0 5 bytes JMP 0000000077190290 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007702e8e0 5 bytes JMP 00000000771902c0 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007702e940 5 bytes JMP 0000000077190260 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007702e990 5 bytes JMP 0000000077190270 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007702e9c0 5 bytes JMP 00000000771902d0 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007702e9d0 5 bytes JMP 00000000771902b0 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007702ecc0 1 byte JMP 0000000077190350 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx + 2 000000007702ecc2 3 bytes {JMP 0x161690} .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 000000007702ee20 5 bytes JMP 0000000077190328 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007702eec0 5 bytes JMP 0000000077190240 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007702eed0 5 bytes JMP 0000000077190248 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007702eee0 5 bytes JMP 0000000077190318 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007702f0a0 5 bytes JMP 0000000077190208 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007702f0b0 5 bytes JMP 0000000077190218 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007702f120 5 bytes JMP 0000000077190210 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007702f180 5 bytes JMP 0000000077190330 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007702f190 5 bytes JMP 0000000077190340 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007702f1a0 5 bytes JMP 0000000077190220 .text C:\Windows\system32\svchost.exe[1036] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007702f280 5 bytes JMP 0000000077190250 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007702da60 5 bytes JMP 0000000077190368 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007702dab0 5 bytes JMP 0000000077190360 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtQueryVirtualMemory 000000007702dbe0 5 bytes JMP 0000000077190358 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007702dc10 5 bytes JMP 00000000771902c8 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007702dc60 5 bytes JMP 0000000077190370 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007702dc70 1 byte JMP 0000000077190300 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 2 000000007702dc72 3 bytes {JMP 0x162690} .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007702dd20 5 bytes JMP 00000000771902a0 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007702dd50 5 bytes JMP 00000000771902e8 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007702dd70 5 bytes JMP 00000000771902d8 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007702ddb0 5 bytes JMP 0000000077190280 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007702de30 5 bytes JMP 0000000077190278 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007702de50 5 bytes JMP 0000000077190298 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007702de90 5 bytes JMP 00000000771902f0 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007702ded0 5 bytes JMP 0000000077190338 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007702dee0 5 bytes JMP 0000000077190308 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007702e040 5 bytes JMP 0000000077190228 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007702e200 5 bytes JMP 0000000077190378 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007702e230 5 bytes JMP 00000000771902e0 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007702e310 5 bytes JMP 0000000077190288 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007702e320 5 bytes JMP 00000000771902b8 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007702e380 5 bytes JMP 0000000077190258 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007702e410 5 bytes JMP 0000000077190268 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007702e430 5 bytes JMP 00000000771902f8 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007702e440 5 bytes JMP 00000000771902a8 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007702e4b0 5 bytes JMP 0000000077190320 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007702e4e0 5 bytes JMP 0000000077190230 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007702e680 1 byte JMP 0000000077190310 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread + 2 000000007702e682 3 bytes {JMP 0x161c90} .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007702e7a0 5 bytes JMP 0000000077190200 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007702e860 5 bytes JMP 0000000077190238 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007702e890 5 bytes JMP 00000000771903d0 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007702e8a0 5 bytes JMP 00000000771903d8 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007702e8d0 5 bytes JMP 0000000077190290 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007702e8e0 5 bytes JMP 00000000771902c0 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007702e940 5 bytes JMP 0000000077190260 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007702e990 5 bytes JMP 0000000077190270 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007702e9c0 5 bytes JMP 00000000771902d0 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007702e9d0 5 bytes JMP 00000000771902b0 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007702ecc0 1 byte JMP 0000000077190350 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx + 2 000000007702ecc2 3 bytes {JMP 0x161690} .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 000000007702ee20 5 bytes JMP 0000000077190328 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007702eec0 5 bytes JMP 0000000077190240 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007702eed0 5 bytes JMP 0000000077190248 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007702eee0 5 bytes JMP 0000000077190318 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007702f0a0 5 bytes JMP 0000000077190208 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007702f0b0 5 bytes JMP 0000000077190218 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007702f120 5 bytes JMP 0000000077190210 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007702f180 5 bytes JMP 0000000077190330 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007702f190 5 bytes JMP 0000000077190340 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007702f1a0 5 bytes JMP 0000000077190220 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007702f280 5 bytes JMP 0000000077190250 .text C:\Windows\system32\Dwm.exe[1420] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007702da60 5 bytes JMP 0000000077190368 .text C:\Windows\system32\Dwm.exe[1420] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007702dab0 5 bytes JMP 0000000077190360 .text C:\Windows\system32\Dwm.exe[1420] C:\Windows\SYSTEM32\ntdll.dll!NtQueryVirtualMemory 000000007702dbe0 5 bytes JMP 0000000077190358 .text C:\Windows\system32\Dwm.exe[1420] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007702dc10 5 bytes JMP 00000000771902c8 .text C:\Windows\system32\Dwm.exe[1420] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007702dc60 5 bytes JMP 0000000077190370 .text C:\Windows\system32\Dwm.exe[1420] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007702dc70 1 byte JMP 0000000077190300 .text C:\Windows\system32\Dwm.exe[1420] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 2 000000007702dc72 3 bytes {JMP 0x162690} .text C:\Windows\system32\Dwm.exe[1420] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007702dd20 5 bytes JMP 00000000771902a0 .text C:\Windows\system32\Dwm.exe[1420] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007702dd50 5 bytes JMP 00000000771902e8 .text C:\Windows\system32\Dwm.exe[1420] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007702dd70 5 bytes JMP 00000000771902d8 .text C:\Windows\system32\Dwm.exe[1420] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007702ddb0 5 bytes JMP 0000000077190280 .text C:\Windows\system32\Dwm.exe[1420] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007702de30 5 bytes JMP 0000000077190278 .text C:\Windows\system32\Dwm.exe[1420] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007702de50 5 bytes JMP 0000000077190298 .text C:\Windows\system32\Dwm.exe[1420] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007702de90 5 bytes JMP 00000000771902f0 .text C:\Windows\system32\Dwm.exe[1420] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007702ded0 5 bytes JMP 0000000077190338 .text C:\Windows\system32\Dwm.exe[1420] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007702dee0 5 bytes JMP 0000000077190308 .text C:\Windows\system32\Dwm.exe[1420] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007702e040 5 bytes JMP 0000000077190228 .text C:\Windows\system32\Dwm.exe[1420] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007702e200 5 bytes JMP 0000000077190378 .text C:\Windows\system32\Dwm.exe[1420] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007702e230 5 bytes JMP 00000000771902e0 .text C:\Windows\system32\Dwm.exe[1420] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007702e310 5 bytes JMP 0000000077190288 .text C:\Windows\system32\Dwm.exe[1420] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007702e320 5 bytes JMP 00000000771902b8 .text C:\Windows\system32\Dwm.exe[1420] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007702e380 5 bytes JMP 0000000077190258 .text C:\Windows\system32\Dwm.exe[1420] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007702e410 5 bytes JMP 0000000077190268 .text C:\Windows\system32\Dwm.exe[1420] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007702e430 5 bytes JMP 00000000771902f8 .text C:\Windows\system32\Dwm.exe[1420] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007702e440 5 bytes JMP 00000000771902a8 .text C:\Windows\system32\Dwm.exe[1420] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007702e4b0 5 bytes JMP 0000000077190320 .text C:\Windows\system32\Dwm.exe[1420] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007702e4e0 5 bytes JMP 0000000077190230 .text C:\Windows\system32\Dwm.exe[1420] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007702e680 1 byte JMP 0000000077190310 .text C:\Windows\system32\Dwm.exe[1420] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread + 2 000000007702e682 3 bytes {JMP 0x161c90} .text C:\Windows\system32\Dwm.exe[1420] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007702e7a0 5 bytes JMP 0000000077190200 .text C:\Windows\system32\Dwm.exe[1420] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007702e860 5 bytes JMP 0000000077190238 .text C:\Windows\system32\Dwm.exe[1420] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007702e890 5 bytes JMP 00000000771903d0 .text C:\Windows\system32\Dwm.exe[1420] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007702e8a0 5 bytes JMP 00000000771903d8 .text C:\Windows\system32\Dwm.exe[1420] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007702e8d0 5 bytes JMP 0000000077190290 .text C:\Windows\system32\Dwm.exe[1420] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007702e8e0 5 bytes JMP 00000000771902c0 .text C:\Windows\system32\Dwm.exe[1420] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007702e940 5 bytes JMP 0000000077190260 .text C:\Windows\system32\Dwm.exe[1420] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007702e990 5 bytes JMP 0000000077190270 .text C:\Windows\system32\Dwm.exe[1420] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007702e9c0 5 bytes JMP 00000000771902d0 .text C:\Windows\system32\Dwm.exe[1420] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007702e9d0 5 bytes JMP 00000000771902b0 .text C:\Windows\system32\Dwm.exe[1420] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007702ecc0 1 byte JMP 0000000077190350 .text C:\Windows\system32\Dwm.exe[1420] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx + 2 000000007702ecc2 3 bytes {JMP 0x161690} .text C:\Windows\system32\Dwm.exe[1420] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 000000007702ee20 5 bytes JMP 0000000077190328 .text C:\Windows\system32\Dwm.exe[1420] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007702eec0 5 bytes JMP 0000000077190240 .text C:\Windows\system32\Dwm.exe[1420] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007702eed0 5 bytes JMP 0000000077190248 .text C:\Windows\system32\Dwm.exe[1420] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007702eee0 5 bytes JMP 0000000077190318 .text C:\Windows\system32\Dwm.exe[1420] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007702f0a0 5 bytes JMP 0000000077190208 .text C:\Windows\system32\Dwm.exe[1420] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007702f0b0 5 bytes JMP 0000000077190218 .text C:\Windows\system32\Dwm.exe[1420] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007702f120 5 bytes JMP 0000000077190210 .text C:\Windows\system32\Dwm.exe[1420] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007702f180 5 bytes JMP 0000000077190330 .text C:\Windows\system32\Dwm.exe[1420] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007702f190 5 bytes JMP 0000000077190340 .text C:\Windows\system32\Dwm.exe[1420] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007702f1a0 5 bytes JMP 0000000077190220 .text C:\Windows\system32\Dwm.exe[1420] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007702f280 5 bytes JMP 0000000077190250 .text C:\Windows\system32\svchost.