GMER 2.2.19882 - http://www.gmer.net Rootkit scan 2016-09-11 17:25:55 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\00000059 ATA_____ rev.0002 931,51GB Running: gmer.exe; Driver: C:\Users\Ryszard\AppData\Local\Temp\kxtdqpow.sys ---- User code sections - GMER 2.2 ---- .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007721bbe0 5 bytes JMP 0000000049e30480 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007721bc30 5 bytes JMP 0000000049e30470 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007721bd90 5 bytes JMP 0000000049e30360 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007721bde0 5 bytes JMP 0000000049e30490 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007721bdf0 5 bytes JMP 0000000049e303d0 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007721bea0 5 bytes JMP 0000000049e30310 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007721bed0 5 bytes JMP 0000000049e303a0 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007721bef0 1 byte JMP 0000000049e30380 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 000000007721bef2 3 bytes {JMP 0xffffffffd2c14490} .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007721bf30 5 bytes JMP 0000000049e302d0 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007721bfb0 5 bytes JMP 0000000049e302c0 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007721bfd0 5 bytes JMP 0000000049e30300 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007721c010 5 bytes JMP 0000000049e303b0 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007721c050 5 bytes JMP 0000000049e30440 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007721c060 5 bytes JMP 0000000049e303e0 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007721c1c0 5 bytes JMP 0000000049e30220 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007721c380 5 bytes JMP 0000000049e304a0 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007721c3b0 5 bytes JMP 0000000049e30390 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007721c490 5 bytes JMP 0000000049e302e0 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007721c4a0 5 bytes JMP 0000000049e30340 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007721c500 5 bytes JMP 0000000049e30280 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007721c590 5 bytes JMP 0000000049e302a0 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007721c5b0 5 bytes JMP 0000000049e303c0 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007721c5c0 5 bytes JMP 0000000049e30320 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007721c630 5 bytes JMP 0000000049e30410 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007721c660 5 bytes JMP 0000000049e30230 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007721c800 5 bytes JMP 0000000049e303f0 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007721c920 5 bytes JMP 0000000049e301d0 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007721c9e0 5 bytes JMP 0000000049e30240 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007721ca10 5 bytes JMP 0000000049e304b0 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007721ca20 5 bytes JMP 0000000049e304c0 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007721ca50 5 bytes JMP 0000000049e302f0 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007721ca60 5 bytes JMP 0000000049e30350 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007721cac0 5 bytes JMP 0000000049e30290 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007721cb10 5 bytes JMP 0000000049e302b0 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007721cb40 5 bytes JMP 0000000049e30370 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007721cb50 5 bytes JMP 0000000049e30330 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007721ce40 5 bytes JMP 0000000049e30460 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 000000007721cfa0 5 bytes JMP 0000000049e30420 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007721d040 5 bytes JMP 0000000049e30250 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007721d050 5 bytes JMP 0000000049e30260 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007721d060 5 bytes JMP 0000000049e30400 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007721d220 5 bytes JMP 0000000049e301e0 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007721d230 5 bytes JMP 0000000049e30200 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007721d2a0 5 bytes JMP 0000000049e301f0 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007721d300 5 bytes JMP 0000000049e30430 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007721d310 5 bytes JMP 0000000049e30450 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007721d320 5 bytes JMP 0000000049e30210 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007721d400 5 bytes JMP 0000000049e30270 .text C:\Windows\system32\csrss.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007721bbe0 5 bytes JMP 0000000049e30480 .text C:\Windows\system32\csrss.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007721bc30 5 bytes JMP 0000000049e30470 .text C:\Windows\system32\csrss.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007721bd90 5 bytes JMP 0000000049e30360 .text C:\Windows\system32\csrss.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007721bde0 5 bytes JMP 0000000049e30490 .text C:\Windows\system32\csrss.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007721bdf0 5 bytes JMP 0000000049e303d0 .text C:\Windows\system32\csrss.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007721bea0 5 bytes JMP 0000000049e30310 .text C:\Windows\system32\csrss.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007721bed0 5 bytes JMP 0000000049e303a0 .text C:\Windows\system32\csrss.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007721bef0 1 byte JMP 0000000049e30380 .text C:\Windows\system32\csrss.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 000000007721bef2 3 bytes {JMP 0xffffffffd2c14490} .text C:\Windows\system32\csrss.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007721bf30 5 bytes JMP 0000000049e302d0 .text C:\Windows\system32\csrss.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007721bfb0 5 bytes JMP 0000000049e302c0 .text C:\Windows\system32\csrss.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007721bfd0 5 bytes JMP 0000000049e30300 .text C:\Windows\system32\csrss.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007721c010 5 bytes JMP 0000000049e303b0 .text C:\Windows\system32\csrss.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007721c050 5 bytes JMP 0000000049e30440 .text C:\Windows\system32\csrss.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007721c060 5 bytes JMP 0000000049e303e0 .text C:\Windows\system32\csrss.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007721c1c0 5 bytes JMP 0000000049e30220 .text C:\Windows\system32\csrss.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007721c380 5 bytes JMP 0000000049e304a0 .text C:\Windows\system32\csrss.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007721c3b0 5 bytes JMP 0000000049e30390 .text C:\Windows\system32\csrss.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007721c490 5 bytes JMP 0000000049e302e0 .text C:\Windows\system32\csrss.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007721c4a0 5 bytes JMP 0000000049e30340 .text C:\Windows\system32\csrss.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007721c500 5 bytes JMP 0000000049e30280 .text C:\Windows\system32\csrss.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007721c590 5 bytes JMP 0000000049e302a0 .text C:\Windows\system32\csrss.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007721c5b0 5 bytes JMP 0000000049e303c0 .text C:\Windows\system32\csrss.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007721c5c0 5 bytes JMP 0000000049e30320 .text C:\Windows\system32\csrss.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007721c630 5 bytes JMP 0000000049e30410 .text C:\Windows\system32\csrss.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007721c660 5 bytes JMP 0000000049e30230 .text C:\Windows\system32\csrss.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007721c800 5 bytes JMP 0000000049e303f0 .text C:\Windows\system32\csrss.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007721c920 5 bytes JMP 0000000049e301d0 .text C:\Windows\system32\csrss.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007721c9e0 5 bytes JMP 0000000049e30240 .text C:\Windows\system32\csrss.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007721ca10 5 bytes JMP 0000000049e304b0 .text C:\Windows\system32\csrss.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007721ca20 5 bytes JMP 0000000049e304c0 .text C:\Windows\system32\csrss.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007721ca50 5 bytes JMP 0000000049e302f0 .text C:\Windows\system32\csrss.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007721ca60 5 bytes JMP 0000000049e30350 .text C:\Windows\system32\csrss.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007721cac0 5 bytes JMP 0000000049e30290 .text C:\Windows\system32\csrss.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007721cb10 5 bytes JMP 0000000049e302b0 .text C:\Windows\system32\csrss.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007721cb40 5 bytes JMP 0000000049e30370 .text C:\Windows\system32\csrss.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007721cb50 5 bytes JMP 0000000049e30330 .text C:\Windows\system32\csrss.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007721ce40 5 bytes JMP 0000000049e30460 .text C:\Windows\system32\csrss.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 000000007721cfa0 5 bytes JMP 0000000049e30420 .text C:\Windows\system32\csrss.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007721d040 5 bytes JMP 0000000049e30250 .text C:\Windows\system32\csrss.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007721d050 5 bytes JMP 0000000049e30260 .text C:\Windows\system32\csrss.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007721d060 5 bytes JMP 0000000049e30400 .text C:\Windows\system32\csrss.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007721d220 5 bytes JMP 0000000049e301e0 .text C:\Windows\system32\csrss.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007721d230 5 bytes JMP 0000000049e30200 .text C:\Windows\system32\csrss.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007721d2a0 5 bytes JMP 0000000049e301f0 .text C:\Windows\system32\csrss.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007721d300 5 bytes JMP 0000000049e30430 .text C:\Windows\system32\csrss.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007721d310 5 bytes JMP 0000000049e30450 .text C:\Windows\system32\csrss.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007721d320 5 bytes JMP 0000000049e30210 .text C:\Windows\system32\csrss.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007721d400 5 bytes JMP 0000000049e30270 .text C:\Windows\system32\lsass.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007721bbe0 5 bytes JMP 0000000077380480 .text C:\Windows\system32\lsass.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007721bc30 5 bytes JMP 0000000077380470 .text C:\Windows\system32\lsass.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007721bd90 5 bytes JMP 0000000077380360 .text C:\Windows\system32\lsass.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007721bde0 5 bytes JMP 0000000077380490 .text C:\Windows\system32\lsass.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007721bdf0 5 bytes JMP 00000000773803d0 .text C:\Windows\system32\lsass.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007721bea0 5 bytes JMP 0000000077380310 .text C:\Windows\system32\lsass.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007721bed0 5 bytes JMP 00000000773803a0 .text C:\Windows\system32\lsass.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007721bef0 1 byte JMP 0000000077380380 .text C:\Windows\system32\lsass.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 000000007721bef2 3 bytes {JMP 0x164490} .text C:\Windows\system32\lsass.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007721bf30 5 bytes JMP 00000000773802d0 .text C:\Windows\system32\lsass.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007721bfb0 5 bytes JMP 00000000773802c0 .text C:\Windows\system32\lsass.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007721bfd0 5 bytes JMP 0000000077380300 .text C:\Windows\system32\lsass.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007721c010 5 bytes JMP 00000000773803b0 .text C:\Windows\system32\lsass.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007721c050 5 bytes JMP 0000000077380440 .text C:\Windows\system32\lsass.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007721c060 5 bytes JMP 00000000773803e0 .text C:\Windows\system32\lsass.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007721c1c0 5 bytes JMP 0000000077380220 .text C:\Windows\system32\lsass.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007721c380 5 bytes JMP 00000000773804a0 .text C:\Windows\system32\lsass.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007721c3b0 5 bytes JMP 0000000077380390 .text C:\Windows\system32\lsass.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007721c490 5 bytes JMP 00000000773802e0 .text C:\Windows\system32\lsass.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007721c4a0 5 bytes JMP 0000000077380340 .text C:\Windows\system32\lsass.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007721c500 5 bytes JMP 0000000077380280 .text C:\Windows\system32\lsass.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007721c590 5 bytes JMP 00000000773802a0 .text C:\Windows\system32\lsass.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007721c5b0 5 bytes JMP 00000000773803c0 .text C:\Windows\system32\lsass.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007721c5c0 5 bytes JMP 0000000077380320 .text C:\Windows\system32\lsass.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007721c630 5 bytes JMP 0000000077380410 .text C:\Windows\system32\lsass.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007721c660 5 bytes JMP 0000000077380230 .text C:\Windows\system32\lsass.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007721c800 5 bytes JMP 00000000773803f0 .text C:\Windows\system32\lsass.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007721c920 5 bytes JMP 00000000773801d0 .text C:\Windows\system32\lsass.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007721c9e0 5 bytes JMP 0000000077380240 .text C:\Windows\system32\lsass.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007721ca10 5 bytes JMP 00000000773804b0 .text C:\Windows\system32\lsass.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007721ca20 5 bytes JMP 00000000773804c0 .text C:\Windows\system32\lsass.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007721ca50 5 bytes JMP 00000000773802f0 .text C:\Windows\system32\lsass.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007721ca60 5 bytes JMP 0000000077380350 .text C:\Windows\system32\lsass.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007721cac0 5 bytes JMP 0000000077380290 .text C:\Windows\system32\lsass.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007721cb10 5 bytes JMP 00000000773802b0 .text C:\Windows\system32\lsass.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007721cb40 5 bytes JMP 0000000077380370 .text C:\Windows\system32\lsass.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007721cb50 5 bytes JMP 0000000077380330 .text C:\Windows\system32\lsass.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007721ce40 5 bytes JMP 0000000077380460 .text C:\Windows\system32\lsass.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 000000007721cfa0 5 bytes JMP 0000000077380420 .text C:\Windows\system32\lsass.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007721d040 5 bytes JMP 0000000077380250 .text C:\Windows\system32\lsass.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007721d050 5 bytes JMP 0000000077380260 .text C:\Windows\system32\lsass.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007721d060 5 bytes JMP 0000000077380400 .text C:\Windows\system32\lsass.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007721d220 5 bytes JMP 00000000773801e0 .text C:\Windows\system32\lsass.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007721d230 5 bytes JMP 0000000077380200 .text C:\Windows\system32\lsass.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007721d2a0 5 bytes JMP 00000000773801f0 .text C:\Windows\system32\lsass.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007721d300 5 bytes JMP 0000000077380430 .text C:\Windows\system32\lsass.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007721d310 5 bytes JMP 0000000077380450 .text C:\Windows\system32\lsass.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007721d320 5 bytes JMP 0000000077380210 .text C:\Windows\system32\lsass.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007721d400 5 bytes JMP 0000000077380270 .text C:\Windows\system32\lsm.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007721bbe0 5 bytes JMP 0000000077380480 .text C:\Windows\system32\lsm.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007721bc30 5 bytes JMP 0000000077380470 .text C:\Windows\system32\lsm.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007721bd90 5 bytes JMP 0000000077380360 .text C:\Windows\system32\lsm.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007721bde0 5 bytes JMP 0000000077380490 .text C:\Windows\system32\lsm.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007721bdf0 5 bytes JMP 00000000773803d0 .text C:\Windows\system32\lsm.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007721bea0 5 bytes JMP 0000000077380310 .text C:\Windows\system32\lsm.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007721bed0 5 bytes JMP 00000000773803a0 .text C:\Windows\system32\lsm.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007721bef0 1 byte JMP 0000000077380380 .text C:\Windows\system32\lsm.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 000000007721bef2 3 bytes {JMP 0x164490} .text C:\Windows\system32\lsm.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007721bf30 5 bytes JMP 00000000773802d0 .text C:\Windows\system32\lsm.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007721bfb0 5 bytes JMP 00000000773802c0 .text C:\Windows\system32\lsm.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007721bfd0 5 bytes JMP 0000000077380300 .text C:\Windows\system32\lsm.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007721c010 5 bytes JMP 00000000773803b0 .text C:\Windows\system32\lsm.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007721c050 5 bytes JMP 0000000077380440 .text C:\Windows\system32\lsm.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007721c060 5 bytes JMP 00000000773803e0 .text C:\Windows\system32\lsm.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007721c1c0 5 bytes JMP 0000000077380220 .text C:\Windows\system32\lsm.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007721c380 5 bytes JMP 00000000773804a0 .text C:\Windows\system32\lsm.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007721c3b0 5 bytes JMP 0000000077380390 .text C:\Windows\system32\lsm.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007721c490 5 bytes JMP 00000000773802e0 .text C:\Windows\system32\lsm.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007721c4a0 5 bytes JMP 0000000077380340 .text C:\Windows\system32\lsm.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007721c500 5 bytes JMP 0000000077380280 .text C:\Windows\system32\lsm.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007721c590 5 bytes JMP 00000000773802a0 .text C:\Windows\system32\lsm.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007721c5b0 5 bytes JMP 00000000773803c0 .text C:\Windows\system32\lsm.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007721c5c0 5 bytes JMP 0000000077380320 .text C:\Windows\system32\lsm.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007721c630 5 bytes JMP 0000000077380410 .text C:\Windows\system32\lsm.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007721c660 5 bytes JMP 0000000077380230 .text C:\Windows\system32\lsm.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007721c800 5 bytes JMP 00000000773803f0 .text C:\Windows\system32\lsm.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007721c920 5 bytes JMP 00000000773801d0 .text C:\Windows\system32\lsm.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007721c9e0 5 bytes JMP 0000000077380240 .text C:\Windows\system32\lsm.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007721ca10 5 bytes JMP 00000000773804b0 .text C:\Windows\system32\lsm.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007721ca20 5 bytes JMP 00000000773804c0 .text C:\Windows\system32\lsm.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007721ca50 5 bytes JMP 00000000773802f0 .text C:\Windows\system32\lsm.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007721ca60 5 bytes JMP 0000000077380350 .text C:\Windows\system32\lsm.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007721cac0 5 bytes JMP 0000000077380290 .text C:\Windows\system32\lsm.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007721cb10 5 bytes JMP 00000000773802b0 .text C:\Windows\system32\lsm.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007721cb40 5 bytes JMP 0000000077380370 .text C:\Windows\system32\lsm.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007721cb50 5 bytes JMP 0000000077380330 .text C:\Windows\system32\lsm.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007721ce40 5 bytes JMP 0000000077380460 .text C:\Windows\system32\lsm.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 000000007721cfa0 5 bytes JMP 0000000077380420 .text C:\Windows\system32\lsm.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007721d040 5 bytes JMP 0000000077380250 .text C:\Windows\system32\lsm.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007721d050 5 bytes JMP 0000000077380260 .text C:\Windows\system32\lsm.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007721d060 5 bytes JMP 0000000077380400 .text C:\Windows\system32\lsm.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007721d220 5 bytes JMP 00000000773801e0 .text C:\Windows\system32\lsm.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007721d230 5 bytes JMP 0000000077380200 .text C:\Windows\system32\lsm.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007721d2a0 5 bytes JMP 00000000773801f0 .text C:\Windows\system32\lsm.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007721d300 5 bytes JMP 0000000077380430 .text C:\Windows\system32\lsm.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007721d310 5 bytes JMP 0000000077380450 .text C:\Windows\system32\lsm.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007721d320 5 bytes JMP 0000000077380210 .text C:\Windows\system32\lsm.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007721d400 5 bytes JMP 0000000077380270 .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007721bbe0 5 bytes JMP 0000000077380480 .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007721bc30 5 bytes JMP 0000000077380470 .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007721bd90 5 bytes JMP 0000000077380360 .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007721bde0 5 bytes JMP 0000000077380490 .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007721bdf0 5 bytes JMP 00000000773803d0 .