GMER 2.2.19882 - http://www.gmer.net Rootkit scan 2017-01-02 20:19:43 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 WDC_WD50 rev.01.0 465,76GB Running: tm19kruf.exe; Driver: C:\Users\Dom\AppData\Local\Temp\pwldapow.sys ---- User code sections - GMER 2.2 ---- .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007712bbe0 5 bytes JMP 0000000049bb0480 .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007712bc30 5 bytes JMP 0000000049bb0470 .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007712bd90 5 bytes JMP 0000000049bb0360 .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007712bde0 5 bytes JMP 0000000049bb0490 .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007712bdf0 5 bytes JMP 0000000049bb03d0 .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007712bea0 5 bytes JMP 0000000049bb0310 .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007712bed0 5 bytes JMP 0000000049bb03a0 .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007712bef0 1 byte JMP 0000000049bb0380 .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 000000007712bef2 3 bytes {JMP 0xffffffffd2a84490} .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007712bf30 5 bytes JMP 0000000049bb02d0 .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007712bfb0 5 bytes JMP 0000000049bb02c0 .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007712bfd0 5 bytes JMP 0000000049bb0300 .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007712c010 5 bytes JMP 0000000049bb03b0 .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007712c050 5 bytes JMP 0000000049bb0440 .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007712c060 5 bytes JMP 0000000049bb03e0 .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007712c1c0 5 bytes JMP 0000000049bb0220 .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007712c380 5 bytes JMP 0000000049bb04a0 .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007712c3b0 5 bytes JMP 0000000049bb0390 .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007712c490 5 bytes JMP 0000000049bb02e0 .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007712c4a0 5 bytes JMP 0000000049bb0340 .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007712c500 5 bytes JMP 0000000049bb0280 .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007712c590 5 bytes JMP 0000000049bb02a0 .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007712c5b0 5 bytes JMP 0000000049bb03c0 .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007712c5c0 5 bytes JMP 0000000049bb0320 .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007712c630 5 bytes JMP 0000000049bb0410 .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007712c660 5 bytes JMP 0000000049bb0230 .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007712c800 5 bytes JMP 0000000049bb03f0 .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007712c920 5 bytes JMP 0000000049bb01d0 .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007712c9e0 5 bytes JMP 0000000049bb0240 .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007712ca10 5 bytes JMP 0000000049bb04b0 .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007712ca20 5 bytes JMP 0000000049bb04c0 .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007712ca50 5 bytes JMP 0000000049bb02f0 .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007712ca60 5 bytes JMP 0000000049bb0350 .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007712cac0 5 bytes JMP 0000000049bb0290 .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007712cb10 5 bytes JMP 0000000049bb02b0 .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007712cb40 5 bytes JMP 0000000049bb0370 .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007712cb50 5 bytes JMP 0000000049bb0330 .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007712ce40 5 bytes JMP 0000000049bb0460 .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 000000007712cfa0 5 bytes JMP 0000000049bb0420 .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007712d040 5 bytes JMP 0000000049bb0250 .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007712d050 5 bytes JMP 0000000049bb0260 .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007712d060 5 bytes JMP 0000000049bb0400 .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007712d220 5 bytes JMP 0000000049bb01e0 .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007712d230 5 bytes JMP 0000000049bb0200 .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007712d2a0 5 bytes JMP 0000000049bb01f0 .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007712d300 5 bytes JMP 0000000049bb0430 .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007712d310 5 bytes JMP 0000000049bb0450 .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007712d320 5 bytes JMP 0000000049bb0210 .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007712d400 5 bytes JMP 0000000049bb0270 .text C:\Windows\system32\csrss.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007712bbe0 5 bytes JMP 0000000049bb0480 .text C:\Windows\system32\csrss.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007712bc30 5 bytes JMP 0000000049bb0470 .text C:\Windows\system32\csrss.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007712bd90 5 bytes JMP 0000000049bb0360 .text C:\Windows\system32\csrss.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007712bde0 5 bytes JMP 0000000049bb0490 .text C:\Windows\system32\csrss.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007712bdf0 5 bytes JMP 0000000049bb03d0 .text C:\Windows\system32\csrss.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007712bea0 5 bytes JMP 0000000049bb0310 .text C:\Windows\system32\csrss.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007712bed0 5 bytes JMP 0000000049bb03a0 .text C:\Windows\system32\csrss.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007712bef0 1 byte JMP 0000000049bb0380 .text C:\Windows\system32\csrss.