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007702da60 5 bytes JMP 0000000000070368 .text C:\Windows\system32\svchost.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007702dab0 5 bytes JMP 0000000000070360 .text C:\Windows\system32\svchost.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtQueryVirtualMemory 000000007702dbe0 5 bytes JMP 0000000000070358 .text C:\Windows\system32\svchost.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007702dc10 5 bytes JMP 00000000000702c8 .text C:\Windows\system32\svchost.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007702dc60 5 bytes JMP 0000000000070370 .text C:\Windows\system32\svchost.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007702dc70 1 byte JMP 0000000000070300 .text C:\Windows\system32\svchost.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 2 000000007702dc72 3 bytes {JMP 0xffffffff89042690} .text C:\Windows\system32\svchost.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007702dd20 5 bytes JMP 00000000000702a0 .text C:\Windows\system32\svchost.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007702dd50 5 bytes JMP 00000000000702e8 .text C:\Windows\system32\svchost.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007702dd70 5 bytes JMP 00000000000702d8 .text C:\Windows\system32\svchost.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007702ddb0 5 bytes JMP 0000000000070280 .text C:\Windows\system32\svchost.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007702de30 5 bytes JMP 0000000000070278 .text C:\Windows\system32\svchost.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007702de50 5 bytes JMP 0000000000070298 .text C:\Windows\system32\svchost.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007702de90 5 bytes JMP 00000000000702f0 .text C:\Windows\system32\svchost.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007702ded0 5 bytes JMP 0000000000070338 .text C:\Windows\system32\svchost.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007702dee0 5 bytes JMP 0000000000070308 .text C:\Windows\system32\svchost.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007702e040 5 bytes JMP 0000000000070228 .text C:\Windows\system32\svchost.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007702e200 5 bytes JMP 0000000000070378 .text C:\Windows\system32\svchost.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007702e230 5 bytes JMP 00000000000702e0 .text C:\Windows\system32\svchost.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007702e310 5 bytes JMP 0000000000070288 .text C:\Windows\system32\svchost.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007702e320 5 bytes JMP 00000000000702b8 .text C:\Windows\system32\svchost.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007702e380 5 bytes JMP 0000000000070258 .text C:\Windows\system32\svchost.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007702e410 5 bytes JMP 0000000000070268 .text C:\Windows\system32\svchost.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007702e430 5 bytes JMP 00000000000702f8 .text C:\Windows\system32\svchost.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007702e440 5 bytes JMP 00000000000702a8 .text C:\Windows\system32\svchost.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007702e4b0 5 bytes JMP 0000000000070320 .text C:\Windows\system32\svchost.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007702e4e0 5 bytes JMP 0000000000070230 .text C:\Windows\system32\svchost.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007702e680 1 byte JMP 0000000000070310 .text C:\Windows\system32\svchost.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread + 2 000000007702e682 3 bytes {JMP 0xffffffff89041c90} .text C:\Windows\system32\svchost.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007702e7a0 5 bytes JMP 0000000000070200 .text C:\Windows\system32\svchost.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007702e860 5 bytes JMP 0000000000070238 .text C:\Windows\system32\svchost.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007702e890 5 bytes JMP 00000000000703d0 .text C:\Windows\system32\svchost.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007702e8a0 5 bytes JMP 00000000000703d8 .text C:\Windows\system32\svchost.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007702e8d0 5 bytes JMP 0000000000070290 .text C:\Windows\system32\svchost.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007702e8e0 5 bytes JMP 00000000000702c0 .text C:\Windows\system32\svchost.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007702e940 5 bytes JMP 0000000000070260 .text C:\Windows\system32\svchost.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007702e990 5 bytes JMP 0000000000070270 .text C:\Windows\system32\svchost.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007702e9c0 5 bytes JMP 00000000000702d0 .text C:\Windows\system32\svchost.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007702e9d0 5 bytes JMP 00000000000702b0 .text C:\Windows\system32\svchost.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007702ecc0 1 byte JMP 0000000000070350 .text C:\Windows\system32\svchost.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx + 2 000000007702ecc2 3 bytes {JMP 0xffffffff89041690} .text C:\Windows\system32\svchost.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 000000007702ee20 5 bytes JMP 0000000000070328 .text C:\Windows\system32\svchost.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007702eec0 5 bytes JMP 0000000000070240 .text C:\Windows\system32\svchost.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007702eed0 5 bytes JMP 0000000000070248 .text C:\Windows\system32\svchost.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007702eee0 5 bytes JMP 0000000000070318 .text C:\Windows\system32\svchost.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007702f0a0 5 bytes JMP 0000000000070208 .text C:\Windows\system32\svchost.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007702f0b0 5 bytes JMP 0000000000070218 .text C:\Windows\system32\svchost.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007702f120 5 bytes JMP 0000000000070210 .text C:\Windows\system32\svchost.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007702f180 5 bytes JMP 0000000000070330 .text C:\Windows\system32\svchost.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007702f190 5 bytes JMP 0000000000070340 .text C:\Windows\system32\svchost.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007702f1a0 5 bytes JMP 0000000000070220 .text C:\Windows\system32\svchost.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007702f280 5 bytes JMP 0000000000070250 .text C:\Windows\Explorer.EXE[1648] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007702da60 5 bytes JMP 0000000077190368 .text C:\Windows\Explorer.EXE[1648] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007702dab0 5 bytes JMP 0000000077190360 .text C:\Windows\Explorer.EXE[1648] C:\Windows\SYSTEM32\ntdll.dll!NtQueryVirtualMemory 000000007702dbe0 5 bytes JMP 0000000077190358 .text C:\Windows\Explorer.EXE[1648] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007702dc10 5 bytes JMP 00000000771902c8 .text C:\Windows\Explorer.EXE[1648] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007702dc60 5 bytes JMP 0000000077190370 .text C:\Windows\Explorer.EXE[1648] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007702dc70 1 byte JMP 0000000077190300 .text C:\Windows\Explorer.EXE[1648] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 2 000000007702dc72 3 bytes {JMP 0x162690} .text C:\Windows\Explorer.EXE[1648] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007702dd20 5 bytes JMP 00000000771902a0 .text C:\Windows\Explorer.EXE[1648] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007702dd50 5 bytes JMP 00000000771902e8 .text C:\Windows\Explorer.EXE[1648] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007702dd70 5 bytes JMP 00000000771902d8 .text C:\Windows\Explorer.EXE[1648] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007702ddb0 5 bytes JMP 0000000077190280 .text C:\Windows\Explorer.EXE[1648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007702de30 5 bytes JMP 0000000077190278 .text C:\Windows\Explorer.EXE[1648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007702de50 5 bytes JMP 0000000077190298 .text C:\Windows\Explorer.EXE[1648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007702de90 5 bytes JMP 00000000771902f0 .text C:\Windows\Explorer.EXE[1648] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007702ded0 5 bytes JMP 0000000077190338 .text C:\Windows\Explorer.EXE[1648] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007702dee0 5 bytes JMP 0000000077190308 .text C:\Windows\Explorer.EXE[1648] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007702e040 5 bytes JMP 0000000077190228 .text C:\Windows\Explorer.EXE[1648] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007702e200 5 bytes JMP 0000000077190378 .text C:\Windows\Explorer.EXE[1648] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007702e230 5 bytes JMP 00000000771902e0 .text C:\Windows\Explorer.EXE[1648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007702e310 5 bytes JMP 0000000077190288 .text C:\Windows\Explorer.EXE[1648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007702e320 5 bytes JMP 00000000771902b8 .text C:\Windows\Explorer.EXE[1648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007702e380 5 bytes JMP 0000000077190258 .text C:\Windows\Explorer.EXE[1648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007702e410 5 bytes JMP 0000000077190268 .text C:\Windows\Explorer.EXE[1648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007702e430 5 bytes JMP 00000000771902f8 .text C:\Windows\Explorer.EXE[1648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007702e440 5 bytes JMP 00000000771902a8 .text C:\Windows\Explorer.EXE[1648] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007702e4b0 5 bytes JMP 0000000077190320 .text C:\Windows\Explorer.EXE[1648] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007702e4e0 5 bytes JMP 0000000077190230 .text C:\Windows\Explorer.EXE[1648] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007702e680 1 byte JMP 0000000077190310 .text C:\Windows\Explorer.EXE[1648] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread + 2 000000007702e682 3 bytes {JMP 0x161c90} .text C:\Windows\Explorer.EXE[1648] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007702e7a0 5 bytes JMP 0000000077190200 .text C:\Windows\Explorer.EXE[1648] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007702e860 5 bytes JMP 0000000077190238 .text C:\Windows\Explorer.EXE[1648] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007702e890 5 bytes JMP 00000000771903d0 .text C:\Windows\Explorer.EXE[1648] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007702e8a0 5 bytes JMP 00000000771903d8 .text C:\Windows\Explorer.EXE[1648] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007702e8d0 5 bytes JMP 0000000077190290 .text C:\Windows\Explorer.EXE[1648] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007702e8e0 5 bytes JMP 00000000771902c0 .text C:\Windows\Explorer.EXE[1648] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007702e940 5 bytes JMP 0000000077190260 .text C:\Windows\Explorer.EXE[1648] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007702e990 5 bytes JMP 0000000077190270 .text C:\Windows\Explorer.EXE[1648] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007702e9c0 5 bytes JMP 00000000771902d0 .text C:\Windows\Explorer.EXE[1648] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007702e9d0 5 bytes JMP 00000000771902b0 .text C:\Windows\Explorer.EXE[1648] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007702ecc0 1 byte JMP 0000000077190350 .text C:\Windows\Explorer.EXE[1648] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx + 2 000000007702ecc2 3 bytes {JMP 0x161690} .text C:\Windows\Explorer.EXE[1648] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 000000007702ee20 5 bytes JMP 0000000077190328 .text C:\Windows\Explorer.EXE[1648] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007702eec0 5 bytes JMP 0000000077190240 .text C:\Windows\Explorer.EXE[1648] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007702eed0 5 bytes JMP 0000000077190248 .text C:\Windows\Explorer.EXE[1648] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007702eee0 5 bytes JMP 0000000077190318 .text C:\Windows\Explorer.EXE[1648] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007702f0a0 5 bytes JMP 0000000077190208 .text C:\Windows\Explorer.EXE[1648] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007702f0b0 5 bytes JMP 0000000077190218 .text C:\Windows\Explorer.EXE[1648] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007702f120 5 bytes JMP 0000000077190210 .text C:\Windows\Explorer.EXE[1648] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007702f180 5 bytes JMP 0000000077190330 .text C:\Windows\Explorer.EXE[1648] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007702f190 5 bytes JMP 0000000077190340 .text C:\Windows\Explorer.EXE[1648] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007702f1a0 5 bytes JMP 0000000077190220 .text C:\Windows\Explorer.EXE[1648] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007702f280 5 bytes JMP 0000000077190250 .text C:\Windows\System32\svchost.exe[1784] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007702da60 5 bytes JMP 0000000077190368 .text