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007721bea0 5 bytes JMP 0000000077380310 .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007721bed0 5 bytes JMP 00000000773803a0 .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007721bef0 1 byte JMP 0000000077380380 .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 000000007721bef2 3 bytes {JMP 0x164490} .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007721bf30 5 bytes JMP 00000000773802d0 .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007721bfb0 5 bytes JMP 00000000773802c0 .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007721bfd0 5 bytes JMP 0000000077380300 .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007721c010 5 bytes JMP 00000000773803b0 .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007721c050 5 bytes JMP 0000000077380440 .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007721c060 5 bytes JMP 00000000773803e0 .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007721c1c0 5 bytes JMP 0000000077380220 .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007721c380 5 bytes JMP 00000000773804a0 .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007721c3b0 5 bytes JMP 0000000077380390 .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007721c490 5 bytes JMP 00000000773802e0 .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007721c4a0 5 bytes JMP 0000000077380340 .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007721c500 5 bytes JMP 0000000077380280 .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007721c590 5 bytes JMP 00000000773802a0 .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007721c5b0 5 bytes JMP 00000000773803c0 .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007721c5c0 5 bytes JMP 0000000077380320 .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007721c630 5 bytes JMP 0000000077380410 .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007721c660 5 bytes JMP 0000000077380230 .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007721c800 5 bytes JMP 00000000773803f0 .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007721c920 5 bytes JMP 00000000773801d0 .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007721c9e0 5 bytes JMP 0000000077380240 .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007721ca10 5 bytes JMP 00000000773804b0 .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007721ca20 5 bytes JMP 00000000773804c0 .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007721ca50 5 bytes JMP 00000000773802f0 .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007721ca60 5 bytes JMP 0000000077380350 .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007721cac0 5 bytes JMP 0000000077380290 .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007721cb10 5 bytes JMP 00000000773802b0 .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007721cb40 5 bytes JMP 0000000077380370 .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007721cb50 5 bytes JMP 0000000077380330 .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007721ce40 5 bytes JMP 0000000077380460 .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 000000007721cfa0 5 bytes JMP 0000000077380420 .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007721d040 5 bytes JMP 0000000077380250 .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007721d050 5 bytes JMP 0000000077380260 .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007721d060 5 bytes JMP 0000000077380400 .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007721d220 5 bytes JMP 00000000773801e0 .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007721d230 5 bytes JMP 0000000077380200 .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007721d2a0 5 bytes JMP 00000000773801f0 .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007721d300 5 bytes JMP 0000000077380430 .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007721d310 5 bytes JMP 0000000077380450 .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007721d320 5 bytes JMP 0000000077380210 .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007721d400 5 bytes JMP 0000000077380270 .text C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007721bbe0 5 bytes JMP 0000000077380480 .text C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007721bc30 5 bytes JMP 0000000077380470 .text C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007721bd90 5 bytes JMP 0000000077380360 .text C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007721bde0 5 bytes JMP 0000000077380490 .text C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007721bdf0 5 bytes JMP 00000000773803d0 .text C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007721bea0 5 bytes JMP 0000000077380310 .text C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007721bed0 5 bytes JMP 00000000773803a0 .text C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007721bef0 1 byte JMP 0000000077380380 .text C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 000000007721bef2 3 bytes {JMP 0x164490} .text C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007721bf30 5 bytes JMP 00000000773802d0 .text C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007721bfb0 5 bytes JMP 00000000773802c0 .text C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007721bfd0 5 bytes JMP 0000000077380300 .text C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007721c010 5 bytes JMP 00000000773803b0 .text C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007721c050 5 bytes JMP 0000000077380440 .text C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007721c060 5 bytes JMP 00000000773803e0 .text C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007721c1c0 5 bytes JMP 0000000077380220 .text C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007721c380 5 bytes JMP 00000000773804a0 .text C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007721c3b0 5 bytes JMP 0000000077380390 .text C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007721c490 5 bytes JMP 00000000773802e0 .text C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007721c4a0 5 bytes JMP 0000000077380340 .text C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007721c500 5 bytes JMP 0000000077380280 .text C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007721c590 5 bytes JMP 00000000773802a0 .text C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007721c5b0 5 bytes JMP 00000000773803c0 .text C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007721c5c0 5 bytes JMP 0000000077380320 .text C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007721c630 5 bytes JMP 0000000077380410 .text C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007721c660 5 bytes JMP 0000000077380230 .text C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007721c800 5 bytes JMP 00000000773803f0 .text C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007721c920 5 bytes JMP 00000000773801d0 .text C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007721c9e0 5 bytes JMP 0000000077380240 .text C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007721ca10 5 bytes JMP 00000000773804b0 .text C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007721ca20 5 bytes JMP 00000000773804c0 .text C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007721ca50 5 bytes JMP 00000000773802f0 .text C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007721ca60 5 bytes JMP 0000000077380350 .text C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007721cac0 5 bytes JMP 0000000077380290 .text C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007721cb10 5 bytes JMP 00000000773802b0 .text C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007721cb40 5 bytes JMP 0000000077380370 .text C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007721cb50 5 bytes JMP 0000000077380330 .text C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007721ce40 5 bytes JMP 0000000077380460 .text C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 000000007721cfa0 5 bytes JMP 0000000077380420 .text C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007721d040 5 bytes JMP 0000000077380250 .text C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007721d050 5 bytes JMP 0000000077380260 .text C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007721d060 5 bytes JMP 0000000077380400 .text C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007721d220 5 bytes JMP 00000000773801e0 .text C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007721d230 5 bytes JMP 0000000077380200 .text C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007721d2a0 5 bytes JMP 00000000773801f0 .text C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007721d300 5 bytes JMP 0000000077380430 .text C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007721d310 5 bytes JMP 0000000077380450 .text C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007721d320 5 bytes JMP 0000000077380210 .text C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007721d400 5 bytes JMP 0000000077380270 .text C:\Windows\System32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007721bbe0 5 bytes JMP 0000000077380480 .text C:\Windows\System32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007721bc30 5 bytes JMP 0000000077380470 .text C:\Windows\System32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007721bd90 5 bytes JMP 0000000077380360 .text C:\Windows\System32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007721bde0 5 bytes JMP 0000000077380490 .text C:\Windows\System32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007721bdf0 5 bytes JMP 00000000773803d0 .text C:\Windows\System32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007721bea0 5 bytes JMP 0000000077380310 .text C:\Windows\System32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007721bed0 5 bytes JMP 00000000773803a0 .text C:\Windows\System32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007721bef0 1 byte JMP 0000000077380380 .text C:\Windows\System32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 000000007721bef2 3 bytes {JMP 0x164490} .text C:\Windows\System32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007721bf30 5 bytes JMP 00000000773802d0 .text C:\Windows\System32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007721bfb0 5 bytes JMP 00000000773802c0 .text C:\Windows\System32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007721bfd0 5 bytes JMP 0000000077380300 .text C:\Windows\System32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007721c010 5 bytes JMP 00000000773803b0 .text C:\Windows\System32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007721c050 5 bytes JMP 0000000077380440 .text C:\Windows\System32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007721c060 5 bytes JMP 00000000773803e0 .text C:\Windows\System32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007721c1c0 5 bytes JMP 0000000077380220 .text C:\Windows\System32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007721c380 5 bytes JMP 00000000773804a0 .text C:\Windows\System32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007721c3b0 5 bytes JMP 0000000077380390 .text C:\Windows\System32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007721c490 5 bytes JMP 00000000773802e0 .text C:\Windows\System32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007721c4a0 5 bytes JMP 0000000077380340 .text C:\Windows\System32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007721c500 5 bytes JMP 0000000077380280 .text C:\Windows\System32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007721c590 5 bytes JMP 00000000773802a0 .text C:\Windows\System32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007721c5b0 5 bytes JMP 00000000773803c0 .text C:\Windows\System32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007721c5c0 5 bytes JMP 0000000077380320 .text C:\Windows\System32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007721c630 5 bytes JMP 0000000077380410 .text C:\Windows\System32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007721c660 5 bytes JMP 0000000077380230 .text C:\Windows\System32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007721c800 5 bytes JMP 00000000773803f0 .text C:\Windows\System32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007721c920 5 bytes JMP 00000000773801d0 .text C:\Windows\System32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007721c9e0 5 bytes JMP 0000000077380240 .text C:\Windows\System32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007721ca10 5 bytes JMP 00000000773804b0 .text C:\Windows\System32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007721ca20 5 bytes JMP 00000000773804c0 .text C:\Windows\System32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007721ca50 5 bytes JMP 00000000773802f0 .text C:\Windows\System32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007721ca60 5 bytes JMP 0000000077380350 .text C:\Windows\System32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007721cac0 5 bytes JMP 0000000077380290 .text C:\Windows\System32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007721cb10 5 bytes JMP 00000000773802b0 .text C:\Windows\System32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007721cb40 5 bytes JMP 0000000077380370 .text C:\Windows\System32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007721cb50 5 bytes JMP 0000000077380330 .text C:\Windows\System32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007721ce40 5 bytes JMP 0000000077380460 .text C:\Windows\System32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 000000007721cfa0 5 bytes JMP 0000000077380420 .text C:\Windows\System32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007721d040 5 bytes JMP 0000000077380250 .text C:\Windows\System32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007721d050 5 bytes JMP 0000000077380260 .text C:\Windows\System32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007721d060 5 bytes JMP 0000000077380400 .text C:\Windows\System32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007721d220 5 bytes JMP 00000000773801e0 .text C:\Windows\System32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007721d230 5 bytes JMP 0000000077380200 .text C:\Windows\System32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007721d2a0 5 bytes JMP 00000000773801f0 .text C:\Windows\System32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007721d300 5 bytes JMP 0000000077380430 .text C:\Windows\System32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007721d310 5 bytes JMP 0000000077380450 .text C:\Windows\System32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007721d320 5 bytes JMP 0000000077380210 .text C:\Windows\System32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007721d400 5 bytes JMP 0000000077380270 .text C:\Windows\System32\svchost.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007721bbe0 5 bytes JMP 0000000077380480 .text C:\Windows\System32\svchost.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007721bc30 5 bytes JMP 0000000077380470 .text C:\Windows\System32\svchost.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007721bd90 5 bytes JMP 0000000077380360 .text C:\Windows\System32\svchost.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007721bde0 5 bytes JMP 0000000077380490 .text C:\Windows\System32\svchost.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007721bdf0 5 bytes JMP 00000000773803d0 .text C:\Windows\System32\svchost.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007721bea0 5 bytes JMP 0000000077380310 .text C:\Windows\System32\svchost.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007721bed0 5 bytes JMP 00000000773803a0 .text C:\Windows\System32\svchost.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007721bef0 1 byte JMP 0000000077380380 .text C:\Windows\System32\svchost.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 000000007721bef2 3 bytes {JMP 0x164490} .text C:\Windows\System32\svchost.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007721bf30 5 bytes JMP 00000000773802d0 .text C:\Windows\System32\svchost.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007721bfb0 5 bytes JMP 00000000773802c0 .text C:\Windows\System32\svchost.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007721bfd0 5 bytes JMP 0000000077380300 .text C:\Windows\System32\svchost.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007721c010 5 bytes JMP 00000000773803b0 .text C:\Windows\System32\svchost.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007721c050 5 bytes JMP 0000000077380440 .text C:\Windows\System32\svchost.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007721c060 5 bytes JMP 00000000773803e0 .text C:\Windows\System32\svchost.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007721c1c0 5 bytes JMP 0000000077380220 .text C:\Windows\System32\svchost.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007721c380 5 bytes JMP 00000000773804a0 .text C:\Windows\System32\svchost.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007721c3b0 5 bytes JMP 0000000077380390 .text C:\Windows\System32\svchost.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007721c490 5 bytes JMP 00000000773802e0 .text C:\Windows\System32\svchost.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007721c4a0 5 bytes JMP 0000000077380340 .text C:\Windows\System32\svchost.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007721c500 5 bytes JMP 0000000077380280 .text C:\Windows\System32\svchost.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007721c590 5 bytes JMP 00000000773802a0 .text C:\Windows\System32\svchost.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007721c5b0 5 bytes JMP 00000000773803c0 .text C:\Windows\System32\svchost.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007721c5c0 5 bytes JMP 0000000077380320 .text C:\Windows\System32\svchost.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007721c630 5 bytes JMP 0000000077380410 .text C:\Windows\System32\svchost.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007721c660 5 bytes JMP 0000000077380230 .text C:\Windows\System32\svchost.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007721c800 5 bytes JMP 00000000773803f0 .text C:\Windows\System32\svchost.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007721c920 5 bytes JMP 00000000773801d0 .text C:\Windows\System32\svchost.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007721c9e0 5 bytes JMP 0000000077380240 .text C:\Windows\System32\svchost.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007721ca10 5 bytes JMP 00000000773804b0 .text C:\Windows\System32\svchost.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007721ca20 5 bytes JMP 00000000773804c0 .text C:\Windows\System32\svchost.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007721ca50 5 bytes JMP 00000000773802f0 .text C:\Windows\System32\svchost.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007721ca60 5 bytes JMP 0000000077380350 .text C:\Windows\System32\svchost.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007721cac0 5 bytes JMP 0000000077380290 .text C:\Windows\System32\svchost.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007721cb10 5 bytes JMP 00000000773802b0 .text C:\Windows\System32\svchost.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007721cb40 5 bytes JMP 0000000077380370 .text C:\Windows\System32\svchost.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007721cb50 5 bytes JMP 0000000077380330 .text C:\Windows\System32\svchost.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007721ce40 5 bytes JMP 0000000077380460 .text C:\Windows\System32\svchost.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 000000007721cfa0 5 bytes JMP 0000000077380420 .text C:\Windows\System32\svchost.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007721d040 5 bytes JMP 0000000077380250 .text C:\Windows\System32\svchost.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007721d050 5 bytes JMP 0000000077380260 .text C:\Windows\System32\svchost.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007721d060 5 bytes JMP 0000000077380400 .text C:\Windows\System32\svchost.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007721d220 5 bytes JMP 00000000773801e0 .text C:\Windows\System32\svchost.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007721d230 5 bytes JMP 0000000077380200 .text C:\Windows\System32\svchost.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007721d2a0 5 bytes JMP 00000000773801f0 .text C:\Windows\System32\svchost.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007721d300 5 bytes JMP 0000000077380430 .text C:\Windows\System32\svchost.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007721d310 5 bytes JMP 0000000077380450 .text C:\Windows\System32\svchost.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007721d320 5 bytes JMP 0000000077380210 .text C:\Windows\System32\svchost.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007721d400 5 bytes JMP 0000000077380270 .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007721bbe0 5 bytes JMP 0000000077380480 .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007721bc30 5 bytes JMP 0000000077380470 .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007721bd90 5 bytes JMP 0000000077380360 .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007721bde0 5 bytes JMP 0000000077380490 .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007721bdf0 5 bytes JMP 00000000773803d0 .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007721bea0 5 bytes JMP 0000000077380310 .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007721bed0 5 bytes JMP 00000000773803a0 .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007721bef0 1 byte JMP 0000000077380380 .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 000000007721bef2 3 bytes {JMP 0x164490} .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007721bf30 5 bytes JMP 00000000773802d0 .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007721bfb0 5 bytes JMP 00000000773802c0 .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007721bfd0 5 bytes JMP 0000000077380300 .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007721c010 5 bytes JMP 00000000773803b0 .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007721c050 5 bytes JMP 0000000077380440 .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007721c060 5 bytes JMP 00000000773803e0 .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007721c1c0 5 bytes JMP 0000000077380220 .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007721c380 5 bytes JMP 00000000773804a0 .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007721c3b0 5 bytes JMP 0000000077380390 .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007721c490 5 bytes JMP 00000000773802e0 .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007721c4a0 5 bytes JMP 0000000077380340 .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007721c500 5 bytes JMP 0000000077380280 .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007721c590 5 bytes JMP 00000000773802a0 .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007721c5b0 5 bytes JMP 00000000773803c0 .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007721c5c0 5 bytes JMP 0000000077380320 .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007721c630 5 bytes JMP 0000000077380410 .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007721c660 5 bytes JMP 0000000077380230 .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007721c800 5 bytes JMP 00000000773803f0 .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007721c920 5 bytes JMP 00000000773801d0 .