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 000000007712bef2 3 bytes {JMP 0xffffffffd2a84490} .text C:\Windows\system32\csrss.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007712bf30 5 bytes JMP 0000000049bb02d0 .text C:\Windows\system32\csrss.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007712bfb0 5 bytes JMP 0000000049bb02c0 .text C:\Windows\system32\csrss.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007712bfd0 5 bytes JMP 0000000049bb0300 .text C:\Windows\system32\csrss.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007712c010 5 bytes JMP 0000000049bb03b0 .text C:\Windows\system32\csrss.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007712c050 5 bytes JMP 0000000049bb0440 .text C:\Windows\system32\csrss.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007712c060 5 bytes JMP 0000000049bb03e0 .text C:\Windows\system32\csrss.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007712c1c0 5 bytes JMP 0000000049bb0220 .text C:\Windows\system32\csrss.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007712c380 5 bytes JMP 0000000049bb04a0 .text C:\Windows\system32\csrss.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007712c3b0 5 bytes JMP 0000000049bb0390 .text C:\Windows\system32\csrss.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007712c490 5 bytes JMP 0000000049bb02e0 .text C:\Windows\system32\csrss.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007712c4a0 5 bytes JMP 0000000049bb0340 .text C:\Windows\system32\csrss.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007712c500 5 bytes JMP 0000000049bb0280 .text C:\Windows\system32\csrss.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007712c590 5 bytes JMP 0000000049bb02a0 .text C:\Windows\system32\csrss.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007712c5b0 5 bytes JMP 0000000049bb03c0 .text C:\Windows\system32\csrss.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007712c5c0 5 bytes JMP 0000000049bb0320 .text C:\Windows\system32\csrss.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007712c630 5 bytes JMP 0000000049bb0410 .text C:\Windows\system32\csrss.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007712c660 5 bytes JMP 0000000049bb0230 .text C:\Windows\system32\csrss.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007712c800 5 bytes JMP 0000000049bb03f0 .text C:\Windows\system32\csrss.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007712c920 5 bytes JMP 0000000049bb01d0 .text C:\Windows\system32\csrss.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007712c9e0 5 bytes JMP 0000000049bb0240 .text C:\Windows\system32\csrss.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007712ca10 5 bytes JMP 0000000049bb04b0 .text C:\Windows\system32\csrss.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007712ca20 5 bytes JMP 0000000049bb04c0 .text C:\Windows\system32\csrss.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007712ca50 5 bytes JMP 0000000049bb02f0 .text C:\Windows\system32\csrss.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007712ca60 5 bytes JMP 0000000049bb0350 .text C:\Windows\system32\csrss.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007712cac0 5 bytes JMP 0000000049bb0290 .text C:\Windows\system32\csrss.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007712cb10 5 bytes JMP 0000000049bb02b0 .text C:\Windows\system32\csrss.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007712cb40 5 bytes JMP 0000000049bb0370 .text C:\Windows\system32\csrss.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007712cb50 5 bytes JMP 0000000049bb0330 .text C:\Windows\system32\csrss.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007712ce40 5 bytes JMP 0000000049bb0460 .text C:\Windows\system32\csrss.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 000000007712cfa0 5 bytes JMP 0000000049bb0420 .text C:\Windows\system32\csrss.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007712d040 5 bytes JMP 0000000049bb0250 .text C:\Windows\system32\csrss.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007712d050 5 bytes JMP 0000000049bb0260 .text C:\Windows\system32\csrss.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007712d060 5 bytes JMP 0000000049bb0400 .text C:\Windows\system32\csrss.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007712d220 5 bytes JMP 0000000049bb01e0 .text C:\Windows\system32\csrss.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007712d230 5 bytes JMP 0000000049bb0200 .text C:\Windows\system32\csrss.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007712d2a0 5 bytes JMP 0000000049bb01f0 .text C:\Windows\system32\csrss.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007712d300 5 bytes JMP 0000000049bb0430 .text C:\Windows\system32\csrss.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007712d310 5 bytes JMP 0000000049bb0450 .text C:\Windows\system32\csrss.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007712d320 5 bytes JMP 0000000049bb0210 .text C:\Windows\system32\csrss.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007712d400 5 bytes JMP 0000000049bb0270 .text C:\Windows\system32\lsass.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007712bbe0 5 bytes JMP 0000000077290480 .text C:\Windows\system32\lsass.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007712bc30 5 bytes JMP 0000000077290470 .text C:\Windows\system32\lsass.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007712bd90 5 bytes JMP 0000000077290360 .text C:\Windows\system32\lsass.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007712bde0 5 bytes JMP 0000000077290490 .text C:\Windows\system32\lsass.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007712bdf0 5 bytes JMP 00000000772903d0 .text C:\Windows\system32\lsass.