GMER 2.2.19882 - http://www.gmer.net Rootkit scan 2017-06-17 15:19:57 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 TOSHIBA_MK6459GSXP rev.GT001H 596,17GB Running: rmq2tm48.exe; Driver: C:\Users\Karina\AppData\Local\Temp\kwrdapog.sys ---- User code sections - GMER 2.2 ---- .text C:\Windows\system32\lsass.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007711bde0 5 bytes JMP 0000000077280368 .text C:\Windows\system32\lsass.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007711be30 5 bytes JMP 0000000077280360 .text C:\Windows\system32\lsass.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtQueryVirtualMemory 000000007711bf60 5 bytes JMP 0000000077280358 .text C:\Windows\system32\lsass.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007711bf90 5 bytes JMP 00000000772802c8 .text C:\Windows\system32\lsass.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007711bfe0 1 byte JMP 0000000077280370 .text C:\Windows\system32\lsass.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 000000007711bfe2 3 bytes {JMP 0x164390} .text C:\Windows\system32\lsass.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007711bff0 5 bytes JMP 0000000077280300 .text C:\Windows\system32\lsass.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007711c0a0 5 bytes JMP 00000000772802a0 .text C:\Windows\system32\lsass.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007711c0d0 5 bytes JMP 00000000772802e8 .text C:\Windows\system32\lsass.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007711c0f0 5 bytes JMP 00000000772802d8 .text C:\Windows\system32\lsass.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007711c130 5 bytes JMP 0000000077280280 .text C:\Windows\system32\lsass.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007711c1b0 5 bytes JMP 0000000077280278 .text C:\Windows\system32\lsass.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007711c1d0 5 bytes JMP 0000000077280298 .text C:\Windows\system32\lsass.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007711c210 5 bytes JMP 00000000772802f0 .text C:\Windows\system32\lsass.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007711c250 5 bytes JMP 0000000077280338 .text C:\Windows\system32\lsass.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007711c260 5 bytes JMP 0000000077280308 .text C:\Windows\system32\lsass.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007711c3c0 5 bytes JMP 0000000077280228 .text C:\Windows\system32\lsass.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007711c580 5 bytes JMP 0000000077280378 .text C:\Windows\system32\lsass.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007711c5b0 5 bytes JMP 00000000772802e0 .text C:\Windows\system32\lsass.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007711c690 5 bytes JMP 0000000077280288 .text C:\Windows\system32\lsass.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007711c6a0 5 bytes JMP 00000000772802b8 .text C:\Windows\system32\lsass.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007711c700 5 bytes JMP 0000000077280258 .text C:\Windows\system32\lsass.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007711c790 5 bytes JMP 0000000077280268 .text C:\Windows\system32\lsass.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007711c7b0 5 bytes JMP 00000000772802f8 .text C:\Windows\system32\lsass.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007711c7c0 5 bytes JMP 00000000772802a8 .text C:\Windows\system32\lsass.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007711c830 5 bytes JMP 0000000077280320 .text C:\Windows\system32\lsass.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007711c860 5 bytes JMP 0000000077280230 .text C:\Windows\system32\lsass.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007711ca00 5 bytes JMP 0000000077280310 .text C:\Windows\system32\lsass.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007711cb20 5 bytes JMP 0000000077280200 .text C:\Windows\system32\lsass.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007711cbe0 5 bytes JMP 0000000077280238 .text C:\Windows\system32\lsass.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007711cc10 5 bytes JMP 00000000772803d0 .text C:\Windows\system32\lsass.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007711cc20 5 bytes JMP 00000000772803d8 .text C:\Windows\system32\lsass.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007711cc50 5 bytes JMP 0000000077280290 .text C:\Windows\system32\lsass.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007711cc60 5 bytes JMP 00000000772802c0 .text C:\Windows\system32\lsass.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007711ccc0 5 bytes JMP 0000000077280260 .text C:\Windows\system32\lsass.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007711cd10 5 bytes JMP 0000000077280270 .text C:\Windows\system32\lsass.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007711cd40 1 byte JMP 00000000772802d0 .text C:\Windows\system32\lsass.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread + 2 000000007711cd42 3 bytes {JMP 0x163590} .text C:\Windows\system32\lsass.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007711cd50 5 bytes JMP 00000000772802b0 .text C:\Windows\system32\lsass.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007711d040 5 bytes JMP 0000000077280350 .text C:\Windows\system32\lsass.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 000000007711d1a0 5 bytes JMP 0000000077280328 .text C:\Windows\system32\lsass.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007711d240 5 bytes JMP 0000000077280240 .text C:\Windows\system32\lsass.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007711d250 5 bytes JMP 0000000077280248 .text C:\Windows\system32\lsass.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007711d260 5 bytes JMP 0000000077280318 .text C:\Windows\system32\lsass.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007711d420 5 bytes JMP 0000000077280208 .text C:\Windows\system32\lsass.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007711d430 5 bytes JMP 0000000077280218 .text C:\Windows\system32\lsass.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007711d4a0 5 bytes JMP 0000000077280210 .text C:\Windows\system32\lsass.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007711d500 5 bytes JMP 0000000077280330 .text C:\Windows\system32\lsass.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007711d510 5 bytes JMP 0000000077280340 .text C:\Windows\system32\lsass.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007711d520 5 bytes JMP 0000000077280220 .text C:\Windows\system32\lsass.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007711d600 5 bytes JMP 0000000077280250 .text C:\Windows\system32\svchost.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007711bde0 5 bytes JMP 0000000077280368 .text C:\Windows\system32\svchost.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007711be30 5 bytes JMP 0000000077280360 .text C:\Windows\system32\svchost.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtQueryVirtualMemory 000000007711bf60 5 bytes JMP 0000000077280358 .text C:\Windows\system32\svchost.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007711bf90 5 bytes JMP 00000000772802c8 .text C:\Windows\system32\svchost.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007711bfe0 1 byte JMP 0000000077280370 .text C:\Windows\system32\svchost.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 000000007711bfe2 3 bytes {JMP 0x164390} .text C:\Windows\system32\svchost.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007711bff0 5 bytes JMP 0000000077280300 .text C:\Windows\system32\svchost.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007711c0a0 5 bytes JMP 00000000772802a0 .text C:\Windows\system32\svchost.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007711c0d0 5 bytes JMP 00000000772802e8 .text C:\Windows\system32\svchost.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007711c0f0 5 bytes JMP 00000000772802d8 .text C:\Windows\system32\svchost.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007711c130 5 bytes JMP 0000000077280280 .text C:\Windows\system32\svchost.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007711c1b0 5 bytes JMP 0000000077280278 .text C:\Windows\system32\svchost.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007711c1d0 5 bytes JMP 0000000077280298 .text C:\Windows\system32\svchost.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007711c210 5 bytes JMP 00000000772802f0 .text C:\Windows\system32\svchost.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007711c250 5 bytes JMP 0000000077280338 .text C:\Windows\system32\svchost.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007711c260 5 bytes JMP 0000000077280308 .text C:\Windows\system32\svchost.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007711c3c0 5 bytes JMP 0000000077280228 .text C:\Windows\system32\svchost.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007711c580 5 bytes JMP 0000000077280378 .text C:\Windows\system32\svchost.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007711c5b0 5 bytes JMP 00000000772802e0 .text C:\Windows\system32\svchost.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007711c690 5 bytes JMP 0000000077280288 .text C:\Windows\system32\svchost.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007711c6a0 5 bytes JMP 00000000772802b8 .text C:\Windows\system32\svchost.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007711c700 5 bytes JMP 0000000077280258 .text C:\Windows\system32\svchost.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007711c790 5 bytes JMP 0000000077280268 .text C:\Windows\system32\svchost.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007711c7b0 5 bytes JMP 00000000772802f8 .text C:\Windows\system32\svchost.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007711c7c0 5 bytes JMP 00000000772802a8 .text C:\Windows\system32\svchost.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007711c830 5 bytes JMP 0000000077280320 .text C:\Windows\system32\svchost.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007711c860 5 bytes JMP 0000000077280230 .text C:\Windows\system32\svchost.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007711ca00 5 bytes JMP 0000000077280310 .text C:\Windows\system32\svchost.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007711cb20 5 bytes JMP 0000000077280200 .text C:\Windows\system32\svchost.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007711cbe0 5 bytes JMP 0000000077280238 .text C:\Windows\system32\svchost.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007711cc10 5 bytes JMP 00000000772803d0 .text C:\Windows\system32\svchost.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007711cc20 5 bytes JMP 00000000772803d8 .text C:\Windows\system32\svchost.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007711cc50 5 bytes JMP 0000000077280290 .text C:\Windows\system32\svchost.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007711cc60 5 bytes JMP 00000000772802c0 .text C:\Windows\system32\svchost.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007711ccc0 5 bytes JMP 0000000077280260 .text C:\Windows\system32\svchost.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007711cd10 5 bytes JMP 0000000077280270 .text C:\Windows\system32\svchost.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007711cd40 1 byte JMP 00000000772802d0 .text C:\Windows\system32\svchost.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread + 2 000000007711cd42 3 bytes {JMP 0x163590} .text C:\Windows\system32\svchost.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007711cd50 5 bytes JMP 00000000772802b0 .text C:\Windows\system32\svchost.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007711d040 5 bytes JMP 0000000077280350 .text C:\Windows\system32\svchost.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 000000007711d1a0 5 bytes JMP 0000000077280328 .text C:\Windows\system32\svchost.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007711d240 5 bytes JMP 0000000077280240 .text C:\Windows\system32\svchost.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007711d250 5 bytes JMP 0000000077280248 .text C:\Windows\system32\svchost.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007711d260 5 bytes JMP 0000000077280318 .text C:\Windows\system32\svchost.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007711d420 5 bytes JMP 0000000077280208 .text C:\Windows\system32\svchost.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007711d430 5 bytes JMP 0000000077280218 .text C:\Windows\system32\svchost.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007711d4a0 5 bytes JMP 0000000077280210 .text C:\Windows\system32\svchost.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007711d500 5 bytes JMP 0000000077280330 .text C:\Windows\system32\svchost.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007711d510 5 bytes JMP 0000000077280340 .text C:\Windows\system32\svchost.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007711d520 5 bytes JMP 0000000077280220 .text C:\Windows\system32\svchost.exe[804] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007711d600 5 bytes JMP 0000000077280250 .text C:\Windows\system32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007711bde0 5 bytes JMP 0000000077280368 .text C:\Windows\system32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007711be30 5 bytes JMP 0000000077280360 .text C:\Windows\system32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtQueryVirtualMemory 000000007711bf60 5 bytes JMP 0000000077280358 .text C:\Windows\system32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007711bf90 5 bytes JMP 00000000772802c8 .text C:\Windows\system32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007711bfe0 1 byte JMP 0000000077280370 .text C:\Windows\system32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 000000007711bfe2 3 bytes {JMP 0x164390} .text C:\Windows\system32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007711bff0 5 bytes JMP 0000000077280300 .text C:\Windows\system32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007711c0a0 5 bytes JMP 00000000772802a0 .text C:\Windows\system32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007711c0d0 5 bytes JMP 00000000772802e8 .text C:\Windows\system32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007711c0f0 5 bytes JMP 00000000772802d8 .text C:\Windows\system32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007711c130 5 bytes JMP 0000000077280280 .text C:\Windows\system32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007711c1b0 5 bytes JMP 0000000077280278 .text C:\Windows\system32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007711c1d0 5 bytes JMP 0000000077280298 .text C:\Windows\system32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007711c210 5 bytes JMP 00000000772802f0 .text C:\Windows\system32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007711c250 5 bytes JMP 0000000077280338 .text C:\Windows\system32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007711c260 5 bytes JMP 0000000077280308 .text C:\Windows\system32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007711c3c0 5 bytes JMP 0000000077280228 .text C:\Windows\system32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007711c580 5 bytes JMP 0000000077280378 .text C:\Windows\system32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007711c5b0 5 bytes JMP 00000000772802e0 .text C:\Windows\system32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007711c690 5 bytes JMP 0000000077280288 .text C:\Windows\system32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007711c6a0 5 bytes JMP 00000000772802b8 .text C:\Windows\system32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007711c700 5 bytes JMP 0000000077280258 .text C:\Windows\system32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007711c790 5 bytes JMP 0000000077280268 .text C:\Windows\system32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007711c7b0 5 bytes JMP 00000000772802f8 .text C:\Windows\system32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007711c7c0 5 bytes JMP 00000000772802a8 .text C:\Windows\system32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007711c830 5 bytes JMP 0000000077280320 .text C:\Windows\system32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007711c860 5 bytes JMP 0000000077280230 .text C:\Windows\system32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007711ca00 5 bytes JMP 0000000077280310 .text C:\Windows\system32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007711cb20 5 bytes JMP 0000000077280200 .text C:\Windows\system32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007711cbe0 5 bytes JMP 0000000077280238 .text C:\Windows\system32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007711cc10 5 bytes JMP 00000000772803d0 .text C:\Windows\system32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007711cc20 5 bytes JMP 00000000772803d8 .text C:\Windows\system32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007711cc50 5 bytes JMP 0000000077280290 .text C:\Windows\system32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007711cc60 5 bytes JMP 00000000772802c0 .text C:\Windows\system32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007711ccc0 5 bytes JMP 0000000077280260 .text C:\Windows\system32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007711cd10 5 bytes JMP 0000000077280270 .text C:\Windows\system32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007711cd40 1 byte JMP 00000000772802d0 .text C:\Windows\system32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread + 2 000000007711cd42 3 bytes {JMP 0x163590} .text C:\Windows\system32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007711cd50 5 bytes JMP 00000000772802b0 .text C:\Windows\system32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007711d040 5 bytes JMP 0000000077280350 .text C:\Windows\system32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 000000007711d1a0 5 bytes JMP 0000000077280328 .text C:\Windows\system32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007711d240 5 bytes JMP 0000000077280240 .text C:\Windows\system32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007711d250 5 bytes JMP 0000000077280248 .text C:\Windows\system32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007711d260 5 bytes JMP 0000000077280318 .text C:\Windows\system32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007711d420 5 bytes JMP 0000000077280208 .text C:\Windows\system32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007711d430 5 bytes JMP 0000000077280218 .text C:\Windows\system32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007711d4a0 5 bytes JMP 0000000077280210 .text C:\Windows\system32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007711d500 5 bytes JMP 0000000077280330 .text C:\Windows\system32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007711d510 5 bytes JMP 0000000077280340 .text C:\Windows\system32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007711d520 5 bytes JMP 0000000077280220 .text C:\Windows\system32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007711d600 5 bytes JMP 0000000077280250 .text C:\Windows\System32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007711bde0 5 bytes JMP 0000000077280368 .text C:\Windows\System32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007711be30 5 bytes JMP 0000000077280360 .text C:\Windows\System32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtQueryVirtualMemory 000000007711bf60 5 bytes JMP 0000000077280358 .text C:\Windows\System32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007711bf90 5 bytes JMP 00000000772802c8 .text C:\Windows\System32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007711bfe0 1 byte JMP 0000000077280370 .text C:\Windows\System32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 000000007711bfe2 3 bytes {JMP 0x164390} .text C:\Windows\System32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007711bff0 5 bytes JMP 0000000077280300 .text C:\Windows\System32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007711c0a0 5 bytes JMP 00000000772802a0 .text C:\Windows\System32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007711c0d0 5 bytes JMP 00000000772802e8 .text C:\Windows\System32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007711c0f0 5 bytes JMP 00000000772802d8 .text C:\Windows\System32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007711c130 5 bytes JMP 0000000077280280 .text C:\Windows\System32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007711c1b0 5 bytes JMP 0000000077280278 .text C:\Windows\System32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007711c1d0 5 bytes JMP 0000000077280298 .text C:\Windows\System32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007711c210 5 bytes JMP 00000000772802f0 .text C:\Windows\System32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007711c250 5 bytes JMP 0000000077280338 .text C:\Windows\System32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007711c260 5 bytes JMP 0000000077280308 .text C:\Windows\System32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007711c3c0 5 bytes JMP 0000000077280228 .text C:\Windows\System32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007711c580 5 bytes JMP 0000000077280378 .text C:\Windows\System32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007711c5b0 5 bytes JMP 00000000772802e0 .text C:\Windows\System32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007711c690 5 bytes JMP 0000000077280288 .text C:\Windows\System32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007711c6a0 5 bytes JMP 00000000772802b8 .text C:\Windows\System32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007711c700 5 bytes JMP 0000000077280258 .text C:\Windows\System32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007711c790 5 bytes JMP 0000000077280268 .text C:\Windows\System32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007711c7b0 5 bytes JMP 00000000772802f8 .text C:\Windows\System32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007711c7c0 5 bytes JMP 00000000772802a8 .text C:\Windows\System32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007711c830 5 bytes JMP 0000000077280320 .text C:\Windows\System32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007711c860 5 bytes JMP 0000000077280230 .text C:\Windows\System32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007711ca00 5 bytes JMP 0000000077280310 .text C:\Windows\System32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007711cb20 5 bytes JMP 0000000077280200 .text C:\Windows\System32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007711cbe0 