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007721c9e0 5 bytes JMP 0000000077380240 .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007721ca10 5 bytes JMP 00000000773804b0 .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007721ca20 5 bytes JMP 00000000773804c0 .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007721ca50 5 bytes JMP 00000000773802f0 .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007721ca60 5 bytes JMP 0000000077380350 .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007721cac0 5 bytes JMP 0000000077380290 .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007721cb10 5 bytes JMP 00000000773802b0 .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007721cb40 5 bytes JMP 0000000077380370 .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007721cb50 5 bytes JMP 0000000077380330 .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007721ce40 5 bytes JMP 0000000077380460 .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 000000007721cfa0 5 bytes JMP 0000000077380420 .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007721d040 5 bytes JMP 0000000077380250 .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007721d050 5 bytes JMP 0000000077380260 .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007721d060 5 bytes JMP 0000000077380400 .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007721d220 5 bytes JMP 00000000773801e0 .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007721d230 5 bytes JMP 0000000077380200 .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007721d2a0 5 bytes JMP 00000000773801f0 .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007721d300 5 bytes JMP 0000000077380430 .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007721d310 5 bytes JMP 0000000077380450 .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007721d320 5 bytes JMP 0000000077380210 .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007721d400 5 bytes JMP 0000000077380270 .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007721bbe0 5 bytes JMP 0000000000070480 .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007721bc30 5 bytes JMP 0000000000070470 .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007721bd90 5 bytes JMP 0000000000070360 .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007721bde0 5 bytes JMP 0000000000070490 .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007721bdf0 5 bytes JMP 00000000000703d0 .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007721bea0 5 bytes JMP 0000000000070310 .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007721bed0 5 bytes JMP 00000000000703a0 .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007721bef0 1 byte JMP 0000000000070380 .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 000000007721bef2 3 bytes {JMP 0xffffffff88e54490} .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007721bf30 5 bytes JMP 00000000000702d0 .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007721bfb0 5 bytes JMP 00000000000702c0 .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007721bfd0 5 bytes JMP 0000000000070300 .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007721c010 5 bytes JMP 00000000000703b0 .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007721c050 5 bytes JMP 0000000000070440 .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007721c060 5 bytes JMP 00000000000703e0 .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007721c1c0 5 bytes JMP 0000000000070220 .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007721c380 5 bytes JMP 00000000000704a0 .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007721c3b0 5 bytes JMP 0000000000070390 .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007721c490 5 bytes JMP 00000000000702e0 .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007721c4a0 5 bytes JMP 0000000000070340 .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007721c500 5 bytes JMP 0000000000070280 .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007721c590 5 bytes JMP 00000000000702a0 .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007721c5b0 5 bytes JMP 00000000000703c0 .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007721c5c0 5 bytes JMP 0000000000070320 .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007721c630 5 bytes JMP 0000000000070410 .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007721c660 5 bytes JMP 0000000000070230 .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007721c800 5 bytes JMP 00000000000703f0 .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007721c920 5 bytes JMP 00000000000701d0 .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007721c9e0 5 bytes JMP 0000000000070240 .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007721ca10 5 bytes JMP 00000000000704b0 .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007721ca20 5 bytes JMP 00000000000704c0 .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007721ca50 5 bytes JMP 00000000000702f0 .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007721ca60 5 bytes JMP 0000000000070350 .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007721cac0 5 bytes JMP 0000000000070290 .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007721cb10 5 bytes JMP 00000000000702b0 .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007721cb40 5 bytes JMP 0000000000070370 .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007721cb50 5 bytes JMP 0000000000070330 .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007721ce40 5 bytes JMP 0000000000070460 .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 000000007721cfa0 5 bytes JMP 0000000000070420 .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007721d040 5 bytes JMP 0000000000070250 .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007721d050 5 bytes JMP 0000000000070260 .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007721d060 5 bytes JMP 0000000000070400 .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007721d220 5 bytes JMP 00000000000701e0 .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007721d230 5 bytes JMP 0000000000070200 .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007721d2a0 5 bytes JMP 00000000000701f0 .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007721d300 5 bytes JMP 0000000000070430 .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007721d310 5 bytes JMP 0000000000070450 .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007721d320 5 bytes JMP 0000000000070210 .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007721d400 5 bytes JMP 0000000000070270 .text C:\Windows\system32\svchost.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007721bbe0 5 bytes JMP 0000000077380480 .text C:\Windows\system32\svchost.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007721bc30 5 bytes JMP 0000000077380470 .text C:\Windows\system32\svchost.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007721bd90 5 bytes JMP 0000000077380360 .text C:\Windows\system32\svchost.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007721bde0 5 bytes JMP 0000000077380490 .text C:\Windows\system32\svchost.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007721bdf0 5 bytes JMP 00000000773803d0 .text C:\Windows\system32\svchost.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007721bea0 5 bytes JMP 0000000077380310 .text C:\Windows\system32\svchost.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007721bed0 5 bytes JMP 00000000773803a0 .text C:\Windows\system32\svchost.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007721bef0 1 byte JMP 0000000077380380 .text C:\Windows\system32\svchost.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 000000007721bef2 3 bytes {JMP 0x164490} .text C:\Windows\system32\svchost.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007721bf30 5 bytes JMP 00000000773802d0 .text C:\Windows\system32\svchost.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007721bfb0 5 bytes JMP 00000000773802c0 .text C:\Windows\system32\svchost.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007721bfd0 5 bytes JMP 0000000077380300 .text C:\Windows\system32\svchost.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007721c010 5 bytes JMP 00000000773803b0 .text C:\Windows\system32\svchost.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007721c050 5 bytes JMP 0000000077380440 .text C:\Windows\system32\svchost.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007721c060 5 bytes JMP 00000000773803e0 .text C:\Windows\system32\svchost.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007721c1c0 5 bytes JMP 0000000077380220 .text C:\Windows\system32\svchost.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007721c380 5 bytes JMP 00000000773804a0 .text C:\Windows\system32\svchost.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007721c3b0 5 bytes JMP 0000000077380390 .text C:\Windows\system32\svchost.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007721c490 5 bytes JMP 00000000773802e0 .text C:\Windows\system32\svchost.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007721c4a0 5 bytes JMP 0000000077380340 .text C:\Windows\system32\svchost.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007721c500 5 bytes JMP 0000000077380280 .text C:\Windows\system32\svchost.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007721c590 5 bytes JMP 00000000773802a0 .text C:\Windows\system32\svchost.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007721c5b0 5 bytes JMP 00000000773803c0 .text C:\Windows\system32\svchost.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007721c5c0 5 bytes JMP 0000000077380320 .text C:\Windows\system32\svchost.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007721c630 5 bytes JMP 0000000077380410 .text C:\Windows\system32\svchost.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007721c660 5 bytes JMP 0000000077380230 .text C:\Windows\system32\svchost.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007721c800 5 bytes JMP 00000000773803f0 .text C:\Windows\system32\svchost.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007721c920 5 bytes JMP 00000000773801d0 .text C:\Windows\system32\svchost.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007721c9e0 5 bytes JMP 0000000077380240 .text C:\Windows\system32\svchost.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007721ca10 5 bytes JMP 00000000773804b0 .text C:\Windows\system32\svchost.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007721ca20 5 bytes JMP 00000000773804c0 .text C:\Windows\system32\svchost.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007721ca50 5 bytes JMP 00000000773802f0 .text C:\Windows\system32\svchost.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007721ca60 5 bytes JMP 0000000077380350 .text C:\Windows\system32\svchost.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007721cac0 5 bytes JMP 0000000077380290 .text C:\Windows\system32\svchost.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007721cb10 5 bytes JMP 00000000773802b0 .text C:\Windows\system32\svchost.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007721cb40 5 bytes JMP 0000000077380370 .text C:\Windows\system32\svchost.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007721cb50 5 bytes JMP 0000000077380330 .text C:\Windows\system32\svchost.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007721ce40 5 bytes JMP 0000000077380460 .text C:\Windows\system32\svchost.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 000000007721cfa0 5 bytes JMP 0000000077380420 .text C:\Windows\system32\svchost.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007721d040 5 bytes JMP 0000000077380250 .text C:\Windows\system32\svchost.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007721d050 5 bytes JMP 0000000077380260 .text C:\Windows\system32\svchost.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007721d060 5 bytes JMP 0000000077380400 .text C:\Windows\system32\svchost.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007721d220 5 bytes JMP 00000000773801e0 .text C:\Windows\system32\svchost.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007721d230 5 bytes JMP 0000000077380200 .text C:\Windows\system32\svchost.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007721d2a0 5 bytes JMP 00000000773801f0 .text C:\Windows\system32\svchost.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007721d300 5 bytes JMP 0000000077380430 .text C:\Windows\system32\svchost.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007721d310 5 bytes JMP 0000000077380450 .text C:\Windows\system32\svchost.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007721d320 5 bytes JMP 0000000077380210 .text C:\Windows\system32\svchost.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007721d400 5 bytes JMP 0000000077380270 .text C:\Windows\system32\svchost.exe[1332] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007721bbe0 5 bytes JMP 0000000000070480 .text C:\Windows\system32\svchost.exe[1332] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007721bc30 5 bytes JMP 0000000000070470 .text C:\Windows\system32\svchost.exe[1332] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007721bd90 5 bytes JMP 0000000000070360 .text C:\Windows\system32\svchost.exe[1332] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007721bde0 5 bytes JMP 0000000000070490 .text C:\Windows\system32\svchost.exe[1332] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007721bdf0 5 bytes JMP 00000000000703d0 .text C:\Windows\system32\svchost.exe[1332] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007721bea0 5 bytes JMP 0000000000070310 .text C:\Windows\system32\svchost.exe[1332] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007721bed0 5 bytes JMP 00000000000703a0 .text C:\Windows\system32\svchost.exe[1332] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007721bef0 1 byte JMP 0000000000070380 .text C:\Windows\system32\svchost.exe[1332] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 000000007721bef2 3 bytes {JMP 0xffffffff88e54490} .text C:\Windows\system32\svchost.exe[1332] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007721bf30 5 bytes JMP 00000000000702d0 .text C:\Windows\system32\svchost.exe[1332] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007721bfb0 5 bytes JMP 00000000000702c0 .text C:\Windows\system32\svchost.exe[1332] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007721bfd0 5 bytes JMP 0000000000070300 .text C:\Windows\system32\svchost.exe[1332] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007721c010 5 bytes JMP 00000000000703b0 .text C:\Windows\system32\svchost.exe[1332] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007721c050 5 bytes JMP 0000000000070440 .text C:\Windows\system32\svchost.exe[1332] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007721c060 5 bytes JMP 00000000000703e0 .text C:\Windows\system32\svchost.exe[1332] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007721c1c0 5 bytes JMP 0000000000070220 .text C:\Windows\system32\svchost.exe[1332] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007721c380 5 bytes JMP 00000000000704a0 .text C:\Windows\system32\svchost.exe[1332] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007721c3b0 5 bytes JMP 0000000000070390 .text C:\Windows\system32\svchost.exe[1332] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007721c490 5 bytes JMP 00000000000702e0 .text C:\Windows\system32\svchost.exe[1332] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007721c4a0 5 bytes JMP 0000000000070340 .text C:\Windows\system32\svchost.exe[1332] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007721c500 5 bytes JMP 0000000000070280 .text C:\Windows\system32\svchost.exe[1332] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007721c590 5 bytes JMP 00000000000702a0 .text C:\Windows\system32\svchost.exe[1332] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007721c5b0 5 bytes JMP 00000000000703c0 .text C:\Windows\system32\svchost.exe[1332] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007721c5c0 5 bytes JMP 0000000000070320 .text C:\Windows\system32\svchost.exe[1332] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007721c630 5 bytes JMP 0000000000070410 .text C:\Windows\system32\svchost.exe[1332] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007721c660 5 bytes JMP 0000000000070230 .text C:\Windows\system32\svchost.exe[1332] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007721c800 5 bytes JMP 00000000000703f0 .text C:\Windows\system32\svchost.exe[1332] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007721c920 5 bytes JMP 00000000000701d0 .text C:\Windows\system32\svchost.exe[1332] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007721c9e0 5 bytes JMP 0000000000070240 .text C:\Windows\system32\svchost.exe[1332] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007721ca10 5 bytes JMP 00000000000704b0 .text C:\Windows\system32\svchost.exe[1332] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007721ca20 5 bytes JMP 00000000000704c0 .text C:\Windows\system32\svchost.exe[1332] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007721ca50 5 bytes JMP 00000000000702f0 .text C:\Windows\system32\svchost.exe[1332] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007721ca60 5 bytes JMP 0000000000070350 .text C:\Windows\system32\svchost.exe[1332] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007721cac0 5 bytes JMP 0000000000070290 .text C:\Windows\system32\svchost.exe[1332] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007721cb10 5 bytes JMP 00000000000702b0 .text C:\Windows\system32\svchost.exe[1332] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007721cb40 5 bytes JMP 0000000000070370 .text C:\Windows\system32\svchost.exe[1332] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007721cb50 5 bytes JMP 0000000000070330 .text C:\Windows\system32\svchost.exe[1332] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007721ce40 5 bytes JMP 0000000000070460 .text C:\Windows\system32\svchost.exe[1332] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 000000007721cfa0 5 bytes JMP 0000000000070420 .text C:\Windows\system32\svchost.exe[1332] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007721d040 5 bytes JMP 0000000000070250 .text C:\Windows\system32\svchost.exe[1332] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007721d050 5 bytes JMP 0000000000070260 .text C:\Windows\system32\svchost.exe[1332] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007721d060 5 bytes JMP 0000000000070400 .text C:\Windows\system32\svchost.exe[1332] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007721d220 5 bytes JMP 00000000000701e0 .text C:\Windows\system32\svchost.exe[1332] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007721d230 5 bytes JMP 0000000000070200 .text C:\Windows\system32\svchost.exe[1332] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007721d2a0 5 bytes JMP 00000000000701f0 .text C:\Windows\system32\svchost.exe[1332] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007721d300 5 bytes JMP 0000000000070430 .text C:\Windows\system32\svchost.exe[1332] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007721d310 5 bytes JMP 0000000000070450 .text C:\Windows\system32\svchost.exe[1332] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007721d320 5 bytes JMP 0000000000070210 .text C:\Windows\system32\svchost.exe[1332] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007721d400 5 bytes JMP 0000000000070270 .text C:\Windows\system32\Dwm.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007721bbe0 5 bytes JMP 0000000077380480 .text C:\Windows\system32\Dwm.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007721bc30 5 bytes JMP 0000000077380470 .text C:\Windows\system32\Dwm.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007721bd90 5 bytes JMP 0000000077380360 .text C:\Windows\system32\Dwm.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007721bde0 5 bytes JMP 0000000077380490 .text C:\Windows\system32\Dwm.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007721bdf0 5 bytes JMP 00000000773803d0 .text C:\Windows\system32\Dwm.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007721bea0 5 bytes JMP 0000000077380310 .text C:\Windows\system32\Dwm.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007721bed0 5 bytes JMP 00000000773803a0 .text C:\Windows\system32\Dwm.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007721bef0 1 byte JMP 0000000077380380 .text C:\Windows\system32\Dwm.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 000000007721bef2 3 bytes {JMP 0x164490} .text C:\Windows\system32\Dwm.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007721bf30 5 bytes JMP 00000000773802d0 .text C:\Windows\system32\Dwm.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007721bfb0 5 bytes JMP 00000000773802c0 .text C:\Windows\system32\Dwm.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007721bfd0 5 bytes JMP 0000000077380300 .text C:\Windows\system32\Dwm.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007721c010 5 bytes JMP 00000000773803b0 .text C:\Windows\system32\Dwm.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007721c050 5 bytes JMP 0000000077380440 .text C:\Windows\system32\Dwm.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007721c060 5 bytes JMP 00000000773803e0 .text C:\Windows\system32\Dwm.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007721c1c0 5 bytes JMP 0000000077380220 .text C:\Windows\system32\Dwm.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007721c380 5 bytes JMP 00000000773804a0 .text C:\Windows\system32\Dwm.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007721c3b0 5 bytes JMP 0000000077380390 .text C:\Windows\system32\Dwm.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007721c490 5 bytes JMP 00000000773802e0 .text C:\Windows\system32\Dwm.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007721c4a0 5 bytes JMP 0000000077380340 .text C:\Windows\system32\Dwm.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007721c500 5 bytes JMP 0000000077380280 .text C:\Windows\system32\Dwm.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007721c590 5 bytes JMP 00000000773802a0 .text C:\Windows\system32\Dwm.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007721c5b0 5 bytes JMP 00000000773803c0 .text C:\Windows\system32\Dwm.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007721c5c0 5 bytes JMP 0000000077380320 .text C:\Windows\system32\Dwm.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007721c630 5 bytes JMP 0000000077380410 .text C:\Windows\system32\Dwm.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007721c660 5 bytes JMP 0000000077380230 .text C:\Windows\system32\Dwm.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007721c800 5 bytes JMP 00000000773803f0 .text C:\Windows\system32\Dwm.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007721c920 5 bytes JMP 00000000773801d0 .text C:\Windows\system32\Dwm.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007721c9e0 5 bytes JMP 0000000077380240 .text C:\Windows\system32\Dwm.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007721ca10 5 bytes JMP 00000000773804b0 .text C:\Windows\system32\Dwm.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007721ca20 5 bytes JMP 00000000773804c0 .text C:\Windows\system32\Dwm.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007721ca50 5 bytes JMP 00000000773802f0 .text C:\Windows\system32\Dwm.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007721ca60 5 bytes JMP 0000000077380350 .text C:\Windows\system32\Dwm.