C:\Windows\System32\svchost.exe[1784] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007702dab0 5 bytes JMP 0000000077190360 .text C:\Windows\System32\svchost.exe[1784] C:\Windows\SYSTEM32\ntdll.dll!NtQueryVirtualMemory 000000007702dbe0 5 bytes JMP 0000000077190358 .text C:\Windows\System32\svchost.exe[1784] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007702dc10 5 bytes JMP 00000000771902c8 .text C:\Windows\System32\svchost.exe[1784] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007702dc60 5 bytes JMP 0000000077190370 .text C:\Windows\System32\svchost.exe[1784] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007702dc70 1 byte JMP 0000000077190300 .text C:\Windows\System32\svchost.exe[1784] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 2 000000007702dc72 3 bytes {JMP 0x162690} .text C:\Windows\System32\svchost.exe[1784] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007702dd20 5 bytes JMP 00000000771902a0 .text C:\Windows\System32\svchost.exe[1784] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007702dd50 5 bytes JMP 00000000771902e8 .text C:\Windows\System32\svchost.exe[1784] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007702dd70 5 bytes JMP 00000000771902d8 .text C:\Windows\System32\svchost.exe[1784] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007702ddb0 5 bytes JMP 0000000077190280 .text C:\Windows\System32\svchost.exe[1784] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007702de30 5 bytes JMP 0000000077190278 .text C:\Windows\System32\svchost.exe[1784] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007702de50 5 bytes JMP 0000000077190298 .text C:\Windows\System32\svchost.exe[1784] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007702de90 5 bytes JMP 00000000771902f0 .text C:\Windows\System32\svchost.exe[1784] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007702ded0 5 bytes JMP 0000000077190338 .text C:\Windows\System32\svchost.exe[1784] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007702dee0 5 bytes JMP 0000000077190308 .text C:\Windows\System32\svchost.exe[1784] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007702e040 5 bytes JMP 0000000077190228 .text C:\Windows\System32\svchost.exe[1784] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007702e200 5 bytes JMP 0000000077190378 .text C:\Windows\System32\svchost.exe[1784] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007702e230 5 bytes JMP 00000000771902e0 .text C:\Windows\System32\svchost.exe[1784] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007702e310 5 bytes JMP 0000000077190288 .text C:\Windows\System32\svchost.exe[1784] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007702e320 5 bytes JMP 00000000771902b8 .text C:\Windows\System32\svchost.exe[1784] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007702e380 5 bytes JMP 0000000077190258 .text C:\Windows\System32\svchost.exe[1784] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007702e410 5 bytes JMP 0000000077190268 .text C:\Windows\System32\svchost.exe[1784] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007702e430 5 bytes JMP 00000000771902f8 .text C:\Windows\System32\svchost.exe[1784] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007702e440 5 bytes JMP 00000000771902a8 .text C:\Windows\System32\svchost.exe[1784] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007702e4b0 5 bytes JMP 0000000077190320 .text C:\Windows\System32\svchost.exe[1784] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007702e4e0 5 bytes JMP 0000000077190230 .text C:\Windows\System32\svchost.exe[1784] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007702e680 1 byte JMP 0000000077190310 .text C:\Windows\System32\svchost.exe[1784] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread + 2 000000007702e682 3 bytes {JMP 0x161c90} .text C:\Windows\System32\svchost.exe[1784] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007702e7a0 5 bytes JMP 0000000077190200 .text C:\Windows\System32\svchost.exe[1784] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007702e860 5 bytes JMP 0000000077190238 .text C:\Windows\System32\svchost.exe[1784] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007702e890 5 bytes JMP 00000000771903d0 .text C:\Windows\System32\svchost.exe[1784] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007702e8a0 5 bytes JMP 00000000771903d8 .text C:\Windows\System32\svchost.exe[1784] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007702e8d0 5 bytes JMP 0000000077190290 .text C:\Windows\System32\svchost.exe[1784] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007702e8e0 5 bytes JMP 00000000771902c0 .text C:\Windows\System32\svchost.exe[1784] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007702e940 5 bytes JMP 0000000077190260 .text C:\Windows\System32\svchost.exe[1784] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007702e990 5 bytes JMP 0000000077190270 .text C:\Windows\System32\svchost.exe[1784] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007702e9c0 5 bytes JMP 00000000771902d0 .text C:\Windows\System32\svchost.exe[1784] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007702e9d0 5 bytes JMP 00000000771902b0 .text C:\Windows\System32\svchost.exe[1784] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007702ecc0 1 byte JMP 0000000077190350 .text C:\Windows\System32\svchost.exe[1784] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx + 2 000000007702ecc2 3 bytes {JMP 0x161690} .text C:\Windows\System32\svchost.exe[1784] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 000000007702ee20 5 bytes JMP 0000000077190328 .text C:\Windows\System32\svchost.exe[1784] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007702eec0 5 bytes JMP 0000000077190240 .text C:\Windows\System32\svchost.exe[1784] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007702eed0 5 bytes JMP 0000000077190248 .text C:\Windows\System32\svchost.exe[1784] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007702eee0 5 bytes JMP 0000000077190318 .text C:\Windows\System32\svchost.exe[1784] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007702f0a0 5 bytes JMP 0000000077190208 .text C:\Windows\System32\svchost.exe[1784] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007702f0b0 5 bytes JMP 0000000077190218 .text C:\Windows\System32\svchost.exe[1784] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007702f120 5 bytes JMP 0000000077190210 .text C:\Windows\System32\svchost.exe[1784] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007702f180 5 bytes JMP 0000000077190330 .text C:\Windows\System32\svchost.exe[1784] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007702f190 5 bytes JMP 0000000077190340 .text C:\Windows\System32\svchost.exe[1784] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007702f1a0 5 bytes JMP 0000000077190220 .text C:\Windows\System32\svchost.exe[1784] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007702f280 5 bytes JMP 0000000077190250 .text C:\Windows\System32\svchost.exe[1816] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007702da60 5 bytes JMP 0000000077190368 .text C:\Windows\System32\svchost.exe[1816] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007702dab0 5 bytes JMP 0000000077190360 .text C:\Windows\System32\svchost.exe[1816] C:\Windows\SYSTEM32\ntdll.dll!NtQueryVirtualMemory 000000007702dbe0 5 bytes JMP 0000000077190358 .text C:\Windows\System32\svchost.exe[1816] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007702dc10 5 bytes JMP 00000000771902c8 .text C:\Windows\System32\svchost.exe[1816] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007702dc60 5 bytes JMP 0000000077190370 .text C:\Windows\System32\svchost.exe[1816] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007702dc70 1 byte JMP 0000000077190300 .text C:\Windows\System32\svchost.exe[1816] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 2 000000007702dc72 3 bytes {JMP 0x162690} .text C:\Windows\System32\svchost.exe[1816] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007702dd20 5 bytes JMP 00000000771902a0 .text C:\Windows\System32\svchost.exe[1816] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007702dd50 5 bytes JMP 00000000771902e8 .text C:\Windows\System32\svchost.exe[1816] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007702dd70 5 bytes JMP 00000000771902d8 .text C:\Windows\System32\svchost.exe[1816] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007702ddb0 5 bytes JMP 0000000077190280 .text C:\Windows\System32\svchost.exe[1816] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007702de30 5 bytes JMP 0000000077190278 .text C:\Windows\System32\svchost.exe[1816] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007702de50 5 bytes JMP 0000000077190298 .text C:\Windows\System32\svchost.exe[1816] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007702de90 5 bytes JMP 00000000771902f0 .text C:\Windows\System32\svchost.exe[1816] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007702ded0 5 bytes JMP 0000000077190338 .text C:\Windows\System32\svchost.exe[1816] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007702dee0 5 bytes JMP 0000000077190308 .text C:\Windows\System32\svchost.exe[1816] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007702e040 5 bytes JMP 0000000077190228 .text C:\Windows\System32\svchost.exe[1816] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007702e200 5 bytes JMP 0000000077190378 .text C:\Windows\System32\svchost.exe[1816] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007702e230 5 bytes JMP 00000000771902e0 .text C:\Windows\System32\svchost.exe[1816] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007702e310 5 bytes JMP 0000000077190288 .text C:\Windows\System32\svchost.exe[1816] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007702e320 5 bytes JMP 00000000771902b8 .text C:\Windows\System32\svchost.exe[1816] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007702e380 5 bytes JMP 0000000077190258 .text C:\Windows\System32\svchost.exe[1816] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007702e410 5 bytes JMP 0000000077190268 .text C:\Windows\System32\svchost.exe[1816] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007702e430 5 bytes JMP 00000000771902f8 .text C:\Windows\System32\svchost.exe[1816] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007702e440 5 bytes JMP 00000000771902a8 .text C:\Windows\System32\svchost.exe[1816] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007702e4b0 5 bytes JMP 0000000077190320 .text C:\Windows\System32\svchost.exe[1816] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007702e4e0 5 bytes JMP 0000000077190230 .text C:\Windows\System32\svchost.exe[1816] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007702e680 1 byte JMP 0000000077190310 .text C:\Windows\System32\svchost.exe[1816] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread + 2 000000007702e682 3 bytes {JMP 0x161c90} .text C:\Windows\System32\svchost.exe[1816] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007702e7a0 5 bytes JMP 0000000077190200 .text C:\Windows\System32\svchost.exe[1816] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007702e860 5 bytes JMP 0000000077190238 .text C:\Windows\System32\svchost.exe[1816] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007702e890 5 bytes JMP 00000000771903d0 .text C:\Windows\System32\svchost.exe[1816] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007702e8a0 5 bytes JMP 00000000771903d8 .text C:\Windows\System32\svchost.exe[1816] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007702e8d0 5 bytes JMP 0000000077190290 .text C:\Windows\System32\svchost.exe[1816] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007702e8e0 5 bytes JMP 00000000771902c0 .text C:\Windows\System32\svchost.exe[1816] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007702e940 5 bytes JMP 0000000077190260 .text C:\Windows\System32\svchost.exe[1816] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007702e990 5 bytes JMP 0000000077190270 .text C:\Windows\System32\svchost.exe[1816] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007702e9c0 5 bytes JMP 00000000771902d0 .text C:\Windows\System32\svchost.exe[1816] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007702e9d0 5 bytes JMP 00000000771902b0 .text C:\Windows\System32\svchost.exe[1816] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007702ecc0 1 byte JMP 0000000077190350 .text C:\Windows\System32\svchost.exe[1816] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx + 2 000000007702ecc2 3 bytes {JMP 0x161690} .text C:\Windows\System32\svchost.exe[1816] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 000000007702ee20 5 bytes JMP 0000000077190328 .text C:\Windows\System32\svchost.exe[1816] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007702eec0 5 bytes JMP 0000000077190240 .text C:\Windows\System32\svchost.exe[1816] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007702eed0 5 bytes JMP 0000000077190248 .text C:\Windows\System32\svchost.exe[1816] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007702eee0 5 bytes JMP 0000000077190318 .text C:\Windows\System32\svchost.exe[1816] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007702f0a0 5 bytes JMP 0000000077190208 .text C:\Windows\System32\svchost.exe[1816] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007702f0b0 5 bytes JMP 0000000077190218 .text C:\Windows\System32\svchost.exe[1816] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007702f120 5 bytes JMP 0000000077190210 .text