5 bytes JMP 0000000077280238 .text C:\Windows\System32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007711cc10 5 bytes JMP 00000000772803d0 .text C:\Windows\System32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007711cc20 5 bytes JMP 00000000772803d8 .text C:\Windows\System32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007711cc50 5 bytes JMP 0000000077280290 .text C:\Windows\System32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007711cc60 5 bytes JMP 00000000772802c0 .text C:\Windows\System32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007711ccc0 5 bytes JMP 0000000077280260 .text C:\Windows\System32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007711cd10 5 bytes JMP 0000000077280270 .text C:\Windows\System32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007711cd40 1 byte JMP 00000000772802d0 .text C:\Windows\System32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread + 2 000000007711cd42 3 bytes {JMP 0x163590} .text C:\Windows\System32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007711cd50 5 bytes JMP 00000000772802b0 .text C:\Windows\System32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007711d040 5 bytes JMP 0000000077280350 .text C:\Windows\System32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 000000007711d1a0 5 bytes JMP 0000000077280328 .text C:\Windows\System32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007711d240 5 bytes JMP 0000000077280240 .text C:\Windows\System32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007711d250 5 bytes JMP 0000000077280248 .text C:\Windows\System32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007711d260 5 bytes JMP 0000000077280318 .text C:\Windows\System32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007711d420 5 bytes JMP 0000000077280208 .text C:\Windows\System32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007711d430 5 bytes JMP 0000000077280218 .text C:\Windows\System32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007711d4a0 5 bytes JMP 0000000077280210 .text C:\Windows\System32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007711d500 5 bytes JMP 0000000077280330 .text C:\Windows\System32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007711d510 5 bytes JMP 0000000077280340 .text C:\Windows\System32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007711d520 5 bytes JMP 0000000077280220 .text C:\Windows\System32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007711d600 5 bytes JMP 0000000077280250 .text C:\Windows\System32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007711bde0 5 bytes JMP 0000000077280368 .text C:\Windows\System32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007711be30 5 bytes JMP 0000000077280360 .text C:\Windows\System32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtQueryVirtualMemory 000000007711bf60 5 bytes JMP 0000000077280358 .text C:\Windows\System32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007711bf90 5 bytes JMP 00000000772802c8 .text C:\Windows\System32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007711bfe0 1 byte JMP 0000000077280370 .text C:\Windows\System32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 000000007711bfe2 3 bytes {JMP 0x164390} .text C:\Windows\System32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007711bff0 5 bytes JMP 0000000077280300 .text C:\Windows\System32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007711c0a0 5 bytes JMP 00000000772802a0 .text C:\Windows\System32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007711c0d0 5 bytes JMP 00000000772802e8 .text C:\Windows\System32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007711c0f0 5 bytes JMP 00000000772802d8 .text C:\Windows\System32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007711c130 5 bytes JMP 0000000077280280 .text C:\Windows\System32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007711c1b0 5 bytes JMP 0000000077280278 .text C:\Windows\System32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007711c1d0 5 bytes JMP 0000000077280298 .text C:\Windows\System32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007711c210 5 bytes JMP 00000000772802f0 .text C:\Windows\System32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007711c250 5 bytes JMP 0000000077280338 .text C:\Windows\System32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007711c260 5 bytes JMP 0000000077280308 .text C:\Windows\System32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007711c3c0 5 bytes JMP 0000000077280228 .text C:\Windows\System32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007711c580 5 bytes JMP 0000000077280378 .text C:\Windows\System32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007711c5b0 5 bytes JMP 00000000772802e0 .text C:\Windows\System32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007711c690 5 bytes JMP 0000000077280288 .text C:\Windows\System32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007711c6a0 5 bytes JMP 00000000772802b8 .text C:\Windows\System32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007711c700 5 bytes JMP 0000000077280258 .text C:\Windows\System32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007711c790 5 bytes JMP 0000000077280268 .text C:\Windows\System32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007711c7b0 5 bytes JMP 00000000772802f8 .text C:\Windows\System32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007711c7c0 5 bytes JMP 00000000772802a8 .text C:\Windows\System32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007711c830 5 bytes JMP 0000000077280320 .text C:\Windows\System32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007711c860 5 bytes JMP 0000000077280230 .text C:\Windows\System32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007711ca00 5 bytes JMP 0000000077280310 .text C:\Windows\System32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007711cb20 5 bytes JMP 0000000077280200 .text C:\Windows\System32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007711cbe0 5 bytes JMP 0000000077280238 .text C:\Windows\System32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007711cc10 5 bytes JMP 00000000772803d0 .text C:\Windows\System32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007711cc20 5 bytes JMP 00000000772803d8 .text C:\Windows\System32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007711cc50 5 bytes JMP 0000000077280290 .text C:\Windows\System32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007711cc60 5 bytes JMP 00000000772802c0 .text C:\Windows\System32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007711ccc0 5 bytes JMP 0000000077280260 .text C:\Windows\System32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007711cd10 5 bytes JMP 0000000077280270 .text C:\Windows\System32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007711cd40 1 byte JMP 00000000772802d0 .text C:\Windows\System32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread + 2 000000007711cd42 3 bytes {JMP 0x163590} .text C:\Windows\System32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007711cd50 5 bytes JMP 00000000772802b0 .text C:\Windows\System32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007711d040 5 bytes JMP 0000000077280350 .text C:\Windows\System32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 000000007711d1a0 5 bytes JMP 0000000077280328 .text C:\Windows\System32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007711d240 5 bytes JMP 0000000077280240 .text C:\Windows\System32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007711d250 5 bytes JMP 0000000077280248 .text C:\Windows\System32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007711d260 5 bytes JMP 0000000077280318 .text C:\Windows\System32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007711d420 5 bytes JMP 0000000077280208 .text C:\Windows\System32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007711d430 5 bytes JMP 0000000077280218 .text C:\Windows\System32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007711d4a0 5 bytes JMP 0000000077280210 .text C:\Windows\System32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007711d500 5 bytes JMP 0000000077280330 .text C:\Windows\System32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007711d510 5 bytes JMP 0000000077280340 .text C:\Windows\System32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007711d520 5 bytes JMP 0000000077280220 .text C:\Windows\System32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007711d600 5 bytes JMP 0000000077280250 .text C:\Windows\system32\svchost.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007711bde0 5 bytes JMP 0000000077280368 .text C:\Windows\system32\svchost.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007711be30 5 bytes JMP 0000000077280360 .text C:\Windows\system32\svchost.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtQueryVirtualMemory 000000007711bf60 5 bytes JMP 0000000077280358 .text C:\Windows\system32\svchost.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007711bf90 5 bytes JMP 00000000772802c8 .text C:\Windows\system32\svchost.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007711bfe0 1 byte JMP 0000000077280370 .text C:\Windows\system32\svchost.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 000000007711bfe2 3 bytes {JMP 0x164390} .text C:\Windows\system32\svchost.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007711bff0 5 bytes JMP 0000000077280300 .text C:\Windows\system32\svchost.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007711c0a0 5 bytes JMP 00000000772802a0 .text C:\Windows\system32\svchost.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007711c0d0 5 bytes JMP 00000000772802e8 .text C:\Windows\system32\svchost.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007711c0f0 5 bytes JMP 00000000772802d8 .text C:\Windows\system32\svchost.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007711c130 5 bytes JMP 0000000077280280 .text C:\Windows\system32\svchost.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007711c1b0 5 bytes JMP 0000000077280278 .text C:\Windows\system32\svchost.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007711c1d0 5 bytes JMP 0000000077280298 .text C:\Windows\system32\svchost.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007711c210 5 bytes JMP 00000000772802f0 .text C:\Windows\system32\svchost.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007711c250 5 bytes JMP 0000000077280338 .text C:\Windows\system32\svchost.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007711c260 5 bytes JMP 0000000077280308 .text C:\Windows\system32\svchost.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007711c3c0 5 bytes JMP 0000000077280228 .text C:\Windows\system32\svchost.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007711c580 5 bytes JMP 0000000077280378 .text C:\Windows\system32\svchost.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007711c5b0 5 bytes JMP 00000000772802e0 .text C:\Windows\system32\svchost.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007711c690 5 bytes JMP 0000000077280288 .text C:\Windows\system32\svchost.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007711c6a0 5 bytes JMP 00000000772802b8 .text C:\Windows\system32\svchost.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007711c700 5 bytes JMP 0000000077280258 .text C:\Windows\system32\svchost.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007711c790 5 bytes JMP 0000000077280268 .text C:\Windows\system32\svchost.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007711c7b0 5 bytes JMP 00000000772802f8 .text C:\Windows\system32\svchost.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007711c7c0 5 bytes JMP 00000000772802a8 .text C:\Windows\system32\svchost.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007711c830 5 bytes JMP 0000000077280320 .text C:\Windows\system32\svchost.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007711c860 5 bytes JMP 0000000077280230 .text C:\Windows\system32\svchost.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007711ca00 5 bytes JMP 0000000077280310 .text C:\Windows\system32\svchost.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007711cb20 5 bytes JMP 0000000077280200 .text C:\Windows\system32\svchost.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007711cbe0 5 bytes JMP 0000000077280238 .text C:\Windows\system32\svchost.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007711cc10 5 bytes JMP 00000000772803d0 .text C:\Windows\system32\svchost.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007711cc20 5 bytes JMP 00000000772803d8 .text C:\Windows\system32\svchost.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007711cc50 5 bytes JMP 0000000077280290 .text C:\Windows\system32\svchost.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007711cc60 5 bytes JMP 00000000772802c0 .text C:\Windows\system32\svchost.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007711ccc0 5 bytes JMP 0000000077280260 .text C:\Windows\system32\svchost.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007711cd10 5 bytes JMP 0000000077280270 .text C:\Windows\system32\svchost.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007711cd40 1 byte JMP 00000000772802d0 .text C:\Windows\system32\svchost.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread + 2 000000007711cd42 3 bytes {JMP 0x163590} .text C:\Windows\system32\svchost.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007711cd50 5 bytes JMP 00000000772802b0 .text C:\Windows\system32\svchost.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007711d040 5 bytes JMP 0000000077280350 .text C:\Windows\system32\svchost.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 000000007711d1a0 5 bytes JMP 0000000077280328 .text C:\Windows\system32\svchost.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007711d240 5 bytes JMP 0000000077280240 .text C:\Windows\system32\svchost.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007711d250 5 bytes JMP 0000000077280248 .text C:\Windows\system32\svchost.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007711d260 5 bytes JMP 0000000077280318 .text C:\Windows\system32\svchost.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007711d420 5 bytes JMP 0000000077280208 .text C:\Windows\system32\svchost.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007711d430 5 bytes JMP 0000000077280218 .text C:\Windows\system32\svchost.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007711d4a0 5 bytes JMP 0000000077280210 .text C:\Windows\system32\svchost.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007711d500 5 bytes JMP 0000000077280330 .text C:\Windows\system32\svchost.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007711d510 5 bytes JMP 0000000077280340 .text C:\Windows\system32\svchost.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007711d520 5 bytes JMP 0000000077280220 .text C:\Windows\system32\svchost.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007711d600 5 bytes JMP 0000000077280250 .text C:\Windows\system32\svchost.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007711bde0 5 bytes JMP 0000000077280368 .text C:\Windows\system32\svchost.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007711be30 5 bytes JMP 0000000077280360 .text C:\Windows\system32\svchost.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtQueryVirtualMemory 000000007711bf60 5 bytes JMP 0000000077280358 .text C:\Windows\system32\svchost.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007711bf90 5 bytes JMP 00000000772802c8 .text C:\Windows\system32\svchost.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007711bfe0 1 byte JMP 0000000077280370 .text C:\Windows\system32\svchost.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 000000007711bfe2 3 bytes {JMP 0x164390} .text C:\Windows\system32\svchost.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007711bff0 5 bytes JMP 0000000077280300 .text C:\Windows\system32\svchost.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007711c0a0 5 bytes JMP 00000000772802a0 .text C:\Windows\system32\svchost.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007711c0d0 5 bytes JMP 00000000772802e8 .text C:\Windows\system32\svchost.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007711c0f0 5 bytes JMP 00000000772802d8 .text C:\Windows\system32\svchost.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007711c130 5 bytes JMP 0000000077280280 .text C:\Windows\system32\svchost.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007711c1b0 5 bytes JMP 0000000077280278 .text C:\Windows\system32\svchost.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007711c1d0 5 bytes JMP 0000000077280298 .text C:\Windows\system32\svchost.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007711c210 5 bytes JMP 00000000772802f0 .text C:\Windows\system32\svchost.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007711c250 5 bytes JMP 0000000077280338 .text C:\Windows\system32\svchost.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007711c260 5 bytes JMP 0000000077280308 .text C:\Windows\system32\svchost.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007711c3c0 5 bytes JMP 0000000077280228 .text C:\Windows\system32\svchost.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007711c580 5 bytes JMP 0000000077280378 .text C:\Windows\system32\svchost.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007711c5b0 5 bytes JMP 00000000772802e0 .text C:\Windows\system32\svchost.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007711c690 5 bytes JMP 0000000077280288 .text C:\Windows\system32\svchost.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007711c6a0 5 bytes JMP 00000000772802b8 .text C:\Windows\system32\svchost.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007711c700 5 bytes JMP 0000000077280258 .text C:\Windows\system32\svchost.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007711c790 5 bytes JMP 0000000077280268 .text C:\Windows\system32\svchost.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007711c7b0 5 bytes JMP 00000000772802f8 .text C:\Windows\system32\svchost.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007711c7c0 5 bytes JMP 00000000772802a8 .text C:\Windows\system32\svchost.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007711c830 5 bytes JMP 0000000077280320 .text C:\Windows\system32\svchost.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007711c860 5 bytes JMP 0000000077280230 .text C:\Windows\system32\svchost.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007711ca00 5 bytes JMP 0000000077280310 .text C:\Windows\system32\svchost.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007711cb20 5 bytes JMP 0000000077280200 .text C:\Windows\system32\svchost.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007711cbe0 5 bytes JMP 0000000077280238 .text C:\Windows\system32\svchost.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007711cc10 5 bytes JMP 00000000772803d0 .text C:\Windows\system32\svchost.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007711cc20 5 bytes JMP 00000000772803d8 .text C:\Windows\system32\svchost.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007711cc50 5 bytes JMP 0000000077280290 .text C:\Windows\system32\svchost.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007711cc60 5 bytes JMP 00000000772802c0 .text C:\Windows\system32\svchost.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007711ccc0 5 bytes JMP 0000000077280260 .text C:\Windows\system32\svchost.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007711cd10 5 bytes JMP 0000000077280270 .text C:\Windows\system32\svchost.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007711cd40 1 byte JMP 00000000772802d0 .text C:\Windows\system32\svchost.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread + 2 000000007711cd42 3 bytes {JMP 0x163590} .text C:\Windows\system32\svchost.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007711cd50 5 bytes JMP 00000000772802b0 .text C:\Windows\system32\svchost.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007711d040 5 bytes JMP 0000000077280350 .text C:\Windows\system32\svchost.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 000000007711d1a0 5 bytes JMP 0000000077280328 .text C:\Windows\system32\svchost.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007711d240 5 bytes JMP 0000000077280240 .text C:\Windows\system32\svchost.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007711d250 5 bytes JMP 0000000077280248 .text C:\Windows\system32\svchost.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007711d260 5 bytes JMP 0000000077280318 .text C:\Windows\system32\svchost.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007711d420 5 bytes JMP 0000000077280208 .text C:\Windows\system32\svchost.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007711d430 5 bytes JMP 0000000077280218 .text C:\Windows\system32\svchost.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007711d4a0 5 bytes JMP 0000000077280210 .text C:\Windows\system32\svchost.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007711d500 5 bytes JMP 0000000077280330 .text C:\Windows\system32\svchost.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007711d510 5 bytes JMP 0000000077280340 .text C:\Windows\system32\svchost.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007711d520 5 bytes JMP 0000000077280220 .text C:\Windows\system32\svchost.