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007721cac0 5 bytes JMP 0000000077380290 .text C:\Windows\system32\Dwm.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007721cb10 5 bytes JMP 00000000773802b0 .text C:\Windows\system32\Dwm.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007721cb40 5 bytes JMP 0000000077380370 .text C:\Windows\system32\Dwm.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007721cb50 5 bytes JMP 0000000077380330 .text C:\Windows\system32\Dwm.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007721ce40 5 bytes JMP 0000000077380460 .text C:\Windows\system32\Dwm.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 000000007721cfa0 5 bytes JMP 0000000077380420 .text C:\Windows\system32\Dwm.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007721d040 5 bytes JMP 0000000077380250 .text C:\Windows\system32\Dwm.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007721d050 5 bytes JMP 0000000077380260 .text C:\Windows\system32\Dwm.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007721d060 5 bytes JMP 0000000077380400 .text C:\Windows\system32\Dwm.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007721d220 5 bytes JMP 00000000773801e0 .text C:\Windows\system32\Dwm.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007721d230 5 bytes JMP 0000000077380200 .text C:\Windows\system32\Dwm.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007721d2a0 5 bytes JMP 00000000773801f0 .text C:\Windows\system32\Dwm.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007721d300 5 bytes JMP 0000000077380430 .text C:\Windows\system32\Dwm.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007721d310 5 bytes JMP 0000000077380450 .text C:\Windows\system32\Dwm.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007721d320 5 bytes JMP 0000000077380210 .text C:\Windows\system32\Dwm.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007721d400 5 bytes JMP 0000000077380270 .text C:\Windows\Explorer.EXE[1684] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007721bbe0 5 bytes JMP 0000000077380480 .text C:\Windows\Explorer.EXE[1684] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007721bc30 5 bytes JMP 0000000077380470 .text C:\Windows\Explorer.EXE[1684] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007721bd90 5 bytes JMP 0000000077380360 .text C:\Windows\Explorer.EXE[1684] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007721bde0 5 bytes JMP 0000000077380490 .text C:\Windows\Explorer.EXE[1684] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007721bdf0 5 bytes JMP 00000000773803d0 .text C:\Windows\Explorer.EXE[1684] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007721bea0 5 bytes JMP 0000000077380310 .text C:\Windows\Explorer.EXE[1684] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007721bed0 5 bytes JMP 00000000773803a0 .text C:\Windows\Explorer.EXE[1684] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007721bef0 1 byte JMP 0000000077380380 .text C:\Windows\Explorer.EXE[1684] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 000000007721bef2 3 bytes {JMP 0x164490} .text C:\Windows\Explorer.EXE[1684] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007721bf30 5 bytes JMP 00000000773802d0 .text C:\Windows\Explorer.EXE[1684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007721bfb0 5 bytes JMP 00000000773802c0 .text C:\Windows\Explorer.EXE[1684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007721bfd0 5 bytes JMP 0000000077380300 .text C:\Windows\Explorer.EXE[1684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007721c010 5 bytes JMP 00000000773803b0 .text C:\Windows\Explorer.EXE[1684] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007721c050 5 bytes JMP 0000000077380440 .text C:\Windows\Explorer.EXE[1684] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007721c060 5 bytes JMP 00000000773803e0 .text C:\Windows\Explorer.EXE[1684] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007721c1c0 5 bytes JMP 0000000077380220 .text C:\Windows\Explorer.EXE[1684] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007721c380 5 bytes JMP 00000000773804a0 .text C:\Windows\Explorer.EXE[1684] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007721c3b0 5 bytes JMP 0000000077380390 .text C:\Windows\Explorer.EXE[1684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007721c490 5 bytes JMP 00000000773802e0 .text C:\Windows\Explorer.EXE[1684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007721c4a0 5 bytes JMP 0000000077380340 .text C:\Windows\Explorer.EXE[1684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007721c500 5 bytes JMP 0000000077380280 .text C:\Windows\Explorer.EXE[1684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007721c590 5 bytes JMP 00000000773802a0 .text C:\Windows\Explorer.EXE[1684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007721c5b0 5 bytes JMP 00000000773803c0 .text C:\Windows\Explorer.EXE[1684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007721c5c0 5 bytes JMP 0000000077380320 .text C:\Windows\Explorer.EXE[1684] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007721c630 5 bytes JMP 0000000077380410 .text C:\Windows\Explorer.EXE[1684] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007721c660 5 bytes JMP 0000000077380230 .text C:\Windows\Explorer.EXE[1684] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007721c800 5 bytes JMP 00000000773803f0 .text C:\Windows\Explorer.EXE[1684] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007721c920 5 bytes JMP 00000000773801d0 .text C:\Windows\Explorer.EXE[1684] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007721c9e0 5 bytes JMP 0000000077380240 .text C:\Windows\Explorer.EXE[1684] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007721ca10 5 bytes JMP 00000000773804b0 .text C:\Windows\Explorer.EXE[1684] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007721ca20 5 bytes JMP 00000000773804c0 .text C:\Windows\Explorer.EXE[1684] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007721ca50 5 bytes JMP 00000000773802f0 .text C:\Windows\Explorer.EXE[1684] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007721ca60 5 bytes JMP 0000000077380350 .text C:\Windows\Explorer.EXE[1684] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007721cac0 5 bytes JMP 0000000077380290 .text C:\Windows\Explorer.EXE[1684] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007721cb10 5 bytes JMP 00000000773802b0 .text C:\Windows\Explorer.EXE[1684] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007721cb40 5 bytes JMP 0000000077380370 .text C:\Windows\Explorer.EXE[1684] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007721cb50 5 bytes JMP 0000000077380330 .text C:\Windows\Explorer.EXE[1684] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007721ce40 5 bytes JMP 0000000077380460 .text C:\Windows\Explorer.EXE[1684] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 000000007721cfa0 5 bytes JMP 0000000077380420 .text C:\Windows\Explorer.EXE[1684] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007721d040 5 bytes JMP 0000000077380250 .text C:\Windows\Explorer.EXE[1684] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007721d050 5 bytes JMP 0000000077380260 .text C:\Windows\Explorer.EXE[1684] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007721d060 5 bytes JMP 0000000077380400 .text C:\Windows\Explorer.EXE[1684] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007721d220 5 bytes JMP 00000000773801e0 .text C:\Windows\Explorer.EXE[1684] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007721d230 5 bytes JMP 0000000077380200 .text C:\Windows\Explorer.EXE[1684] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007721d2a0 5 bytes JMP 00000000773801f0 .text C:\Windows\Explorer.EXE[1684] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007721d300 5 bytes JMP 0000000077380430 .text C:\Windows\Explorer.EXE[1684] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007721d310 5 bytes JMP 0000000077380450 .text C:\Windows\Explorer.EXE[1684] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007721d320 5 bytes JMP 0000000077380210 .text C:\Windows\Explorer.EXE[1684] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007721d400 5 bytes JMP 0000000077380270 .text C:\Windows\system32\svchost.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007721bbe0 5 bytes JMP 0000000077380480 .text C:\Windows\system32\svchost.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007721bc30 5 bytes JMP 0000000077380470 .text C:\Windows\system32\svchost.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007721bd90 5 bytes JMP 0000000077380360 .text C:\Windows\system32\svchost.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007721bde0 5 bytes JMP 0000000077380490 .text C:\Windows\system32\svchost.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007721bdf0 5 bytes JMP 00000000773803d0 .text C:\Windows\system32\svchost.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007721bea0 5 bytes JMP 0000000077380310 .text C:\Windows\system32\svchost.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007721bed0 5 bytes JMP 00000000773803a0 .text C:\Windows\system32\svchost.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007721bef0 1 byte JMP 0000000077380380 .text C:\Windows\system32\svchost.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 000000007721bef2 3 bytes {JMP 0x164490} .text C:\Windows\system32\svchost.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007721bf30 5 bytes JMP 00000000773802d0 .text C:\Windows\system32\svchost.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007721bfb0 5 bytes JMP 00000000773802c0 .text C:\Windows\system32\svchost.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007721bfd0 5 bytes JMP 0000000077380300 .text C:\Windows\system32\svchost.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007721c010 5 bytes JMP 00000000773803b0 .text C:\Windows\system32\svchost.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007721c050 5 bytes JMP 0000000077380440 .text C:\Windows\system32\svchost.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007721c060 5 bytes JMP 00000000773803e0 .text C:\Windows\system32\svchost.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007721c1c0 5 bytes JMP 0000000077380220 .text C:\Windows\system32\svchost.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007721c380 5 bytes JMP 00000000773804a0 .text C:\Windows\system32\svchost.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007721c3b0 5 bytes JMP 0000000077380390 .text C:\Windows\system32\svchost.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007721c490 5 bytes JMP 00000000773802e0 .text C:\Windows\system32\svchost.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007721c4a0 5 bytes JMP 0000000077380340 .text C:\Windows\system32\svchost.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007721c500 5 bytes JMP 0000000077380280 .text C:\Windows\system32\svchost.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007721c590 5 bytes JMP 00000000773802a0 .text C:\Windows\system32\svchost.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007721c5b0 5 bytes JMP 00000000773803c0 .text C:\Windows\system32\svchost.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007721c5c0 5 bytes JMP 0000000077380320 .text C:\Windows\system32\svchost.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007721c630 5 bytes JMP 0000000077380410 .text C:\Windows\system32\svchost.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007721c660 5 bytes JMP 0000000077380230 .text C:\Windows\system32\svchost.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007721c800 5 bytes JMP 00000000773803f0 .text C:\Windows\system32\svchost.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007721c920 5 bytes JMP 00000000773801d0 .text C:\Windows\system32\svchost.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007721c9e0 5 bytes JMP 0000000077380240 .text C:\Windows\system32\svchost.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007721ca10 5 bytes JMP 00000000773804b0 .text C:\Windows\system32\svchost.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007721ca20 5 bytes JMP 00000000773804c0 .text C:\Windows\system32\svchost.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007721ca50 5 bytes JMP 00000000773802f0 .text C:\Windows\system32\svchost.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007721ca60 5 bytes JMP 0000000077380350 .text C:\Windows\system32\svchost.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007721cac0 5 bytes JMP 0000000077380290 .text C:\Windows\system32\svchost.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007721cb10 5 bytes JMP 00000000773802b0 .text C:\Windows\system32\svchost.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007721cb40 5 bytes JMP 0000000077380370 .text C:\Windows\system32\svchost.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007721cb50 5 bytes JMP 0000000077380330 .text C:\Windows\system32\svchost.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007721ce40 5 bytes JMP 0000000077380460 .text C:\Windows\system32\svchost.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 000000007721cfa0 5 bytes JMP 0000000077380420 .text C:\Windows\system32\svchost.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007721d040 5 bytes JMP 0000000077380250 .text C:\Windows\system32\svchost.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007721d050 5 bytes JMP 0000000077380260 .text C:\Windows\system32\svchost.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007721d060 5 bytes JMP 0000000077380400 .text C:\Windows\system32\svchost.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007721d220 5 bytes JMP 00000000773801e0 .text C:\Windows\system32\svchost.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007721d230 5 bytes JMP 0000000077380200 .text C:\Windows\system32\svchost.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007721d2a0 5 bytes JMP 00000000773801f0 .text C:\Windows\system32\svchost.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007721d300 5 bytes JMP 0000000077380430 .text C:\Windows\system32\svchost.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007721d310 5 bytes JMP 0000000077380450 .text C:\Windows\system32\svchost.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007721d320 5 bytes JMP 0000000077380210 .text C:\Windows\system32\svchost.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007721d400 5 bytes JMP 0000000077380270 .text C:\Windows\System32\svchost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007721bbe0 5 bytes JMP 0000000077380480 .text C:\Windows\System32\svchost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007721bc30 5 bytes JMP 0000000077380470 .text C:\Windows\System32\svchost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007721bd90 5 bytes JMP 0000000077380360 .text C:\Windows\System32\svchost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007721bde0 5 bytes JMP 0000000077380490 .text C:\Windows\System32\svchost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007721bdf0 5 bytes JMP 00000000773803d0 .text C:\Windows\System32\svchost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007721bea0 5 bytes JMP 0000000077380310 .text C:\Windows\System32\svchost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007721bed0 5 bytes JMP 00000000773803a0 .text C:\Windows\System32\svchost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007721bef0 1 byte JMP 0000000077380380 .text C:\Windows\System32\svchost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 000000007721bef2 3 bytes {JMP 0x164490} .text C:\Windows\System32\svchost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007721bf30 5 bytes JMP 00000000773802d0 .text C:\Windows\System32\svchost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007721bfb0 5 bytes JMP 00000000773802c0 .text C:\Windows\System32\svchost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007721bfd0 5 bytes JMP 0000000077380300 .text C:\Windows\System32\svchost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007721c010 5 bytes JMP 00000000773803b0 .text C:\Windows\System32\svchost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007721c050 5 bytes JMP 0000000077380440 .text C:\Windows\System32\svchost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007721c060 5 bytes JMP 00000000773803e0 .text C:\Windows\System32\svchost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007721c1c0 5 bytes JMP 0000000077380220 .text C:\Windows\System32\svchost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007721c380 5 bytes JMP 00000000773804a0 .text C:\Windows\System32\svchost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007721c3b0 5 bytes JMP 0000000077380390 .text C:\Windows\System32\svchost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007721c490 5 bytes JMP 00000000773802e0 .text C:\Windows\System32\svchost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007721c4a0 5 bytes JMP 0000000077380340 .text C:\Windows\System32\svchost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007721c500 5 bytes JMP 0000000077380280 .text C:\Windows\System32\svchost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007721c590 5 bytes JMP 00000000773802a0 .text C:\Windows\System32\svchost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007721c5b0 5 bytes JMP 00000000773803c0 .text C:\Windows\System32\svchost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007721c5c0 5 bytes JMP 0000000077380320 .text C:\Windows\System32\svchost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007721c630 5 bytes JMP 0000000077380410 .text C:\Windows\System32\svchost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007721c660 5 bytes JMP 0000000077380230 .text C:\Windows\System32\svchost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007721c800 5 bytes JMP 00000000773803f0 .text C:\Windows\System32\svchost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007721c920 5 bytes JMP 00000000773801d0 .text C:\Windows\System32\svchost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007721c9e0 5 bytes JMP 0000000077380240 .text C:\Windows\System32\svchost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007721ca10 5 bytes JMP 00000000773804b0 .text C:\Windows\System32\svchost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007721ca20 5 bytes JMP 00000000773804c0 .text C:\Windows\System32\svchost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007721ca50 5 bytes JMP 00000000773802f0 .text C:\Windows\System32\svchost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007721ca60 5 bytes JMP 0000000077380350 .text C:\Windows\System32\svchost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007721cac0 5 bytes JMP 0000000077380290 .text C:\Windows\System32\svchost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007721cb10 5 bytes JMP 00000000773802b0 .text C:\Windows\System32\svchost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007721cb40 5 bytes JMP 0000000077380370 .text C:\Windows\System32\svchost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007721cb50 5 bytes JMP 0000000077380330 .text C:\Windows\System32\svchost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007721ce40 5 bytes JMP 0000000077380460 .text C:\Windows\System32\svchost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 000000007721cfa0 5 bytes JMP 0000000077380420 .text C:\Windows\System32\svchost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007721d040 5 bytes JMP 0000000077380250 .text C:\Windows\System32\svchost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007721d050 5 bytes JMP 0000000077380260 .text C:\Windows\System32\svchost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007721d060 5 bytes JMP 0000000077380400 .text C:\Windows\System32\svchost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007721d220 5 bytes JMP 00000000773801e0 .text C:\Windows\System32\svchost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007721d230 5 bytes JMP 0000000077380200 .text C:\Windows\System32\svchost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007721d2a0 5 bytes JMP 00000000773801f0 .text C:\Windows\System32\svchost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007721d300 5 bytes JMP 0000000077380430 .text C:\Windows\System32\svchost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007721d310 5 bytes JMP 0000000077380450 .text C:\Windows\System32\svchost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007721d320 5 bytes JMP 0000000077380210 .text C:\Windows\System32\svchost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007721d400 5 bytes JMP 0000000077380270 .text C:\Windows\system32\taskhost.exe[1868] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007721bbe0 5 bytes JMP 0000000077380480 .text C:\Windows\system32\taskhost.exe[1868] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007721bc30 5 bytes JMP 0000000077380470 .text C:\Windows\system32\taskhost.exe[1868] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007721bd90 5 bytes JMP 0000000077380360 .text C:\Windows\system32\taskhost.exe[1868] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007721bde0 5 bytes JMP 0000000077380490 .text C:\Windows\system32\taskhost.exe[1868] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007721bdf0 5 bytes JMP 00000000773803d0 .text C:\Windows\system32\taskhost.exe[1868] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007721bea0 5 bytes JMP 0000000077380310 .text C:\Windows\system32\taskhost.exe[1868] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007721bed0 5 bytes JMP 00000000773803a0 .text C:\Windows\system32\taskhost.exe[1868] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007721bef0 1 byte JMP 0000000077380380 .text C:\Windows\system32\taskhost.exe[1868] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 000000007721bef2 3 bytes {JMP 0x164490} .text C:\Windows\system32\taskhost.exe[1868] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007721bf30 5 bytes JMP 00000000773802d0 .text C:\Windows\system32\taskhost.exe[1868] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007721bfb0 5 bytes JMP 00000000773802c0 .text C:\Windows\system32\taskhost.exe[1868] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007721bfd0 5 bytes JMP 0000000077380300 .text C:\Windows\system32\taskhost.exe[1868] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007721c010 5 bytes JMP 00000000773803b0 .text C:\Windows\system32\taskhost.exe[1868] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007721c050 5 bytes JMP 0000000077380440 .text C:\Windows\system32\taskhost.exe[1868] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007721c060 5 bytes JMP 00000000773803e0 .text C:\Windows\system32\taskhost.exe[1868] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007721c1c0 5 bytes JMP 0000000077380220 .text C:\Windows\system32\taskhost.exe[1868] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007721c380 5 bytes JMP 00000000773804a0 .text C:\Windows\system32\taskhost.exe[1868] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007721c3b0 5 bytes JMP 0000000077380390 .text C:\Windows\system32\taskhost.exe[1868] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007721c490 5 bytes JMP 00000000773802e0 .text C:\Windows\system32\taskhost.exe[1868] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007721c4a0 5 bytes JMP 0000000077380340 .text C:\Windows\system32\taskhost.exe[1868] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007721c500 5 bytes JMP 0000000077380280 .text C:\Windows\system32\taskhost.exe[1868] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007721c590 5 bytes JMP 00000000773802a0 .text