C:\Windows\System32\svchost.exe[1816] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007702f180 5 bytes JMP 0000000077190330 .text C:\Windows\System32\svchost.exe[1816] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007702f190 5 bytes JMP 0000000077190340 .text C:\Windows\System32\svchost.exe[1816] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007702f1a0 5 bytes JMP 0000000077190220 .text C:\Windows\System32\svchost.exe[1816] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007702f280 5 bytes JMP 0000000077190250 .text C:\Program Files\OO Software\Defrag\oodag.exe[2000] C:\Windows\system32\kernel32.dll!SetUnhandledExceptionFilter 0000000076ed90a0 13 bytes {MOV R11, 0x140001400; JMP R11} .text C:\Windows\System32\rundll32.exe[1464] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007702da60 5 bytes JMP 0000000077190368 .text C:\Windows\System32\rundll32.exe[1464] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007702dab0 5 bytes JMP 0000000077190360 .text C:\Windows\System32\rundll32.exe[1464] C:\Windows\SYSTEM32\ntdll.dll!NtQueryVirtualMemory 000000007702dbe0 5 bytes JMP 0000000077190358 .text C:\Windows\System32\rundll32.exe[1464] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007702dc10 5 bytes JMP 00000000771902c8 .text C:\Windows\System32\rundll32.exe[1464] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007702dc60 5 bytes JMP 0000000077190370 .text C:\Windows\System32\rundll32.exe[1464] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007702dc70 1 byte JMP 0000000077190300 .text C:\Windows\System32\rundll32.exe[1464] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 2 000000007702dc72 3 bytes {JMP 0x162690} .text C:\Windows\System32\rundll32.exe[1464] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007702dd20 5 bytes JMP 00000000771902a0 .text C:\Windows\System32\rundll32.exe[1464] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007702dd50 5 bytes JMP 00000000771902e8 .text C:\Windows\System32\rundll32.exe[1464] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007702dd70 5 bytes JMP 00000000771902d8 .text C:\Windows\System32\rundll32.exe[1464] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007702ddb0 5 bytes JMP 0000000077190280 .text C:\Windows\System32\rundll32.exe[1464] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007702de30 5 bytes JMP 0000000077190278 .text C:\Windows\System32\rundll32.exe[1464] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007702de50 5 bytes JMP 0000000077190298 .text C:\Windows\System32\rundll32.exe[1464] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007702de90 5 bytes JMP 00000000771902f0 .text C:\Windows\System32\rundll32.exe[1464] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007702ded0 5 bytes JMP 0000000077190338 .text C:\Windows\System32\rundll32.exe[1464] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007702dee0 5 bytes JMP 0000000077190308 .text C:\Windows\System32\rundll32.exe[1464] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007702e040 5 bytes JMP 0000000077190228 .text C:\Windows\System32\rundll32.exe[1464] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007702e200 5 bytes JMP 0000000077190378 .text C:\Windows\System32\rundll32.exe[1464] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007702e230 5 bytes JMP 00000000771902e0 .text C:\Windows\System32\rundll32.exe[1464] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007702e310 5 bytes JMP 0000000077190288 .text C:\Windows\System32\rundll32.exe[1464] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007702e320 5 bytes JMP 00000000771902b8 .text C:\Windows\System32\rundll32.exe[1464] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007702e380 5 bytes JMP 0000000077190258 .text C:\Windows\System32\rundll32.exe[1464] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007702e410 5 bytes JMP 0000000077190268 .text C:\Windows\System32\rundll32.exe[1464] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007702e430 5 bytes JMP 00000000771902f8 .text C:\Windows\System32\rundll32.exe[1464] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007702e440 5 bytes JMP 00000000771902a8 .text C:\Windows\System32\rundll32.exe[1464] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007702e4b0 5 bytes JMP 0000000077190320 .text C:\Windows\System32\rundll32.exe[1464] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007702e4e0 5 bytes JMP 0000000077190230 .text C:\Windows\System32\rundll32.exe[1464] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007702e680 1 byte JMP 0000000077190310 .text C:\Windows\System32\rundll32.exe[1464] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread + 2 000000007702e682 3 bytes {JMP 0x161c90} .text C:\Windows\System32\rundll32.exe[1464] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007702e7a0 5 bytes JMP 0000000077190200 .text C:\Windows\System32\rundll32.exe[1464] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007702e860 5 bytes JMP 0000000077190238 .text C:\Windows\System32\rundll32.exe[1464] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007702e890 5 bytes JMP 00000000771903d0 .text C:\Windows\System32\rundll32.exe[1464] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007702e8a0 5 bytes JMP 00000000771903d8 .text C:\Windows\System32\rundll32.exe[1464] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007702e8d0 5 bytes JMP 0000000077190290 .text C:\Windows\System32\rundll32.exe[1464] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007702e8e0 5 bytes JMP 00000000771902c0 .text C:\Windows\System32\rundll32.exe[1464] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007702e940 5 bytes JMP 0000000077190260 .text C:\Windows\System32\rundll32.exe[1464] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007702e990 5 bytes JMP 0000000077190270 .text C:\Windows\System32\rundll32.exe[1464] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007702e9c0 5 bytes JMP 00000000771902d0 .text C:\Windows\System32\rundll32.exe[1464] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007702e9d0 5 bytes JMP 00000000771902b0 .text C:\Windows\System32\rundll32.exe[1464] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007702ecc0 1 byte JMP 0000000077190350 .text C:\Windows\System32\rundll32.exe[1464] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx + 2 000000007702ecc2 3 bytes {JMP 0x161690} .text C:\Windows\System32\rundll32.exe[1464] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 000000007702ee20 5 bytes JMP 0000000077190328 .text C:\Windows\System32\rundll32.exe[1464] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007702eec0 5 bytes JMP 0000000077190240 .text C:\Windows\System32\rundll32.exe[1464] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007702eed0 5 bytes JMP 0000000077190248 .text C:\Windows\System32\rundll32.exe[1464] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007702eee0 5 bytes JMP 0000000077190318 .text C:\Windows\System32\rundll32.exe[1464] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007702f0a0 5 bytes JMP 0000000077190208 .text C:\Windows\System32\rundll32.exe[1464] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007702f0b0 5 bytes JMP 0000000077190218 .text C:\Windows\System32\rundll32.exe[1464] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007702f120 5 bytes JMP 0000000077190210 .text C:\Windows\System32\rundll32.exe[1464] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007702f180 5 bytes JMP 0000000077190330 .text C:\Windows\System32\rundll32.exe[1464] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007702f190 5 bytes JMP 0000000077190340 .text C:\Windows\System32\rundll32.exe[1464] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007702f1a0 5 bytes JMP 0000000077190220 .text C:\Windows\System32\rundll32.exe[1464] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007702f280 5 bytes JMP 0000000077190250 .text C:\Windows\system32\taskhost.exe[2456] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007702da60 5 bytes JMP 0000000077190368 .text C:\Windows\system32\taskhost.exe[2456] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007702dab0 5 bytes JMP 0000000077190360 .text C:\Windows\system32\taskhost.exe[2456] C:\Windows\SYSTEM32\ntdll.dll!NtQueryVirtualMemory 000000007702dbe0 5 bytes JMP 0000000077190358 .text C:\Windows\system32\taskhost.exe[2456] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007702dc10 5 bytes JMP 00000000771902c8 .text C:\Windows\system32\taskhost.exe[2456] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007702dc60 5 bytes JMP 0000000077190370 .text C:\Windows\system32\taskhost.exe[2456] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007702dc70 1 byte JMP 0000000077190300 .text C:\Windows\system32\taskhost.exe[2456] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 2 000000007702dc72 3 bytes {JMP 0x162690} .text C:\Windows\system32\taskhost.exe[2456] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007702dd20 5 bytes JMP 00000000771902a0 .text C:\Windows\system32\taskhost.exe[2456] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007702dd50 5 bytes JMP 00000000771902e8 .text C:\Windows\system32\taskhost.exe[2456] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007702dd70 5 bytes JMP 00000000771902d8 .text C:\Windows\system32\taskhost.exe[2456] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007702ddb0 5 bytes JMP 0000000077190280 .text C:\Windows\system32\taskhost.exe[2456] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007702de30 5 bytes JMP 0000000077190278 .text C:\Windows\system32\taskhost.exe[2456] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007702de50 5 bytes JMP 0000000077190298 .text C:\Windows\system32\taskhost.exe[2456] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007702de90 5 bytes JMP 00000000771902f0 .text C:\Windows\system32\taskhost.exe[2456] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007702ded0 5 bytes JMP 0000000077190338 .text C:\Windows\system32\taskhost.exe[2456] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007702dee0 5 bytes JMP 0000000077190308 .text C:\Windows\system32\taskhost.exe[2456] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007702e040 5 bytes JMP 0000000077190228 .text C:\Windows\system32\taskhost.exe[2456] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007702e200 5 bytes JMP 0000000077190378 .text C:\Windows\system32\taskhost.exe[2456] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007702e230 5 bytes JMP 00000000771902e0 .text C:\Windows\system32\taskhost.exe[2456] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007702e310 5 bytes JMP 0000000077190288 .text C:\Windows\system32\taskhost.exe[2456] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007702e320 5 bytes JMP 00000000771902b8 .text C:\Windows\system32\taskhost.exe[2456] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007702e380 5 bytes JMP 0000000077190258 .text C:\Windows\system32\taskhost.exe[2456] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007702e410 5 bytes JMP 0000000077190268 .text C:\Windows\system32\taskhost.exe[2456] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007702e430 5 bytes JMP 00000000771902f8 .text C:\Windows\system32\taskhost.exe[2456] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007702e440 5 bytes JMP 00000000771902a8 .text C:\Windows\system32\taskhost.exe[2456] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007702e4b0 5 bytes JMP 0000000077190320 .text C:\Windows\system32\taskhost.exe[2456] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007702e4e0 5 bytes JMP 0000000077190230 .text C:\Windows\system32\taskhost.exe[2456] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007702e680 1 byte JMP 0000000077190310 .text C:\Windows\system32\taskhost.exe[2456] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread + 2 000000007702e682 3 bytes {JMP 0x161c90} .text C:\Windows\system32\taskhost.exe[2456] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007702e7a0 5 bytes JMP 0000000077190200 .text C:\Windows\system32\taskhost.exe[2456] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007702e860 5 bytes JMP 0000000077190238 .text C:\Windows\system32\taskhost.exe[2456] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007702e890 5 bytes JMP 00000000771903d0 .text C:\Windows\system32\taskhost.exe[2456] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007702e8a0 5 bytes JMP 00000000771903d8 .text C:\Windows\system32\taskhost.exe[2456] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007702e8d0 5 bytes JMP 0000000077190290 .text C:\Windows\system32\taskhost.exe[2456] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007702e8e0 5 bytes JMP 00000000771902c0 .text C:\Windows\system32\taskhost.exe[2456] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007702e940 5 bytes JMP 0000000077190260 .text C:\Windows\system32\taskhost.exe[2456] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007702e990 5 bytes JMP 0000000077190270 .text C:\Windows\system32\taskhost.exe[2456] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007702e9c0 5 bytes JMP 00000000771902d0 .text C:\Windows\system32\taskhost.exe[2456] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007702e9d0 5 bytes JMP 00000000771902b0 .text C:\Windows\system32\taskhost.exe[2456] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007702ecc0 1 byte JMP 0000000077190350 .text C:\Windows\system32\taskhost.exe[2456] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx + 2 000000007702ecc2 3 bytes {JMP 0x161690} .text