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007711d600 5 bytes JMP 0000000077280250 .text C:\Windows\system32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007711bde0 5 bytes JMP 0000000077280368 .text C:\Windows\system32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007711be30 5 bytes JMP 0000000077280360 .text C:\Windows\system32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtQueryVirtualMemory 000000007711bf60 5 bytes JMP 0000000077280358 .text C:\Windows\system32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007711bf90 5 bytes JMP 00000000772802c8 .text C:\Windows\system32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007711bfe0 1 byte JMP 0000000077280370 .text C:\Windows\system32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 000000007711bfe2 3 bytes {JMP 0x164390} .text C:\Windows\system32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007711bff0 5 bytes JMP 0000000077280300 .text C:\Windows\system32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007711c0a0 5 bytes JMP 00000000772802a0 .text C:\Windows\system32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007711c0d0 5 bytes JMP 00000000772802e8 .text C:\Windows\system32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007711c0f0 5 bytes JMP 00000000772802d8 .text C:\Windows\system32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007711c130 5 bytes JMP 0000000077280280 .text C:\Windows\system32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007711c1b0 5 bytes JMP 0000000077280278 .text C:\Windows\system32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007711c1d0 5 bytes JMP 0000000077280298 .text C:\Windows\system32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007711c210 5 bytes JMP 00000000772802f0 .text C:\Windows\system32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007711c250 5 bytes JMP 0000000077280338 .text C:\Windows\system32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007711c260 5 bytes JMP 0000000077280308 .text C:\Windows\system32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007711c3c0 5 bytes JMP 0000000077280228 .text C:\Windows\system32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007711c580 5 bytes JMP 0000000077280378 .text C:\Windows\system32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007711c5b0 5 bytes JMP 00000000772802e0 .text C:\Windows\system32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007711c690 5 bytes JMP 0000000077280288 .text C:\Windows\system32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007711c6a0 5 bytes JMP 00000000772802b8 .text C:\Windows\system32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007711c700 5 bytes JMP 0000000077280258 .text C:\Windows\system32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007711c790 5 bytes JMP 0000000077280268 .text C:\Windows\system32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007711c7b0 5 bytes JMP 00000000772802f8 .text C:\Windows\system32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007711c7c0 5 bytes JMP 00000000772802a8 .text C:\Windows\system32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007711c830 5 bytes JMP 0000000077280320 .text C:\Windows\system32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007711c860 5 bytes JMP 0000000077280230 .text C:\Windows\system32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007711ca00 5 bytes JMP 0000000077280310 .text C:\Windows\system32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007711cb20 5 bytes JMP 0000000077280200 .text C:\Windows\system32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007711cbe0 5 bytes JMP 0000000077280238 .text C:\Windows\system32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007711cc10 5 bytes JMP 00000000772803d0 .text C:\Windows\system32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007711cc20 5 bytes JMP 00000000772803d8 .text C:\Windows\system32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007711cc50 5 bytes JMP 0000000077280290 .text C:\Windows\system32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007711cc60 5 bytes JMP 00000000772802c0 .text C:\Windows\system32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007711ccc0 5 bytes JMP 0000000077280260 .text C:\Windows\system32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007711cd10 5 bytes JMP 0000000077280270 .text C:\Windows\system32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007711cd40 1 byte JMP 00000000772802d0 .text C:\Windows\system32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread + 2 000000007711cd42 3 bytes {JMP 0x163590} .text C:\Windows\system32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007711cd50 5 bytes JMP 00000000772802b0 .text C:\Windows\system32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007711d040 5 bytes JMP 0000000077280350 .text C:\Windows\system32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 000000007711d1a0 5 bytes JMP 0000000077280328 .text C:\Windows\system32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007711d240 5 bytes JMP 0000000077280240 .text C:\Windows\system32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007711d250 5 bytes JMP 0000000077280248 .text C:\Windows\system32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007711d260 5 bytes JMP 0000000077280318 .text C:\Windows\system32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007711d420 5 bytes JMP 0000000077280208 .text C:\Windows\system32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007711d430 5 bytes JMP 0000000077280218 .text C:\Windows\system32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007711d4a0 5 bytes JMP 0000000077280210 .text C:\Windows\system32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007711d500 5 bytes JMP 0000000077280330 .text C:\Windows\system32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007711d510 5 bytes JMP 0000000077280340 .text C:\Windows\system32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007711d520 5 bytes JMP 0000000077280220 .text C:\Windows\system32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007711d600 5 bytes JMP 0000000077280250 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007711bde0 5 bytes JMP 0000000077280368 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007711be30 5 bytes JMP 0000000077280360 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtQueryVirtualMemory 000000007711bf60 5 bytes JMP 0000000077280358 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007711bf90 5 bytes JMP 00000000772802c8 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007711bfe0 1 byte JMP 0000000077280370 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 000000007711bfe2 3 bytes {JMP 0x164390} .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007711bff0 5 bytes JMP 0000000077280300 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007711c0a0 5 bytes JMP 00000000772802a0 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007711c0d0 5 bytes JMP 00000000772802e8 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007711c0f0 5 bytes JMP 00000000772802d8 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007711c130 5 bytes JMP 0000000077280280 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007711c1b0 5 bytes JMP 0000000077280278 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007711c1d0 5 bytes JMP 0000000077280298 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007711c210 5 bytes JMP 00000000772802f0 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007711c250 5 bytes JMP 0000000077280338 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007711c260 5 bytes JMP 0000000077280308 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007711c3c0 5 bytes JMP 0000000077280228 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007711c580 5 bytes JMP 0000000077280378 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007711c5b0 5 bytes JMP 00000000772802e0 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007711c690 5 bytes JMP 0000000077280288 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007711c6a0 5 bytes JMP 00000000772802b8 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007711c700 5 bytes JMP 0000000077280258 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007711c790 5 bytes JMP 0000000077280268 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007711c7b0 5 bytes JMP 00000000772802f8 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007711c7c0 5 bytes JMP 00000000772802a8 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007711c830 5 bytes JMP 0000000077280320 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007711c860 5 bytes JMP 0000000077280230 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007711ca00 5 bytes JMP 0000000077280310 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007711cb20 5 bytes JMP 0000000077280200 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007711cbe0 5 bytes JMP 0000000077280238 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007711cc10 5 bytes JMP 00000000772803d0 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007711cc20 5 bytes JMP 00000000772803d8 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007711cc50 5 bytes JMP 0000000077280290 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007711cc60 5 bytes JMP 00000000772802c0 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007711ccc0 5 bytes JMP 0000000077280260 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007711cd10 5 bytes JMP 0000000077280270 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007711cd40 1 byte JMP 00000000772802d0 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread + 2 000000007711cd42 3 bytes {JMP 0x163590} .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007711cd50 5 bytes JMP 00000000772802b0 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007711d040 5 bytes JMP 0000000077280350 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 000000007711d1a0 5 bytes JMP 0000000077280328 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007711d240 5 bytes JMP 0000000077280240 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007711d250 5 bytes JMP 0000000077280248 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007711d260 5 bytes JMP 0000000077280318 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007711d420 5 bytes JMP 0000000077280208 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007711d430 5 bytes JMP 0000000077280218 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007711d4a0 5 bytes JMP 0000000077280210 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007711d500 5 bytes JMP 0000000077280330 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007711d510 5 bytes JMP 0000000077280340 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007711d520 5 bytes JMP 0000000077280220 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007711d600 5 bytes JMP 0000000077280250 .text C:\Windows\system32\svchost.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007711bde0 5 bytes JMP 0000000000070368 .text C:\Windows\system32\svchost.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007711be30 5 bytes JMP 0000000000070360 .text C:\Windows\system32\svchost.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtQueryVirtualMemory 000000007711bf60 5 bytes JMP 0000000000070358 .text C:\Windows\system32\svchost.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007711bf90 5 bytes JMP 00000000000702c8 .text C:\Windows\system32\svchost.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007711bfe0 1 byte JMP 0000000000070370 .text C:\Windows\system32\svchost.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 000000007711bfe2 3 bytes {JMP 0xffffffff88f54390} .text C:\Windows\system32\svchost.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007711bff0 5 bytes JMP 0000000000070300 .text C:\Windows\system32\svchost.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007711c0a0 5 bytes JMP 00000000000702a0 .text C:\Windows\system32\svchost.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007711c0d0 5 bytes JMP 00000000000702e8 .text C:\Windows\system32\svchost.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007711c0f0 5 bytes JMP 00000000000702d8 .text C:\Windows\system32\svchost.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007711c130 5 bytes JMP 0000000000070280 .text C:\Windows\system32\svchost.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007711c1b0 5 bytes JMP 0000000000070278 .text C:\Windows\system32\svchost.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007711c1d0 5 bytes JMP 0000000000070298 .text C:\Windows\system32\svchost.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007711c210 5 bytes JMP 00000000000702f0 .text C:\Windows\system32\svchost.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007711c250 5 bytes JMP 0000000000070338 .text C:\Windows\system32\svchost.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007711c260 5 bytes JMP 0000000000070308 .text C:\Windows\system32\svchost.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007711c3c0 5 bytes JMP 0000000000070228 .text C:\Windows\system32\svchost.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007711c580 5 bytes JMP 0000000000070378 .text C:\Windows\system32\svchost.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007711c5b0 5 bytes JMP 00000000000702e0 .text C:\Windows\system32\svchost.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007711c690 5 bytes JMP 0000000000070288 .text C:\Windows\system32\svchost.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007711c6a0 5 bytes JMP 00000000000702b8 .text C:\Windows\system32\svchost.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007711c700 5 bytes JMP 0000000000070258 .text C:\Windows\system32\svchost.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007711c790 5 bytes JMP 0000000000070268 .text C:\Windows\system32\svchost.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007711c7b0 5 bytes JMP 00000000000702f8 .text C:\Windows\system32\svchost.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007711c7c0 5 bytes JMP 00000000000702a8 .text C:\Windows\system32\svchost.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007711c830 5 bytes JMP 0000000000070320 .text C:\Windows\system32\svchost.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007711c860 5 bytes JMP 0000000000070230 .text C:\Windows\system32\svchost.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007711ca00 5 bytes JMP 0000000000070310 .text C:\Windows\system32\svchost.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007711cb20 5 bytes JMP 0000000000070200 .text C:\Windows\system32\svchost.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007711cbe0 5 bytes JMP 0000000000070238 .text C:\Windows\system32\svchost.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007711cc10 5 bytes JMP 00000000000703d0 .text C:\Windows\system32\svchost.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007711cc20 5 bytes JMP 00000000000703d8 .text C:\Windows\system32\svchost.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007711cc50 5 bytes JMP 0000000000070290 .text C:\Windows\system32\svchost.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007711cc60 5 bytes JMP 00000000000702c0 .text C:\Windows\system32\svchost.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007711ccc0 5 bytes JMP 0000000000070260 .text C:\Windows\system32\svchost.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007711cd10 5 bytes JMP 0000000000070270 .text C:\Windows\system32\svchost.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007711cd40 1 byte JMP 00000000000702d0 .text C:\Windows\system32\svchost.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread + 2 000000007711cd42 3 bytes {JMP 0xffffffff88f53590} .text C:\Windows\system32\svchost.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007711cd50 5 bytes JMP 00000000000702b0 .text C:\Windows\system32\svchost.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007711d040 5 bytes JMP 0000000000070350 .text C:\Windows\system32\svchost.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 000000007711d1a0 5 bytes JMP 0000000000070328 .text C:\Windows\system32\svchost.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007711d240 5 bytes JMP 0000000000070240 .text C:\Windows\system32\svchost.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007711d250 5 bytes JMP 0000000000070248 .text C:\Windows\system32\svchost.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007711d260 5 bytes JMP 0000000000070318 .text C:\Windows\system32\svchost.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007711d420 5 bytes JMP 0000000000070208 .text C:\Windows\system32\svchost.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007711d430 5 bytes JMP 0000000000070218 .text C:\Windows\system32\svchost.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007711d4a0 5 bytes JMP 0000000000070210 .text C:\Windows\system32\svchost.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007711d500 5 bytes JMP 0000000000070330 .text C:\Windows\system32\svchost.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007711d510 5 bytes JMP 0000000000070340 .text C:\Windows\system32\svchost.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007711d520 5 bytes JMP 0000000000070220 .text C:\Windows\system32\svchost.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007711d600 5 bytes JMP 0000000000070250 .text C:\Windows\System32\svchost.exe[1644] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007711bde0 5 bytes JMP 0000000077280368 .text C:\Windows\System32\svchost.exe[1644] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007711be30 5 bytes JMP 0000000077280360 .text C:\Windows\System32\svchost.exe[1644] C:\Windows\SYSTEM32\ntdll.dll!NtQueryVirtualMemory 000000007711bf60 5 bytes JMP 0000000077280358 .text C:\Windows\System32\svchost.exe[1644] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007711bf90 5 bytes JMP 00000000772802c8 .text C:\Windows\System32\svchost.exe[1644] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007711bfe0 1 byte JMP 0000000077280370 .text C:\Windows\System32\svchost.exe[1644] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 000000007711bfe2 3 bytes {JMP 0x164390} .text C:\Windows\System32\svchost.exe[1644] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007711bff0 5 bytes JMP 0000000077280300 .text C:\Windows\System32\svchost.exe[1644] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007711c0a0 5 bytes JMP 00000000772802a0 .text C:\Windows\System32\svchost.exe[1644] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007711c0d0 5 bytes JMP 00000000772802e8 .text C:\Windows\System32\svchost.exe[1644] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007711c0f0 5 bytes JMP 00000000772802d8 .text C:\Windows\System32\svchost.exe[1644] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007711c130 5 bytes JMP 0000000077280280 .text C:\Windows\System32\svchost.exe[1644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007711c1b0 5 bytes JMP 0000000077280278 .text C:\Windows\System32\svchost.exe[1644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007711c1d0 5 bytes JMP 0000000077280298 .text C:\Windows\System32\svchost.exe[1644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007711c210 5 bytes JMP 00000000772802f0 .text C:\Windows\System32\svchost.exe[1644] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007711c250 5 bytes JMP 0000000077280338 .text C:\Windows\System32\svchost.exe[1644] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007711c260 5 bytes JMP 0000000077280308 .text C:\Windows\System32\svchost.exe[1644] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007711c3c0 5 bytes JMP 0000000077280228 .text C:\Windows\System32\svchost.exe[1644] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007711c580 5 bytes JMP 0000000077280378 .text C:\Windows\System32\svchost.exe[1644] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007711c5b0 5 bytes JMP 00000000772802e0 .text C:\Windows\System32\svchost.exe[1644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007711c690 5 bytes JMP 0000000077280288 .text C:\Windows\System32\svchost.exe[1644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007711c6a0 5 bytes JMP 00000000772802b8 .text C:\Windows\System32\svchost.exe[1644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007711c700 5 bytes JMP 0000000077280258 .text C:\Windows\System32\svchost.exe[1644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007711c790 5 bytes JMP 0000000077280268 .text C:\Windows\System32\svchost.exe[1644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007711c7b0 5 bytes JMP 00000000772802f8 .text C:\Windows\System32\svchost.exe[1644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007711c7c0 5 bytes JMP 00000000772802a8 .text C:\Windows\System32\svchost.exe[1644] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007711c830 5 bytes JMP 0000000077280320 .text C:\Windows\System32\svchost.exe[1644] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007711c860 5 bytes JMP 0000000077280230 .text C:\Windows\System32\svchost.exe[1644] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007711ca00 5 bytes JMP 0000000077280310 .text C:\Windows\System32\svchost.exe[1644] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007711cb20 5 bytes JMP 0000000077280200 .text C:\Windows\System32\svchost.exe[1644] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007711cbe0 5 bytes JMP 0000000077280238 .text C:\Windows\System32\svchost.exe[1644] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007711cc10 5 bytes JMP 00000000772803d0 .text C:\Windows\System32\svchost.exe[1644] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007711cc20 5 bytes JMP 00000000772803d8 .text C:\Windows\System32\svchost.exe[1644] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007711cc50 5 bytes JMP 0000000077280290 .text C:\Windows\System32\svchost.exe[1644] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007711cc60 5 bytes JMP 00000000772802c0 .text C:\Windows\System32\svchost.exe[1644] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007711ccc0 5 bytes JMP 0000000077280260 .text C:\Windows\System32\svchost.exe[1644] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007711cd10 5 bytes JMP 0000000077280270 .text C:\Windows\System32\svchost.exe[1644] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007711cd40 1 byte JMP 00000000772802d0 .text C:\Windows\System32\svchost.exe[1644] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread + 2 000000007711cd42 3 bytes {JMP 0x163590} .text C:\Windows\System32\svchost.exe[1644] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007711cd50 5 bytes JMP 00000000772802b0 .text C:\Windows\System32\svchost.exe[1644] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007711d040 5 bytes JMP 0000000077280350 .text C:\Windows\System32\svchost.exe[1644] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 000000007711d1a0 5 bytes JMP 0000000077280328 .text C:\Windows\System32\svchost.exe[1644] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007711d240 5 bytes JMP 0000000077280240 .text C:\Windows\System32\svchost.exe[1644] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007711d250 5 bytes JMP 0000000077280248 .text C:\Windows\System32\svchost.exe[1644] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007711d260 5 bytes JMP 0000000077280318 .text C:\Windows\System32\svchost.exe[1644] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007711d420 5 bytes JMP 0000000077280208 .text C:\Windows\System32\svchost.exe[1644] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007711d430 5 bytes JMP 0000000077280218 .text C:\Windows\System32\svchost.exe[1644] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007711d4a0 5 bytes JMP 0000000077280210 .text C:\Windows\System32\svchost.exe[1644] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007711d500 5 bytes JMP 0000000077280330 .text C:\Windows\System32\svchost.exe[1644] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007711d510 