C:\Windows\system32\taskhost.exe[1868] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007721c5b0 5 bytes JMP 00000000773803c0 .text C:\Windows\system32\taskhost.exe[1868] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007721c5c0 5 bytes JMP 0000000077380320 .text C:\Windows\system32\taskhost.exe[1868] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007721c630 5 bytes JMP 0000000077380410 .text C:\Windows\system32\taskhost.exe[1868] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007721c660 5 bytes JMP 0000000077380230 .text C:\Windows\system32\taskhost.exe[1868] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007721c800 5 bytes JMP 00000000773803f0 .text C:\Windows\system32\taskhost.exe[1868] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007721c920 5 bytes JMP 00000000773801d0 .text C:\Windows\system32\taskhost.exe[1868] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007721c9e0 5 bytes JMP 0000000077380240 .text C:\Windows\system32\taskhost.exe[1868] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007721ca10 5 bytes JMP 00000000773804b0 .text C:\Windows\system32\taskhost.exe[1868] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007721ca20 5 bytes JMP 00000000773804c0 .text C:\Windows\system32\taskhost.exe[1868] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007721ca50 5 bytes JMP 00000000773802f0 .text C:\Windows\system32\taskhost.exe[1868] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007721ca60 5 bytes JMP 0000000077380350 .text C:\Windows\system32\taskhost.exe[1868] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007721cac0 5 bytes JMP 0000000077380290 .text C:\Windows\system32\taskhost.exe[1868] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007721cb10 5 bytes JMP 00000000773802b0 .text C:\Windows\system32\taskhost.exe[1868] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007721cb40 5 bytes JMP 0000000077380370 .text C:\Windows\system32\taskhost.exe[1868] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007721cb50 5 bytes JMP 0000000077380330 .text C:\Windows\system32\taskhost.exe[1868] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007721ce40 5 bytes JMP 0000000077380460 .text C:\Windows\system32\taskhost.exe[1868] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 000000007721cfa0 5 bytes JMP 0000000077380420 .text C:\Windows\system32\taskhost.exe[1868] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007721d040 5 bytes JMP 0000000077380250 .text C:\Windows\system32\taskhost.exe[1868] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007721d050 5 bytes JMP 0000000077380260 .text C:\Windows\system32\taskhost.exe[1868] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007721d060 5 bytes JMP 0000000077380400 .text C:\Windows\system32\taskhost.exe[1868] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007721d220 5 bytes JMP 00000000773801e0 .text C:\Windows\system32\taskhost.exe[1868] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007721d230 5 bytes JMP 0000000077380200 .text C:\Windows\system32\taskhost.exe[1868] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007721d2a0 5 bytes JMP 00000000773801f0 .text C:\Windows\system32\taskhost.exe[1868] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007721d300 5 bytes JMP 0000000077380430 .text C:\Windows\system32\taskhost.exe[1868] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007721d310 5 bytes JMP 0000000077380450 .text C:\Windows\system32\taskhost.exe[1868] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007721d320 5 bytes JMP 0000000077380210 .text C:\Windows\system32\taskhost.exe[1868] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007721d400 5 bytes JMP 0000000077380270 .text C:\Windows\System32\svchost.exe[2584] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007721bbe0 5 bytes JMP 0000000077380480 .text C:\Windows\System32\svchost.exe[2584] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007721bc30 5 bytes JMP 0000000077380470 .text C:\Windows\System32\svchost.exe[2584] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007721bd90 5 bytes JMP 0000000077380360 .text C:\Windows\System32\svchost.exe[2584] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007721bde0 5 bytes JMP 0000000077380490 .text C:\Windows\System32\svchost.exe[2584] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007721bdf0 5 bytes JMP 00000000773803d0 .text C:\Windows\System32\svchost.exe[2584] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007721bea0 5 bytes JMP 0000000077380310 .text C:\Windows\System32\svchost.exe[2584] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007721bed0 5 bytes JMP 00000000773803a0 .text C:\Windows\System32\svchost.exe[2584] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007721bef0 1 byte JMP 0000000077380380 .text C:\Windows\System32\svchost.exe[2584] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 000000007721bef2 3 bytes {JMP 0x164490} .text C:\Windows\System32\svchost.exe[2584] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007721bf30 5 bytes JMP 00000000773802d0 .text C:\Windows\System32\svchost.exe[2584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007721bfb0 5 bytes JMP 00000000773802c0 .text C:\Windows\System32\svchost.exe[2584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007721bfd0 5 bytes JMP 0000000077380300 .text C:\Windows\System32\svchost.exe[2584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007721c010 5 bytes JMP 00000000773803b0 .text C:\Windows\System32\svchost.exe[2584] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007721c050 5 bytes JMP 0000000077380440 .text C:\Windows\System32\svchost.exe[2584] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007721c060 5 bytes JMP 00000000773803e0 .text C:\Windows\System32\svchost.exe[2584] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007721c1c0 5 bytes JMP 0000000077380220 .text C:\Windows\System32\svchost.exe[2584] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007721c380 5 bytes JMP 00000000773804a0 .text C:\Windows\System32\svchost.exe[2584] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007721c3b0 5 bytes JMP 0000000077380390 .text C:\Windows\System32\svchost.exe[2584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007721c490 5 bytes JMP 00000000773802e0 .text C:\Windows\System32\svchost.exe[2584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007721c4a0 5 bytes JMP 0000000077380340 .text C:\Windows\System32\svchost.exe[2584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007721c500 5 bytes JMP 0000000077380280 .text C:\Windows\System32\svchost.exe[2584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007721c590 5 bytes JMP 00000000773802a0 .text C:\Windows\System32\svchost.exe[2584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007721c5b0 5 bytes JMP 00000000773803c0 .text C:\Windows\System32\svchost.exe[2584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007721c5c0 5 bytes JMP 0000000077380320 .text C:\Windows\System32\svchost.exe[2584] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007721c630 5 bytes JMP 0000000077380410 .text C:\Windows\System32\svchost.exe[2584] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007721c660 5 bytes JMP 0000000077380230 .text C:\Windows\System32\svchost.exe[2584] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007721c800 5 bytes JMP 00000000773803f0 .text C:\Windows\System32\svchost.exe[2584] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007721c920 5 bytes JMP 00000000773801d0 .text C:\Windows\System32\svchost.exe[2584] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007721c9e0 5 bytes JMP 0000000077380240 .text C:\Windows\System32\svchost.exe[2584] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007721ca10 5 bytes JMP 00000000773804b0 .text C:\Windows\System32\svchost.exe[2584] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007721ca20 5 bytes JMP 00000000773804c0 .text C:\Windows\System32\svchost.exe[2584] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007721ca50 5 bytes JMP 00000000773802f0 .text C:\Windows\System32\svchost.exe[2584] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007721ca60 5 bytes JMP 0000000077380350 .text C:\Windows\System32\svchost.exe[2584] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007721cac0 5 bytes JMP 0000000077380290 .text C:\Windows\System32\svchost.exe[2584] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007721cb10 5 bytes JMP 00000000773802b0 .text C:\Windows\System32\svchost.exe[2584] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007721cb40 5 bytes JMP 0000000077380370 .text C:\Windows\System32\svchost.exe[2584] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007721cb50 5 bytes JMP 0000000077380330 .text C:\Windows\System32\svchost.exe[2584] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007721ce40 5 bytes JMP 0000000077380460 .text C:\Windows\System32\svchost.exe[2584] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 000000007721cfa0 5 bytes JMP 0000000077380420 .text C:\Windows\System32\svchost.exe[2584] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007721d040 5 bytes JMP 0000000077380250 .text C:\Windows\System32\svchost.exe[2584] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007721d050 5 bytes JMP 0000000077380260 .text C:\Windows\System32\svchost.exe[2584] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007721d060 5 bytes JMP 0000000077380400 .text C:\Windows\System32\svchost.exe[2584] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007721d220 5 bytes JMP 00000000773801e0 .text C:\Windows\System32\svchost.exe[2584] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007721d230 5 bytes JMP 0000000077380200 .text C:\Windows\System32\svchost.exe[2584] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007721d2a0 5 bytes JMP 00000000773801f0 .text C:\Windows\System32\svchost.exe[2584] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007721d300 5 bytes JMP 0000000077380430 .text C:\Windows\System32\svchost.exe[2584] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007721d310 5 bytes JMP 0000000077380450 .text C:\Windows\System32\svchost.exe[2584] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007721d320 5 bytes JMP 0000000077380210 .text C:\Windows\System32\svchost.exe[2584] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007721d400 5 bytes JMP 0000000077380270 .text C:\Windows\System32\svchost.exe[2688] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007721bbe0 5 bytes JMP 0000000077380480 .text C:\Windows\System32\svchost.exe[2688] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007721bc30 5 bytes JMP 0000000077380470 .text C:\Windows\System32\svchost.exe[2688] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007721bd90 5 bytes JMP 0000000077380360 .text C:\Windows\System32\svchost.exe[2688] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007721bde0 5 bytes JMP 0000000077380490 .text C:\Windows\System32\svchost.exe[2688] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007721bdf0 5 bytes JMP 00000000773803d0 .text C:\Windows\System32\svchost.exe[2688] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007721bea0 5 bytes JMP 0000000077380310 .text C:\Windows\System32\svchost.exe[2688] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007721bed0 5 bytes JMP 00000000773803a0 .text C:\Windows\System32\svchost.exe[2688] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007721bef0 1 byte JMP 0000000077380380 .text C:\Windows\System32\svchost.exe[2688] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 000000007721bef2 3 bytes {JMP 0x164490} .text C:\Windows\System32\svchost.exe[2688] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007721bf30 5 bytes JMP 00000000773802d0 .text C:\Windows\System32\svchost.exe[2688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007721bfb0 5 bytes JMP 00000000773802c0 .text C:\Windows\System32\svchost.exe[2688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007721bfd0 5 bytes JMP 0000000077380300 .text C:\Windows\System32\svchost.exe[2688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007721c010 5 bytes JMP 00000000773803b0 .text C:\Windows\System32\svchost.exe[2688] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007721c050 5 bytes JMP 0000000077380440 .text C:\Windows\System32\svchost.exe[2688] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007721c060 5 bytes JMP 00000000773803e0 .text C:\Windows\System32\svchost.exe[2688] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007721c1c0 5 bytes JMP 0000000077380220 .text C:\Windows\System32\svchost.exe[2688] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007721c380 5 bytes JMP 00000000773804a0 .text C:\Windows\System32\svchost.exe[2688] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007721c3b0 5 bytes JMP 0000000077380390 .text C:\Windows\System32\svchost.exe[2688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007721c490 5 bytes JMP 00000000773802e0 .text C:\Windows\System32\svchost.exe[2688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007721c4a0 5 bytes JMP 0000000077380340 .text C:\Windows\System32\svchost.exe[2688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007721c500 5 bytes JMP 0000000077380280 .text C:\Windows\System32\svchost.exe[2688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007721c590 5 bytes JMP 00000000773802a0 .text C:\Windows\System32\svchost.exe[2688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007721c5b0 5 bytes JMP 00000000773803c0 .text C:\Windows\System32\svchost.exe[2688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007721c5c0 5 bytes JMP 0000000077380320 .text C:\Windows\System32\svchost.exe[2688] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007721c630 5 bytes JMP 0000000077380410 .text C:\Windows\System32\svchost.exe[2688] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007721c660 5 bytes JMP 0000000077380230 .text C:\Windows\System32\svchost.exe[2688] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007721c800 5 bytes JMP 00000000773803f0 .text C:\Windows\System32\svchost.exe[2688] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007721c920 5 bytes JMP 00000000773801d0 .text C:\Windows\System32\svchost.exe[2688] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007721c9e0 5 bytes JMP 0000000077380240 .text C:\Windows\System32\svchost.exe[2688] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007721ca10 5 bytes JMP 00000000773804b0 .text C:\Windows\System32\svchost.exe[2688] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007721ca20 5 bytes JMP 00000000773804c0 .text C:\Windows\System32\svchost.exe[2688] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007721ca50 5 bytes JMP 00000000773802f0 .text C:\Windows\System32\svchost.exe[2688] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007721ca60 5 bytes JMP 0000000077380350 .text C:\Windows\System32\svchost.exe[2688] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007721cac0 5 bytes JMP 0000000077380290 .text C:\Windows\System32\svchost.exe[2688] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007721cb10 5 bytes JMP 00000000773802b0 .text C:\Windows\System32\svchost.exe[2688] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007721cb40 5 bytes JMP 0000000077380370 .text C:\Windows\System32\svchost.exe[2688] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007721cb50 5 bytes JMP 0000000077380330 .text C:\Windows\System32\svchost.exe[2688] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007721ce40 5 bytes JMP 0000000077380460 .text C:\Windows\System32\svchost.exe[2688] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 000000007721cfa0 5 bytes JMP 0000000077380420 .text C:\Windows\System32\svchost.exe[2688] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007721d040 5 bytes JMP 0000000077380250 .text C:\Windows\System32\svchost.exe[2688] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007721d050 5 bytes JMP 0000000077380260 .text C:\Windows\System32\svchost.exe[2688] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007721d060 5 bytes JMP 0000000077380400 .text C:\Windows\System32\svchost.exe[2688] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007721d220 5 bytes JMP 00000000773801e0 .text C:\Windows\System32\svchost.exe[2688] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007721d230 5 bytes JMP 0000000077380200 .text C:\Windows\System32\svchost.exe[2688] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007721d2a0 5 bytes JMP 00000000773801f0 .text C:\Windows\System32\svchost.exe[2688] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007721d300 5 bytes JMP 0000000077380430 .text C:\Windows\System32\svchost.exe[2688] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007721d310 5 bytes JMP 0000000077380450 .text C:\Windows\System32\svchost.exe[2688] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007721d320 5 bytes JMP 0000000077380210 .text C:\Windows\System32\svchost.exe[2688] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007721d400 5 bytes JMP 0000000077380270 .text C:\Windows\system32\svchost.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007721bbe0 5 bytes JMP 0000000077380480 .text C:\Windows\system32\svchost.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007721bc30 5 bytes JMP 0000000077380470 .text C:\Windows\system32\svchost.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007721bd90 5 bytes JMP 0000000077380360 .text C:\Windows\system32\svchost.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007721bde0 5 bytes JMP 0000000077380490 .text C:\Windows\system32\svchost.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007721bdf0 5 bytes JMP 00000000773803d0 .text C:\Windows\system32\svchost.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007721bea0 5 bytes JMP 0000000077380310 .text C:\Windows\system32\svchost.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007721bed0 5 bytes JMP 00000000773803a0 .text C:\Windows\system32\svchost.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007721bef0 1 byte JMP 0000000077380380 .text C:\Windows\system32\svchost.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 000000007721bef2 3 bytes {JMP 0x164490} .text C:\Windows\system32\svchost.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007721bf30 5 bytes JMP 00000000773802d0 .text C:\Windows\system32\svchost.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007721bfb0 5 bytes JMP 00000000773802c0 .text C:\Windows\system32\svchost.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007721bfd0 5 bytes JMP 0000000077380300 .text C:\Windows\system32\svchost.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007721c010 5 bytes JMP 00000000773803b0 .text C:\Windows\system32\svchost.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007721c050 5 bytes JMP 0000000077380440 .text C:\Windows\system32\svchost.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007721c060 5 bytes JMP 00000000773803e0 .text C:\Windows\system32\svchost.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007721c1c0 5 bytes JMP 0000000077380220 .text C:\Windows\system32\svchost.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007721c380 5 bytes JMP 00000000773804a0 .text C:\Windows\system32\svchost.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007721c3b0 5 bytes JMP 0000000077380390 .text C:\Windows\system32\svchost.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007721c490 5 bytes JMP 00000000773802e0 .text C:\Windows\system32\svchost.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007721c4a0 5 bytes JMP 0000000077380340 .text C:\Windows\system32\svchost.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007721c500 5 bytes JMP 0000000077380280 .text C:\Windows\system32\svchost.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007721c590 5 bytes JMP 00000000773802a0 .text C:\Windows\system32\svchost.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007721c5b0 5 bytes JMP 00000000773803c0 .text C:\Windows\system32\svchost.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007721c5c0 5 bytes JMP 0000000077380320 .text C:\Windows\system32\svchost.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007721c630 5 bytes JMP 0000000077380410 .text C:\Windows\system32\svchost.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007721c660 5 bytes JMP 0000000077380230 .text C:\Windows\system32\svchost.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007721c800 5 bytes JMP 00000000773803f0 .text C:\Windows\system32\svchost.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007721c920 5 bytes JMP 00000000773801d0 .text C:\Windows\system32\svchost.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007721c9e0 5 bytes JMP 0000000077380240 .text C:\Windows\system32\svchost.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007721ca10 5 bytes JMP 00000000773804b0 .text C:\Windows\system32\svchost.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007721ca20 5 bytes JMP 00000000773804c0 .text C:\Windows\system32\svchost.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007721ca50 5 bytes JMP 00000000773802f0 .text C:\Windows\system32\svchost.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007721ca60 5 bytes JMP 0000000077380350 .text C:\Windows\system32\svchost.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007721cac0 5 bytes JMP 0000000077380290 .text C:\Windows\system32\svchost.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007721cb10 5 bytes JMP 00000000773802b0 .text C:\Windows\system32\svchost.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007721cb40 5 bytes JMP 0000000077380370 .text C:\Windows\system32\svchost.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007721cb50 5 bytes JMP 0000000077380330 .text C:\Windows\system32\svchost.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007721ce40 5 bytes JMP 0000000077380460 .text C:\Windows\system32\svchost.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 000000007721cfa0 5 bytes JMP 0000000077380420 .text C:\Windows\system32\svchost.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007721d040 5 bytes JMP 0000000077380250 .text C:\Windows\system32\svchost.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007721d050 5 bytes JMP 0000000077380260 .text C:\Windows\system32\svchost.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007721d060 5 bytes JMP 0000000077380400 .text C:\Windows\system32\svchost.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007721d220 5 bytes JMP 00000000773801e0 .text C:\Windows\system32\svchost.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007721d230 5 bytes JMP 0000000077380200 .text C:\Windows\system32\svchost.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007721d2a0 5 bytes JMP 00000000773801f0 .text C:\Windows\system32\svchost.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007721d300 5 bytes JMP 0000000077380430 .text C:\Windows\system32\svchost.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007721d310 5 bytes JMP 0000000077380450 .text C:\Windows\system32\svchost.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007721d320 5 bytes JMP 0000000077380210 .text C:\Windows\system32\svchost.