C:\Windows\system32\taskhost.exe[2456] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 000000007702ee20 5 bytes JMP 0000000077190328 .text C:\Windows\system32\taskhost.exe[2456] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007702eec0 5 bytes JMP 0000000077190240 .text C:\Windows\system32\taskhost.exe[2456] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007702eed0 5 bytes JMP 0000000077190248 .text C:\Windows\system32\taskhost.exe[2456] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007702eee0 5 bytes JMP 0000000077190318 .text C:\Windows\system32\taskhost.exe[2456] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007702f0a0 5 bytes JMP 0000000077190208 .text C:\Windows\system32\taskhost.exe[2456] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007702f0b0 5 bytes JMP 0000000077190218 .text C:\Windows\system32\taskhost.exe[2456] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007702f120 5 bytes JMP 0000000077190210 .text C:\Windows\system32\taskhost.exe[2456] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007702f180 5 bytes JMP 0000000077190330 .text C:\Windows\system32\taskhost.exe[2456] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007702f190 5 bytes JMP 0000000077190340 .text C:\Windows\system32\taskhost.exe[2456] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007702f1a0 5 bytes JMP 0000000077190220 .text C:\Windows\system32\taskhost.exe[2456] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007702f280 5 bytes JMP 0000000077190250 .text C:\Windows\system32\DllHost.exe[2848] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007702da60 5 bytes JMP 0000000077190368 .text C:\Windows\system32\DllHost.exe[2848] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007702dab0 5 bytes JMP 0000000077190360 .text C:\Windows\system32\DllHost.exe[2848] C:\Windows\SYSTEM32\ntdll.dll!NtQueryVirtualMemory 000000007702dbe0 5 bytes JMP 0000000077190358 .text C:\Windows\system32\DllHost.exe[2848] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007702dc10 5 bytes JMP 00000000771902c8 .text C:\Windows\system32\DllHost.exe[2848] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007702dc60 5 bytes JMP 0000000077190370 .text C:\Windows\system32\DllHost.exe[2848] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007702dc70 1 byte JMP 0000000077190300 .text C:\Windows\system32\DllHost.exe[2848] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 2 000000007702dc72 3 bytes {JMP 0x162690} .text C:\Windows\system32\DllHost.exe[2848] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007702dd20 5 bytes JMP 00000000771902a0 .text C:\Windows\system32\DllHost.exe[2848] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007702dd50 5 bytes JMP 00000000771902e8 .text C:\Windows\system32\DllHost.exe[2848] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007702dd70 5 bytes JMP 00000000771902d8 .text C:\Windows\system32\DllHost.exe[2848] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007702ddb0 5 bytes JMP 0000000077190280 .text C:\Windows\system32\DllHost.exe[2848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007702de30 5 bytes JMP 0000000077190278 .text C:\Windows\system32\DllHost.exe[2848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007702de50 5 bytes JMP 0000000077190298 .text C:\Windows\system32\DllHost.exe[2848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007702de90 5 bytes JMP 00000000771902f0 .text C:\Windows\system32\DllHost.exe[2848] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007702ded0 5 bytes JMP 0000000077190338 .text C:\Windows\system32\DllHost.exe[2848] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007702dee0 5 bytes JMP 0000000077190308 .text C:\Windows\system32\DllHost.exe[2848] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007702e040 5 bytes JMP 0000000077190228 .text C:\Windows\system32\DllHost.exe[2848] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007702e200 5 bytes JMP 0000000077190378 .text C:\Windows\system32\DllHost.exe[2848] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007702e230 5 bytes JMP 00000000771902e0 .text C:\Windows\system32\DllHost.exe[2848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007702e310 5 bytes JMP 0000000077190288 .text C:\Windows\system32\DllHost.exe[2848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007702e320 5 bytes JMP 00000000771902b8 .text C:\Windows\system32\DllHost.exe[2848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007702e380 5 bytes JMP 0000000077190258 .text C:\Windows\system32\DllHost.exe[2848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007702e410 5 bytes JMP 0000000077190268 .text C:\Windows\system32\DllHost.exe[2848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007702e430 5 bytes JMP 00000000771902f8 .text C:\Windows\system32\DllHost.exe[2848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007702e440 5 bytes JMP 00000000771902a8 .text C:\Windows\system32\DllHost.exe[2848] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007702e4b0 5 bytes JMP 0000000077190320 .text C:\Windows\system32\DllHost.exe[2848] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007702e4e0 5 bytes JMP 0000000077190230 .text C:\Windows\system32\DllHost.exe[2848] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007702e680 1 byte JMP 0000000077190310 .text C:\Windows\system32\DllHost.exe[2848] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread + 2 000000007702e682 3 bytes {JMP 0x161c90} .text C:\Windows\system32\DllHost.exe[2848] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007702e7a0 5 bytes JMP 0000000077190200 .text C:\Windows\system32\DllHost.exe[2848] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007702e860 5 bytes JMP 0000000077190238 .text C:\Windows\system32\DllHost.exe[2848] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007702e890 5 bytes JMP 00000000771903d0 .text C:\Windows\system32\DllHost.exe[2848] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007702e8a0 5 bytes JMP 00000000771903d8 .text C:\Windows\system32\DllHost.exe[2848] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007702e8d0 5 bytes JMP 0000000077190290 .text C:\Windows\system32\DllHost.exe[2848] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007702e8e0 5 bytes JMP 00000000771902c0 .text C:\Windows\system32\DllHost.exe[2848] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007702e940 5 bytes JMP 0000000077190260 .text C:\Windows\system32\DllHost.exe[2848] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007702e990 5 bytes JMP 0000000077190270 .text C:\Windows\system32\DllHost.exe[2848] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007702e9c0 5 bytes JMP 00000000771902d0 .text C:\Windows\system32\DllHost.exe[2848] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007702e9d0 5 bytes JMP 00000000771902b0 .text C:\Windows\system32\DllHost.exe[2848] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007702ecc0 1 byte JMP 0000000077190350 .text C:\Windows\system32\DllHost.exe[2848] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx + 2 000000007702ecc2 3 bytes {JMP 0x161690} .text C:\Windows\system32\DllHost.exe[2848] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 000000007702ee20 5 bytes JMP 0000000077190328 .text C:\Windows\system32\DllHost.exe[2848] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007702eec0 5 bytes JMP 0000000077190240 .text C:\Windows\system32\DllHost.exe[2848] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007702eed0 5 bytes JMP 0000000077190248 .text C:\Windows\system32\DllHost.exe[2848] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007702eee0 5 bytes JMP 0000000077190318 .text C:\Windows\system32\DllHost.exe[2848] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007702f0a0 5 bytes JMP 0000000077190208 .text C:\Windows\system32\DllHost.exe[2848] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007702f0b0 5 bytes JMP 0000000077190218 .text C:\Windows\system32\DllHost.exe[2848] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007702f120 5 bytes JMP 0000000077190210 .text C:\Windows\system32\DllHost.exe[2848] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007702f180 5 bytes JMP 0000000077190330 .text C:\Windows\system32\DllHost.exe[2848] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007702f190 5 bytes JMP 0000000077190340 .text C:\Windows\system32\DllHost.exe[2848] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007702f1a0 5 bytes JMP 0000000077190220 .text C:\Windows\system32\DllHost.exe[2848] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007702f280 5 bytes JMP 0000000077190250 .text C:\Windows\system32\wbem\wmiprvse.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007702da60 5 bytes JMP 0000000077190368 .text C:\Windows\system32\wbem\wmiprvse.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007702dab0 5 bytes JMP 0000000077190360 .text C:\Windows\system32\wbem\wmiprvse.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtQueryVirtualMemory 000000007702dbe0 5 bytes JMP 0000000077190358 .text C:\Windows\system32\wbem\wmiprvse.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007702dc10 5 bytes JMP 00000000771902c8 .text C:\Windows\system32\wbem\wmiprvse.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007702dc60 5 bytes JMP 0000000077190370 .text C:\Windows\system32\wbem\wmiprvse.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007702dc70 1 byte JMP 0000000077190300 .text C:\Windows\system32\wbem\wmiprvse.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 2 000000007702dc72 3 bytes {JMP 0x162690} .text C:\Windows\system32\wbem\wmiprvse.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007702dd20 5 bytes JMP 00000000771902a0 .text C:\Windows\system32\wbem\wmiprvse.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007702dd50 5 bytes JMP 00000000771902e8 .text C:\Windows\system32\wbem\wmiprvse.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007702dd70 5 bytes JMP 00000000771902d8 .text C:\Windows\system32\wbem\wmiprvse.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007702ddb0 5 bytes JMP 0000000077190280 .text C:\Windows\system32\wbem\wmiprvse.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007702de30 5 bytes JMP 0000000077190278 .text C:\Windows\system32\wbem\wmiprvse.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007702de50 5 bytes JMP 0000000077190298 .text C:\Windows\system32\wbem\wmiprvse.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007702de90 5 bytes JMP 00000000771902f0 .text C:\Windows\system32\wbem\wmiprvse.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007702ded0 5 bytes JMP 0000000077190338 .text C:\Windows\system32\wbem\wmiprvse.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007702dee0 5 bytes JMP 0000000077190308 .text C:\Windows\system32\wbem\wmiprvse.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007702e040 5 bytes JMP 0000000077190228 .text C:\Windows\system32\wbem\wmiprvse.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007702e200 5 bytes JMP 0000000077190378 .text C:\Windows\system32\wbem\wmiprvse.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007702e230 5 bytes JMP 00000000771902e0 .text C:\Windows\system32\wbem\wmiprvse.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007702e310 5 bytes JMP 0000000077190288 .text C:\Windows\system32\wbem\wmiprvse.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007702e320 5 bytes JMP 00000000771902b8 .text C:\Windows\system32\wbem\wmiprvse.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007702e380 5 bytes JMP 0000000077190258 .text C:\Windows\system32\wbem\wmiprvse.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007702e410 5 bytes JMP 0000000077190268 .text C:\Windows\system32\wbem\wmiprvse.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007702e430 5 bytes JMP 00000000771902f8 .text C:\Windows\system32\wbem\wmiprvse.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007702e440 5 bytes JMP 00000000771902a8 .text C:\Windows\system32\wbem\wmiprvse.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007702e4b0 5 bytes JMP 0000000077190320 .text C:\Windows\system32\wbem\wmiprvse.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007702e4e0 5 bytes JMP 0000000077190230 .text C:\Windows\system32\wbem\wmiprvse.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007702e680 1 byte JMP 0000000077190310 .text C:\Windows\system32\wbem\wmiprvse.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread + 2 000000007702e682 3 bytes {JMP 0x161c90} .text C:\Windows\system32\wbem\wmiprvse.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007702e7a0 5 bytes JMP 0000000077190200 .text C:\Windows\system32\wbem\wmiprvse.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007702e860 5 bytes JMP 0000000077190238 .text C:\Windows\system32\wbem\wmiprvse.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007702e890 5 bytes JMP 00000000771903d0 .text C:\Windows\system32\wbem\wmiprvse.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007702e8a0 5 bytes JMP 00000000771903d8 .text C:\Windows\system32\wbem\wmiprvse.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007702e8d0 5 bytes JMP 0000000077190290 .text C:\Windows\system32\wbem\wmiprvse.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007702e8e0 5 bytes JMP 00000000771902c0 .text C:\Windows\system32\wbem\wmiprvse.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007702e940 5 bytes JMP 0000000077190260 .text C:\Windows\system32\wbem\wmiprvse.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007702e990 5 bytes JMP 0000000077190270 .text C:\Windows\system32\wbem\wmiprvse.