5 bytes JMP 0000000077280340 .text C:\Windows\System32\svchost.exe[1644] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007711d520 5 bytes JMP 0000000077280220 .text C:\Windows\System32\svchost.exe[1644] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007711d600 5 bytes JMP 0000000077280250 .text C:\Windows\system32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007711bde0 5 bytes JMP 0000000077280368 .text C:\Windows\system32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007711be30 5 bytes JMP 0000000077280360 .text C:\Windows\system32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtQueryVirtualMemory 000000007711bf60 5 bytes JMP 0000000077280358 .text C:\Windows\system32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007711bf90 5 bytes JMP 00000000772802c8 .text C:\Windows\system32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007711bfe0 1 byte JMP 0000000077280370 .text C:\Windows\system32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 000000007711bfe2 3 bytes {JMP 0x164390} .text C:\Windows\system32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007711bff0 5 bytes JMP 0000000077280300 .text C:\Windows\system32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007711c0a0 5 bytes JMP 00000000772802a0 .text C:\Windows\system32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007711c0d0 5 bytes JMP 00000000772802e8 .text C:\Windows\system32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007711c0f0 5 bytes JMP 00000000772802d8 .text C:\Windows\system32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007711c130 5 bytes JMP 0000000077280280 .text C:\Windows\system32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007711c1b0 5 bytes JMP 0000000077280278 .text C:\Windows\system32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007711c1d0 5 bytes JMP 0000000077280298 .text C:\Windows\system32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007711c210 5 bytes JMP 00000000772802f0 .text C:\Windows\system32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007711c250 5 bytes JMP 0000000077280338 .text C:\Windows\system32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007711c260 5 bytes JMP 0000000077280308 .text C:\Windows\system32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007711c3c0 5 bytes JMP 0000000077280228 .text C:\Windows\system32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007711c580 5 bytes JMP 0000000077280378 .text C:\Windows\system32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007711c5b0 5 bytes JMP 00000000772802e0 .text C:\Windows\system32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007711c690 5 bytes JMP 0000000077280288 .text C:\Windows\system32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007711c6a0 5 bytes JMP 00000000772802b8 .text C:\Windows\system32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007711c700 5 bytes JMP 0000000077280258 .text C:\Windows\system32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007711c790 5 bytes JMP 0000000077280268 .text C:\Windows\system32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007711c7b0 5 bytes JMP 00000000772802f8 .text C:\Windows\system32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007711c7c0 5 bytes JMP 00000000772802a8 .text C:\Windows\system32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007711c830 5 bytes JMP 0000000077280320 .text C:\Windows\system32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007711c860 5 bytes JMP 0000000077280230 .text C:\Windows\system32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007711ca00 5 bytes JMP 0000000077280310 .text C:\Windows\system32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007711cb20 5 bytes JMP 0000000077280200 .text C:\Windows\system32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007711cbe0 5 bytes JMP 0000000077280238 .text C:\Windows\system32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007711cc10 5 bytes JMP 00000000772803d0 .text C:\Windows\system32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007711cc20 5 bytes JMP 00000000772803d8 .text C:\Windows\system32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007711cc50 5 bytes JMP 0000000077280290 .text C:\Windows\system32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007711cc60 5 bytes JMP 00000000772802c0 .text C:\Windows\system32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007711ccc0 5 bytes JMP 0000000077280260 .text C:\Windows\system32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007711cd10 5 bytes JMP 0000000077280270 .text C:\Windows\system32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007711cd40 1 byte JMP 00000000772802d0 .text C:\Windows\system32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread + 2 000000007711cd42 3 bytes {JMP 0x163590} .text C:\Windows\system32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007711cd50 5 bytes JMP 00000000772802b0 .text C:\Windows\system32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007711d040 5 bytes JMP 0000000077280350 .text C:\Windows\system32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 000000007711d1a0 5 bytes JMP 0000000077280328 .text C:\Windows\system32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007711d240 5 bytes JMP 0000000077280240 .text C:\Windows\system32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007711d250 5 bytes JMP 0000000077280248 .text C:\Windows\system32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007711d260 5 bytes JMP 0000000077280318 .text C:\Windows\system32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007711d420 5 bytes JMP 0000000077280208 .text C:\Windows\system32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007711d430 5 bytes JMP 0000000077280218 .text C:\Windows\system32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007711d4a0 5 bytes JMP 0000000077280210 .text C:\Windows\system32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007711d500 5 bytes JMP 0000000077280330 .text C:\Windows\system32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007711d510 5 bytes JMP 0000000077280340 .text C:\Windows\system32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007711d520 5 bytes JMP 0000000077280220 .text C:\Windows\system32\svchost.exe[1472] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007711d600 5 bytes JMP 0000000077280250 .text C:\Windows\system32\taskhost.exe[3432] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 00000000770f4170 5 bytes JMP 00000000000201b0 .text C:\Windows\system32\taskhost.exe[3432] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007711bde0 5 bytes JMP 0000000077280368 .text C:\Windows\system32\taskhost.exe[3432] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007711be30 5 bytes JMP 0000000077280360 .text C:\Windows\system32\taskhost.exe[3432] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 000000007711bec0 5 bytes JMP 0000000000020238 .text C:\Windows\system32\taskhost.exe[3432] C:\Windows\SYSTEM32\ntdll.dll!NtQueryVirtualMemory 000000007711bf60 5 bytes JMP 0000000077280358 .text C:\Windows\system32\taskhost.exe[3432] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007711bf90 5 bytes JMP 00000000772802c8 .text C:\Windows\system32\taskhost.exe[3432] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 000000007711bfb0 5 bytes JMP 0000000000020018 .text C:\Windows\system32\taskhost.exe[3432] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007711bfe0 1 byte JMP 0000000077280370 .text C:\Windows\system32\taskhost.exe[3432] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 000000007711bfe2 3 bytes {JMP 0x164390} .text C:\Windows\system32\taskhost.exe[3432] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007711bff0 5 bytes JMP 0000000077280300 .text C:\Windows\system32\taskhost.exe[3432] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007711c0a0 5 bytes JMP 00000000772802a0 .text C:\Windows\system32\taskhost.exe[3432] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007711c0d0 5 bytes JMP 00000000772802e8 .text C:\Windows\system32\taskhost.exe[3432] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007711c0f0 5 bytes JMP 00000000772802d8 .text C:\Windows\system32\taskhost.exe[3432] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007711c130 5 bytes JMP 0000000077280280 .text C:\Windows\system32\taskhost.exe[3432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007711c1b0 5 bytes JMP 0000000077280278 .text C:\Windows\system32\taskhost.exe[3432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007711c1d0 5 bytes JMP 0000000077280298 .text C:\Windows\system32\taskhost.exe[3432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007711c210 5 bytes JMP 00000000772802f0 .text C:\Windows\system32\taskhost.exe[3432] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007711c250 5 bytes JMP 0000000077280338 .text C:\Windows\system32\taskhost.exe[3432] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007711c260 5 bytes JMP 0000000077280308 .text C:\Windows\system32\taskhost.exe[3432] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007711c3c0 5 bytes JMP 0000000077280228 .text C:\Windows\system32\taskhost.exe[3432] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007711c580 5 bytes JMP 0000000077280378 .text C:\Windows\system32\taskhost.exe[3432] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007711c5b0 5 bytes JMP 00000000772802e0 .text C:\Windows\system32\taskhost.exe[3432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007711c690 5 bytes JMP 0000000077280288 .text C:\Windows\system32\taskhost.exe[3432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007711c6a0 5 bytes JMP 00000000772802b8 .text C:\Windows\system32\taskhost.exe[3432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007711c700 5 bytes JMP 0000000077280258 .text C:\Windows\system32\taskhost.exe[3432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007711c790 5 bytes JMP 0000000077280268 .text C:\Windows\system32\taskhost.exe[3432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007711c7b0 5 bytes JMP 00000000772802f8 .text C:\Windows\system32\taskhost.exe[3432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007711c7c0 5 bytes JMP 00000000772802a8 .text C:\Windows\system32\taskhost.exe[3432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 000000007711c800 5 bytes JMP 00000000000200a0 .text C:\Windows\system32\taskhost.exe[3432] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007711c830 5 bytes JMP 0000000077280320 .text C:\Windows\system32\taskhost.exe[3432] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007711c860 5 bytes JMP 0000000077280230 .text C:\Windows\system32\taskhost.exe[3432] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007711ca00 5 bytes JMP 0000000077280310 .text C:\Windows\system32\taskhost.exe[3432] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007711cb20 5 bytes JMP 0000000077280200 .text C:\Windows\system32\taskhost.exe[3432] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007711cbe0 5 bytes JMP 0000000077280238 .text C:\Windows\system32\taskhost.exe[3432] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007711cc10 5 bytes JMP 00000000772803d0 .text C:\Windows\system32\taskhost.exe[3432] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007711cc20 5 bytes JMP 00000000772803d8 .text C:\Windows\system32\taskhost.exe[3432] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007711cc50 5 bytes JMP 0000000077280290 .text C:\Windows\system32\taskhost.exe[3432] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007711cc60 5 bytes JMP 00000000772802c0 .text C:\Windows\system32\taskhost.exe[3432] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007711ccc0 5 bytes JMP 0000000077280260 .text C:\Windows\system32\taskhost.exe[3432] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007711cd10 5 bytes JMP 0000000077280270 .text C:\Windows\system32\taskhost.exe[3432] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007711cd40 1 byte JMP 00000000772802d0 .text C:\Windows\system32\taskhost.exe[3432] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread + 2 000000007711cd42 3 bytes {JMP 0x163590} .text C:\Windows\system32\taskhost.exe[3432] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007711cd50 5 bytes JMP 00000000772802b0 .text C:\Windows\system32\taskhost.exe[3432] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007711d040 5 bytes JMP 0000000077280350 .text C:\Windows\system32\taskhost.exe[3432] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 000000007711d1a0 5 bytes JMP 0000000077280328 .text C:\Windows\system32\taskhost.exe[3432] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007711d240 5 bytes JMP 0000000077280240 .text C:\Windows\system32\taskhost.exe[3432] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007711d250 5 bytes JMP 0000000077280248 .text C:\Windows\system32\taskhost.exe[3432] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007711d260 5 bytes JMP 0000000077280318 .text C:\Windows\system32\taskhost.exe[3432] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007711d420 5 bytes JMP 0000000077280208 .text C:\Windows\system32\taskhost.exe[3432] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007711d430 5 bytes JMP 0000000077280218 .text C:\Windows\system32\taskhost.exe[3432] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007711d4a0 5 bytes JMP 0000000077280210 .text C:\Windows\system32\taskhost.exe[3432] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007711d500 5 bytes JMP 0000000077280330 .text C:\Windows\system32\taskhost.exe[3432] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007711d510 5 bytes JMP 0000000077280340 .text C:\Windows\system32\taskhost.exe[3432] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007711d520 5 bytes JMP 0000000077280220 .text C:\Windows\system32\taskhost.exe[3432] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007711d600 5 bytes JMP 0000000077280250 .text C:\Windows\system32\taskhost.exe[3432] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 00000000771726a0 5 bytes JMP 0000000000020128 .text C:\Windows\system32\wbem\wmiprvse.exe[3676] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 00000000770f4170 5 bytes JMP 00000000000201b0 .text C:\Windows\system32\wbem\wmiprvse.exe[3676] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007711bde0 5 bytes JMP 0000000077280368 .text C:\Windows\system32\wbem\wmiprvse.exe[3676] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007711be30 5 bytes JMP 0000000077280360 .text C:\Windows\system32\wbem\wmiprvse.exe[3676] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 000000007711bec0 5 bytes JMP 0000000000020238 .text C:\Windows\system32\wbem\wmiprvse.exe[3676] C:\Windows\SYSTEM32\ntdll.dll!NtQueryVirtualMemory 000000007711bf60 5 bytes JMP 0000000077280358 .text C:\Windows\system32\wbem\wmiprvse.exe[3676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007711bf90 5 bytes JMP 00000000772802c8 .text C:\Windows\system32\wbem\wmiprvse.exe[3676] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 000000007711bfb0 5 bytes JMP 0000000000020018 .text C:\Windows\system32\wbem\wmiprvse.exe[3676] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007711bfe0 1 byte JMP 0000000077280370 .text C:\Windows\system32\wbem\wmiprvse.exe[3676] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 000000007711bfe2 3 bytes {JMP 0x164390} .text C:\Windows\system32\wbem\wmiprvse.exe[3676] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007711bff0 5 bytes JMP 0000000077280300 .text C:\Windows\system32\wbem\wmiprvse.exe[3676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007711c0a0 5 bytes JMP 00000000772802a0 .text C:\Windows\system32\wbem\wmiprvse.exe[3676] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007711c0d0 5 bytes JMP 00000000772802e8 .text C:\Windows\system32\wbem\wmiprvse.exe[3676] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007711c0f0 5 bytes JMP 00000000772802d8 .text C:\Windows\system32\wbem\wmiprvse.exe[3676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007711c130 5 bytes JMP 0000000077280280 .text C:\Windows\system32\wbem\wmiprvse.exe[3676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007711c1b0 5 bytes JMP 0000000077280278 .text C:\Windows\system32\wbem\wmiprvse.exe[3676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007711c1d0 5 bytes JMP 0000000077280298 .text C:\Windows\system32\wbem\wmiprvse.exe[3676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007711c210 5 bytes JMP 00000000772802f0 .text C:\Windows\system32\wbem\wmiprvse.exe[3676] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007711c250 5 bytes JMP 0000000077280338 .text C:\Windows\system32\wbem\wmiprvse.exe[3676] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007711c260 5 bytes JMP 0000000077280308 .text C:\Windows\system32\wbem\wmiprvse.exe[3676] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007711c3c0 5 bytes JMP 0000000077280228 .text C:\Windows\system32\wbem\wmiprvse.exe[3676] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007711c580 5 bytes JMP 0000000077280378 .text C:\Windows\system32\wbem\wmiprvse.exe[3676] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007711c5b0 5 bytes JMP 00000000772802e0 .text C:\Windows\system32\wbem\wmiprvse.exe[3676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007711c690 5 bytes JMP 0000000077280288 .text C:\Windows\system32\wbem\wmiprvse.exe[3676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007711c6a0 5 bytes JMP 00000000772802b8 .text C:\Windows\system32\wbem\wmiprvse.exe[3676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007711c700 5 bytes JMP 0000000077280258 .text C:\Windows\system32\wbem\wmiprvse.exe[3676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007711c790 5 bytes JMP 0000000077280268 .text C:\Windows\system32\wbem\wmiprvse.exe[3676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007711c7b0 5 bytes JMP 00000000772802f8 .text C:\Windows\system32\wbem\wmiprvse.exe[3676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007711c7c0 5 bytes JMP 00000000772802a8 .text C:\Windows\system32\wbem\wmiprvse.exe[3676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 000000007711c800 5 bytes JMP 00000000000200a0 .text C:\Windows\system32\wbem\wmiprvse.exe[3676] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007711c830 5 bytes JMP 0000000077280320 .text C:\Windows\system32\wbem\wmiprvse.exe[3676] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007711c860 5 bytes JMP 0000000077280230 .text C:\Windows\system32\wbem\wmiprvse.exe[3676] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007711ca00 5 bytes JMP 0000000077280310 .text C:\Windows\system32\wbem\wmiprvse.exe[3676] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007711cb20 5 bytes JMP 0000000077280200 .text C:\Windows\system32\wbem\wmiprvse.exe[3676] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007711cbe0 5 bytes JMP 0000000077280238 .text C:\Windows\system32\wbem\wmiprvse.exe[3676] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007711cc10 5 bytes JMP 00000000772803d0 .text C:\Windows\system32\wbem\wmiprvse.exe[3676] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007711cc20 5 bytes JMP 00000000772803d8 .text C:\Windows\system32\wbem\wmiprvse.exe[3676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007711cc50 5 bytes JMP 0000000077280290 .text C:\Windows\system32\wbem\wmiprvse.exe[3676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007711cc60 5 bytes JMP 00000000772802c0 .text C:\Windows\system32\wbem\wmiprvse.exe[3676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007711ccc0 5 bytes JMP 0000000077280260 .text C:\Windows\system32\wbem\wmiprvse.exe[3676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007711cd10 5 bytes JMP 0000000077280270 .text C:\Windows\system32\wbem\wmiprvse.exe[3676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007711cd40 1 byte JMP 00000000772802d0 .text C:\Windows\system32\wbem\wmiprvse.exe[3676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread + 2 000000007711cd42 3 bytes {JMP 0x163590} .text C:\Windows\system32\wbem\wmiprvse.exe[3676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007711cd50 5 bytes JMP 00000000772802b0 .text C:\Windows\system32\wbem\wmiprvse.exe[3676] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007711d040 5 bytes JMP 0000000077280350 .text C:\Windows\system32\wbem\wmiprvse.exe[3676] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 000000007711d1a0 5 bytes JMP 0000000077280328 .text C:\Windows\system32\wbem\wmiprvse.exe[3676] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007711d240 5 bytes JMP 0000000077280240 .text C:\Windows\system32\wbem\wmiprvse.exe[3676] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007711d250 5 bytes JMP 0000000077280248 .text C:\Windows\system32\wbem\wmiprvse.exe[3676] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007711d260 5 bytes JMP 0000000077280318 .text C:\Windows\system32\wbem\wmiprvse.exe[3676] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007711d420 5 bytes JMP 0000000077280208 .text C:\Windows\system32\wbem\wmiprvse.exe[3676] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007711d430 5 bytes JMP 0000000077280218 .text C:\Windows\system32\wbem\wmiprvse.exe[3676] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007711d4a0 5 bytes JMP 0000000077280210 .text C:\Windows\system32\wbem\wmiprvse.exe[3676] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007711d500 5 bytes JMP 0000000077280330 .text C:\Windows\system32\wbem\wmiprvse.exe[3676] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007711d510 5 bytes JMP 0000000077280340 .text C:\Windows\system32\wbem\wmiprvse.exe[3676] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007711d520 5 bytes JMP 0000000077280220 .text C:\Windows\system32\wbem\wmiprvse.exe[3676] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007711d600 5 bytes JMP 0000000077280250 .text C:\Windows\system32\wbem\wmiprvse.exe[3676] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 00000000771726a0 5 bytes JMP 0000000000020128 .text C:\Windows\system32\wbem\wmiprvse.exe[3708] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 00000000770f4170 5 bytes JMP 00000000000201b0 .text C:\Windows\system32\wbem\wmiprvse.exe[3708] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007711bde0 5 bytes JMP 0000000077280368 .text C:\Windows\system32\wbem\wmiprvse.exe[3708] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007711be30 5 bytes JMP 0000000077280360 .text C:\Windows\system32\wbem\wmiprvse.exe[3708] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 000000007711bec0 5 bytes JMP 0000000000020238 .text C:\Windows\system32\wbem\wmiprvse.exe[3708] C:\Windows\SYSTEM32\ntdll.dll!NtQueryVirtualMemory 