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007721d400 5 bytes JMP 0000000077380270 .text C:\Windows\system32\svchost.exe[2876] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007721bbe0 5 bytes JMP 0000000000070480 .text C:\Windows\system32\svchost.exe[2876] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007721bc30 5 bytes JMP 0000000000070470 .text C:\Windows\system32\svchost.exe[2876] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007721bd90 5 bytes JMP 0000000000070360 .text C:\Windows\system32\svchost.exe[2876] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007721bde0 5 bytes JMP 0000000000070490 .text C:\Windows\system32\svchost.exe[2876] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007721bdf0 5 bytes JMP 00000000000703d0 .text C:\Windows\system32\svchost.exe[2876] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007721bea0 5 bytes JMP 0000000000070310 .text C:\Windows\system32\svchost.exe[2876] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007721bed0 5 bytes JMP 00000000000703a0 .text C:\Windows\system32\svchost.exe[2876] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007721bef0 1 byte JMP 0000000000070380 .text C:\Windows\system32\svchost.exe[2876] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 000000007721bef2 3 bytes {JMP 0xffffffff88e54490} .text C:\Windows\system32\svchost.exe[2876] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007721bf30 5 bytes JMP 00000000000702d0 .text C:\Windows\system32\svchost.exe[2876] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007721bfb0 5 bytes JMP 00000000000702c0 .text C:\Windows\system32\svchost.exe[2876] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007721bfd0 5 bytes JMP 0000000000070300 .text C:\Windows\system32\svchost.exe[2876] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007721c010 5 bytes JMP 00000000000703b0 .text C:\Windows\system32\svchost.exe[2876] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007721c050 5 bytes JMP 0000000000070440 .text C:\Windows\system32\svchost.exe[2876] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007721c060 5 bytes JMP 00000000000703e0 .text C:\Windows\system32\svchost.exe[2876] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007721c1c0 5 bytes JMP 0000000000070220 .text C:\Windows\system32\svchost.exe[2876] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007721c380 5 bytes JMP 00000000000704a0 .text C:\Windows\system32\svchost.exe[2876] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007721c3b0 5 bytes JMP 0000000000070390 .text C:\Windows\system32\svchost.exe[2876] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007721c490 5 bytes JMP 00000000000702e0 .text C:\Windows\system32\svchost.exe[2876] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007721c4a0 5 bytes JMP 0000000000070340 .text C:\Windows\system32\svchost.exe[2876] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007721c500 5 bytes JMP 0000000000070280 .text C:\Windows\system32\svchost.exe[2876] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007721c590 5 bytes JMP 00000000000702a0 .text C:\Windows\system32\svchost.exe[2876] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007721c5b0 5 bytes JMP 00000000000703c0 .text C:\Windows\system32\svchost.exe[2876] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007721c5c0 5 bytes JMP 0000000000070320 .text C:\Windows\system32\svchost.exe[2876] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007721c630 5 bytes JMP 0000000000070410 .text C:\Windows\system32\svchost.exe[2876] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007721c660 5 bytes JMP 0000000000070230 .text C:\Windows\system32\svchost.exe[2876] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007721c800 5 bytes JMP 00000000000703f0 .text C:\Windows\system32\svchost.exe[2876] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007721c920 5 bytes JMP 00000000000701d0 .text C:\Windows\system32\svchost.exe[2876] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007721c9e0 5 bytes JMP 0000000000070240 .text C:\Windows\system32\svchost.exe[2876] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007721ca10 5 bytes JMP 00000000000704b0 .text C:\Windows\system32\svchost.exe[2876] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007721ca20 5 bytes JMP 00000000000704c0 .text C:\Windows\system32\svchost.exe[2876] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007721ca50 5 bytes JMP 00000000000702f0 .text C:\Windows\system32\svchost.exe[2876] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007721ca60 5 bytes JMP 0000000000070350 .text C:\Windows\system32\svchost.exe[2876] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007721cac0 5 bytes JMP 0000000000070290 .text C:\Windows\system32\svchost.exe[2876] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007721cb10 5 bytes JMP 00000000000702b0 .text C:\Windows\system32\svchost.exe[2876] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007721cb40 5 bytes JMP 0000000000070370 .text C:\Windows\system32\svchost.exe[2876] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007721cb50 5 bytes JMP 0000000000070330 .text C:\Windows\system32\svchost.exe[2876] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007721ce40 5 bytes JMP 0000000000070460 .text C:\Windows\system32\svchost.exe[2876] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 000000007721cfa0 5 bytes JMP 0000000000070420 .text C:\Windows\system32\svchost.exe[2876] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007721d040 5 bytes JMP 0000000000070250 .text C:\Windows\system32\svchost.exe[2876] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007721d050 5 bytes JMP 0000000000070260 .text C:\Windows\system32\svchost.exe[2876] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007721d060 5 bytes JMP 0000000000070400 .text C:\Windows\system32\svchost.exe[2876] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007721d220 5 bytes JMP 00000000000701e0 .text C:\Windows\system32\svchost.exe[2876] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007721d230 5 bytes JMP 0000000000070200 .text C:\Windows\system32\svchost.exe[2876] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007721d2a0 5 bytes JMP 00000000000701f0 .text C:\Windows\system32\svchost.exe[2876] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007721d300 5 bytes JMP 0000000000070430 .text C:\Windows\system32\svchost.exe[2876] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007721d310 5 bytes JMP 0000000000070450 .text C:\Windows\system32\svchost.exe[2876] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007721d320 5 bytes JMP 0000000000070210 .text C:\Windows\system32\svchost.exe[2876] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007721d400 5 bytes JMP 0000000000070270 .text C:\Windows\system32\svchost.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007721bbe0 5 bytes JMP 0000000077380480 .text C:\Windows\system32\svchost.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007721bc30 5 bytes JMP 0000000077380470 .text C:\Windows\system32\svchost.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007721bd90 5 bytes JMP 0000000077380360 .text C:\Windows\system32\svchost.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007721bde0 5 bytes JMP 0000000077380490 .text C:\Windows\system32\svchost.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007721bdf0 5 bytes JMP 00000000773803d0 .text C:\Windows\system32\svchost.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007721bea0 5 bytes JMP 0000000077380310 .text C:\Windows\system32\svchost.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007721bed0 5 bytes JMP 00000000773803a0 .text C:\Windows\system32\svchost.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007721bef0 1 byte JMP 0000000077380380 .text C:\Windows\system32\svchost.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 000000007721bef2 3 bytes {JMP 0x164490} .text C:\Windows\system32\svchost.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007721bf30 5 bytes JMP 00000000773802d0 .text C:\Windows\system32\svchost.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007721bfb0 5 bytes JMP 00000000773802c0 .text C:\Windows\system32\svchost.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007721bfd0 5 bytes JMP 0000000077380300 .text C:\Windows\system32\svchost.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007721c010 5 bytes JMP 00000000773803b0 .text C:\Windows\system32\svchost.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007721c050 5 bytes JMP 0000000077380440 .text C:\Windows\system32\svchost.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007721c060 5 bytes JMP 00000000773803e0 .text C:\Windows\system32\svchost.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007721c1c0 5 bytes JMP 0000000077380220 .text C:\Windows\system32\svchost.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007721c380 5 bytes JMP 00000000773804a0 .text C:\Windows\system32\svchost.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007721c3b0 5 bytes JMP 0000000077380390 .text C:\Windows\system32\svchost.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007721c490 5 bytes JMP 00000000773802e0 .text C:\Windows\system32\svchost.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007721c4a0 5 bytes JMP 0000000077380340 .text C:\Windows\system32\svchost.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007721c500 5 bytes JMP 0000000077380280 .text C:\Windows\system32\svchost.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007721c590 5 bytes JMP 00000000773802a0 .text C:\Windows\system32\svchost.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007721c5b0 5 bytes JMP 00000000773803c0 .text C:\Windows\system32\svchost.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007721c5c0 5 bytes JMP 0000000077380320 .text C:\Windows\system32\svchost.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007721c630 5 bytes JMP 0000000077380410 .text C:\Windows\system32\svchost.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007721c660 5 bytes JMP 0000000077380230 .text C:\Windows\system32\svchost.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007721c800 5 bytes JMP 00000000773803f0 .text C:\Windows\system32\svchost.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007721c920 5 bytes JMP 00000000773801d0 .text C:\Windows\system32\svchost.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007721c9e0 5 bytes JMP 0000000077380240 .text C:\Windows\system32\svchost.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007721ca10 5 bytes JMP 00000000773804b0 .text C:\Windows\system32\svchost.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007721ca20 5 bytes JMP 00000000773804c0 .text C:\Windows\system32\svchost.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007721ca50 5 bytes JMP 00000000773802f0 .text C:\Windows\system32\svchost.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007721ca60 5 bytes JMP 0000000077380350 .text C:\Windows\system32\svchost.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007721cac0 5 bytes JMP 0000000077380290 .text C:\Windows\system32\svchost.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007721cb10 5 bytes JMP 00000000773802b0 .text C:\Windows\system32\svchost.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007721cb40 5 bytes JMP 0000000077380370 .text C:\Windows\system32\svchost.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007721cb50 5 bytes JMP 0000000077380330 .text C:\Windows\system32\svchost.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007721ce40 5 bytes JMP 0000000077380460 .text C:\Windows\system32\svchost.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 000000007721cfa0 5 bytes JMP 0000000077380420 .text C:\Windows\system32\svchost.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007721d040 5 bytes JMP 0000000077380250 .text C:\Windows\system32\svchost.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007721d050 5 bytes JMP 0000000077380260 .text C:\Windows\system32\svchost.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007721d060 5 bytes JMP 0000000077380400 .text C:\Windows\system32\svchost.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007721d220 5 bytes JMP 00000000773801e0 .text C:\Windows\system32\svchost.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007721d230 5 bytes JMP 0000000077380200 .text C:\Windows\system32\svchost.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007721d2a0 5 bytes JMP 00000000773801f0 .text C:\Windows\system32\svchost.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007721d300 5 bytes JMP 0000000077380430 .text C:\Windows\system32\svchost.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007721d310 5 bytes JMP 0000000077380450 .text C:\Windows\system32\svchost.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007721d320 5 bytes JMP 0000000077380210 .text C:\Windows\system32\svchost.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007721d400 5 bytes JMP 0000000077380270 .text C:\Windows\system32\svchost.exe[3160] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007721bbe0 5 bytes JMP 0000000077380480 .text C:\Windows\system32\svchost.exe[3160] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007721bc30 5 bytes JMP 0000000077380470 .text C:\Windows\system32\svchost.exe[3160] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007721bd90 5 bytes JMP 0000000077380360 .text C:\Windows\system32\svchost.exe[3160] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007721bde0 5 bytes JMP 0000000077380490 .text C:\Windows\system32\svchost.exe[3160] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007721bdf0 5 bytes JMP 00000000773803d0 .text C:\Windows\system32\svchost.exe[3160] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007721bea0 5 bytes JMP 0000000077380310 .text C:\Windows\system32\svchost.exe[3160] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007721bed0 5 bytes JMP 00000000773803a0 .text C:\Windows\system32\svchost.exe[3160] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007721bef0 1 byte JMP 0000000077380380 .text C:\Windows\system32\svchost.exe[3160] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 000000007721bef2 3 bytes {JMP 0x164490} .text C:\Windows\system32\svchost.exe[3160] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007721bf30 5 bytes JMP 00000000773802d0 .text C:\Windows\system32\svchost.exe[3160] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007721bfb0 5 bytes JMP 00000000773802c0 .text C:\Windows\system32\svchost.exe[3160] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007721bfd0 5 bytes JMP 0000000077380300 .text C:\Windows\system32\svchost.exe[3160] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007721c010 5 bytes JMP 00000000773803b0 .text C:\Windows\system32\svchost.exe[3160] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007721c050 5 bytes JMP 0000000077380440 .text C:\Windows\system32\svchost.exe[3160] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007721c060 5 bytes JMP 00000000773803e0 .text C:\Windows\system32\svchost.exe[3160] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007721c1c0 5 bytes JMP 0000000077380220 .text C:\Windows\system32\svchost.exe[3160] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007721c380 5 bytes JMP 00000000773804a0 .text C:\Windows\system32\svchost.exe[3160] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007721c3b0 5 bytes JMP 0000000077380390 .text C:\Windows\system32\svchost.exe[3160] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007721c490 5 bytes JMP 00000000773802e0 .text C:\Windows\system32\svchost.exe[3160] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007721c4a0 5 bytes JMP 0000000077380340 .text C:\Windows\system32\svchost.exe[3160] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007721c500 5 bytes JMP 0000000077380280 .text C:\Windows\system32\svchost.exe[3160] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007721c590 5 bytes JMP 00000000773802a0 .text C:\Windows\system32\svchost.exe[3160] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007721c5b0 5 bytes JMP 00000000773803c0 .text C:\Windows\system32\svchost.exe[3160] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007721c5c0 5 bytes JMP 0000000077380320 .text C:\Windows\system32\svchost.exe[3160] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007721c630 5 bytes JMP 0000000077380410 .text C:\Windows\system32\svchost.exe[3160] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007721c660 5 bytes JMP 0000000077380230 .text C:\Windows\system32\svchost.exe[3160] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007721c800 5 bytes JMP 00000000773803f0 .text C:\Windows\system32\svchost.exe[3160] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007721c920 5 bytes JMP 00000000773801d0 .text C:\Windows\system32\svchost.exe[3160] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007721c9e0 5 bytes JMP 0000000077380240 .text C:\Windows\system32\svchost.exe[3160] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007721ca10 5 bytes JMP 00000000773804b0 .text C:\Windows\system32\svchost.exe[3160] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007721ca20 5 bytes JMP 00000000773804c0 .text C:\Windows\system32\svchost.exe[3160] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007721ca50 5 bytes JMP 00000000773802f0 .text C:\Windows\system32\svchost.exe[3160] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007721ca60 5 bytes JMP 0000000077380350 .text C:\Windows\system32\svchost.exe[3160] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007721cac0 5 bytes JMP 0000000077380290 .text C:\Windows\system32\svchost.exe[3160] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007721cb10 5 bytes JMP 00000000773802b0 .text C:\Windows\system32\svchost.exe[3160] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007721cb40 5 bytes JMP 0000000077380370 .text C:\Windows\system32\svchost.exe[3160] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007721cb50 5 bytes JMP 0000000077380330 .text C:\Windows\system32\svchost.exe[3160] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007721ce40 5 bytes JMP 0000000077380460 .text C:\Windows\system32\svchost.exe[3160] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 000000007721cfa0 5 bytes JMP 0000000077380420 .text C:\Windows\system32\svchost.exe[3160] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007721d040 5 bytes JMP 0000000077380250 .text C:\Windows\system32\svchost.exe[3160] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007721d050 5 bytes JMP 0000000077380260 .text C:\Windows\system32\svchost.exe[3160] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007721d060 5 bytes JMP 0000000077380400 .text C:\Windows\system32\svchost.exe[3160] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007721d220 5 bytes JMP 00000000773801e0 .text C:\Windows\system32\svchost.exe[3160] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007721d230 5 bytes JMP 0000000077380200 .text C:\Windows\system32\svchost.exe[3160] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007721d2a0 5 bytes JMP 00000000773801f0 .text C:\Windows\system32\svchost.exe[3160] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007721d300 5 bytes JMP 0000000077380430 .text C:\Windows\system32\svchost.exe[3160] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007721d310 5 bytes JMP 0000000077380450 .text C:\Windows\system32\svchost.exe[3160] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007721d320 5 bytes JMP 0000000077380210 .text C:\Windows\system32\svchost.exe[3160] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007721d400 5 bytes JMP 0000000077380270 .text C:\Windows\System32\rundll32.exe[3956] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007721bbe0 5 bytes JMP 0000000077380480 .text C:\Windows\System32\rundll32.exe[3956] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007721bc30 5 bytes JMP 0000000077380470 .text C:\Windows\System32\rundll32.exe[3956] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007721bd90 5 bytes JMP 0000000077380360 .text C:\Windows\System32\rundll32.exe[3956] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007721bde0 5 bytes JMP 0000000077380490 .text C:\Windows\System32\rundll32.exe[3956] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007721bdf0 5 bytes JMP 00000000773803d0 .text C:\Windows\System32\rundll32.exe[3956] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007721bea0 5 bytes JMP 0000000077380310 .text C:\Windows\System32\rundll32.exe[3956] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007721bed0 5 bytes JMP 00000000773803a0 .text C:\Windows\System32\rundll32.exe[3956] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007721bef0 1 byte JMP 0000000077380380 .text C:\Windows\System32\rundll32.exe[3956] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 000000007721bef2 3 bytes {JMP 0x164490} .text C:\Windows\System32\rundll32.exe[3956] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007721bf30 5 bytes JMP 00000000773802d0 .text C:\Windows\System32\rundll32.exe[3956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007721bfb0 5 bytes JMP 00000000773802c0 .text C:\Windows\System32\rundll32.exe[3956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007721bfd0 5 bytes JMP 0000000077380300 .text C:\Windows\System32\rundll32.exe[3956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007721c010 5 bytes JMP 00000000773803b0 .text C:\Windows\System32\rundll32.exe[3956] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007721c050 5 bytes JMP 0000000077380440 .text C:\Windows\System32\rundll32.exe[3956] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007721c060 5 bytes JMP 00000000773803e0 .text C:\Windows\System32\rundll32.exe[3956] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007721c1c0 5 bytes JMP 0000000077380220 .text C:\Windows\System32\rundll32.exe[3956] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007721c380 5 bytes JMP 00000000773804a0 .text C:\Windows\System32\rundll32.exe[3956] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007721c3b0 5 bytes JMP 0000000077380390 .text C:\Windows\System32\rundll32.exe[3956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007721c490 5 bytes JMP 00000000773802e0 .text C:\Windows\System32\rundll32.exe[3956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007721c4a0 5 bytes JMP 0000000077380340 .text C:\Windows\System32\rundll32.exe[3956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007721c500 5 bytes JMP 0000000077380280 .text C:\Windows\System32\rundll32.exe[3956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007721c590 5 bytes JMP 00000000773802a0 .text C:\Windows\System32\rundll32.exe[3956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007721c5b0 5 bytes JMP 00000000773803c0 .text C:\Windows\System32\rundll32.exe[3956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007721c5c0 5 bytes JMP 0000000077380320 .text C:\Windows\System32\rundll32.exe[3956] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007721c630 5 bytes JMP 0000000077380410 .text C:\Windows\System32\rundll32.exe[3956] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007721c660 5 bytes JMP 0000000077380230 .text C:\Windows\System32\rundll32.exe[3956] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007721c800 5 bytes JMP 00000000773803f0 .text C:\Windows\System32\rundll32.exe[3956] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007721c920 5 bytes JMP 00000000773801d0 .text C:\Windows\System32\rundll32.exe[3956] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007721c9e0 5 bytes JMP 0000000077380240 .text C:\Windows\System32\rundll32.exe[3956] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007721ca10 5 bytes JMP 00000000773804b0 .text C:\Windows\System32\rundll32.exe[3956] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007721ca20 5 bytes JMP 00000000773804c0 .text C:\Windows\System32\rundll32.exe[3956] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007721ca50 5 bytes JMP 00000000773802f0 .text C:\Windows\System32\rundll32.exe[3956] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007721ca60 