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007712bea0 5 bytes JMP 0000000077290310 .text C:\Windows\system32\lsass.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007712bed0 5 bytes JMP 00000000772903a0 .text C:\Windows\system32\lsass.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007712bef0 1 byte JMP 0000000077290380 .text C:\Windows\system32\lsass.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 000000007712bef2 3 bytes {JMP 0x164490} .text C:\Windows\system32\lsass.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007712bf30 5 bytes JMP 00000000772902d0 .text C:\Windows\system32\lsass.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007712bfb0 5 bytes JMP 00000000772902c0 .text C:\Windows\system32\lsass.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007712bfd0 5 bytes JMP 0000000077290300 .text C:\Windows\system32\lsass.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007712c010 5 bytes JMP 00000000772903b0 .text C:\Windows\system32\lsass.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007712c050 5 bytes JMP 0000000077290440 .text C:\Windows\system32\lsass.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007712c060 5 bytes JMP 00000000772903e0 .text C:\Windows\system32\lsass.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007712c1c0 5 bytes JMP 0000000077290220 .text C:\Windows\system32\lsass.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007712c380 5 bytes JMP 00000000772904a0 .text C:\Windows\system32\lsass.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007712c3b0 5 bytes JMP 0000000077290390 .text C:\Windows\system32\lsass.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007712c490 5 bytes JMP 00000000772902e0 .text C:\Windows\system32\lsass.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007712c4a0 5 bytes JMP 0000000077290340 .text C:\Windows\system32\lsass.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007712c500 5 bytes JMP 0000000077290280 .text C:\Windows\system32\lsass.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007712c590 5 bytes JMP 00000000772902a0 .text C:\Windows\system32\lsass.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007712c5b0 5 bytes JMP 00000000772903c0 .text C:\Windows\system32\lsass.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007712c5c0 5 bytes JMP 0000000077290320 .text C:\Windows\system32\lsass.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007712c630 5 bytes JMP 0000000077290410 .text C:\Windows\system32\lsass.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007712c660 5 bytes JMP 0000000077290230 .text C:\Windows\system32\lsass.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007712c800 5 bytes JMP 00000000772903f0 .text C:\Windows\system32\lsass.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007712c920 5 bytes JMP 00000000772901d0 .text C:\Windows\system32\lsass.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007712c9e0 5 bytes JMP 0000000077290240 .text C:\Windows\system32\lsass.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007712ca10 5 bytes JMP 00000000772904b0 .text C:\Windows\system32\lsass.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007712ca20 5 bytes JMP 00000000772904c0 .text C:\Windows\system32\lsass.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007712ca50 5 bytes JMP 00000000772902f0 .text C:\Windows\system32\lsass.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007712ca60 5 bytes JMP 0000000077290350 .text C:\Windows\system32\lsass.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007712cac0 5 bytes JMP 0000000077290290 .text C:\Windows\system32\lsass.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007712cb10 5 bytes JMP 00000000772902b0 .text C:\Windows\system32\lsass.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007712cb40 5 bytes JMP 0000000077290370 .text C:\Windows\system32\lsass.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007712cb50 5 bytes JMP 0000000077290330 .text C:\Windows\system32\lsass.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007712ce40 5 bytes JMP 0000000077290460 .text C:\Windows\system32\lsass.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 000000007712cfa0 5 bytes JMP 0000000077290420 .text C:\Windows\system32\lsass.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007712d040 5 bytes JMP 0000000077290250 .text C:\Windows\system32\lsass.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007712d050 5 bytes JMP 0000000077290260 .text C:\Windows\system32\lsass.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007712d060 5 bytes JMP 0000000077290400 .text C:\Windows\system32\lsass.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007712d220 5 bytes JMP 00000000772901e0 .text C:\Windows\system32\lsass.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007712d230 5 bytes JMP 0000000077290200 .text C:\Windows\system32\lsass.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007712d2a0 5 bytes JMP 00000000772901f0 .text C:\Windows\system32\lsass.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007712d300 5 bytes JMP 0000000077290430 .text C:\Windows\system32\lsass.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007712d310 5 bytes JMP 0000000077290450 .text C:\Windows\system32\lsass.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007712d320 5 bytes JMP 0000000077290210 .text C:\Windows\system32\lsass.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007712d400 5 bytes JMP 0000000077290270 .text C:\Windows\system32\lsm.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007712bbe0 5 bytes JMP 0000000077290480 .text C:\Windows\system32\lsm.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007712bc30 5 bytes JMP 0000000077290470 .text C:\Windows\system32\lsm.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007712bd90 5 bytes JMP 0000000077290360 .text C:\Windows\system32\lsm.