000000007711bf60 5 bytes JMP 0000000077280358 .text C:\Windows\system32\wbem\wmiprvse.exe[3708] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007711bf90 5 bytes JMP 00000000772802c8 .text C:\Windows\system32\wbem\wmiprvse.exe[3708] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 000000007711bfb0 5 bytes JMP 0000000000020018 .text C:\Windows\system32\wbem\wmiprvse.exe[3708] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007711bfe0 1 byte JMP 0000000077280370 .text C:\Windows\system32\wbem\wmiprvse.exe[3708] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 000000007711bfe2 3 bytes {JMP 0x164390} .text C:\Windows\system32\wbem\wmiprvse.exe[3708] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007711bff0 5 bytes JMP 0000000077280300 .text C:\Windows\system32\wbem\wmiprvse.exe[3708] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007711c0a0 5 bytes JMP 00000000772802a0 .text C:\Windows\system32\wbem\wmiprvse.exe[3708] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007711c0d0 5 bytes JMP 00000000772802e8 .text C:\Windows\system32\wbem\wmiprvse.exe[3708] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007711c0f0 5 bytes JMP 00000000772802d8 .text C:\Windows\system32\wbem\wmiprvse.exe[3708] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007711c130 5 bytes JMP 0000000077280280 .text C:\Windows\system32\wbem\wmiprvse.exe[3708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007711c1b0 5 bytes JMP 0000000077280278 .text C:\Windows\system32\wbem\wmiprvse.exe[3708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007711c1d0 5 bytes JMP 0000000077280298 .text C:\Windows\system32\wbem\wmiprvse.exe[3708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007711c210 5 bytes JMP 00000000772802f0 .text C:\Windows\system32\wbem\wmiprvse.exe[3708] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007711c250 5 bytes JMP 0000000077280338 .text C:\Windows\system32\wbem\wmiprvse.exe[3708] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007711c260 5 bytes JMP 0000000077280308 .text C:\Windows\system32\wbem\wmiprvse.exe[3708] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007711c3c0 5 bytes JMP 0000000077280228 .text C:\Windows\system32\wbem\wmiprvse.exe[3708] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007711c580 5 bytes JMP 0000000077280378 .text C:\Windows\system32\wbem\wmiprvse.exe[3708] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007711c5b0 5 bytes JMP 00000000772802e0 .text C:\Windows\system32\wbem\wmiprvse.exe[3708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007711c690 5 bytes JMP 0000000077280288 .text C:\Windows\system32\wbem\wmiprvse.exe[3708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007711c6a0 5 bytes JMP 00000000772802b8 .text C:\Windows\system32\wbem\wmiprvse.exe[3708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007711c700 5 bytes JMP 0000000077280258 .text C:\Windows\system32\wbem\wmiprvse.exe[3708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007711c790 5 bytes JMP 0000000077280268 .text C:\Windows\system32\wbem\wmiprvse.exe[3708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007711c7b0 5 bytes JMP 00000000772802f8 .text C:\Windows\system32\wbem\wmiprvse.exe[3708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007711c7c0 5 bytes JMP 00000000772802a8 .text C:\Windows\system32\wbem\wmiprvse.exe[3708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 000000007711c800 5 bytes JMP 00000000000200a0 .text C:\Windows\system32\wbem\wmiprvse.exe[3708] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007711c830 5 bytes JMP 0000000077280320 .text C:\Windows\system32\wbem\wmiprvse.exe[3708] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007711c860 5 bytes JMP 0000000077280230 .text C:\Windows\system32\wbem\wmiprvse.exe[3708] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007711ca00 5 bytes JMP 0000000077280310 .text C:\Windows\system32\wbem\wmiprvse.exe[3708] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007711cb20 5 bytes JMP 0000000077280200 .text C:\Windows\system32\wbem\wmiprvse.exe[3708] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007711cbe0 5 bytes JMP 0000000077280238 .text C:\Windows\system32\wbem\wmiprvse.exe[3708] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007711cc10 5 bytes JMP 00000000772803d0 .text C:\Windows\system32\wbem\wmiprvse.exe[3708] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007711cc20 5 bytes JMP 00000000772803d8 .text C:\Windows\system32\wbem\wmiprvse.exe[3708] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007711cc50 5 bytes JMP 0000000077280290 .text C:\Windows\system32\wbem\wmiprvse.exe[3708] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007711cc60 5 bytes JMP 00000000772802c0 .text C:\Windows\system32\wbem\wmiprvse.exe[3708] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007711ccc0 5 bytes JMP 0000000077280260 .text C:\Windows\system32\wbem\wmiprvse.exe[3708] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007711cd10 5 bytes JMP 0000000077280270 .text C:\Windows\system32\wbem\wmiprvse.exe[3708] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007711cd40 1 byte JMP 00000000772802d0 .text C:\Windows\system32\wbem\wmiprvse.exe[3708] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread + 2 000000007711cd42 3 bytes {JMP 0x163590} .text C:\Windows\system32\wbem\wmiprvse.exe[3708] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007711cd50 5 bytes JMP 00000000772802b0 .text C:\Windows\system32\wbem\wmiprvse.exe[3708] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007711d040 5 bytes JMP 0000000077280350 .text C:\Windows\system32\wbem\wmiprvse.exe[3708] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 000000007711d1a0 5 bytes JMP 0000000077280328 .text C:\Windows\system32\wbem\wmiprvse.exe[3708] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007711d240 5 bytes JMP 0000000077280240 .text C:\Windows\system32\wbem\wmiprvse.exe[3708] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007711d250 5 bytes JMP 0000000077280248 .text C:\Windows\system32\wbem\wmiprvse.exe[3708] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007711d260 5 bytes JMP 0000000077280318 .text C:\Windows\system32\wbem\wmiprvse.exe[3708] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007711d420 5 bytes JMP 0000000077280208 .text C:\Windows\system32\wbem\wmiprvse.exe[3708] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007711d430 5 bytes JMP 0000000077280218 .text C:\Windows\system32\wbem\wmiprvse.exe[3708] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007711d4a0 5 bytes JMP 0000000077280210 .text C:\Windows\system32\wbem\wmiprvse.exe[3708] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007711d500 5 bytes JMP 0000000077280330 .text C:\Windows\system32\wbem\wmiprvse.exe[3708] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007711d510 5 bytes JMP 0000000077280340 .text C:\Windows\system32\wbem\wmiprvse.exe[3708] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007711d520 5 bytes JMP 0000000077280220 .text C:\Windows\system32\wbem\wmiprvse.exe[3708] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007711d600 5 bytes JMP 0000000077280250 .text C:\Windows\system32\wbem\wmiprvse.exe[3708] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 00000000771726a0 5 bytes JMP 0000000000020128 .text C:\Windows\system32\Dwm.exe[4008] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 00000000770f4170 5 bytes JMP 00000000000201b0 .text C:\Windows\system32\Dwm.exe[4008] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007711bde0 5 bytes JMP 0000000000070368 .text C:\Windows\system32\Dwm.exe[4008] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007711be30 5 bytes JMP 0000000000070360 .text C:\Windows\system32\Dwm.exe[4008] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 000000007711bec0 5 bytes JMP 0000000000020238 .text C:\Windows\system32\Dwm.exe[4008] C:\Windows\SYSTEM32\ntdll.dll!NtQueryVirtualMemory 000000007711bf60 5 bytes JMP 0000000000070358 .text C:\Windows\system32\Dwm.exe[4008] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007711bf90 5 bytes JMP 00000000000702c8 .text C:\Windows\system32\Dwm.exe[4008] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 000000007711bfb0 5 bytes JMP 0000000000020018 .text C:\Windows\system32\Dwm.exe[4008] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007711bfe0 1 byte JMP 0000000000070370 .text C:\Windows\system32\Dwm.exe[4008] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 000000007711bfe2 3 bytes {JMP 0xffffffff88f54390} .text C:\Windows\system32\Dwm.exe[4008] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007711bff0 5 bytes JMP 0000000000070300 .text C:\Windows\system32\Dwm.exe[4008] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007711c0a0 5 bytes JMP 00000000000702a0 .text C:\Windows\system32\Dwm.exe[4008] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007711c0d0 5 bytes JMP 00000000000702e8 .text C:\Windows\system32\Dwm.exe[4008] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007711c0f0 5 bytes JMP 00000000000702d8 .text C:\Windows\system32\Dwm.exe[4008] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007711c130 5 bytes JMP 0000000000070280 .text C:\Windows\system32\Dwm.exe[4008] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007711c1b0 5 bytes JMP 0000000000070278 .text C:\Windows\system32\Dwm.exe[4008] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007711c1d0 5 bytes JMP 0000000000070298 .text C:\Windows\system32\Dwm.exe[4008] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007711c210 5 bytes JMP 00000000000702f0 .text C:\Windows\system32\Dwm.exe[4008] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007711c250 5 bytes JMP 0000000000070338 .text C:\Windows\system32\Dwm.exe[4008] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007711c260 5 bytes JMP 0000000000070308 .text C:\Windows\system32\Dwm.exe[4008] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007711c3c0 5 bytes JMP 0000000000070228 .text C:\Windows\system32\Dwm.exe[4008] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007711c580 5 bytes JMP 0000000000070378 .text C:\Windows\system32\Dwm.exe[4008] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007711c5b0 5 bytes JMP 00000000000702e0 .text C:\Windows\system32\Dwm.exe[4008] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007711c690 5 bytes JMP 0000000000070288 .text C:\Windows\system32\Dwm.exe[4008] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007711c6a0 5 bytes JMP 00000000000702b8 .text C:\Windows\system32\Dwm.exe[4008] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007711c700 5 bytes JMP 0000000000070258 .text C:\Windows\system32\Dwm.exe[4008] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007711c790 5 bytes JMP 0000000000070268 .text C:\Windows\system32\Dwm.exe[4008] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007711c7b0 5 bytes JMP 00000000000702f8 .text C:\Windows\system32\Dwm.exe[4008] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007711c7c0 5 bytes JMP 00000000000702a8 .text C:\Windows\system32\Dwm.exe[4008] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 000000007711c800 5 bytes JMP 00000000000200a0 .text C:\Windows\system32\Dwm.exe[4008] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007711c830 5 bytes JMP 0000000000070320 .text C:\Windows\system32\Dwm.exe[4008] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007711c860 5 bytes JMP 0000000000070230 .text C:\Windows\system32\Dwm.exe[4008] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007711ca00 5 bytes JMP 0000000000070310 .text C:\Windows\system32\Dwm.exe[4008] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007711cb20 5 bytes JMP 0000000000070200 .text C:\Windows\system32\Dwm.exe[4008] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007711cbe0 5 bytes JMP 0000000000070238 .text C:\Windows\system32\Dwm.exe[4008] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007711cc10 5 bytes JMP 00000000000703d0 .text C:\Windows\system32\Dwm.exe[4008] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007711cc20 5 bytes JMP 00000000000703d8 .text C:\Windows\system32\Dwm.exe[4008] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007711cc50 5 bytes JMP 0000000000070290 .text C:\Windows\system32\Dwm.exe[4008] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007711cc60 5 bytes JMP 00000000000702c0 .text C:\Windows\system32\Dwm.exe[4008] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007711ccc0 5 bytes JMP 0000000000070260 .text C:\Windows\system32\Dwm.exe[4008] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007711cd10 5 bytes JMP 0000000000070270 .text C:\Windows\system32\Dwm.exe[4008] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007711cd40 1 byte JMP 00000000000702d0 .text C:\Windows\system32\Dwm.exe[4008] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread + 2 000000007711cd42 3 bytes {JMP 0xffffffff88f53590} .text C:\Windows\system32\Dwm.exe[4008] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007711cd50 5 bytes JMP 00000000000702b0 .text C:\Windows\system32\Dwm.exe[4008] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007711d040 5 bytes JMP 0000000000070350 .text C:\Windows\system32\Dwm.exe[4008] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 000000007711d1a0 5 bytes JMP 0000000000070328 .text C:\Windows\system32\Dwm.exe[4008] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007711d240 5 bytes JMP 0000000000070240 .text C:\Windows\system32\Dwm.exe[4008] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007711d250 5 bytes JMP 0000000000070248 .text C:\Windows\system32\Dwm.exe[4008] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007711d260 5 bytes JMP 0000000000070318 .text C:\Windows\system32\Dwm.exe[4008] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007711d420 5 bytes JMP 0000000000070208 .text C:\Windows\system32\Dwm.exe[4008] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007711d430 5 bytes JMP 0000000000070218 .text C:\Windows\system32\Dwm.exe[4008] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007711d4a0 5 bytes JMP 0000000000070210 .text C:\Windows\system32\Dwm.exe[4008] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007711d500 5 bytes JMP 0000000000070330 .text C:\Windows\system32\Dwm.exe[4008] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007711d510 5 bytes JMP 0000000000070340 .text C:\Windows\system32\Dwm.exe[4008] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007711d520 5 bytes JMP 0000000000070220 .text C:\Windows\system32\Dwm.exe[4008] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007711d600 5 bytes JMP 0000000000070250 .text C:\Windows\system32\Dwm.exe[4008] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 00000000771726a0 5 bytes JMP 0000000000020128 .text C:\Windows\Explorer.EXE[4028] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 00000000770f4170 5 bytes JMP 00000000000201b0 .text C:\Windows\Explorer.EXE[4028] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007711bde0 5 bytes JMP 0000000077280368 .text C:\Windows\Explorer.EXE[4028] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007711be30 5 bytes JMP 0000000077280360 .text C:\Windows\Explorer.EXE[4028] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 000000007711bec0 5 bytes JMP 0000000000020238 .text C:\Windows\Explorer.EXE[4028] C:\Windows\SYSTEM32\ntdll.dll!NtQueryVirtualMemory 000000007711bf60 5 bytes JMP 0000000077280358 .text C:\Windows\Explorer.EXE[4028] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007711bf90 5 bytes JMP 00000000772802c8 .text C:\Windows\Explorer.EXE[4028] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 000000007711bfb0 5 bytes JMP 0000000000020018 .text C:\Windows\Explorer.EXE[4028] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007711bfe0 1 byte JMP 0000000077280370 .text C:\Windows\Explorer.EXE[4028] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 000000007711bfe2 3 bytes {JMP 0x164390} .text C:\Windows\Explorer.EXE[4028] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007711bff0 5 bytes JMP 0000000077280300 .text C:\Windows\Explorer.EXE[4028] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007711c0a0 5 bytes JMP 00000000772802a0 .text C:\Windows\Explorer.EXE[4028] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007711c0d0 5 bytes JMP 00000000772802e8 .text C:\Windows\Explorer.EXE[4028] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007711c0f0 5 bytes JMP 00000000772802d8 .text C:\Windows\Explorer.EXE[4028] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007711c130 5 bytes JMP 0000000077280280 .text C:\Windows\Explorer.EXE[4028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007711c1b0 5 bytes JMP 0000000077280278 .text C:\Windows\Explorer.EXE[4028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007711c1d0 5 bytes JMP 0000000077280298 .text C:\Windows\Explorer.EXE[4028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007711c210 5 bytes JMP 00000000772802f0 .text C:\Windows\Explorer.EXE[4028] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007711c250 5 bytes JMP 0000000077280338 .text C:\Windows\Explorer.EXE[4028] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007711c260 5 bytes JMP 0000000077280308 .text C:\Windows\Explorer.EXE[4028] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007711c3c0 5 bytes JMP 0000000077280228 .text C:\Windows\Explorer.EXE[4028] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007711c580 5 bytes JMP 0000000077280378 .text C:\Windows\Explorer.EXE[4028] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007711c5b0 5 bytes JMP 00000000772802e0 .text C:\Windows\Explorer.EXE[4028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007711c690 5 bytes JMP 0000000077280288 .text C:\Windows\Explorer.EXE[4028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007711c6a0 5 bytes JMP 00000000772802b8 .text C:\Windows\Explorer.EXE[4028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007711c700 5 bytes JMP 0000000077280258 .text C:\Windows\Explorer.EXE[4028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007711c790 5 bytes JMP 0000000077280268 .text C:\Windows\Explorer.EXE[4028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007711c7b0 5 bytes JMP 00000000772802f8 .text C:\Windows\Explorer.EXE[4028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007711c7c0 5 bytes JMP 00000000772802a8 .text C:\Windows\Explorer.EXE[4028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 000000007711c800 5 bytes JMP 00000000000200a0 .text C:\Windows\Explorer.EXE[4028] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007711c830 5 bytes JMP 0000000077280320 .text C:\Windows\Explorer.EXE[4028] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007711c860 5 bytes JMP 0000000077280230 .text C:\Windows\Explorer.EXE[4028] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007711ca00 5 bytes JMP 0000000077280310 .text C:\Windows\Explorer.EXE[4028] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007711cb20 5 bytes JMP 0000000077280200 .text C:\Windows\Explorer.EXE[4028] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007711cbe0 5 bytes JMP 0000000077280238 .text C:\Windows\Explorer.EXE[4028] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007711cc10 5 bytes JMP 00000000772803d0 .text C:\Windows\Explorer.EXE[4028] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007711cc20 5 bytes JMP 00000000772803d8 .text C:\Windows\Explorer.EXE[4028] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007711cc50 5 bytes JMP 0000000077280290 .text C:\Windows\Explorer.EXE[4028] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007711cc60 5 bytes JMP 00000000772802c0 .text C:\Windows\Explorer.EXE[4028] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007711ccc0 5 bytes JMP 0000000077280260 .text C:\Windows\Explorer.EXE[4028] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007711cd10 5 bytes JMP 0000000077280270 .text C:\Windows\Explorer.EXE[4028] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007711cd40 1 byte JMP 00000000772802d0 .text C:\Windows\Explorer.EXE[4028] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread + 2 000000007711cd42 3 bytes {JMP 0x163590} .text C:\Windows\Explorer.EXE[4028] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007711cd50 5 bytes JMP 00000000772802b0 .text C:\Windows\Explorer.EXE[4028] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007711d040 5 bytes JMP 0000000077280350 .text C:\Windows\Explorer.EXE[4028] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 000000007711d1a0 5 bytes JMP 0000000077280328 .text C:\Windows\Explorer.EXE[4028] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007711d240 5 bytes JMP 0000000077280240 .text C:\Windows\Explorer.EXE[4028] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007711d250 5 bytes JMP 0000000077280248 .text C:\Windows\Explorer.EXE[4028] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007711d260 5 bytes JMP 0000000077280318 .text C:\Windows\Explorer.EXE[4028] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007711d420 5 bytes JMP 0000000077280208 .text C:\Windows\Explorer.EXE[4028] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007711d430 5 bytes JMP 0000000077280218 .text C:\Windows\Explorer.EXE[4028] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007711d4a0 5 bytes JMP 0000000077280210 .text C:\Windows\Explorer.EXE[4028] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007711d500 5 bytes JMP 0000000077280330 .text C:\Windows\Explorer.EXE[4028] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007711d510 5 bytes JMP 0000000077280340 .text C:\Windows\Explorer.EXE[4028] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007711d520 5 bytes JMP 0000000077280220 .text C:\Windows\Explorer.EXE[4028] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007711d600 5 bytes JMP 0000000077280250 .text C:\Windows\Explorer.EXE[4028] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 00000000771726a0 5 bytes JMP 0000000000020128 .text C:\Windows\system32\SearchIndexer.exe[2724] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 00000000770f4170 5 bytes JMP 00000000000205f0 .text C:\Windows\system32\SearchIndexer.exe[2724] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 000000007711bec0 5 bytes JMP 0000000000020678 .text C:\Windows\system32\SearchIndexer.exe[2724] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 000000007711bfb0 5 bytes JMP 00000000000200a0 .text C:\Windows\system32\SearchIndexer.exe[2724] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007711c0d0 5 bytes JMP 0000000000020018 .text C:\Windows\system32\SearchIndexer.exe[2724] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007711c130 5 bytes JMP 00000000000203d0 .text C:\Windows\system32\SearchIndexer.exe[2724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007711c1b0 