5 bytes JMP 0000000077380350 .text C:\Windows\System32\rundll32.exe[3956] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007721cac0 5 bytes JMP 0000000077380290 .text C:\Windows\System32\rundll32.exe[3956] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007721cb10 5 bytes JMP 00000000773802b0 .text C:\Windows\System32\rundll32.exe[3956] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007721cb40 5 bytes JMP 0000000077380370 .text C:\Windows\System32\rundll32.exe[3956] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007721cb50 5 bytes JMP 0000000077380330 .text C:\Windows\System32\rundll32.exe[3956] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007721ce40 5 bytes JMP 0000000077380460 .text C:\Windows\System32\rundll32.exe[3956] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 000000007721cfa0 5 bytes JMP 0000000077380420 .text C:\Windows\System32\rundll32.exe[3956] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007721d040 5 bytes JMP 0000000077380250 .text C:\Windows\System32\rundll32.exe[3956] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007721d050 5 bytes JMP 0000000077380260 .text C:\Windows\System32\rundll32.exe[3956] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007721d060 5 bytes JMP 0000000077380400 .text C:\Windows\System32\rundll32.exe[3956] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007721d220 5 bytes JMP 00000000773801e0 .text C:\Windows\System32\rundll32.exe[3956] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007721d230 5 bytes JMP 0000000077380200 .text C:\Windows\System32\rundll32.exe[3956] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007721d2a0 5 bytes JMP 00000000773801f0 .text C:\Windows\System32\rundll32.exe[3956] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007721d300 5 bytes JMP 0000000077380430 .text C:\Windows\System32\rundll32.exe[3956] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007721d310 5 bytes JMP 0000000077380450 .text C:\Windows\System32\rundll32.exe[3956] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007721d320 5 bytes JMP 0000000077380210 .text C:\Windows\System32\rundll32.exe[3956] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007721d400 5 bytes JMP 0000000077380270 .text C:\Windows\system32\svchost.exe[4416] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007721bbe0 5 bytes JMP 0000000000070480 .text C:\Windows\system32\svchost.exe[4416] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007721bc30 5 bytes JMP 0000000000070470 .text C:\Windows\system32\svchost.exe[4416] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007721bd90 5 bytes JMP 0000000000070360 .text C:\Windows\system32\svchost.exe[4416] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007721bde0 5 bytes JMP 0000000000070490 .text C:\Windows\system32\svchost.exe[4416] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007721bdf0 5 bytes JMP 00000000000703d0 .text C:\Windows\system32\svchost.exe[4416] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007721bea0 5 bytes JMP 0000000000070310 .text C:\Windows\system32\svchost.exe[4416] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007721bed0 5 bytes JMP 00000000000703a0 .text C:\Windows\system32\svchost.exe[4416] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007721bef0 1 byte JMP 0000000000070380 .text C:\Windows\system32\svchost.exe[4416] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 000000007721bef2 3 bytes {JMP 0xffffffff88e54490} .text C:\Windows\system32\svchost.exe[4416] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007721bf30 5 bytes JMP 00000000000702d0 .text C:\Windows\system32\svchost.exe[4416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007721bfb0 5 bytes JMP 00000000000702c0 .text C:\Windows\system32\svchost.exe[4416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007721bfd0 5 bytes JMP 0000000000070300 .text C:\Windows\system32\svchost.exe[4416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007721c010 5 bytes JMP 00000000000703b0 .text C:\Windows\system32\svchost.exe[4416] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007721c050 5 bytes JMP 0000000000070440 .text C:\Windows\system32\svchost.exe[4416] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007721c060 5 bytes JMP 00000000000703e0 .text C:\Windows\system32\svchost.exe[4416] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007721c1c0 5 bytes JMP 0000000000070220 .text C:\Windows\system32\svchost.exe[4416] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007721c380 5 bytes JMP 00000000000704a0 .text C:\Windows\system32\svchost.exe[4416] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007721c3b0 5 bytes JMP 0000000000070390 .text C:\Windows\system32\svchost.exe[4416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007721c490 5 bytes JMP 00000000000702e0 .text C:\Windows\system32\svchost.exe[4416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007721c4a0 5 bytes JMP 0000000000070340 .text C:\Windows\system32\svchost.exe[4416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007721c500 5 bytes JMP 0000000000070280 .text C:\Windows\system32\svchost.exe[4416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007721c590 5 bytes JMP 00000000000702a0 .text C:\Windows\system32\svchost.exe[4416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007721c5b0 5 bytes JMP 00000000000703c0 .text C:\Windows\system32\svchost.exe[4416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007721c5c0 5 bytes JMP 0000000000070320 .text C:\Windows\system32\svchost.exe[4416] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007721c630 5 bytes JMP 0000000000070410 .text C:\Windows\system32\svchost.exe[4416] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007721c660 5 bytes JMP 0000000000070230 .text C:\Windows\system32\svchost.exe[4416] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007721c800 5 bytes JMP 00000000000703f0 .text C:\Windows\system32\svchost.exe[4416] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007721c920 5 bytes JMP 00000000000701d0 .text C:\Windows\system32\svchost.exe[4416] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007721c9e0 5 bytes JMP 0000000000070240 .text C:\Windows\system32\svchost.exe[4416] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007721ca10 5 bytes JMP 00000000000704b0 .text C:\Windows\system32\svchost.exe[4416] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007721ca20 5 bytes JMP 00000000000704c0 .text C:\Windows\system32\svchost.exe[4416] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007721ca50 5 bytes JMP 00000000000702f0 .text C:\Windows\system32\svchost.exe[4416] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007721ca60 5 bytes JMP 0000000000070350 .text C:\Windows\system32\svchost.exe[4416] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007721cac0 5 bytes JMP 0000000000070290 .text C:\Windows\system32\svchost.exe[4416] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007721cb10 5 bytes JMP 00000000000702b0 .text C:\Windows\system32\svchost.exe[4416] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007721cb40 5 bytes JMP 0000000000070370 .text C:\Windows\system32\svchost.exe[4416] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007721cb50 5 bytes JMP 0000000000070330 .text C:\Windows\system32\svchost.exe[4416] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007721ce40 5 bytes JMP 0000000000070460 .text C:\Windows\system32\svchost.exe[4416] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 000000007721cfa0 5 bytes JMP 0000000000070420 .text C:\Windows\system32\svchost.exe[4416] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007721d040 5 bytes JMP 0000000000070250 .text C:\Windows\system32\svchost.exe[4416] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007721d050 5 bytes JMP 0000000000070260 .text C:\Windows\system32\svchost.exe[4416] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007721d060 5 bytes JMP 0000000000070400 .text C:\Windows\system32\svchost.exe[4416] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007721d220 5 bytes JMP 00000000000701e0 .text C:\Windows\system32\svchost.exe[4416] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007721d230 5 bytes JMP 0000000000070200 .text C:\Windows\system32\svchost.exe[4416] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007721d2a0 5 bytes JMP 00000000000701f0 .text C:\Windows\system32\svchost.exe[4416] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007721d300 5 bytes JMP 0000000000070430 .text C:\Windows\system32\svchost.exe[4416] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007721d310 5 bytes JMP 0000000000070450 .text C:\Windows\system32\svchost.exe[4416] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007721d320 5 bytes JMP 0000000000070210 .text C:\Windows\system32\svchost.exe[4416] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007721d400 5 bytes JMP 0000000000070270 .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[4632] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076ee1401 2 bytes JMP 7504b263 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[4632] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000076ee1419 2 bytes JMP 7504b38e C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[4632] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000076ee1431 2 bytes JMP 750c90f1 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[4632] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000076ee144a 2 bytes CALL 750248ad C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[4632] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000076ee14dd 2 bytes JMP 750c89ea C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[4632] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000076ee14f5 2 bytes JMP 750c8bc0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[4632] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000076ee150d 2 bytes JMP 750c88e0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[4632] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000076ee1525 2 bytes JMP 750c8caa C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[4632] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000076ee153d 2 bytes JMP 7503fce8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[4632] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000076ee1555 2 bytes JMP 75046937 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[4632] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000076ee156d 2 bytes JMP 750c91a9 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[4632] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000076ee1585 2 bytes JMP 750c8d0a C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[4632] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000076ee159d 2 bytes JMP 750c88a4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[4632] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000076ee15b5 2 bytes JMP 7503fd81 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[4632] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000076ee15cd 2 bytes JMP 7504b324 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[4632] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000076ee16b2 2 bytes JMP 750c906c C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[4632] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000076ee16bd 2 bytes JMP 750c8839 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4820] C:\Windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter 0000000075028791 8 bytes [31, C0, C2, 04, 00, 90, 90, ...] .text C:\Windows\System32\svchost.exe[4848] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007721bbe0 5 bytes JMP 0000000077380480 .text C:\Windows\System32\svchost.exe[4848] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007721bc30 5 bytes JMP 0000000077380470 .text C:\Windows\System32\svchost.exe[4848] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007721bd90 5 bytes JMP 0000000077380360 .text C:\Windows\System32\svchost.exe[4848] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007721bde0 5 bytes JMP 0000000077380490 .text C:\Windows\System32\svchost.exe[4848] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007721bdf0 5 bytes JMP 00000000773803d0 .text C:\Windows\System32\svchost.exe[4848] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007721bea0 5 bytes JMP 0000000077380310 .text C:\Windows\System32\svchost.exe[4848] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007721bed0 5 bytes JMP 00000000773803a0 .text C:\Windows\System32\svchost.exe[4848] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007721bef0 1 byte JMP 0000000077380380 .text C:\Windows\System32\svchost.exe[4848] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 000000007721bef2 3 bytes {JMP 0x164490} .text C:\Windows\System32\svchost.exe[4848] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007721bf30 5 bytes JMP 00000000773802d0 .text C:\Windows\System32\svchost.exe[4848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007721bfb0 5 bytes JMP 00000000773802c0 .text C:\Windows\System32\svchost.exe[4848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007721bfd0 5 bytes JMP 0000000077380300 .text C:\Windows\System32\svchost.exe[4848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007721c010 5 bytes JMP 00000000773803b0 .text C:\Windows\System32\svchost.exe[4848] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007721c050 5 bytes JMP 0000000077380440 .text C:\Windows\System32\svchost.exe[4848] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007721c060 5 bytes JMP 00000000773803e0 .text C:\Windows\System32\svchost.exe[4848] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007721c1c0 5 bytes JMP 0000000077380220 .text C:\Windows\System32\svchost.exe[4848] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007721c380 5 bytes JMP 00000000773804a0 .text C:\Windows\System32\svchost.exe[4848] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007721c3b0 5 bytes JMP 0000000077380390 .text C:\Windows\System32\svchost.exe[4848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007721c490 5 bytes JMP 00000000773802e0 .text C:\Windows\System32\svchost.exe[4848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007721c4a0 5 bytes JMP 0000000077380340 .text C:\Windows\System32\svchost.exe[4848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007721c500 5 bytes JMP 0000000077380280 .text C:\Windows\System32\svchost.exe[4848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007721c590 5 bytes JMP 00000000773802a0 .text C:\Windows\System32\svchost.exe[4848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007721c5b0 5 bytes JMP 00000000773803c0 .text C:\Windows\System32\svchost.exe[4848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007721c5c0 5 bytes JMP 0000000077380320 .text C:\Windows\System32\svchost.exe[4848] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007721c630 5 bytes JMP 0000000077380410 .text C:\Windows\System32\svchost.exe[4848] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007721c660 5 bytes JMP 0000000077380230 .text C:\Windows\System32\svchost.exe[4848] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007721c800 5 bytes JMP 00000000773803f0 .text C:\Windows\System32\svchost.exe[4848] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007721c920 5 bytes JMP 00000000773801d0 .text C:\Windows\System32\svchost.exe[4848] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007721c9e0 5 bytes JMP 0000000077380240 .text C:\Windows\System32\svchost.exe[4848] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007721ca10 5 bytes JMP 00000000773804b0 .text C:\Windows\System32\svchost.exe[4848] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007721ca20 5 bytes JMP 00000000773804c0 .text C:\Windows\System32\svchost.exe[4848] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007721ca50 5 bytes JMP 00000000773802f0 .text C:\Windows\System32\svchost.exe[4848] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007721ca60 5 bytes JMP 0000000077380350 .text C:\Windows\System32\svchost.exe[4848] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007721cac0 5 bytes JMP 0000000077380290 .text C:\Windows\System32\svchost.exe[4848] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007721cb10 5 bytes JMP 00000000773802b0 .text C:\Windows\System32\svchost.exe[4848] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007721cb40 5 bytes JMP 0000000077380370 .text C:\Windows\System32\svchost.exe[4848] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007721cb50 5 bytes JMP 0000000077380330 .text C:\Windows\System32\svchost.exe[4848] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007721ce40 5 bytes JMP 0000000077380460 .text C:\Windows\System32\svchost.exe[4848] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 000000007721cfa0 5 bytes JMP 0000000077380420 .text C:\Windows\System32\svchost.exe[4848] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007721d040 5 bytes JMP 0000000077380250 .text C:\Windows\System32\svchost.exe[4848] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007721d050 5 bytes JMP 0000000077380260 .text C:\Windows\System32\svchost.exe[4848] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007721d060 5 bytes JMP 0000000077380400 .text C:\Windows\System32\svchost.exe[4848] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007721d220 5 bytes JMP 00000000773801e0 .text C:\Windows\System32\svchost.exe[4848] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007721d230 5 bytes JMP 0000000077380200 .text C:\Windows\System32\svchost.exe[4848] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007721d2a0 5 bytes JMP 00000000773801f0 .text C:\Windows\System32\svchost.exe[4848] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007721d300 5 bytes JMP 0000000077380430 .text C:\Windows\System32\svchost.exe[4848] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007721d310 5 bytes JMP 0000000077380450 .text C:\Windows\System32\svchost.exe[4848] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007721d320 5 bytes JMP 0000000077380210 .text C:\Windows\System32\svchost.exe[4848] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007721d400 5 bytes JMP 0000000077380270 .text C:\Windows\SysWOW64\RunDll32.exe[2840] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076ee1401 2 bytes JMP 7504b263 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\RunDll32.exe[2840] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000076ee1419 2 bytes JMP 7504b38e C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\RunDll32.exe[2840] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000076ee1431 2 bytes JMP 750c90f1 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\RunDll32.exe[2840] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000076ee144a 2 bytes CALL 750248ad C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Windows\SysWOW64\RunDll32.exe[2840] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000076ee14dd 2 bytes JMP 750c89ea C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\RunDll32.exe[2840] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000076ee14f5 2 bytes JMP 750c8bc0 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\RunDll32.exe[2840] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000076ee150d 2 bytes JMP 750c88e0 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\RunDll32.exe[2840] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000076ee1525 2 bytes JMP 750c8caa C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\RunDll32.exe[2840] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000076ee153d 2 bytes JMP 7503fce8 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\RunDll32.exe[2840] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000076ee1555 2 bytes JMP 75046937 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\RunDll32.exe[2840] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000076ee156d 2 bytes JMP 750c91a9 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\RunDll32.exe[2840] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000076ee1585 2 bytes JMP 750c8d0a C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\RunDll32.exe[2840] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000076ee159d 2 bytes JMP 750c88a4 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\RunDll32.exe[2840] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000076ee15b5 2 bytes JMP 7503fd81 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\RunDll32.exe[2840] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000076ee15cd 2 bytes JMP 7504b324 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\RunDll32.exe[2840] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000076ee16b2 2 bytes JMP 750c906c C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\RunDll32.exe[2840] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000076ee16bd 2 bytes JMP 750c8839 C:\Windows\syswow64\kernel32.dll .text C:\Windows\system32\DllHost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007721bbe0 5 bytes JMP 0000000077380480 .text C:\Windows\system32\DllHost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007721bc30 5 bytes JMP 0000000077380470 .text C:\Windows\system32\DllHost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007721bd90 5 bytes JMP 0000000077380360 .text C:\Windows\system32\DllHost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007721bde0 5 bytes JMP 0000000077380490 .text C:\Windows\system32\DllHost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007721bdf0 5 bytes JMP 00000000773803d0 .text C:\Windows\system32\DllHost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007721bea0 5 bytes JMP 0000000077380310 .text C:\Windows\system32\DllHost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007721bed0 5 bytes JMP 00000000773803a0 .text C:\Windows\system32\DllHost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007721bef0 1 byte JMP 0000000077380380 .text C:\Windows\system32\DllHost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 000000007721bef2 3 bytes {JMP 0x164490} .text C:\Windows\system32\DllHost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007721bf30 5 bytes JMP 00000000773802d0 .text C:\Windows\system32\DllHost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007721bfb0 5 bytes JMP 00000000773802c0 .text C:\Windows\system32\DllHost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007721bfd0 5 bytes JMP 0000000077380300 .text C:\Windows\system32\DllHost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007721c010 5 bytes JMP 00000000773803b0 .text C:\Windows\system32\DllHost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007721c050 5 bytes JMP 0000000077380440 .text C:\Windows\system32\DllHost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007721c060 5 bytes JMP 00000000773803e0 .text C:\Windows\system32\DllHost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007721c1c0 5 bytes JMP 0000000077380220 .text C:\Windows\system32\DllHost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007721c380 5 bytes JMP 00000000773804a0 .text C:\Windows\system32\DllHost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007721c3b0 5 bytes JMP 0000000077380390 .text C:\Windows\system32\DllHost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007721c490 5 bytes JMP 00000000773802e0 .text C:\Windows\system32\DllHost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007721c4a0 5 bytes JMP 0000000077380340 .text C:\Windows\system32\DllHost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007721c500 5 bytes JMP 0000000077380280 .text