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007712bde0 5 bytes JMP 0000000077290490 .text C:\Windows\system32\lsm.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007712bdf0 5 bytes JMP 00000000772903d0 .text C:\Windows\system32\lsm.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007712bea0 5 bytes JMP 0000000077290310 .text C:\Windows\system32\lsm.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007712bed0 5 bytes JMP 00000000772903a0 .text C:\Windows\system32\lsm.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007712bef0 1 byte JMP 0000000077290380 .text C:\Windows\system32\lsm.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 000000007712bef2 3 bytes {JMP 0x164490} .text C:\Windows\system32\lsm.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007712bf30 5 bytes JMP 00000000772902d0 .text C:\Windows\system32\lsm.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007712bfb0 5 bytes JMP 00000000772902c0 .text C:\Windows\system32\lsm.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007712bfd0 5 bytes JMP 0000000077290300 .text C:\Windows\system32\lsm.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007712c010 5 bytes JMP 00000000772903b0 .text C:\Windows\system32\lsm.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007712c050 5 bytes JMP 0000000077290440 .text C:\Windows\system32\lsm.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007712c060 5 bytes JMP 00000000772903e0 .text C:\Windows\system32\lsm.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007712c1c0 5 bytes JMP 0000000077290220 .text C:\Windows\system32\lsm.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007712c380 5 bytes JMP 00000000772904a0 .text C:\Windows\system32\lsm.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007712c3b0 5 bytes JMP 0000000077290390 .text C:\Windows\system32\lsm.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007712c490 5 bytes JMP 00000000772902e0 .text C:\Windows\system32\lsm.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007712c4a0 5 bytes JMP 0000000077290340 .text C:\Windows\system32\lsm.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007712c500 5 bytes JMP 0000000077290280 .text C:\Windows\system32\lsm.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007712c590 5 bytes JMP 00000000772902a0 .text C:\Windows\system32\lsm.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007712c5b0 5 bytes JMP 00000000772903c0 .text C:\Windows\system32\lsm.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007712c5c0 5 bytes JMP 0000000077290320 .text C:\Windows\system32\lsm.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007712c630 5 bytes JMP 0000000077290410 .text C:\Windows\system32\lsm.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007712c660 5 bytes JMP 0000000077290230 .text C:\Windows\system32\lsm.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007712c800 5 bytes JMP 00000000772903f0 .text C:\Windows\system32\lsm.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007712c920 5 bytes JMP 00000000772901d0 .text C:\Windows\system32\lsm.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007712c9e0 5 bytes JMP 0000000077290240 .text C:\Windows\system32\lsm.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007712ca10 5 bytes JMP 00000000772904b0 .text C:\Windows\system32\lsm.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007712ca20 5 bytes JMP 00000000772904c0 .text C:\Windows\system32\lsm.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007712ca50 5 bytes JMP 00000000772902f0 .text C:\Windows\system32\lsm.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007712ca60 5 bytes JMP 0000000077290350 .text C:\Windows\system32\lsm.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007712cac0 5 bytes JMP 0000000077290290 .text C:\Windows\system32\lsm.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007712cb10 5 bytes JMP 00000000772902b0 .text C:\Windows\system32\lsm.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007712cb40 5 bytes JMP 0000000077290370 .text C:\Windows\system32\lsm.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007712cb50 5 bytes JMP 0000000077290330 .text C:\Windows\system32\lsm.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007712ce40 5 bytes JMP 0000000077290460 .text C:\Windows\system32\lsm.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 000000007712cfa0 5 bytes JMP 0000000077290420 .text C:\Windows\system32\lsm.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007712d040 5 bytes JMP 0000000077290250 .text C:\Windows\system32\lsm.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007712d050 5 bytes JMP 0000000077290260 .text C:\Windows\system32\lsm.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007712d060 5 bytes JMP 0000000077290400 .text C:\Windows\system32\lsm.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007712d220 5 bytes JMP 00000000772901e0 .text C:\Windows\system32\lsm.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007712d230 5 bytes JMP 0000000077290200 .text C:\Windows\system32\lsm.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007712d2a0 5 bytes JMP 00000000772901f0 .text C:\Windows\system32\lsm.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007712d300 5 bytes JMP 0000000077290430 .text C:\Windows\system32\lsm.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007712d310 5 bytes JMP 0000000077290450 .text C:\Windows\system32\lsm.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007712d320 5 bytes JMP 0000000077290210 .text C:\Windows\system32\lsm.