5 bytes JMP 00000000000201b0 .text C:\Windows\system32\SearchIndexer.exe[2724] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007711c250 5 bytes JMP 0000000000020128 .text C:\Windows\system32\SearchIndexer.exe[2724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007711c700 5 bytes JMP 0000000000020238 .text C:\Windows\system32\SearchIndexer.exe[2724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007711c790 5 bytes JMP 00000000000202c0 .text C:\Windows\system32\SearchIndexer.exe[2724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 000000007711c800 5 bytes JMP 0000000000020348 .text C:\Windows\system32\SearchIndexer.exe[2724] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007711ccc0 5 bytes JMP 0000000000020458 .text C:\Windows\system32\SearchIndexer.exe[2724] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007711cd10 5 bytes JMP 00000000000204e0 .text C:\Windows\system32\SearchIndexer.exe[2724] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 00000000771726a0 5 bytes JMP 0000000000020568 .text C:\Windows\System32\igfxpers.exe[3320] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 00000000770f4170 5 bytes JMP 00000000000205f0 .text C:\Windows\System32\igfxpers.exe[3320] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 000000007711bec0 5 bytes JMP 0000000000020678 .text C:\Windows\System32\igfxpers.exe[3320] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 000000007711bfb0 5 bytes JMP 00000000000200a0 .text C:\Windows\System32\igfxpers.exe[3320] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007711c0d0 5 bytes JMP 0000000000020018 .text C:\Windows\System32\igfxpers.exe[3320] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007711c130 5 bytes JMP 00000000000203d0 .text C:\Windows\System32\igfxpers.exe[3320] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007711c1b0 5 bytes JMP 00000000000201b0 .text C:\Windows\System32\igfxpers.exe[3320] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007711c250 5 bytes JMP 0000000000020128 .text C:\Windows\System32\igfxpers.exe[3320] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007711c700 5 bytes JMP 0000000000020238 .text C:\Windows\System32\igfxpers.exe[3320] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007711c790 5 bytes JMP 00000000000202c0 .text C:\Windows\System32\igfxpers.exe[3320] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 000000007711c800 5 bytes JMP 0000000000020348 .text C:\Windows\System32\igfxpers.exe[3320] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007711ccc0 5 bytes JMP 0000000000020458 .text C:\Windows\System32\igfxpers.exe[3320] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007711cd10 5 bytes JMP 00000000000204e0 .text C:\Windows\System32\igfxpers.exe[3320] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 00000000771726a0 5 bytes JMP 0000000000020568 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[596] C:\Windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter 0000000074bc8769 8 bytes [31, C0, C2, 04, 00, 90, 90, ...] .text C:\Windows\SysWOW64\svchost.exe[5000] C:\Windows\SysWOW64\ntdll.dll!NtQueryInformationProcess 00000000772cfae8 5 bytes JMP 0000000071e634b0 .text C:\Windows\SysWOW64\svchost.exe[5000] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 00000000772cfc60 5 bytes JMP 0000000071e62830 .text C:\Windows\SysWOW64\svchost.exe[5000] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 00000000772cfe24 5 bytes JMP 0000000071e626c0 .text C:\Windows\SysWOW64\svchost.exe[5000] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 00000000772cfeb8 5 bytes JMP 0000000071e62c30 .text C:\Windows\SysWOW64\svchost.exe[5000] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 00000000772cff84 5 bytes JMP 0000000071e62ae0 .text C:\Windows\SysWOW64\svchost.exe[5000] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 00000000772d0078 5 bytes JMP 0000000071e629d0 .text C:\Windows\SysWOW64\svchost.exe[5000] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 00000000772d07ac 5 bytes JMP 0000000071e62d70 .text C:\Windows\SysWOW64\svchost.exe[5000] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 00000000772d0884 5 bytes JMP 0000000071e63000 .text C:\Windows\SysWOW64\svchost.exe[5000] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 00000000772d092c 5 bytes JMP 0000000071e63290 .text C:\Windows\SysWOW64\svchost.exe[5000] C:\Windows\SysWOW64\ntdll.dll!NtOpenMutant 00000000772d1088 5 bytes JMP 0000000071e62ec0 .text C:\Windows\SysWOW64\svchost.exe[5000] C:\Windows\SysWOW64\ntdll.dll!NtOpenSemaphore 00000000772d1100 5 bytes JMP 0000000071e63150 .text C:\Windows\SysWOW64\svchost.exe[5000] C:\Windows\SysWOW64\ntdll.dll!RtlQueryEnvironmentVariable 00000000772e911f 5 bytes JMP 0000000071e63420 .text C:\Windows\SysWOW64\svchost.exe[5000] C:\Windows\SysWOW64\ntdll.dll!RtlDecompressBuffer 000000007736ffe9 5 bytes JMP 0000000071e63340 .text C:\Windows\system32\svchost.exe[4560] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 00000000770f4170 5 bytes JMP 00000000000201b0 .text C:\Windows\system32\svchost.exe[4560] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007711bde0 5 bytes JMP 0000000077280368 .text C:\Windows\system32\svchost.exe[4560] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007711be30 5 bytes JMP 0000000077280360 .text C:\Windows\system32\svchost.exe[4560] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 000000007711bec0 5 bytes JMP 0000000000020238 .text C:\Windows\system32\svchost.exe[4560] C:\Windows\SYSTEM32\ntdll.dll!NtQueryVirtualMemory 000000007711bf60 5 bytes JMP 0000000077280358 .text C:\Windows\system32\svchost.exe[4560] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007711bf90 5 bytes JMP 00000000772802c8 .text C:\Windows\system32\svchost.exe[4560] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 000000007711bfb0 5 bytes JMP 0000000000020018 .text C:\Windows\system32\svchost.exe[4560] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007711bfe0 1 byte JMP 0000000077280370 .text C:\Windows\system32\svchost.exe[4560] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 000000007711bfe2 3 bytes {JMP 0x164390} .text C:\Windows\system32\svchost.exe[4560] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007711bff0 5 bytes JMP 0000000077280300 .text C:\Windows\system32\svchost.exe[4560] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007711c0a0 5 bytes JMP 00000000772802a0 .text C:\Windows\system32\svchost.exe[4560] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007711c0d0 5 bytes JMP 00000000772802e8 .text C:\Windows\system32\svchost.exe[4560] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007711c0f0 5 bytes JMP 00000000772802d8 .text C:\Windows\system32\svchost.exe[4560] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007711c130 5 bytes JMP 0000000077280280 .text C:\Windows\system32\svchost.exe[4560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007711c1b0 5 bytes JMP 0000000077280278 .text C:\Windows\system32\svchost.exe[4560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007711c1d0 5 bytes JMP 0000000077280298 .text C:\Windows\system32\svchost.exe[4560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007711c210 5 bytes JMP 00000000772802f0 .text C:\Windows\system32\svchost.exe[4560] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007711c250 5 bytes JMP 0000000077280338 .text C:\Windows\system32\svchost.exe[4560] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007711c260 5 bytes JMP 0000000077280308 .text C:\Windows\system32\svchost.exe[4560] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007711c3c0 5 bytes JMP 0000000077280228 .text C:\Windows\system32\svchost.exe[4560] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007711c580 5 bytes JMP 0000000077280378 .text C:\Windows\system32\svchost.exe[4560] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007711c5b0 5 bytes JMP 00000000772802e0 .text C:\Windows\system32\svchost.exe[4560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007711c690 5 bytes JMP 0000000077280288 .text C:\Windows\system32\svchost.exe[4560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007711c6a0 5 bytes JMP 00000000772802b8 .text C:\Windows\system32\svchost.exe[4560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007711c700 5 bytes JMP 0000000077280258 .text C:\Windows\system32\svchost.exe[4560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007711c790 5 bytes JMP 0000000077280268 .text C:\Windows\system32\svchost.exe[4560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007711c7b0 5 bytes JMP 00000000772802f8 .text C:\Windows\system32\svchost.exe[4560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007711c7c0 5 bytes JMP 00000000772802a8 .text C:\Windows\system32\svchost.exe[4560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 000000007711c800 5 bytes JMP 00000000000200a0 .text C:\Windows\system32\svchost.exe[4560] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007711c830 5 bytes JMP 0000000077280320 .text C:\Windows\system32\svchost.exe[4560] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007711c860 5 bytes JMP 0000000077280230 .text C:\Windows\system32\svchost.exe[4560] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007711ca00 5 bytes JMP 0000000077280310 .text C:\Windows\system32\svchost.exe[4560] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007711cb20 5 bytes JMP 0000000077280200 .text C:\Windows\system32\svchost.exe[4560] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007711cbe0 5 bytes JMP 0000000077280238 .text C:\Windows\system32\svchost.exe[4560] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007711cc10 5 bytes JMP 00000000772803d0 .text C:\Windows\system32\svchost.exe[4560] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007711cc20 5 bytes JMP 00000000772803d8 .text C:\Windows\system32\svchost.exe[4560] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007711cc50 5 bytes JMP 0000000077280290 .text C:\Windows\system32\svchost.exe[4560] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007711cc60 5 bytes JMP 00000000772802c0 .text C:\Windows\system32\svchost.exe[4560] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007711ccc0 5 bytes JMP 0000000077280260 .text C:\Windows\system32\svchost.exe[4560] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007711cd10 5 bytes JMP 0000000077280270 .text C:\Windows\system32\svchost.exe[4560] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007711cd40 1 byte JMP 00000000772802d0 .text C:\Windows\system32\svchost.exe[4560] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread + 2 000000007711cd42 3 bytes {JMP 0x163590} .text C:\Windows\system32\svchost.exe[4560] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007711cd50 5 bytes JMP 00000000772802b0 .text C:\Windows\system32\svchost.exe[4560] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007711d040 5 bytes JMP 0000000077280350 .text C:\Windows\system32\svchost.exe[4560] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 000000007711d1a0 5 bytes JMP 0000000077280328 .text C:\Windows\system32\svchost.exe[4560] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007711d240 5 bytes JMP 0000000077280240 .text C:\Windows\system32\svchost.exe[4560] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007711d250 5 bytes JMP 0000000077280248 .text C:\Windows\system32\svchost.exe[4560] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007711d260 5 bytes JMP 0000000077280318 .text C:\Windows\system32\svchost.exe[4560] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007711d420 5 bytes JMP 0000000077280208 .text C:\Windows\system32\svchost.exe[4560] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007711d430 5 bytes JMP 0000000077280218 .text C:\Windows\system32\svchost.exe[4560] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007711d4a0 5 bytes JMP 0000000077280210 .text C:\Windows\system32\svchost.exe[4560] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007711d500 5 bytes JMP 0000000077280330 .text C:\Windows\system32\svchost.exe[4560] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007711d510 5 bytes JMP 0000000077280340 .text C:\Windows\system32\svchost.exe[4560] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007711d520 5 bytes JMP 0000000077280220 .text C:\Windows\system32\svchost.exe[4560] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007711d600 5 bytes JMP 0000000077280250 .text C:\Windows\system32\svchost.exe[4560] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 00000000771726a0 5 bytes JMP 0000000000020128 ---- Kernel IAT/EAT - GMER 2.2 ---- IAT C:\Windows\system32\drivers\CLASSPNP.SYS[ntoskrnl.exe!IofCallDriver] [fffff880040973e4] \SystemRoot\system32\drivers\aswSP.sys [.text] ---- User IAT/EAT - GMER 2.2 ---- IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\syncui.dll[msvcrt.dll!wcschr] [85f88b10ff018b48] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\syncui.dll[msvcrt.dll!_XcptFilter] [78f22539441079c0] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\syncui.dll[msvcrt.dll!malloc] [f1e8c88b07740002] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\syncui.dll[msvcrt.dll!_initterm] [78ff85df8bffff84] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\syncui.dll[msvcrt.dll!free] [558d48e84d8b4848] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\syncui.dll[msvcrt.dll!_amsg_exit] [48018b48c9334538] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\syncui.dll[msvcrt.dll!_unlock] [90ffc03345000000] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\syncui.dll[msvcrt.dll!__dllonexit] [c085d88b00000090] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\syncui.dll[msvcrt.dll!_lock] [850f386539440a78] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\syncui.dll[msvcrt.dll!_onexit] [982f91bb00000130] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\syncui.dll[msvcrt.dll!iswalpha] [278a425394488] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\syncui.dll[msvcrt.dll!memcmp] [ff84a3e8cb8b0774] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\syncui.dll[msvcrt.dll!memcpy] [c98548e04d8b48ff] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\syncui.dll[msvcrt.dll!memset] [1050ff018b480a74] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\syncui.dll[msvcrt.dll!_vsnwprintf] [e84d8b48e065894c] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\syncui.dll[ntdll.dll!RtlCaptureContext] [48e865894c1050ff] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\syncui.dll[ntdll.dll!RtlLookupFunctionEntry] [a74c98548484d8b] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\syncui.dll[ntdll.dll!RtlVirtualUnwind] [894c1050ff018b48] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\syncui.dll[GDI32.dll!SetTextColor] [8d22e8c88b077400] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\syncui.dll[GDI32.dll!SetViewportOrgEx] [880fff85df8bffff] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\syncui.dll[GDI32.dll!GetLayout] [48068b49000000c6] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\syncui.dll[GDI32.dll!ExtTextOutW] [90ffce8b49d7558d] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\syncui.dll[GDI32.dll!GetTextMetricsW] [c085f88b00000110] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\syncui.dll[GDI32.dll!GetDeviceCaps] [280f32d39441079] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\syncui.dll[GDI32.dll!GetPixel] [8cf2e8c88b077400] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\syncui.dll[GDI32.dll!CreateCompatibleBitmap] [880fff85df8bffff] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\syncui.dll[GDI32.dll!GetTextExtentPointW] [d74d8b4800000096] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\syncui.dll[GDI32.dll!SetBkColor] [db80f4d100ff2] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\syncui.dll[GDI32.dll!CreateSolidBrush] [8b48ff4589660000] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\syncui.dll[GDI32.dll!GetNearestColor] [ff26f458d4cc745] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\syncui.dll[GDI32.dll!DeleteObject] [4807458948274d11] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\syncui.dll[GDI32.dll!GetStockObject] [100f17558d48018b] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\syncui.dll[GDI32.dll!SetBkMode] [90ff1745290fff45] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\syncui.dll[GDI32.dll!GetBkColor] [c085f88b000001d0] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\syncui.dll[GDI32.dll!SetTextAlign] [2809b2d39441079] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\syncui.dll[GDI32.dll!SetLayout] [8c9ae8c88b077400] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\syncui.dll[GDI32.dll!CreateFontIndirectW] [4278ff85df8bffff] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\syncui.dll[GDI32.dll!SelectObject] [8b49d74d8b482b75] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\syncui.dll[GDI32.dll!DeleteDC] [8b6850ff018b48d4] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\syncui.dll[GDI32.dll!CreateCompatibleDC] [2d39441079c085f8] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\syncui.dll[USER32.dll!EnableWindow] [455fe8cf8b4802] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\syncui.dll[USER32.dll!GetDlgItem] [441079c085f08b00] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\syncui.dll[USER32.dll!SendMessageW] [77400027bce3539] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\syncui.dll[USER32.dll!GetProcessDefaultLayout] [8bffff87cde8c88b] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\syncui.dll[USER32.dll!IsRectEmpty] [a4880ff685de] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\syncui.dll[USER32.dll!DrawFocusRect] [8d8b45c74d8b4800] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\syncui.dll[USER32.dll!GetSystemMetrics] [10578d4800000084] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\syncui.dll[USER32.dll!SetCursor] [4164458d4d018b48] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\syncui.dll[USER32.dll!PeekMessageW] [f08b4050ff04c983] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\syncui.dll[USER32.dll!DestroyIcon] [913539441079c085] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\syncui.dll[USER32.dll!DrawTextW] [e8c88b077400027b] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\syncui.dll[USER32.dll!GetSysColorBrush] [f685de8bffff8790] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\syncui.dll[USER32.dll!FillRect] [8d4cc74d8b486b78] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\syncui.dll[USER32.dll!GetSysColor] [ff0337158d481745] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\syncui.dll[USER32.dll!SetRect] [f08b10ff018b48ff] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\syncui.dll[USER32.dll!LoadStringW] [613539441079c085] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\syncui.dll[USER32.dll!GetDesktopWindow] [e8c88b077400027b] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\syncui.dll[USER32.dll!SystemParametersInfoW] [f685de8bffff8760] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\syncui.dll[USER32.dll!DrawTextExW] [480000000db83b78] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\syncui.dll[USER32.dll!ReleaseDC] [8966cf8b490f558d] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\syncui.dll[USER32.dll!SetWindowPos] [8b000038cde80f45] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\syncui.dll[USER32.dll!LoadIconW] [3539441079c085f0] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\syncui.dll[USER32.dll!CharLowerW] [c88b077400027b30] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\syncui.dll[USER32.dll!CharUpperBuffW] [85de8bffff872fe8] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\syncui.dll[USER32.dll!DestroyMenu] [8084f83410a78f6] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\syncui.dll[USER32.dll!DrawFrameControl] [4d8d48f6334503eb] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\syncui.dll[USER32.dll!OffsetRect] [480002d03915ff0f] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\syncui.dll[USER32.dll!IntersectRect] [33fce8ff4d8d] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\syncui.dll[USER32.dll!CreatePopupMenu] [48b490a74e4854d] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\syncui.dll[USER32.dll!InsertMenuItemW] [481050ffcc8b4924] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\syncui.dll[USER32.dll!CheckMenuRadioItem] [a74c98548cf4d8b] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\syncui.dll[USER32.dll!SetMenuItemInfoW] [894c1050ff018b48] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\syncui.dll[USER32.dll!GetMenuItemCount] [8548d74d8b48cf75] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\syncui.dll[USER32.dll!DeleteMenu] [50ff018b480a74c9] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\syncui.dll[USER32.dll!TrackPopupMenu] [4d8b48d775894c10] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\syncui.dll[USER32.dll!LoadBitmapW] [8b480a74c98548df] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\syncui.dll[USER32.dll!GetKeyState] [df75894c1050ff01] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\syncui.dll[USER32.dll!ClientToScreen] [74c985487f4d8b48] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\syncui.dll[USER32.dll!CreateWindowExW] [4c1050ff018b480a] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\syncui.dll[USER32.dll!CreateDialogParamW] [48f74d8b487f7589] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\syncui.dll[USER32.dll!DialogBoxParamW] [ff018b480a74c985] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\syncui.dll[USER32.dll!GetWindowTextW] [8b48f775894c1050] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\syncui.dll[USER32.dll!CharPrevW] [480a74c98548e74d] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\syncui.dll[USER32.dll!ScreenToClient] [75894c1050ff018b] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\syncui.dll[USER32.dll!UnionRect] [c98548c74d8b48e7] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\syncui.dll[USER32.dll!GetMenuItemInfoW] [1050ff018b480a74] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\syncui.dll[USER32.dll!BeginPaint] [ef4d8b48c775894c] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\syncui.dll[USER32.dll!DrawEdge] [118b480a74c98548] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\syncui.dll[USER32.dll!EndPaint] [48ef75894c1052ff] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\syncui.dll[USER32.dll!SetFocus] [48178b480974ff85] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\syncui.dll[USER32.dll!RegisterClassExW] [48000000d0249c8b] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\syncui.dll[USER32.dll!UnregisterClassW] [5f4100000090c481] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\syncui.dll[USER32.dll!GetFocus] [5e5f5c415d415e41] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