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007702e9c0 5 bytes JMP 00000000771902d0 .text C:\Windows\system32\wbem\wmiprvse.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007702e9d0 5 bytes JMP 00000000771902b0 .text C:\Windows\system32\wbem\wmiprvse.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007702ecc0 1 byte JMP 0000000077190350 .text C:\Windows\system32\wbem\wmiprvse.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx + 2 000000007702ecc2 3 bytes {JMP 0x161690} .text C:\Windows\system32\wbem\wmiprvse.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 000000007702ee20 5 bytes JMP 0000000077190328 .text C:\Windows\system32\wbem\wmiprvse.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007702eec0 5 bytes JMP 0000000077190240 .text C:\Windows\system32\wbem\wmiprvse.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007702eed0 5 bytes JMP 0000000077190248 .text C:\Windows\system32\wbem\wmiprvse.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007702eee0 5 bytes JMP 0000000077190318 .text C:\Windows\system32\wbem\wmiprvse.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007702f0a0 5 bytes JMP 0000000077190208 .text C:\Windows\system32\wbem\wmiprvse.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007702f0b0 5 bytes JMP 0000000077190218 .text C:\Windows\system32\wbem\wmiprvse.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007702f120 5 bytes JMP 0000000077190210 .text C:\Windows\system32\wbem\wmiprvse.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007702f180 5 bytes JMP 0000000077190330 .text C:\Windows\system32\wbem\wmiprvse.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007702f190 5 bytes JMP 0000000077190340 .text C:\Windows\system32\wbem\wmiprvse.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007702f1a0 5 bytes JMP 0000000077190220 .text C:\Windows\system32\wbem\wmiprvse.exe[2996] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007702f280 5 bytes JMP 0000000077190250 .text C:\Windows\system32\svchost.exe[3556] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007702da60 5 bytes JMP 0000000077190368 .text C:\Windows\system32\svchost.exe[3556] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007702dab0 5 bytes JMP 0000000077190360 .text C:\Windows\system32\svchost.exe[3556] C:\Windows\SYSTEM32\ntdll.dll!NtQueryVirtualMemory 000000007702dbe0 5 bytes JMP 0000000077190358 .text C:\Windows\system32\svchost.exe[3556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007702dc10 5 bytes JMP 00000000771902c8 .text C:\Windows\system32\svchost.exe[3556] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007702dc60 5 bytes JMP 0000000077190370 .text C:\Windows\system32\svchost.exe[3556] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007702dc70 1 byte JMP 0000000077190300 .text C:\Windows\system32\svchost.exe[3556] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 2 000000007702dc72 3 bytes {JMP 0x162690} .text C:\Windows\system32\svchost.exe[3556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007702dd20 5 bytes JMP 00000000771902a0 .text C:\Windows\system32\svchost.exe[3556] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007702dd50 5 bytes JMP 00000000771902e8 .text C:\Windows\system32\svchost.exe[3556] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007702dd70 5 bytes JMP 00000000771902d8 .text C:\Windows\system32\svchost.exe[3556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007702ddb0 5 bytes JMP 0000000077190280 .text C:\Windows\system32\svchost.exe[3556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007702de30 5 bytes JMP 0000000077190278 .text C:\Windows\system32\svchost.exe[3556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007702de50 5 bytes JMP 0000000077190298 .text C:\Windows\system32\svchost.exe[3556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007702de90 5 bytes JMP 00000000771902f0 .text C:\Windows\system32\svchost.exe[3556] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007702ded0 5 bytes JMP 0000000077190338 .text C:\Windows\system32\svchost.exe[3556] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007702dee0 5 bytes JMP 0000000077190308 .text C:\Windows\system32\svchost.exe[3556] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007702e040 5 bytes JMP 0000000077190228 .text C:\Windows\system32\svchost.exe[3556] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007702e200 5 bytes JMP 0000000077190378 .text C:\Windows\system32\svchost.exe[3556] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007702e230 5 bytes JMP 00000000771902e0 .text C:\Windows\system32\svchost.exe[3556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007702e310 5 bytes JMP 0000000077190288 .text C:\Windows\system32\svchost.exe[3556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007702e320 5 bytes JMP 00000000771902b8 .text C:\Windows\system32\svchost.exe[3556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007702e380 5 bytes JMP 0000000077190258 .text C:\Windows\system32\svchost.exe[3556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007702e410 5 bytes JMP 0000000077190268 .text C:\Windows\system32\svchost.exe[3556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007702e430 5 bytes JMP 00000000771902f8 .text C:\Windows\system32\svchost.exe[3556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007702e440 5 bytes JMP 00000000771902a8 .text C:\Windows\system32\svchost.exe[3556] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007702e4b0 5 bytes JMP 0000000077190320 .text C:\Windows\system32\svchost.exe[3556] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007702e4e0 5 bytes JMP 0000000077190230 .text C:\Windows\system32\svchost.exe[3556] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007702e680 1 byte JMP 0000000077190310 .text C:\Windows\system32\svchost.exe[3556] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread + 2 000000007702e682 3 bytes {JMP 0x161c90} .text C:\Windows\system32\svchost.exe[3556] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007702e7a0 5 bytes JMP 0000000077190200 .text C:\Windows\system32\svchost.exe[3556] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007702e860 5 bytes JMP 0000000077190238 .text C:\Windows\system32\svchost.exe[3556] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007702e890 5 bytes JMP 00000000771903d0 .text C:\Windows\system32\svchost.exe[3556] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007702e8a0 5 bytes JMP 00000000771903d8 .text C:\Windows\system32\svchost.exe[3556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007702e8d0 5 bytes JMP 0000000077190290 .text C:\Windows\system32\svchost.exe[3556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007702e8e0 5 bytes JMP 00000000771902c0 .text C:\Windows\system32\svchost.exe[3556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007702e940 5 bytes JMP 0000000077190260 .text C:\Windows\system32\svchost.exe[3556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007702e990 5 bytes JMP 0000000077190270 .text C:\Windows\system32\svchost.exe[3556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007702e9c0 5 bytes JMP 00000000771902d0 .text C:\Windows\system32\svchost.exe[3556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007702e9d0 5 bytes JMP 00000000771902b0 .text C:\Windows\system32\svchost.exe[3556] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007702ecc0 1 byte JMP 0000000077190350 .text C:\Windows\system32\svchost.exe[3556] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx + 2 000000007702ecc2 3 bytes {JMP 0x161690} .text C:\Windows\system32\svchost.exe[3556] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 000000007702ee20 5 bytes JMP 0000000077190328 .text C:\Windows\system32\svchost.exe[3556] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007702eec0 5 bytes JMP 0000000077190240 .text C:\Windows\system32\svchost.exe[3556] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007702eed0 5 bytes JMP 0000000077190248 .text C:\Windows\system32\svchost.exe[3556] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007702eee0 5 bytes JMP 0000000077190318 .text C:\Windows\system32\svchost.exe[3556] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007702f0a0 5 bytes JMP 0000000077190208 .text C:\Windows\system32\svchost.exe[3556] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007702f0b0 5 bytes JMP 0000000077190218 .text C:\Windows\system32\svchost.exe[3556] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007702f120 5 bytes JMP 0000000077190210 .text C:\Windows\system32\svchost.exe[3556] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007702f180 5 bytes JMP 0000000077190330 .text C:\Windows\system32\svchost.exe[3556] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007702f190 5 bytes JMP 0000000077190340 .text C:\Windows\system32\svchost.exe[3556] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007702f1a0 5 bytes JMP 0000000077190220 .text C:\Windows\system32\svchost.exe[3556] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007702f280 5 bytes JMP 0000000077190250 .text C:\Windows\system32\taskeng.exe[3668] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007702da60 5 bytes JMP 0000000077190368 .text C:\Windows\system32\taskeng.exe[3668] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007702dab0 5 bytes JMP 0000000077190360 .text C:\Windows\system32\taskeng.exe[3668] C:\Windows\SYSTEM32\ntdll.dll!NtQueryVirtualMemory 000000007702dbe0 5 bytes JMP 0000000077190358 .text C:\Windows\system32\taskeng.exe[3668] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007702dc10 5 bytes JMP 00000000771902c8 .text C:\Windows\system32\taskeng.exe[3668] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007702dc60 5 bytes JMP 0000000077190370 .text C:\Windows\system32\taskeng.exe[3668] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007702dc70 1 byte JMP 0000000077190300 .text C:\Windows\system32\taskeng.exe[3668] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 2 000000007702dc72 3 bytes {JMP 0x162690} .text C:\Windows\system32\taskeng.exe[3668] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007702dd20 5 bytes JMP 00000000771902a0 .text C:\Windows\system32\taskeng.exe[3668] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007702dd50 5 bytes JMP 00000000771902e8 .text C:\Windows\system32\taskeng.exe[3668] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007702dd70 5 bytes JMP 00000000771902d8 .text C:\Windows\system32\taskeng.exe[3668] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007702ddb0 5 bytes JMP 0000000077190280 .text C:\Windows\system32\taskeng.exe[3668] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007702de30 5 bytes JMP 0000000077190278 .text C:\Windows\system32\taskeng.exe[3668] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007702de50 5 bytes JMP 0000000077190298 .text C:\Windows\system32\taskeng.exe[3668] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007702de90 5 bytes JMP 00000000771902f0 .text C:\Windows\system32\taskeng.exe[3668] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007702ded0 5 bytes JMP 0000000077190338 .text C:\Windows\system32\taskeng.exe[3668] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007702dee0 5 bytes JMP 0000000077190308 .text C:\Windows\system32\taskeng.exe[3668] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007702e040 5 bytes JMP 0000000077190228 .text C:\Windows\system32\taskeng.exe[3668] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007702e200 5 bytes JMP 0000000077190378 .text C:\Windows\system32\taskeng.exe[3668] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007702e230 5 bytes JMP 00000000771902e0 .text C:\Windows\system32\taskeng.exe[3668] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007702e310 5 bytes JMP 0000000077190288 .text C:\Windows\system32\taskeng.exe[3668] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007702e320 5 bytes JMP 00000000771902b8 .text C:\Windows\system32\taskeng.exe[3668] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007702e380 5 bytes JMP 0000000077190258 .text C:\Windows\system32\taskeng.exe[3668] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007702e410 5 bytes JMP 0000000077190268 .text C:\Windows\system32\taskeng.exe[3668] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007702e430 5 bytes JMP 00000000771902f8 .text C:\Windows\system32\taskeng.exe[3668] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007702e440 5 bytes JMP 00000000771902a8 .text C:\Windows\system32\taskeng.exe[3668] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007702e4b0 5 bytes JMP 0000000077190320 .text C:\Windows\system32\taskeng.exe[3668] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007702e4e0 5 bytes JMP 0000000077190230 .text C:\Windows\system32\taskeng.exe[3668] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007702e680 1 byte JMP 0000000077190310 .text C:\Windows\system32\taskeng.exe[3668] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread + 2 000000007702e682 3 bytes {JMP 0x161c90} .text C:\Windows\system32\taskeng.exe[3668] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007702e7a0 5 bytes JMP 0000000077190200 .text C:\Windows\system32\taskeng.exe[3668] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007702e860 5 bytes JMP 0000000077190238 .text C:\Windows\system32\taskeng.exe[3668] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007702e890 5 bytes JMP 00000000771903d0 .text