C:\Windows\system32\DllHost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007721c590 5 bytes JMP 00000000773802a0 .text C:\Windows\system32\DllHost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007721c5b0 5 bytes JMP 00000000773803c0 .text C:\Windows\system32\DllHost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007721c5c0 5 bytes JMP 0000000077380320 .text C:\Windows\system32\DllHost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007721c630 5 bytes JMP 0000000077380410 .text C:\Windows\system32\DllHost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007721c660 5 bytes JMP 0000000077380230 .text C:\Windows\system32\DllHost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007721c800 5 bytes JMP 00000000773803f0 .text C:\Windows\system32\DllHost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007721c920 5 bytes JMP 00000000773801d0 .text C:\Windows\system32\DllHost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007721c9e0 5 bytes JMP 0000000077380240 .text C:\Windows\system32\DllHost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007721ca10 5 bytes JMP 00000000773804b0 .text C:\Windows\system32\DllHost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007721ca20 5 bytes JMP 00000000773804c0 .text C:\Windows\system32\DllHost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007721ca50 5 bytes JMP 00000000773802f0 .text C:\Windows\system32\DllHost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007721ca60 5 bytes JMP 0000000077380350 .text C:\Windows\system32\DllHost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007721cac0 5 bytes JMP 0000000077380290 .text C:\Windows\system32\DllHost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007721cb10 5 bytes JMP 00000000773802b0 .text C:\Windows\system32\DllHost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007721cb40 5 bytes JMP 0000000077380370 .text C:\Windows\system32\DllHost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007721cb50 5 bytes JMP 0000000077380330 .text C:\Windows\system32\DllHost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007721ce40 5 bytes JMP 0000000077380460 .text C:\Windows\system32\DllHost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 000000007721cfa0 5 bytes JMP 0000000077380420 .text C:\Windows\system32\DllHost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007721d040 5 bytes JMP 0000000077380250 .text C:\Windows\system32\DllHost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007721d050 5 bytes JMP 0000000077380260 .text C:\Windows\system32\DllHost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007721d060 5 bytes JMP 0000000077380400 .text C:\Windows\system32\DllHost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007721d220 5 bytes JMP 00000000773801e0 .text C:\Windows\system32\DllHost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007721d230 5 bytes JMP 0000000077380200 .text C:\Windows\system32\DllHost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007721d2a0 5 bytes JMP 00000000773801f0 .text C:\Windows\system32\DllHost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007721d300 5 bytes JMP 0000000077380430 .text C:\Windows\system32\DllHost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007721d310 5 bytes JMP 0000000077380450 .text C:\Windows\system32\DllHost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007721d320 5 bytes JMP 0000000077380210 .text C:\Windows\system32\DllHost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007721d400 5 bytes JMP 0000000077380270 .text C:\Windows\system32\wbem\wmiprvse.exe[5748] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007721bbe0 5 bytes JMP 0000000077380480 .text C:\Windows\system32\wbem\wmiprvse.exe[5748] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007721bc30 5 bytes JMP 0000000077380470 .text C:\Windows\system32\wbem\wmiprvse.exe[5748] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007721bd90 5 bytes JMP 0000000077380360 .text C:\Windows\system32\wbem\wmiprvse.exe[5748] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007721bde0 5 bytes JMP 0000000077380490 .text C:\Windows\system32\wbem\wmiprvse.exe[5748] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007721bdf0 5 bytes JMP 00000000773803d0 .text C:\Windows\system32\wbem\wmiprvse.exe[5748] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007721bea0 5 bytes JMP 0000000077380310 .text C:\Windows\system32\wbem\wmiprvse.exe[5748] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007721bed0 5 bytes JMP 00000000773803a0 .text C:\Windows\system32\wbem\wmiprvse.exe[5748] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007721bef0 1 byte JMP 0000000077380380 .text C:\Windows\system32\wbem\wmiprvse.exe[5748] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 000000007721bef2 3 bytes {JMP 0x164490} .text C:\Windows\system32\wbem\wmiprvse.exe[5748] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007721bf30 5 bytes JMP 00000000773802d0 .text C:\Windows\system32\wbem\wmiprvse.exe[5748] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007721bfb0 5 bytes JMP 00000000773802c0 .text C:\Windows\system32\wbem\wmiprvse.exe[5748] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007721bfd0 5 bytes JMP 0000000077380300 .text C:\Windows\system32\wbem\wmiprvse.exe[5748] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007721c010 5 bytes JMP 00000000773803b0 .text C:\Windows\system32\wbem\wmiprvse.exe[5748] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007721c050 5 bytes JMP 0000000077380440 .text C:\Windows\system32\wbem\wmiprvse.exe[5748] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007721c060 5 bytes JMP 00000000773803e0 .text C:\Windows\system32\wbem\wmiprvse.exe[5748] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007721c1c0 5 bytes JMP 0000000077380220 .text C:\Windows\system32\wbem\wmiprvse.exe[5748] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007721c380 5 bytes JMP 00000000773804a0 .text C:\Windows\system32\wbem\wmiprvse.exe[5748] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007721c3b0 5 bytes JMP 0000000077380390 .text C:\Windows\system32\wbem\wmiprvse.exe[5748] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007721c490 5 bytes JMP 00000000773802e0 .text C:\Windows\system32\wbem\wmiprvse.exe[5748] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007721c4a0 5 bytes JMP 0000000077380340 .text C:\Windows\system32\wbem\wmiprvse.exe[5748] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007721c500 5 bytes JMP 0000000077380280 .text C:\Windows\system32\wbem\wmiprvse.exe[5748] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007721c590 5 bytes JMP 00000000773802a0 .text C:\Windows\system32\wbem\wmiprvse.exe[5748] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007721c5b0 5 bytes JMP 00000000773803c0 .text C:\Windows\system32\wbem\wmiprvse.exe[5748] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007721c5c0 5 bytes JMP 0000000077380320 .text C:\Windows\system32\wbem\wmiprvse.exe[5748] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007721c630 5 bytes JMP 0000000077380410 .text C:\Windows\system32\wbem\wmiprvse.exe[5748] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007721c660 5 bytes JMP 0000000077380230 .text C:\Windows\system32\wbem\wmiprvse.exe[5748] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007721c800 5 bytes JMP 00000000773803f0 .text C:\Windows\system32\wbem\wmiprvse.exe[5748] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007721c920 5 bytes JMP 00000000773801d0 .text C:\Windows\system32\wbem\wmiprvse.exe[5748] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007721c9e0 5 bytes JMP 0000000077380240 .text C:\Windows\system32\wbem\wmiprvse.exe[5748] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007721ca10 5 bytes JMP 00000000773804b0 .text C:\Windows\system32\wbem\wmiprvse.exe[5748] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007721ca20 5 bytes JMP 00000000773804c0 .text C:\Windows\system32\wbem\wmiprvse.exe[5748] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007721ca50 5 bytes JMP 00000000773802f0 .text C:\Windows\system32\wbem\wmiprvse.exe[5748] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007721ca60 5 bytes JMP 0000000077380350 .text C:\Windows\system32\wbem\wmiprvse.exe[5748] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007721cac0 5 bytes JMP 0000000077380290 .text C:\Windows\system32\wbem\wmiprvse.exe[5748] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007721cb10 5 bytes JMP 00000000773802b0 .text C:\Windows\system32\wbem\wmiprvse.exe[5748] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007721cb40 5 bytes JMP 0000000077380370 .text C:\Windows\system32\wbem\wmiprvse.exe[5748] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007721cb50 5 bytes JMP 0000000077380330 .text C:\Windows\system32\wbem\wmiprvse.exe[5748] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007721ce40 5 bytes JMP 0000000077380460 .text C:\Windows\system32\wbem\wmiprvse.exe[5748] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 000000007721cfa0 5 bytes JMP 0000000077380420 .text C:\Windows\system32\wbem\wmiprvse.exe[5748] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007721d040 5 bytes JMP 0000000077380250 .text C:\Windows\system32\wbem\wmiprvse.exe[5748] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007721d050 5 bytes JMP 0000000077380260 .text C:\Windows\system32\wbem\wmiprvse.exe[5748] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007721d060 5 bytes JMP 0000000077380400 .text C:\Windows\system32\wbem\wmiprvse.exe[5748] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007721d220 5 bytes JMP 00000000773801e0 .text C:\Windows\system32\wbem\wmiprvse.exe[5748] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007721d230 5 bytes JMP 0000000077380200 .text C:\Windows\system32\wbem\wmiprvse.exe[5748] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007721d2a0 5 bytes JMP 00000000773801f0 .text C:\Windows\system32\wbem\wmiprvse.exe[5748] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007721d300 5 bytes JMP 0000000077380430 .text C:\Windows\system32\wbem\wmiprvse.exe[5748] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007721d310 5 bytes JMP 0000000077380450 .text C:\Windows\system32\wbem\wmiprvse.exe[5748] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007721d320 5 bytes JMP 0000000077380210 .text C:\Windows\system32\wbem\wmiprvse.exe[5748] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007721d400 5 bytes JMP 0000000077380270 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5984] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076ee1401 2 bytes JMP 7504b263 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5984] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000076ee1419 2 bytes JMP 7504b38e C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5984] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000076ee1431 2 bytes JMP 750c90f1 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5984] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000076ee144a 2 bytes CALL 750248ad C:\Windows\syswow64\KERNEL32.dll .text ... * 9 .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5984] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000076ee14dd 2 bytes JMP 750c89ea C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5984] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000076ee14f5 2 bytes JMP 750c8bc0 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5984] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000076ee150d 2 bytes JMP 750c88e0 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5984] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000076ee1525 2 bytes JMP 750c8caa C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5984] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000076ee153d 2 bytes JMP 7503fce8 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5984] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000076ee1555 2 bytes JMP 75046937 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5984] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000076ee156d 2 bytes JMP 750c91a9 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5984] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000076ee1585 2 bytes JMP 750c8d0a C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5984] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000076ee159d 2 bytes JMP 750c88a4 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5984] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000076ee15b5 2 bytes JMP 7503fd81 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5984] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000076ee15cd 2 bytes JMP 7504b324 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5984] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000076ee16b2 2 bytes JMP 750c906c C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[5984] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000076ee16bd 2 bytes JMP 750c8839 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5820] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076ee1401 2 bytes JMP 7504b263 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5820] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000076ee1419 2 bytes JMP 7504b38e C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5820] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000076ee1431 2 bytes JMP 750c90f1 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5820] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000076ee144a 2 bytes CALL 750248ad C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5820] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000076ee14dd 2 bytes JMP 750c89ea C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5820] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000076ee14f5 2 bytes JMP 750c8bc0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5820] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000076ee150d 2 bytes JMP 750c88e0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5820] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000076ee1525 2 bytes JMP 750c8caa C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5820] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000076ee153d 2 bytes JMP 7503fce8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5820] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000076ee1555 2 bytes JMP 75046937 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5820] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000076ee156d 2 bytes JMP 750c91a9 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5820] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000076ee1585 2 bytes JMP 750c8d0a C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5820] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000076ee159d 2 bytes JMP 750c88a4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5820] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000076ee15b5 2 bytes JMP 7503fd81 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5820] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000076ee15cd 2 bytes JMP 7504b324 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5820] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000076ee16b2 2 bytes JMP 750c906c C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5820] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000076ee16bd 2 bytes JMP 750c8839 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[3668] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076ee1401 2 bytes JMP 7504b263 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[3668] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000076ee1419 2 bytes JMP 7504b38e C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[3668] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000076ee1431 2 bytes JMP 750c90f1 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[3668] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000076ee144a 2 bytes CALL 750248ad C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[3668] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000076ee14dd 2 bytes JMP 750c89ea C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[3668] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000076ee14f5 2 bytes JMP 750c8bc0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[3668] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000076ee150d 2 bytes JMP 750c88e0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[3668] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000076ee1525 2 bytes JMP 750c8caa C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[3668] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000076ee153d 2 bytes JMP 7503fce8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[3668] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000076ee1555 2 bytes JMP 75046937 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[3668] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000076ee156d 2 bytes JMP 750c91a9 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[3668] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000076ee1585 2 bytes JMP 750c8d0a C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[3668] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000076ee159d 2 bytes JMP 750c88a4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[3668] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000076ee15b5 2 bytes JMP 7503fd81 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[3668] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000076ee15cd 2 bytes JMP 7504b324 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[3668] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000076ee16b2 2 bytes JMP 750c906c C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[3668] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000076ee16bd 2 bytes JMP 750c8839 C:\Windows\syswow64\kernel32.dll ---- Threads - GMER 2.2 ---- Thread C:\Windows\System32\svchost.exe [1556:2652] 000007fef79e0360 Thread C:\Windows\System32\svchost.exe [1556:2656] 000007fef79be460 Thread C:\Windows\System32\svchost.exe [1556:2660] 000007fef79be450 Thread C:\Windows\System32\svchost.exe [1556:2664] 000007fef7985570 Thread C:\Windows\System32\svchost.exe [1556:2668] 000007fef79ba130 Thread C:\Windows\System32\svchost.exe [1556:2672] 000007fef7985560 Thread C:\Windows\System32\svchost.exe [1556:2676] 000007fef7a082a0 Thread C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe [3136:5412] 000000001ba63e68 ---- Registry - GMER 2.2 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters\Instup_14734297328632280@SetupOperations ??????????????????\??????????????????????????????????????????|???3??dr????N????????????Dad??Bluetooth Audio?????????????????????????6.1.7600.16385???????????????????????????????:???????????????z???g????????????????????????????????X???????????????"?????????????Microsoft?????????????????????????X?????????????aticfx64.dll?aticfx64.dll?aticfx64.dll??65???????????????????????????????????????????d??,-??????????????????????????????????????????????????WinUSB???????????????W??00???????????????????????????????????????e??s???????NT??????????????????????????@ksfilter.inf,%mstee.devicedesc%;Konwerter strumieni Tee/Sink-to-Sink Microsoft Streaming????????????4???d????*??????0?????????n????@ksfilter.inf,%mspqm.devicedesc%;Serwer proxy mened?era jako?ci Microsoft Streaming?????aticfx32.dll?aticfx32.dll?aticfx32.dll???????$??????????????????????????d-???????????????d???????????\??00??????????????????????ta??????????????ir??????????????????? ???????z???????????g?0????????????????????? ???????z?????????????0??????????????????? Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters\Instup_14734298517982280@SetupOperations ?????????????????????????6??????????????????????????????????disk_install????BTH\MS_BTHPAN???P???????Mc???????????????????????????????????????????????????5??????????? ?????????????????????,????????P?/???????????????????X??????????????????????????????????????????,???????????d??aticfx64?aticfx64?aticfx64?aticfx32?aticfx32?aticfx32?atiumd64?atidxx64?atidxx64?atiumdag?atidxx32?atidxx32?atiumdva?atiumd6a?atitmm64???/???????????????????????y???????????9?????????Tcp???$???????e???????????????????????????????????????????????M??FE??? ???????(??????s????????????????????????????????????????-???z???????d??6-21-2006????$???????????????????????????????????????????e??t???????ip??????????????????6-21-2006?????????????????????????????s?????? ???:???3??????????????????? ???????&??????d???bth\ms_bthbrb????????????????????????????d??? ??????????????t???? ??????????????????????????????????????????Stacja dysk?w????????????"???????????????????h????N??????????????????????????????{????????????????????????(?????????????6.1.7601.17889? Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\f82fa8f2c508 Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\f82fa8f2c508@e063e5293c79 0xD1 0xBF 0xB8 0xF9 ... Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\f82fa8f2c508@90c115a8f0cd 0x26 0xDA 0x2C 0xB4 ... Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters\Instup_14734297328632280@SetupOperations ?????U??? ???????b?????????????*????????????&???????????????????????@keyboard.inf,%hid.keyboarddevice%;Urz?dzenie klawiatury HID????????????? ?????????????????????0????????????????????oem62.inf:WIDCOMM.NTamd64...1:BTWNULL:6.5.1.2500:bthenum\{00001105-0000-1000-8000-00805f9b34fb}_localmfg&000f???? ?????????????????????0????????????????????? ?????????????????????0????????????????????? ?????????????????????0????????????&???????????????????????? ?????????????????????0????????????????????? ?????????????????????0????????????????????@system32\DRIVERS\BthEnum.sys,#1;Zewn?trzne urz?dzenie Bluetooth????? ?????????????????????0????????????????????? ?????????????????????0????????????????????? ?????????????????????0????????????????????? ?????????????????????0????????????????????????????????????? ?????????????????????0????????????&???????????????????????????????????????????????????,????????????????????????????????????????????????????????????????????????????????0????????????????????????????????????????????????????????????? Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters\Instup_14734298517982280@SetupOperations ????ni???????????o???e??????????????????????????? ?????????????????????0????????????????????Dot4Print_Inst????????X?????????????? ?????????????????????0????????????????????? ???????????????????~?0????????????????????? ?????????????????????0????????????????????? ???????????????????~?0????????????????????????????? ?????????????????????0????????????????????????????? ???????????????????t?0????????????????????????????? ???????????????????????????4??????????? ????????????????????????H???????????????????????????????????????_016??? ?????????????????????0????????L???????????Sterownik woluminu systemu plik?w WPD???Cruzer Micro ?devicename%;Sterownik woluminu systemu plik?w WPD????????????4?????????????????????Intel(R) HD Graphics 4000??????????????????e??????????????????????e?????? ?????????????????????????????????e????????????????????????????????????????????????????? ??????????????????? ???????????????????s??????????????$???????????????????????? ???????????????????s??????????????$?????????????????????????????????? Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\f82fa8f2c508 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\f82fa8f2c508@e063e5293c79 0xD1 0xBF 0xB8 0xF9 ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\f82fa8f2c508@90c115a8f0cd 0x26 0xDA 0x2C 0xB4 ... ---- EOF - GMER 2.2 ----