\syncui.dll[USER32.dll!IsWindowEnabled] [ccccccccccccc35d] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\syncui.dll[USER32.dll!HideCaret] [74894808245c8948] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\syncui.dll[USER32.dll!ShowCaret] [5641544157551824] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\syncui.dll[USER32.dll!SwitchToThisWindow] [ec8348ec8b485741] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\syncui.dll[USER32.dll!GetLastActivePopup] [4de43345028b4850] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\syncui.dll[USER32.dll!SetForegroundWindow] [f18b48f08b4df98b] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\syncui.dll[USER32.dll!SetWindowTextW] [45e065894cdc8b41] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\syncui.dll[USER32.dll!CharNextW] [894ce865894c2189] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\syncui.dll[USER32.dll!CharUpperW] [8548f065894c4865] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\syncui.dll[USER32.dll!CheckRadioButton] [80070057bb0a75c0] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\syncui.dll[USER32.dll!LoadCursorW] [38836600000134e9] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\syncui.dll[USER32.dll!InvalidateRect] [4c00000293850f0d] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\syncui.dll[USER32.dll!UpdateWindow] [a13944e674086039] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\syncui.dll[USER32.dll!GetParent] [8488b48000000a8] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\syncui.dll[USER32.dll!EndDialog] [4c018b4838658944] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\syncui.dll[USER32.dll!GetWindowLongPtrW] [fffefec0158d4800] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\syncui.dll[USER32.dll!SetWindowLongPtrW] [1079c085f88b10ff] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\syncui.dll[USER32.dll!GetDC] [740002799d253944] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\syncui.dll[USER32.dll!MapWindowPoints] [ffff859ce8c88b07] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\syncui.dll[USER32.dll!DeferWindowPos] [ef880fff85df8b] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\syncui.dll[USER32.dll!BeginDeferWindowPos] [8d4c484d8b480000] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\syncui.dll[USER32.dll!EndDeferWindowPos] [ff4a0f158d48f045] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\syncui.dll[USER32.dll!ShowWindow] [c08510ff018b48ff] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\syncui.dll[USER32.dll!GetAncestor] [c88e8b3578] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\syncui.dll[USER32.dll!IsWindow] [441e7232f983c1ff] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\syncui.dll[USER32.dll!DestroyWindow] [52bb0002795e2539] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\syncui.dll[USER32.dll!SendDlgItemMessageW] [b8840f88982f] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\syncui.dll[USER32.dll!GetWindowLongW] [ffff8554e8cb8b00] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\syncui.dll[USER32.dll!GetClientRect] [458b480000009ce9] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\syncui.dll[USER32.dll!SetDlgItemTextW] [48000000c88889f0] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\syncui.dll[USER32.dll!TranslateMessage] [48e0558d48484d8b] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\syncui.dll[USER32.dll!DispatchMessageW] [85f88b2050ff018b] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\syncui.dll[USER32.dll!PostMessageW] [79222539441079c0] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\syncui.dll[USER32.dll!InsertMenuW] [21e8c88b07740002] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\syncui.dll[USER32.dll!GetWindowRect] [78ff85df8bffff85] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\syncui.dll[USER32.dll!RegisterClipboardFormatW] [458d4ce04d8b4878] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\syncui.dll[SHELL32.dll!SHGetFileInfoW] [ffff03d0158d48c7] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\syncui.dll[SHELL32.dll!SHGetFolderPathW] [1079c085f08b10ff] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\syncui.dll[SHELL32.dll!SHGetDataFromIDListW] [7400027e6d353944] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\syncui.dll[SHELL32.dll!SHBindToParent] [ffff8a6ce8c88b07] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\syncui.dll[SHELL32.dll!SHChangeNotify] [8548c74d8b480000] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\syncui.dll[SHELL32.dll!SHCreateItemFromParsingName] [8d4c018b484a74c9] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\syncui.dll[SHELL32.dll!SHGetKnownFolderIDList] [ff4ed7158d48ef45] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\syncui.dll[SHELL32.dll!SHCreateItemFromIDList] [413678c08510ffff] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\syncui.dll[SHELL32.dll!SHParseDisplayName] [3539441e7232f983] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\syncui.dll[SHELL32.dll!SHOpenFolderAndSelectItems] [982f52bb00027e28] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\syncui.dll[SHELL32.dll!DragQueryFileW] [47f641000000c888] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\syncui.dll[SHELL32.dll!SHGetPathFromIDListW] [2a74105f8b494008] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\syncui.dll[SHELL32.dll!SHCreateShellItemArrayFromDataObject] [74c985487f4d8b48] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\syncui.dll[SHLWAPI.dll!PathSkipRootW] [afe90850ffcb8b] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\syncui.dll[SHLWAPI.dll!StrRetToBufW] [558d48038b480000] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\syncui.dll[SHLWAPI.dll!StrDupW] [740000028e880ff6] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\syncui.dll[SHLWAPI.dll!SHStrDupW] [89e980004005bb0a] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\syncui.dll[SHLWAPI.dll!StrTrimW] [48df4d8b48000001] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\syncui.dll[SHLWAPI.dll!PathIsSystemFolderW] [50ff018b487f558d] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\syncui.dll[SHLWAPI.dll!PathIsUNCW] [8bffff897de8c88b] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\syncui.dll[SHLWAPI.dll!StrChrW] [254880ff685de] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\syncui.dll[SHLWAPI.dll!PathCommonPrefixW] [14ce988982f] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\syncui.dll[SHLWAPI.dll!PathRemoveBackslashW] [77558d487f4d8b48] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\syncui.dll[SHLWAPI.dll!PathRemoveFileSpecW] [f08b5050ff018b48] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\syncui.dll[SHLWAPI.dll!PathIsDirectoryW] [413539441079c085] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\syncui.dll[SHLWAPI.dll!PathAppendW] [e8c88b077400027d] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\syncui.dll[SHLWAPI.dll!PathFindFileNameW] [fe8300000217880f] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\syncui.dll[SHLWAPI.dll!StrFormatByteSizeW] [7501777d83c37401] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\syncui.dll[SHLWAPI.dll!StrCmpIW] [38b487f5d8b48bd] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\syncui.dll[SHLWAPI.dll!PathCombineW] [85f08b0000011090] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\syncui.dll[SHLWAPI.dll!PathGetDriveNumberW] [7d023539441079c0] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\syncui.dll[SHLWAPI.dll!PathIsPrefixW] [1e8c88b07740002] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\syncui.dll[SHLWAPI.dll!PathMakeSystemFolderW] [ff685de8bffff89] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\syncui.dll[SHLWAPI.dll!StrStrW] [ffff4d8b48ffffff] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\syncui.dll[SHLWAPI.dll!StrToIntExW] [f08b440002d09b15] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\syncui.dll[SYNCENG.dll!OpenBriefcase] [b2e9f633458007] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\syncui.dll[SYNCENG.dll!CloseBriefcase] [8d4824048b490000] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\syncui.dll[SYNCENG.dll!CreateFolderTwinList] [7050ffcc8b49d755] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\syncui.dll[SYNCENG.dll!DestroyFolderTwinList] [3d390f79c085f08b] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\syncui.dll[SYNCENG.dll!IsFolderTwin] [c88b077400027ca8] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\syncui.dll[SYNCENG.dll!DestroyRecList] [85de8bffff88a7e8] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\syncui.dll[SYNCENG.dll!CreateTwinList] [480000017b880ff6] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\syncui.dll[SYNCENG.dll!DestroyTwinList] [45ff558b48d74d8b] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\syncui.dll[SYNCENG.dll!DeleteTwin] [8090ff018b48c68b] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\syncui.dll[SYNCENG.dll!AddFolderTwin] [f08bf63345000000] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\syncui.dll[SYNCENG.dll!GetVolumeDescription] [713539441079c085] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\syncui.dll[SYNCENG.dll!GetFolderTwinStatus] [e8c88b077400027c] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\syncui.dll[SYNCENG.dll!BeginReconciliation] [f685de8bffff8870] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\syncui.dll[SYNCENG.dll!ReconcileItem] [50b900000147880f] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\syncui.dll[SYNCENG.dll!EndReconciliation] [2492ce8000000] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\syncui.dll[SYNCENG.dll!CreateRecList] [2f74c08548f88b48] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\syncui.dll[SYNCENG.dll!GetObjectTwinHandle] [1870894c08708944] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\syncui.dll[SYNCENG.dll!ReleaseTwinHandle] [3070894c3870894c] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\syncui.dll[SYNCENG.dll!AddAllTwinsToTwinList] [287089442070894c] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\syncui.dll[SYNCENG.dll!AddTwinToTwinList] [48ffff5689058d48] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\syncui.dll[SYNCENG.dll!CountSourceFolderTwins] [ff560f058d480789] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\syncui.dll[SYNCENG.dll!AnyTwins] [4903eb10478948ff] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\syncui.dll[SYNCENG.dll!FindBriefcaseClose] [bb1e75ff8548fe8b] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\syncui.dll[SYNCENG.dll!AddObjectTwin] [93539448007000e] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\syncui.dll[SYNCENG.dll!ClearBriefcaseCache] [ec840f00027c] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\syncui.dll[SYNCENG.dll!FindFirstBriefcase] [ffff8804e8cb8b00] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\syncui.dll[SYNCENG.dll!FindNextBriefcase] [78b48000000e0e9] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\syncui.dll[SYNCENG.dll!SaveBriefcase] [8b480850ffcf8b48] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\syncui.dll[KERNEL32.dll!GetLastError] [85df8bffff8c6fe8] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\syncui.dll[KERNEL32.dll!LoadLibraryW] [2d394415741778ff] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\syncui.dll[KERNEL32.dll!GetModuleFileNameW] [4005bb00028058] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\syncui.dll[KERNEL32.dll!DeactivateActCtx] [8c52e8cb8b077480] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\syncui.dll[KERNEL32.dll!ActivateActCtx] [15ffe74d8d48ffff] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\syncui.dll[KERNEL32.dll!ReleaseActCtx] [c74d8b480002d56c] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\syncui.dll[KERNEL32.dll!CreateActCtxW] [c98548d8490fdb85] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\syncui.dll[KERNEL32.dll!GetModuleHandleW] [1050ff018b480a74] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\syncui.dll[KERNEL32.dll!LockResource] [cf4d8b48c76d894c] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\syncui.dll[KERNEL32.dll!LoadResource] [118b480a74c98548] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\syncui.dll[KERNEL32.dll!FindResourceExW] [48cf6d894c1052ff] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\syncui.dll[KERNEL32.dll!SetUnhandledExceptionFilter] [674c98548d74d8b] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\syncui.dll[KERNEL32.dll!UnhandledExceptionFilter] [8d4c1052ff118b48] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\syncui.dll[KERNEL32.dll!GetCurrentProcess] [c38b00000090249c] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\syncui.dll[KERNEL32.dll!TerminateProcess] [40738b49305b8b49] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\syncui.dll[KERNEL32.dll!GetSystemTimeAsFileTime] [41e38b49487b8b49] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\syncui.dll[KERNEL32.dll!GetCurrentProcessId] [5d5c415d415e415f] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\syncui.dll[KERNEL32.dll!GetCurrentThreadId] [ccccccccccccccc3] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\syncui.dll[KERNEL32.dll!QueryPerformanceCounter] [57565508245c8948] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\syncui.dll[KERNEL32.dll!Sleep] [5741564155415441] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\syncui.dll[KERNEL32.dll!DelayLoadFailureHook] [ec8148d9246c8d48] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\syncui.dll[KERNEL32.dll!LoadLibraryExA] [33f6334500000090] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\syncui.dll[KERNEL32.dll!GetProcAddress] [74d8d48e98b4cc0] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\syncui.dll[KERNEL32.dll!FreeLibrary] [4cff75894cfa8b4c] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\syncui.dll[KERNEL32.dll!GlobalUnlock] [4c7f75894cdf7589] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\syncui.dll[KERNEL32.dll!GlobalLock] [4ce775894cf77589] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\syncui.dll[KERNEL32.dll!HeapFree] [4ccf75894cc77589] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\syncui.dll[KERNEL32.dll!GetProcessHeap] [4c0775894cd77589] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\syncui.dll[KERNEL32.dll!DeleteFileW] [8948174589480f45] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\syncui.dll[KERNEL32.dll!DisableThreadLibraryCalls] [8bffff80d9e81f45] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\syncui.dll[KERNEL32.dll!FindClose] [3539441079c085f0] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\syncui.dll[KERNEL32.dll!FindNextFileW] [c88b077400027f68] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\syncui.dll[KERNEL32.dll!FindFirstFileW] [658b4cffff8b67e8] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\syncui.dll[KERNEL32.dll!FormatMessageW] [3a880ff685de8b07] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\syncui.dll[KERNEL32.dll!MulDiv] [4c24048b49000004] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\syncui.dll[KERNEL32.dll!GetShortPathNameW] [526158d48cf458d] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\syncui.dll[KERNEL32.dll!MultiByteToWideChar] [8b10ffcc8b49ffff] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\syncui.dll[KERNEL32.dll!WideCharToMultiByte] [3539441079c085f0] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\syncui.dll[KERNEL32.dll!GetTickCount] [c88b077400027f30] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\syncui.dll[KERNEL32.dll!CreateDirectoryW] [85de8bffff8b2fe8] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\syncui.dll[KERNEL32.dll!LocalReAlloc] [4800000406880ff6] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\syncui.dll[KERNEL32.dll!LocalSize] [10000b941cf4d8b] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\syncui.dll[KERNEL32.dll!GetTimeFormatW] [a8b53945018b4800] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\syncui.dll[KERNEL32.dll!GetDateFormatW] [558d483d74000000] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\syncui.dll[KERNEL32.dll!FileTimeToSystemTime] [54894864458d4de7] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\syncui.dll[KERNEL32.dll!FileTimeToLocalFileTime] [90ff28578b492024] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\syncui.dll[KERNEL32.dll!GetFileAttributesExW] [c085f08b000000f0] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\syncui.dll[KERNEL32.dll!lstrlenW] [27ee33539441079] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\syncui.dll[KERNEL32.dll!LocalFree] [8ae2e8c88b077400] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\syncui.dll[KERNEL32.dll!LocalAlloc] [880ff685de8bffff] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\syncui.dll[KERNEL32.dll!SetFileAttributesW] [e74d8b48000003b9] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\syncui.dll[KERNEL32.dll!GetFileAttributesW] [8d4c28578b4940eb] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\syncui.dll[KERNEL32.dll!MoveFileW] [4d282444894cf745] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\syncui.dll[KERNEL32.dll!lstrcmpiW] [f685de8bffff8aa0] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\acppage.dll[msvcrt.dll!??_U@YAPEAX_K@Z] [c00000030031a] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\acppage.dll[msvcrt.dll!wcsstr] [40083636ffd4004c] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\acppage.dll[msvcrt.dll!_wcsupr] [8125c2508125b36] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\acppage.dll[msvcrt.dll!memset] [321ffce00115c25] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\acppage.dll[msvcrt.dll!malloc] [4c0000ffffffff] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\acppage.dll[msvcrt.dll!_XcptFilter] [3215b5cffd0] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\acppage.dll[msvcrt.dll!??3@YAXPEAX@Z] [ffff000100180019] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\acppage.dll[msvcrt.dll!_amsg_exit] [5c2508120000ffff] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\acppage.dll[msvcrt.dll!_unlock] [30031a5b5c] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\acppage.dll[msvcrt.dll!__dllonexit] [80eff8a004c000e] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\acppage.dll[msvcrt.dll!_lock] [115b5c36364008] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\acppage.dll[msvcrt.dll!_onexit] [321ffd00011ffd4] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\acppage.dll[msvcrt.dll!memcmp] [1006000190000] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\acppage.dll[msvcrt.dll!wcscpy_s] [4c0000ffffffff] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\acppage.dll[msvcrt.dll!wcscat_s] [3215b5cffd2] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\acppage.dll[msvcrt.dll!_wcsicmp] [ffff000100700019] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\acppage.dll[msvcrt.dll!??2@YAPEAX_K@Z] [5c2508120000ffff] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\acppage.dll[msvcrt.dll!_initterm] [80071a5b5c] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\acppage.dll[msvcrt.dll!??_V@YAXPEAX@Z] [80bff42004c001c] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\acppage.dll[msvcrt.dll!free] [3636ff3a004c360e] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\acppage.dll[msvcrt.dll!wcsncpy_s] [836400836400836] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\acppage.dll[msvcrt.dll!_vsnwprintf] [5c2508125b5c3640] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\acppage.dll[msvcrt.dll!memcpy] [5c2508115c250811] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\acppage.dll[ntdll.dll!NtQueryInformationToken] [ffae2012ff9c2012] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\acppage.dll[ntdll.dll!NtClose] [7b764527c0f85a2f] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\acppage.dll[ntdll.dll!NtOpenThreadToken] [8e7d1aa096a942eb] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\acppage.dll[ntdll.dll!RtlFreeUnicodeString] [1b000e04116d9b] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\acppage.dll[ntdll.dll!RtlStringFromGUID] [1000000190001] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\acppage.dll[ntdll.dll!RtlVirtualUnwind] [10031a5b01] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\acppage.dll[ntdll.dll!RtlLookupFunctionEntry] [115b3640080006] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\acppage.dll[ntdll.dll!RtlCaptureContext] [31a00020012ffe6] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\acppage.dll[ntdll.dll!NtOpenProcessToken] [4c000c00000048] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\acppage.dll[KERNEL32.dll!ReleaseActCtx] [76efbb90] C:\Windows\system32\kernel32.dll IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\acppage.dll[KERNEL32.dll!ActivateActCtx] [76efbab0] C:\Windows\system32\kernel32.dll IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\acppage.dll[KERNEL32.dll!DeactivateActCtx] [76efba50] C:\Windows\system32\kernel32.dll IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\acppage.dll[KERNEL32.dll!FreeLibrary] [76ec9020] C:\Windows\system32\kernel32.dll IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\acppage.dll[KERNEL32.dll!CreateDirectoryW] [76f4bab0] C:\Windows\system32\kernel32.dll IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\acppage.dll[KERNEL32.dll!CreateActCtxW] [76ec5190] C:\Windows\system32\kernel32.dll IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\acppage.dll[KERNEL32.dll!SetUnhandledExceptionFilter] [76efc140] C:\Windows\system32\kernel32.dll IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\acppage.dll[KERNEL32.dll!UnhandledExceptionFilter] [76ec33e0] C:\Windows\system32\kernel32.dll IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\acppage.dll[KERNEL32.dll!GetCurrentProcess] [76ec4ef0] C:\Windows\system32\kernel32.dll IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\acppage.dll[KERNEL32.dll!TerminateProcess] [76ec3380] C:\Windows\system32\kernel32.dll IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\acppage.dll[KERNEL32.dll!GetSystemTimeAsFileTime] [76ec59a0] C:\Windows\system32\kernel32.dll IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\acppage.dll[KERNEL32.dll!GetCurrentProcessId] [76ed1520] C:\Windows\system32\kernel32.dll IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\acppage.dll[KERNEL32.dll!GetCurrentThreadId] [76ec5c20] C:\Windows\system32\kernel32.dll IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\acppage.dll[KERNEL32.dll!QueryPerformanceCounter] [0] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\acppage.dll[KERNEL32.dll!Sleep] [7fefd7cc060] C:\Windows\system32\RPCRT4.dll IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\acppage.dll[KERNEL32.dll!GetVersionExA] [7fefd74e420] C:\Windows\system32\RPCRT4.dll IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\acppage.dll[KERNEL32.dll!GetModuleHandleW] [7fefd77eb80] C:\Windows\system32\RPCRT4.dll IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\acppage.dll[KERNEL32.dll!LoadLibraryW] [7fefd771260] C:\Windows\system32\RPCRT4.dll IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\acppage.dll[KERNEL32.dll!RegQueryInfoKeyW] [7fefd7c4240] C:\Windows\system32\RPCRT4.dll IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\acppage.dll[KERNEL32.dll!GetModuleFileNameW] [7fefd7c4220] C:\Windows\system32\RPCRT4.dll IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\acppage.dll[KERNEL32.dll!lstrlenW] [7fefd74e400] C:\Windows\system32\RPCRT4.dll IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\acppage.dll[KERNEL32.dll!RaiseException] [7fefd771640] C:\Windows\system32\RPCRT4.dll IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\acppage.dll[KERNEL32.dll!SetThreadLocale] [7fefd7c4200] C:\Windows\system32\RPCRT4.dll IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\acppage.dll[KERNEL32.dll!GetLastError] [7fefd764e30] C:\Windows\system32\RPCRT4.dll IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\acppage.dll[KERNEL32.dll!GetThreadLocale] [7fefd7c41e0] C:\Windows\system32\RPCRT4.dll IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\acppage.dll[KERNEL32.dll!GetProcAddress] [7fefd771450] C:\Windows\system32\RPCRT4.dll IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\acppage.dll[KERNEL32.dll!DisableThreadLibraryCalls] [7fefd760370] C:\Windows\system32\RPCRT4.dll IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\acppage.dll[KERNEL32.dll!RegOpenKeyExW] [7fefd7cc0c0] C:\Windows\system32\RPCRT4.dll IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\acppage.dll[KERNEL32.dll!RegCloseKey] [7fefd772ac0] C:\Windows\system32\RPCRT4.dll IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\acppage.dll[KERNEL32.dll!CreateProcessW] [0] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\acppage.dll[KERNEL32.dll!HeapFree] [7feff31bfd4] C:\Windows\system32\msvcrt.dll IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\acppage.dll[KERNEL32.dll!GetProcessHeap] [7feff2d10ac] C:\Windows\system32\msvcrt.dll IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\acppage.dll[KERNEL32.dll!lstrcmpiA] [7feff2d8e28] C:\Windows\system32\msvcrt.dll IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\acppage.dll[KERNEL32.dll!CloseHandle] [7feff2d137c] C:\Windows\system32\msvcrt.dll IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\acppage.dll[KERNEL32.dll!ExpandEnvironmentStringsW] [7feff310b58] C:\Windows\system32\msvcrt.dll IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\acppage.dll[KERNEL32.dll!GetTempFileNameW] [0] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\acppage.dll[KERNEL32.dll!WriteFile] [0] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\acppage.dll[KERNEL32.dll!GetSystemDirectoryW] [0] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\acppage.dll[KERNEL32.dll!RegQueryValueExW] [0] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\acppage.dll[KERNEL32.dll!CheckElevationEnabled] [7fefa1df188] C:\Windows\system32\acppage.dll IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\acppage.dll[KERNEL32.dll!CreateFileW] [0] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\acppage.dll[KERNEL32.dll!GetBinaryTypeW] [4a5bc4ee00000000] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\acppage.dll[KERNEL32.dll!GetTempPathW] [200000000] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\acppage.dll[KERNEL32.dll!LocalFree] [e428] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\acppage.dll[USER32.dll!EnableWindow] [2854020e236c53b6] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\acppage.dll[USER32.dll!UnregisterClassA] [48bf981be18611fc] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\acppage.dll[USER32.dll!GetParent] [1d228207ab85e68c] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\acppage.dll[USER32.dll!SendMessageW] [4f13df83b17bb6ff] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\acppage.dll[USER32.dll!GetWindowLongPtrW] [c3aeaa9648c9c094] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\acppage.dll[USER32.dll!SetWindowLongPtrW] [48a6521fadcf3f49] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\acppage.dll[USER32.dll!GetDlgItem] [61e8d3d5208ebaba] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\acppage.dll[USER32.dll!SendDlgItemMessageW] [4033e567ea128357] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\acppage.dll[USER32.dll!LoadStringA] [582bfef4805623ac] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\acppage.dll[USER32.dll!GetSystemMetrics] [4a91f0b39735d878] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\acppage.dll[USER32.dll!LoadStringW] [6975810c180078bc] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\acppage.dll[USER32.dll!InsertMenuW] [4ac617d7b653f1e0] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\acppage.dll[USER32.dll!SetProcessDPIAware] [a2c1db614bf8189b] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\acppage.dll[USER32.dll!CharNextW] [4941ef337022e7a5] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\acppage.dll[USER32.dll!IsWindowEnabled] [c2d7554266163d9d] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\acppage.dll[SHLWAPI.dll!PathFileExistsW] [49a352e4870de4c1] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\acppage.dll[SHLWAPI.dll!PathFindExtensionW] [497fa5e07c567e9a] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\acppage.dll[SHLWAPI.dll!StrCmpIW] [4bb58e6200aa70cb] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\acppage.dll[SHLWAPI.dll!PathFindFileNameW] [79ac31336ed5059c] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\acppage.dll[SHELL32.dll!DragQueryFileW] [45c97debc7930797] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\acppage.dll[SHELL32.dll!SHParseDisplayName] [d65162c60dae71aa] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\acppage.dll[SHELL32.dll!SHGetNameFromIDList] [6a69456b680411a9] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\acppage.dll[SHELL32.dll!SHChangeNotify] [4618f55c3e23c5a8] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\acppage.dll[SHELL32.dll!SHGetPathFromIDListW] [b15b8ad7f7909f90] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\acppage.dll[ole32.dll!CoGetObject] [5c2508125c250811] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\acppage.dll[ole32.dll!CoUninitialize] [214115c080c11] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\acppage.dll[ole32.dll!ReleaseStgMedium] [32100022013] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\acppage.dll[ole32.dll!StringFromGUID2] [ffff000100205429] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\acppage.dll[ole32.dll!CoCreateInstance] [5c2508130000ffff] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\acppage.dll[ole32.dll!HWND_UserSize] [2006400005b5c] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\acppage.dll[ole32.dll!HWND_UserSize64] [d4009600580026] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\acppage.dll[ole32.dll!CoTaskMemFree] [0] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\acppage.dll[ole32.dll!HWND_UserMarshal64] [7fefa1df92c] C:\Windows\system32\acppage.dll IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\acppage.dll[ole32.dll!HWND_UserFree64] [7fefa1df920] C:\Windows\system32\acppage.dll IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\acppage.dll[ole32.dll!HWND_UserUnmarshal64] [0] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\acppage.dll[ole32.dll!HWND_UserMarshal] [0] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\acppage.dll[ole32.dll!CoCreateGuid] [0] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\acppage.dll[ole32.dll!HWND_UserUnmarshal] [0] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\acppage.dll[ole32.dll!CoInitializeEx] [0] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\acppage.dll[ole32.dll!HWND_UserFree] [7fefa1d1392] C:\Windows\system32\acppage.dll IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\acppage.dll[RPCRT4.dll!NdrOleAllocate] [f213e81d8fbbda6] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\acppage.dll[RPCRT4.dll!NdrCStdStubBuffer_Release] [41901ec52af1fe1b] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\acppage.dll[RPCRT4.dll!NdrStubForwardingFunction] [eae9eda7df0489bd] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\acppage.dll[RPCRT4.dll!CStdStubBuffer_Connect] [4711713840a7882c] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\acppage.dll[RPCRT4.dll!CStdStubBuffer_Invoke] [321b59ef1610e382] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\acppage.dll[RPCRT4.dll!CStdStubBuffer_IsIIDSupported] [48fdc37c5e97d535] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\acppage.dll[RPCRT4.dll!CStdStubBuffer_Disconnect] [11957d2dcb921e8d] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\acppage.dll[RPCRT4.dll!CStdStubBuffer_DebugServerRelease] [4c3a3800fa78c93d] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\acppage.dll[RPCRT4.dll!NdrDllUnregisterProxy] [acf2a4c3548610a4] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\acppage.dll[RPCRT4.dll!NdrDllGetClassObject] [45d79f896557dd4c] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\acppage.dll[RPCRT4.dll!NdrStubCall3] [b9b843a39ffdfd83] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\acppage.dll[RPCRT4.dll!IUnknown_AddRef_Proxy] [4c634ccfa9f63151] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\acppage.dll[RPCRT4.dll!NdrCStdStubBuffer2_Release] [8638a324a53b5a9b] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\acppage.dll[RPCRT4.dll!CStdStubBuffer_QueryInterface] [4ca856d8688de15a] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\acppage.dll[RPCRT4.dll!CStdStubBuffer_DebugServerQueryInterface] [e64fa3a8bc9efe9c] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\acppage.dll[RPCRT4.dll!CStdStubBuffer_AddRef] [4cab8f2a310aad5d] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\acppage.dll[RPCRT4.dll!NdrDllRegisterProxy] [aeee7e211136d494] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\acppage.dll[RPCRT4.dll!CStdStubBuffer_CountRefs] [47316216ac3d7f68] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\acppage.dll[RPCRT4.dll!NdrDllCanUnloadNow] [e1b3e1114e1c1091] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\acppage.dll[RPCRT4.dll!NdrOleFree] [40cc1bafbd624d70] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\acppage.dll[RPCRT4.dll!IUnknown_Release_Proxy] [11acb5d2995ef3b7] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\acppage.dll[RPCRT4.dll!IUnknown_QueryInterface_Proxy] [42a2748361cde089] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\acppage.dll[VERSION.dll!GetFileVersionInfoSizeW] [6d9b8e7d1aa096a9] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\acppage.dll[VERSION.dll!GetFileVersionInfoW] [bc001100000000] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\acppage.dll[VERSION.dll!VerQueryValueW] [3155b010008001d] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\acppage.dll[wer.dll!WerReportSubmit] [0] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\acppage.dll[wer.dll!WerReportCreate] [0] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\acppage.dll[wer.dll!WerReportAddFile] [0] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\acppage.dll[wer.dll!WerReportCloseHandle] [2000001] IAT C:\Windows\Explorer.EXE[4028] @ C:\Windows\system32\acppage.dll[wer.dll!WerReportSetParameter] [0] IAT C:\Windows\Explorer.EXE[4028] @ C:\Program Files\Windows Defender\MpOav.dll[msvcrt.dll!__RTDynamicCast] [76ed1520] C:\Windows\system32\kernel32.dll IAT C:\Windows\Explorer.EXE[4028] @ C:\Program Files\Windows Defender\MpOav.dll[msvcrt.dll!memmove] [76ec2ce0] C:\Windows\system32\kernel32.dll IAT C:\Windows\Explorer.EXE[4028] @ C:\Program Files\Windows Defender\MpOav.dll[msvcrt.dll!_initterm] [0] IAT C:\Windows\Explorer.EXE[4028] @ C:\Program Files\Windows Defender\MpOav.dll[msvcrt.dll!_vsnwprintf] [7fefd873280] C:\Windows\system32\OLEAUT32.dll IAT C:\Windows\Explorer.EXE[4028] @ C:\Program Files\Windows Defender\MpOav.dll[msvcrt.dll!_amsg_exit] [7fefd871210] C:\Windows\system32\OLEAUT32.dll IAT C:\Windows\Explorer.EXE[4028] @ C:\Program Files\Windows Defender\MpOav.dll[msvcrt.dll!??1type_info@@UEAA@XZ] [7fefd873ce0] C:\Windows\system32\OLEAUT32.dll IAT C:\Windows\Explorer.EXE[4028] @ C:\Program Files\Windows Defender\MpOav.dll[msvcrt.dll!__CxxFrameHandler3] [7fefd871240] C:\Windows\system32\OLEAUT32.dll IAT C:\Windows\Explorer.EXE[4028] @ C:\Program Files\Windows Defender\MpOav.dll[msvcrt.dll!memcpy] [7fefd877100] C:\Windows\system32\OLEAUT32.dll IAT C:\Windows\Explorer.EXE[4028] @ C:\Program Files\Windows Defender\MpOav.dll[msvcrt.dll!_CxxThrowException] [7fefd871180] C:\Windows\system32\OLEAUT32.dll IAT C:\Windows\Explorer.EXE[4028] @ C:\Program Files\Windows Defender\MpOav.dll[msvcrt.dll!_unlock] [7fefd873f10] C:\Windows\system32\OLEAUT32.dll IAT C:\Windows\Explorer.EXE[4028] @ C:\Program Files\Windows Defender\MpOav.dll[msvcrt.dll!__dllonexit] [0] IAT C:\Windows\Explorer.EXE[4028] @ C:\Program Files\Windows Defender\MpOav.dll[msvcrt.dll!_lock] [7fefe027330] C:\Windows\system32\SHELL32.dll IAT C:\Windows\Explorer.EXE[4028] @ C:\Program Files\Windows Defender\MpOav.dll[msvcrt.dll!_onexit] [7fefe039d50] C:\Windows\system32\SHELL32.dll IAT C:\Windows\Explorer.EXE[4028] @ C:\Program Files\Windows Defender\MpOav.dll[msvcrt.dll!_XcptFilter] [7fefe03b910] C:\Windows\system32\SHELL32.dll IAT C:\Windows\Explorer.EXE[4028] @ C:\Program Files\Windows Defender\MpOav.dll[msvcrt.dll!memset] [7fefdfc4f0c] C:\Windows\system32\SHELL32.dll IAT C:\Windows\Explorer.EXE[4028] @ C:\Program Files\Windows Defender\MpOav.dll[msvcrt.dll!??0exception@@QEAA@AEBV0@@Z] [7fefdff0b00] C:\Windows\system32\SHELL32.dll IAT C:\Windows\Explorer.EXE[4028] @ C:\Program Files\Windows Defender\MpOav.dll[msvcrt.dll!??0exception@@QEAA@AEBQEBDH@Z] [7fefe02e120] C:\Windows\system32\SHELL32.dll IAT C:\Windows\Explorer.EXE[4028] @ C:\Program Files\Windows Defender\MpOav.dll[msvcrt.dll!??1exception@@UEAA@XZ] [0] IAT C:\Windows\Explorer.EXE[4028] @ C:\Program Files\Windows Defender\MpOav.dll[msvcrt.dll!?what@exception@@UEBAPEBDXZ] [7feff0d8c74] C:\Windows\system32\SHLWAPI.dll IAT C:\Windows\Explorer.EXE[4028] @ C:\Program Files\Windows Defender\MpOav.dll[msvcrt.dll!malloc] [7feff0e3e3c] C:\Windows\system32\SHLWAPI.dll IAT C:\Windows\Explorer.EXE[4028] @ C:\Program Files\Windows Defender\MpOav.dll[msvcrt.dll!free] [7feff0e0c30] C:\Windows\system32\SHLWAPI.dll IAT C:\Windows\Explorer.EXE[4028] @ C:\Program Files\Windows Defender\MpOav.dll[msvcrt.dll!wcsrchr] [7feff0dfa50] C:\Windows\system32\SHLWAPI.dll IAT C:\Windows\Explorer.EXE[4028] @ C:\Program Files\Windows Defender\MpOav.dll[msvcrt.dll!_purecall] [7feff0e29f4] C:\Windows\system32\SHLWAPI.dll IAT C:\Windows\Explorer.EXE[4028] @ C:\Program Files\Windows Defender\MpOav.dll[KERNEL32.dll!LocalFree] [7feff174250] C:\Windows\system32\ADVAPI32.dll IAT C:\Windows\Explorer.EXE[4028] @ C:\Program Files\Windows Defender\MpOav.dll[KERNEL32.dll!LoadLibraryW] [7feff16e700] C:\Windows\system32\ADVAPI32.dll IAT C:\Windows\Explorer.EXE[4028] @ C:\Program Files\Windows Defender\MpOav.dll[KERNEL32.dll!GetProcAddress] [7feff174220] C:\Windows\system32\ADVAPI32.dll IAT C:\Windows\Explorer.EXE[4028] @ C:\Program Files\Windows Defender\MpOav.dll[KERNEL32.dll!FreeLibrary] [7feff16a830] C:\Windows\system32\ADVAPI32.dll IAT C:\Windows\Explorer.EXE[4028] @ C:\Program Files\Windows Defender\MpOav.dll[KERNEL32.dll!RaiseException] [7feff15e514] C:\Windows\system32\ADVAPI32.dll IAT C:\Windows\Explorer.EXE[4028] @ C:\Program Files\Windows Defender\MpOav.dll[KERNEL32.dll!CloseHandle] [7feff161e10] C:\Windows\system32\ADVAPI32.dll IAT C:\Windows\Explorer.EXE[4028] @ C:\Program Files\Windows Defender\MpOav.dll[KERNEL32.dll!GetLastError] [7feff160510] C:\Windows\system32\ADVAPI32.dll IAT C:\Windows\Explorer.EXE[4028] @ C:\Program Files\Windows Defender\MpOav.dll[KERNEL32.dll!Sleep] [0] IAT C:\Windows\Explorer.EXE[4028] @ C:\Program Files\Windows Defender\MpOav.dll[KERNEL32.dll!TerminateProcess] [0] IAT C:\Windows\Explorer.EXE[4028] @ C:\Program Files\Windows Defender\MpOav.dll[KERNEL32.dll!GetCurrentProcess] [7fefeeb10a0] C:\Windows\system32\GDI32.dll IAT C:\Windows\Explorer.EXE[4028] @ C:\Program Files\Windows Defender\MpOav.dll[KERNEL32.dll!UnhandledExceptionFilter] [0] IAT C:\Windows\Explorer.EXE[4028] @ C:\Program Files\Windows Defender\MpOav.dll[KERNEL32.dll!SetUnhandledExceptionFilter] [76f4bab0] C:\Windows\system32\kernel32.dll IAT C:\Windows\Explorer.EXE[4028] @ C:\Program Files\Windows Defender\MpOav.dll[KERNEL32.dll!RtlVirtualUnwind] [76ec9020] C:\Windows\system32\kernel32.dll IAT C:\Windows\Explorer.EXE[4028] @ C:\Program Files\Windows Defender\MpOav.dll[KERNEL32.dll!RtlLookupFunctionEntry] [76ec5190] C:\Windows\system32\kernel32.dll IAT C:\Windows\Explorer.EXE[4028] @ C:\Program Files\Windows Defender\MpOav.dll[KERNEL32.dll!RtlCaptureContext] [76efbab0] C:\Windows\system32\kernel32.dll IAT C:\Windows\Explorer.EXE[4028] @ C:\Program Files\Windows Defender\MpOav.dll[KERNEL32.dll!LocalAlloc] [76efbb90] C:\Windows\system32\kernel32.dll IAT C:\Windows\Explorer.EXE[4028] @ C:\Program Files\Windows Defender\MpOav.dll[KERNEL32.dll!HeapValidate] [76ec33e0] C:\Windows\system32\kernel32.dll IAT C:\Windows\Explorer.EXE[4028] @ C:\Program Files\Windows Defender\MpOav.dll[KERNEL32.dll!HeapCreate] [76ec4ef0] C:\Windows\system32\kernel32.dll IAT C:\Windows\Explorer.EXE[4028] @ C:\Program Files\Windows Defender\MpOav.dll[KERNEL32.dll!HeapDestroy] [76ec3380] C:\Windows\system32\kernel32.dll IAT C:\Windows\Explorer.EXE[4028] @ C:\Program Files\Windows Defender\MpOav.dll[KERNEL32.dll!GetProcessHeap] [76ec59a0] C:\Windows\system32\kernel32.dll IAT C:\Windows\Explorer.EXE[4028] @ C:\Program Files\Windows Defender\MpOav.dll[KERNEL32.dll!HeapFree] [76efba50] C:\Windows\system32\kernel32.dll IAT C:\Windows\Explorer.EXE[4028] @ C:\Program Files\Windows Defender\MpOav.dll[KERNEL32.dll!GetVersionExW] [76ecb200] C:\Windows\system32\kernel32.dll IAT C:\Windows\Explorer.EXE[4028] @ C:\Program Files\Windows Defender\MpOav.dll[KERNEL32.dll!InitializeCriticalSectionAndSpinCount] [76ec3c40] C:\Windows\system32\kernel32.dll IAT C:\Windows\Explorer.EXE[4028] @ C:\Program Files\Windows Defender\MpOav.dll[KERNEL32.dll!GetModuleHandleW] [76ec3360] C:\Windows\system32\kernel32.dll IAT C:\Windows\Explorer.EXE[4028] @ C:\Program Files\Windows Defender\MpOav.dll[KERNEL32.dll!GetModuleFileNameW] [76ed1760] C:\Windows\system32\kernel32.dll IAT C:\Windows\Explorer.EXE[4028] @ C:\Program Files\Windows Defender\MpOav.dll[KERNEL32.dll!CreateFileW] [76ebc3c0] C:\Windows\system32\kernel32.dll IAT C:\Windows\Explorer.EXE[4028] @ C:\Program Files\Windows Defender\MpOav.dll[KERNEL32.dll!GetFileSizeEx] [76ec3c60] C:\Windows\system32\kernel32.dll IAT C:\Windows\Explorer.EXE[4028] @ C:\Program Files\Windows Defender\MpOav.dll[ADVAPI32.dll!RegQueryValueExW] [7feff16fda0] C:\Windows\system32\ADVAPI32.dll IAT C:\Windows\Explorer.EXE[4028] @ C:\Program Files\Windows Defender\MpOav.dll[ADVAPI32.dll!RegCloseKey] [7feff163e2c] C:\Windows\system32\ADVAPI32.dll IAT C:\Windows\Explorer.EXE[4028] @ C:\Program Files\Windows Defender\MpOav.dll[ole32.dll!CoCreateInstance] [7feff0e4494] C:\Windows\system32\SHLWAPI.dll IAT C:\Windows\Explorer.EXE[4028] @ C:\Program Files\Windows Defender\MpOav.dll[ole32.dll!StringFromGUID2] [7feff0e2b00] C:\Windows\system32\SHLWAPI.dll ---- Threads - GMER 2.2 ---- Thread C:\Windows\system32\svchost.exe [500:2700] 000000000f860fac Thread C:\Windows\system32\svchost.exe [500:5072] 000000000f860fac Thread C:\Windows\system32\svchost.exe [500:3724] 000000000f860fac Thread C:\Windows\system32\svchost.exe [500:2420] 000000000f8574dc Thread C:\Windows\system32\svchost.exe [500:4956] 000000000f8574dc Thread C:\Windows\SysWOW64\svchost.exe [5000:5112] 0000000000299480 Thread C:\Windows\SysWOW64\svchost.exe [5000:5116] 0000000000299480 Thread C:\Windows\SysWOW64\svchost.exe [5000:4080] 0000000000299480 Thread C:\Windows\SysWOW64\svchost.exe [5000:2592] 0000000000299480 Thread C:\Windows\SysWOW64\svchost.exe [5000:3200] 0000000000299480 Thread C:\Windows\SysWOW64\rundll32.exe [2484:4200] 0000000000279480 Thread C:\Windows\SysWOW64\rundll32.exe [2484:4204] 0000000000279480 Thread C:\Windows\SysWOW64\rundll32.exe [2484:4208] 0000000000279480 Thread C:\Windows\SysWOW64\rundll32.exe [2484:4212] 0000000000279480 Thread C:\Windows\SysWOW64\rundll32.exe [2484:4216] 0000000000279480 ---- Registry - GMER 2.2 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters\Instup_14975529301702294@SetupOperations ????????????$???4????? ??????? ??????????????????????????????????????????????????????? ??????????? ??????????? ??????????????? ???T???????HJ???????????e???????e???e???e???????????????????????e???e???e???????????????????????e?????????????????? ??????????????????? ??????????? ?????????????????disk.inf????????????????????????????????????????????????????WUDFCoinstaller.dll??????????????D?????s\a??????????{36fc9e60-c465-11cf-8056-444553540000}\0004?????.NT?1B?????o?u?y?????d????N?????? ????De?9???????????1??????????????????Keyboard????Apple iPhone?P USB??????????0????u???????????????y??????????????gendisk?????? ???????????????}????????????N??????????????????????????????????????????a???e??????????????????????????????1.0.1.4.SP00????????????????????????>????????????????????????????2??E2???????d??????????????????????????.NT?????? ??????????????????? ??????????????s???????????? ???|???\?????Dm ??system32\DRIVERS\raspptp.sys????????????? ??????????????)???? ???????}??????????Microsoft????????T???T??????????? ???m????? Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters\Instup_14975529301702294@SetupOperations ????es??????????????????ov???????????????????????????????,??????????? ?????????????????????,?????? ??????????????????????????????????????????????????????????????????????5???????????????????????????????????????????????????\?_?d?d?e?f????8A???i?i?i?i?j?j?j?k???j F??es\AVAST????????????????????????x???????????????????????????????????????????????????????????HJ??????????????????????HJ??????????????????????FH??????????????????????FH??????????????????????FH??????????????????????XZ??????????????????????\^??????????????????????????????????????????????HJ??????????????????????????????????????????????FH??????????????????????HJ??????????????????????HJ??????????????????????HJ??????????????????????RT??????????????????????????????????????????????>@??????????????????????DF??????????????????????z|??????????????????????z|??????????????????????????????????????????????????????????????????????FH??????????????????????FH??????????????????????BD??????????????????????FH??????????????????????Z\??????????????????????FH????????????????? ---- EOF - GMER 2.2 ----