C:\Windows\system32\taskeng.exe[3668] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007702e8a0 5 bytes JMP 00000000771903d8 .text C:\Windows\system32\taskeng.exe[3668] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007702e8d0 5 bytes JMP 0000000077190290 .text C:\Windows\system32\taskeng.exe[3668] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007702e8e0 5 bytes JMP 00000000771902c0 .text C:\Windows\system32\taskeng.exe[3668] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007702e940 5 bytes JMP 0000000077190260 .text C:\Windows\system32\taskeng.exe[3668] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007702e990 5 bytes JMP 0000000077190270 .text C:\Windows\system32\taskeng.exe[3668] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007702e9c0 5 bytes JMP 00000000771902d0 .text C:\Windows\system32\taskeng.exe[3668] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007702e9d0 5 bytes JMP 00000000771902b0 .text C:\Windows\system32\taskeng.exe[3668] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007702ecc0 1 byte JMP 0000000077190350 .text C:\Windows\system32\taskeng.exe[3668] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx + 2 000000007702ecc2 3 bytes {JMP 0x161690} .text C:\Windows\system32\taskeng.exe[3668] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 000000007702ee20 5 bytes JMP 0000000077190328 .text C:\Windows\system32\taskeng.exe[3668] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007702eec0 5 bytes JMP 0000000077190240 .text C:\Windows\system32\taskeng.exe[3668] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007702eed0 5 bytes JMP 0000000077190248 .text C:\Windows\system32\taskeng.exe[3668] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007702eee0 5 bytes JMP 0000000077190318 .text C:\Windows\system32\taskeng.exe[3668] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007702f0a0 5 bytes JMP 0000000077190208 .text C:\Windows\system32\taskeng.exe[3668] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007702f0b0 5 bytes JMP 0000000077190218 .text C:\Windows\system32\taskeng.exe[3668] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007702f120 5 bytes JMP 0000000077190210 .text C:\Windows\system32\taskeng.exe[3668] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007702f180 5 bytes JMP 0000000077190330 .text C:\Windows\system32\taskeng.exe[3668] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007702f190 5 bytes JMP 0000000077190340 .text C:\Windows\system32\taskeng.exe[3668] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007702f1a0 5 bytes JMP 0000000077190220 .text C:\Windows\system32\taskeng.exe[3668] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007702f280 5 bytes JMP 0000000077190250 .text C:\Windows\System32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007702da60 5 bytes JMP 0000000077190368 .text C:\Windows\System32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007702dab0 5 bytes JMP 0000000077190360 .text C:\Windows\System32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtQueryVirtualMemory 000000007702dbe0 5 bytes JMP 0000000077190358 .text C:\Windows\System32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007702dc10 5 bytes JMP 00000000771902c8 .text C:\Windows\System32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007702dc60 5 bytes JMP 0000000077190370 .text C:\Windows\System32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007702dc70 1 byte JMP 0000000077190300 .text C:\Windows\System32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 2 000000007702dc72 3 bytes {JMP 0x162690} .text C:\Windows\System32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007702dd20 5 bytes JMP 00000000771902a0 .text C:\Windows\System32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007702dd50 5 bytes JMP 00000000771902e8 .text C:\Windows\System32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007702dd70 5 bytes JMP 00000000771902d8 .text C:\Windows\System32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007702ddb0 5 bytes JMP 0000000077190280 .text C:\Windows\System32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007702de30 5 bytes JMP 0000000077190278 .text C:\Windows\System32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007702de50 5 bytes JMP 0000000077190298 .text C:\Windows\System32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007702de90 5 bytes JMP 00000000771902f0 .text C:\Windows\System32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007702ded0 5 bytes JMP 0000000077190338 .text C:\Windows\System32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007702dee0 5 bytes JMP 0000000077190308 .text C:\Windows\System32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007702e040 5 bytes JMP 0000000077190228 .text C:\Windows\System32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007702e200 5 bytes JMP 0000000077190378 .text C:\Windows\System32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007702e230 5 bytes JMP 00000000771902e0 .text C:\Windows\System32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007702e310 5 bytes JMP 0000000077190288 .text C:\Windows\System32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007702e320 5 bytes JMP 00000000771902b8 .text C:\Windows\System32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007702e380 5 bytes JMP 0000000077190258 .text C:\Windows\System32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007702e410 5 bytes JMP 0000000077190268 .text C:\Windows\System32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007702e430 5 bytes JMP 00000000771902f8 .text C:\Windows\System32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007702e440 5 bytes JMP 00000000771902a8 .text C:\Windows\System32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007702e4b0 5 bytes JMP 0000000077190320 .text C:\Windows\System32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007702e4e0 5 bytes JMP 0000000077190230 .text C:\Windows\System32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007702e680 1 byte JMP 0000000077190310 .text C:\Windows\System32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread + 2 000000007702e682 3 bytes {JMP 0x161c90} .text C:\Windows\System32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007702e7a0 5 bytes JMP 0000000077190200 .text C:\Windows\System32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007702e860 5 bytes JMP 0000000077190238 .text C:\Windows\System32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007702e890 5 bytes JMP 00000000771903d0 .text C:\Windows\System32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007702e8a0 5 bytes JMP 00000000771903d8 .text C:\Windows\System32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007702e8d0 5 bytes JMP 0000000077190290 .text C:\Windows\System32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007702e8e0 5 bytes JMP 00000000771902c0 .text C:\Windows\System32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007702e940 5 bytes JMP 0000000077190260 .text C:\Windows\System32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007702e990 5 bytes JMP 0000000077190270 .text C:\Windows\System32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007702e9c0 5 bytes JMP 00000000771902d0 .text C:\Windows\System32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007702e9d0 5 bytes JMP 00000000771902b0 .text C:\Windows\System32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007702ecc0 1 byte JMP 0000000077190350 .text C:\Windows\System32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx + 2 000000007702ecc2 3 bytes {JMP 0x161690} .text C:\Windows\System32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 000000007702ee20 5 bytes JMP 0000000077190328 .text C:\Windows\System32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007702eec0 5 bytes JMP 0000000077190240 .text C:\Windows\System32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007702eed0 5 bytes JMP 0000000077190248 .text C:\Windows\System32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007702eee0 5 bytes JMP 0000000077190318 .text C:\Windows\System32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007702f0a0 5 bytes JMP 0000000077190208 .text C:\Windows\System32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007702f0b0 5 bytes JMP 0000000077190218 .text C:\Windows\System32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007702f120 5 bytes JMP 0000000077190210 .text C:\Windows\System32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007702f180 5 bytes JMP 0000000077190330 .text C:\Windows\System32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007702f190 5 bytes JMP 0000000077190340 .text C:\Windows\System32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007702f1a0 5 bytes JMP 0000000077190220 .text C:\Windows\System32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007702f280 5 bytes JMP 0000000077190250 .text C:\Windows\SysWOW64\cmd.exe[5464] C:\Windows\SysWOW64\ntdll.dll!NtQueryInformationProcess 00000000771dfb18 5 bytes JMP 00000000645b34b0 .text C:\Windows\SysWOW64\cmd.exe[5464] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 00000000771dfc90 5 bytes JMP 00000000645b2830 .text C:\Windows\SysWOW64\cmd.exe[5464] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 00000000771dfe54 5 bytes JMP 00000000645b26c0 .text C:\Windows\SysWOW64\cmd.exe[5464] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 00000000771dfee8 5 bytes JMP 00000000645b2c30 .text C:\Windows\SysWOW64\cmd.exe[5464] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 00000000771dffb4 5 bytes JMP 00000000645b2ae0 .text C:\Windows\SysWOW64\cmd.exe[5464] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 00000000771e00a8 5 bytes JMP 00000000645b29d0 .text C:\Windows\SysWOW64\cmd.exe[5464] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000771e07dc 5 bytes JMP 00000000645b2d70 .text C:\Windows\SysWOW64\cmd.exe[5464] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 00000000771e08b4 5 bytes JMP 00000000645b3000 .text C:\Windows\SysWOW64\cmd.exe[5464] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 00000000771e095c 5 bytes JMP 00000000645b3290 .text C:\Windows\SysWOW64\cmd.exe[5464] C:\Windows\SysWOW64\ntdll.dll!NtOpenMutant 00000000771e10b8 5 bytes JMP 00000000645b2ec0 .text C:\Windows\SysWOW64\cmd.exe[5464] C:\Windows\SysWOW64\ntdll.dll!NtOpenSemaphore 00000000771e1130 5 bytes JMP 00000000645b3150 .text C:\Windows\SysWOW64\cmd.exe[5464] C:\Windows\SysWOW64\ntdll.dll!RtlQueryEnvironmentVariable 00000000771f909f 5 bytes JMP 00000000645b3420 .text C:\Windows\SysWOW64\cmd.exe[5464] C:\Windows\SysWOW64\ntdll.dll!RtlDecompressBuffer 00000000772804a5 5 bytes JMP 00000000645b3340 .text C:\Users\Joanna\AppData\Local\Akamai\netsession_win.exe[4000] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 00000000752a1401 2 bytes JMP 76a7b21b C:\Windows\syswow64\kernel32.dll .text C:\Users\Joanna\AppData\Local\Akamai\netsession_win.exe[4000] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 00000000752a1419 2 bytes JMP 76a7b346 C:\Windows\syswow64\kernel32.dll .text C:\Users\Joanna\AppData\Local\Akamai\netsession_win.exe[4000] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 00000000752a1431 2 bytes JMP 76af8fd1 C:\Windows\syswow64\kernel32.dll .text C:\Users\Joanna\AppData\Local\Akamai\netsession_win.exe[4000] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 00000000752a144a 2 bytes CALL 76a5489d C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Users\Joanna\AppData\Local\Akamai\netsession_win.exe[4000] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000752a14dd 2 bytes JMP 76af88c4 C:\Windows\syswow64\kernel32.dll .text C:\Users\Joanna\AppData\Local\Akamai\netsession_win.exe[4000] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000752a14f5 2 bytes JMP 76af8aa0 C:\Windows\syswow64\kernel32.dll .text C:\Users\Joanna\AppData\Local\Akamai\netsession_win.exe[4000] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 00000000752a150d 2 bytes JMP 76af87ba C:\Windows\syswow64\kernel32.dll .text C:\Users\Joanna\AppData\Local\Akamai\netsession_win.exe[4000] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 00000000752a1525 2 bytes JMP 76af8b8a C:\Windows\syswow64\kernel32.dll .text C:\Users\Joanna\AppData\Local\Akamai\netsession_win.exe[4000] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 00000000752a153d 2 bytes JMP 76a6fca8 C:\Windows\syswow64\kernel32.dll .text C:\Users\Joanna\AppData\Local\Akamai\netsession_win.exe[4000] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 00000000752a1555 2 bytes JMP 76a768ef C:\Windows\syswow64\kernel32.dll .text C:\Users\Joanna\AppData\Local\Akamai\netsession_win.exe[4000] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 00000000752a156d 2 bytes JMP 76af9089 C:\Windows\syswow64\kernel32.dll .text C:\Users\Joanna\AppData\Local\Akamai\netsession_win.exe[4000] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 00000000752a1585 2 bytes JMP 76af8bea C:\Windows\syswow64\kernel32.dll .text C:\Users\Joanna\AppData\Local\Akamai\netsession_win.exe[4000] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 00000000752a159d 2 bytes JMP 76af877e C:\Windows\syswow64\kernel32.dll .text C:\Users\Joanna\AppData\Local\Akamai\netsession_win.exe[4000] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000752a15b5 2 bytes JMP 76a6fd41 C:\Windows\syswow64\kernel32.dll .text C:\Users\Joanna\AppData\Local\Akamai\netsession_win.exe[4000] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000752a15cd 2 bytes JMP 76a7b2dc C:\Windows\syswow64\kernel32.dll .text C:\Users\Joanna\AppData\Local\Akamai\netsession_win.exe[4000] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000752a16b2 2 bytes JMP 76af8f4c C:\Windows\syswow64\kernel32.dll .text C:\Users\Joanna\AppData\Local\Akamai\netsession_win.exe[4000] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000752a16bd 2 bytes JMP 76af8713 C:\Windows\syswow64\kernel32.dll .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[5948] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 0000000077005110 5 bytes JMP 00000000000205f0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[5948] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 000000007702db40 5 bytes JMP 0000000000020678 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[5948] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 000000007702dc30 5 bytes JMP 00000000000200a0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[5948] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007702dd50 5 bytes JMP 0000000000020018 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[5948] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007702ddb0 5 bytes JMP 00000000000203d0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[5948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007702de30 5 bytes JMP 00000000000201b0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[5948] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007702ded0 5 bytes JMP 0000000000020128 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[5948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007702e380 5 bytes JMP 0000000000020238 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[5948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007702e410 5 bytes JMP 00000000000202c0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[5948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 000000007702e480 5 bytes JMP 0000000000020348 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[5948] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007702e940 5 bytes JMP 0000000000020458 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[5948] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007702e990 5 bytes JMP 00000000000204e0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[5948] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 00000000770836f0 5 bytes JMP 0000000000020568 .text C:\Windows\system32\AUDIODG.EXE[2964] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 0000000077005110 5 bytes JMP 00000000000205f0 .text C:\Windows\system32\AUDIODG.EXE[2964] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 000000007702db40 5 bytes JMP 0000000000020678 .text C:\Windows\system32\AUDIODG.EXE[2964] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 000000007702dc30 5 bytes JMP 00000000000200a0 .text C:\Windows\system32\AUDIODG.EXE[2964] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007702dd50 5 bytes JMP 0000000000020018 .text C:\Windows\system32\AUDIODG.EXE[2964] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007702ddb0 5 bytes JMP 00000000000203d0 .text C:\Windows\system32\AUDIODG.EXE[2964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007702de30 5 bytes JMP 00000000000201b0 .text C:\Windows\system32\AUDIODG.EXE[2964] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007702ded0 5 bytes JMP 0000000000020128 .text C:\Windows\system32\AUDIODG.EXE[2964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007702e380 5 bytes JMP 0000000000020238 .text C:\Windows\system32\AUDIODG.EXE[2964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007702e410 5 bytes JMP 00000000000202c0 .text C:\Windows\system32\AUDIODG.EXE[2964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 000000007702e480 5 bytes JMP 0000000000020348 .text C:\Windows\system32\AUDIODG.EXE[2964] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007702e940 5 bytes JMP 0000000000020458 .text C:\Windows\system32\AUDIODG.EXE[2964] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007702e990 5 bytes JMP 00000000000204e0 .text C:\Windows\system32\AUDIODG.EXE[2964] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 00000000770836f0 5 bytes JMP 0000000000020568 .text C:\Windows\System32\svchost.exe[6032] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007702da60 5 bytes JMP 0000000000070368 .text C:\Windows\System32\svchost.exe[6032] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007702dab0 5 bytes JMP 0000000000070360 .text C:\Windows\System32\svchost.exe[6032] C:\Windows\SYSTEM32\ntdll.dll!NtQueryVirtualMemory 000000007702dbe0 5 bytes JMP 0000000000070358 .text C:\Windows\System32\svchost.exe[6032] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007702dc10 5 bytes JMP 00000000000702c8 .text C:\Windows\System32\svchost.exe[6032] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007702dc60 5 bytes JMP 0000000000070370 .text C:\Windows\System32\svchost.exe[6032] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007702dc70 1 byte JMP 0000000000070300 .text C:\Windows\System32\svchost.exe[6032] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 2 000000007702dc72 3 bytes {JMP 0xffffffff89042690} .text C:\Windows\System32\svchost.exe[6032] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007702dd20 5 bytes JMP 00000000000702a0 .text C:\Windows\System32\svchost.exe[6032] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007702dd50 5 bytes JMP 00000000000702e8 .text C:\Windows\System32\svchost.exe[6032] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007702dd70 5 bytes JMP 00000000000702d8 .text C:\Windows\System32\svchost.exe[6032] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007702ddb0 5 bytes JMP 0000000000070280 .text C:\Windows\System32\svchost.exe[6032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007702de30 5 bytes JMP 0000000000070278 .text C:\Windows\System32\svchost.exe[6032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007702de50 5 bytes JMP 0000000000070298 .text C:\Windows\System32\svchost.exe[6032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007702de90 5 bytes JMP 00000000000702f0 .text C:\Windows\System32\svchost.exe[6032] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007702ded0 5 bytes JMP 0000000000070338 .text C:\Windows\System32\svchost.exe[6032] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007702dee0 5 bytes JMP 0000000000070308 .text C:\Windows\System32\svchost.exe[6032] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007702e040 5 bytes JMP 0000000000070228 .text C:\Windows\System32\svchost.exe[6032] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007702e200 5 bytes JMP 0000000000070378 .text C:\Windows\System32\svchost.exe[6032] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007702e230 5 bytes JMP 00000000000702e0 .text C:\Windows\System32\svchost.exe[6032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007702e310 5 bytes JMP 0000000000070288 .text C:\Windows\System32\svchost.exe[6032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007702e320 5 bytes JMP 00000000000702b8 .text C:\Windows\System32\svchost.exe[6032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007702e380 5 bytes JMP 0000000000070258 .text C:\Windows\System32\svchost.exe[6032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007702e410 5 bytes JMP 0000000000070268 .text C:\Windows\System32\svchost.exe[6032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007702e430 5 bytes JMP 00000000000702f8 .text C:\Windows\System32\svchost.exe[6032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007702e440 5 bytes JMP 00000000000702a8 .text C:\Windows\System32\svchost.exe[6032] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007702e4b0 5 bytes JMP 0000000000070320 .text C:\Windows\System32\svchost.exe[6032] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007702e4e0 5 bytes JMP 0000000000070230 .text C:\Windows\System32\svchost.exe[6032] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007702e680 1 byte JMP 0000000000070310 .text C:\Windows\System32\svchost.exe[6032] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread + 2 000000007702e682 3 bytes {JMP 0xffffffff89041c90} .text C:\Windows\System32\svchost.exe[6032] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007702e7a0 5 bytes JMP 0000000000070200 .text C:\Windows\System32\svchost.exe[6032] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007702e860 5 bytes JMP 0000000000070238 .text C:\Windows\System32\svchost.exe[6032] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007702e890 5 bytes JMP 00000000000703d0 .text C:\Windows\System32\svchost.exe[6032] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007702e8a0 5 bytes JMP 00000000000703d8 .text C:\Windows\System32\svchost.exe[6032] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007702e8d0 5 bytes JMP 0000000000070290 .text C:\Windows\System32\svchost.exe[6032] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007702e8e0 5 bytes JMP 00000000000702c0 .text C:\Windows\System32\svchost.exe[6032] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007702e940 5 bytes JMP 0000000000070260 .text C:\Windows\System32\svchost.exe[6032] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007702e990 5 bytes JMP 0000000000070270 .text C:\Windows\System32\svchost.exe[6032] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007702e9c0 5 bytes JMP 00000000000702d0 .text C:\Windows\System32\svchost.exe[6032] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007702e9d0 5 bytes JMP 00000000000702b0 .text C:\Windows\System32\svchost.exe[6032] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007702ecc0 1 byte JMP 0000000000070350 .text C:\Windows\System32\svchost.exe[6032] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx + 2 000000007702ecc2 3 bytes {JMP 0xffffffff89041690} .text C:\Windows\System32\svchost.exe[6032] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 000000007702ee20 5 bytes JMP 0000000000070328 .text C:\Windows\System32\svchost.exe[6032] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007702eec0 5 bytes JMP 0000000000070240 .text C:\Windows\System32\svchost.exe[6032] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007702eed0 5 bytes JMP 0000000000070248 .text C:\Windows\System32\svchost.exe[6032] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007702eee0 5 bytes JMP 0000000000070318 .text C:\Windows\System32\svchost.exe[6032] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007702f0a0 5 bytes JMP 0000000000070208 .text C:\Windows\System32\svchost.exe[6032] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007702f0b0 5 bytes JMP 0000000000070218 .text C:\Windows\System32\svchost.exe[6032] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007702f120 5 bytes JMP 0000000000070210 .text C:\Windows\System32\svchost.exe[6032] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007702f180 5 bytes JMP 0000000000070330 .text C:\Windows\System32\svchost.exe[6032] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007702f190 5 bytes JMP 0000000000070340 .text C:\Windows\System32\svchost.exe[6032] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007702f1a0 5 bytes JMP 0000000000070220 .text C:\Windows\System32\svchost.exe[6032] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007702f280 5 bytes JMP 0000000000070250 ---- Kernel IAT/EAT - GMER 2.2 ---- IAT C:\Windows\system32\DRIVERS\CLASSPNP.SYS[ntoskrnl.exe!IofCallDriver] [fffff88003c9d364] \SystemRoot\system32\drivers\aswSP.sys [unknown section] ---- Processes - GMER 2.2 ---- Library C:\Program Files (x86)\Google\Update\1.3.30.3\goopdate.dll (*** suspicious ***) @ C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [3836] 0000000070d30000 ---- Registry - GMER 2.2 ---- Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager@PendingFileRenameOperations ?2?~?d??????????{36fc9e60-c465-11cf-8056-444553540000}\0006?6.????????????????????????????????????????????6???????????5?????????????????????3?????????????????BTeredo Tunneling Pseudo-Interface????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????BTeredo Tunneling Pseudo-Interface????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????? Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters\Instup_14914935983882291@SetupOperations ?????&??as??? ??????????????????????????????N????????L???????????.??37??6.1.7600.16385?F3E???????????6??s8??DiskDrive????????????????????????&??????@disk.inf,%genmanufacturer%;(Standardowe stacje dysk?w)?????????????????????????gendisk?????????????????????????? ?????????????????????0????????????????????? ???????????????????>?0????????????????????????????????????????????????????gendisk?????? ?????????????????????0????????????????????????????????????????????????????????????????????? ???????????????????>?0????????????????????? ?????????????????????0????????????????????? ???????????????????>?0????????????????????????????????????????????????????????????disk.inf:disk_device.NTamd64:disk_install:6.1.7600.16385:gendisk????6.1.7601.17514??????????? ???????@???????????????????? ?????????ra??? ?????????????????????~??H?????????$???????????????????I ???????????g??so??LegacyDriver??????N???????????D??5????????N????????????????A?&?A?&?A?&???&???&???&???&???&???&???&???&?A?&???&???&???&?i?&?w?&?w?&???&???&???&???&???&???&? ---- Files - GMER 2.2 ---- File C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\PeerNetworking\1ab84f29b3b57ae9e47bd56bd6c7c9da8fd89160.HomeGroupClassifier\74b23783b4e55b28c2c53a0e92979455\grouping\edb00226.log 262144 bytes ---- EOF - GMER 2.2 ----