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007712d400 5 bytes JMP 0000000077290270 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007712bbe0 5 bytes JMP 0000000077290480 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007712bc30 5 bytes JMP 0000000077290470 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007712bd90 5 bytes JMP 0000000077290360 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007712bde0 5 bytes JMP 0000000077290490 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007712bdf0 5 bytes JMP 00000000772903d0 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007712bea0 5 bytes JMP 0000000077290310 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007712bed0 5 bytes JMP 00000000772903a0 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007712bef0 1 byte JMP 0000000077290380 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 000000007712bef2 3 bytes {JMP 0x164490} .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007712bf30 5 bytes JMP 00000000772902d0 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007712bfb0 5 bytes JMP 00000000772902c0 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007712bfd0 5 bytes JMP 0000000077290300 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007712c010 5 bytes JMP 00000000772903b0 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007712c050 5 bytes JMP 0000000077290440 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007712c060 5 bytes JMP 00000000772903e0 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007712c1c0 5 bytes JMP 0000000077290220 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007712c380 5 bytes JMP 00000000772904a0 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007712c3b0 5 bytes JMP 0000000077290390 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007712c490 5 bytes JMP 00000000772902e0 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007712c4a0 5 bytes JMP 0000000077290340 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007712c500 5 bytes JMP 0000000077290280 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007712c590 5 bytes JMP 00000000772902a0 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007712c5b0 5 bytes JMP 00000000772903c0 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007712c5c0 5 bytes JMP 0000000077290320 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007712c630 5 bytes JMP 0000000077290410 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007712c660 5 bytes JMP 0000000077290230 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007712c800 5 bytes JMP 00000000772903f0 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007712c920 5 bytes JMP 00000000772901d0 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007712c9e0 5 bytes JMP 0000000077290240 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007712ca10 5 bytes JMP 00000000772904b0 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007712ca20 5 bytes JMP 00000000772904c0 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007712ca50 5 bytes JMP 00000000772902f0 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007712ca60 5 bytes JMP 0000000077290350 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007712cac0 5 bytes JMP 0000000077290290 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007712cb10 5 bytes JMP 00000000772902b0 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007712cb40 5 bytes JMP 0000000077290370 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007712cb50 5 bytes JMP 0000000077290330 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007712ce40 5 bytes JMP 0000000077290460 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 000000007712cfa0 5 bytes JMP 0000000077290420 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007712d040 5 bytes JMP 0000000077290250 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007712d050 5 bytes JMP 0000000077290260 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007712d060 5 bytes JMP 0000000077290400 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007712d220 5 bytes JMP 00000000772901e0 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007712d230 5 bytes JMP 0000000077290200 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007712d2a0 5 bytes JMP 00000000772901f0 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007712d300 5 bytes JMP 0000000077290430 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007712d310 5 bytes JMP 0000000077290450 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007712d320 5 bytes JMP 0000000077290210 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007712d400 5 bytes JMP 0000000077290270 .text C:\Windows\system32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007712bbe0 5 bytes JMP 0000000077290480 .text C:\Windows\system32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007712bc30 5 bytes JMP 0000000077290470 .text C:\Windows\system32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007712bd90 5 bytes JMP 0000000077290360 .text C:\Windows\system32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007712bde0 5 bytes JMP 0000000077290490 .text C:\Windows\system32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007712bdf0 5 bytes JMP 00000000772903d0 .text C:\Windows\system32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007712bea0 5 bytes JMP 0000000077290310 .text C:\Windows\system32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007712bed0 5 bytes JMP 00000000772903a0 .text C:\Windows\system32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007712bef0 1 byte JMP 0000000077290380 .text C:\Windows\system32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 000000007712bef2 3 bytes {JMP 0x164490} .text C:\Windows\system32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007712bf30 5 bytes JMP 00000000772902d0 .text C:\Windows\system32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007712bfb0 5 bytes JMP 00000000772902c0 .text C:\Windows\system32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007712bfd0 5 bytes JMP 0000000077290300 .text C:\Windows\system32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007712c010 5 bytes JMP 00000000772903b0 .text C:\Windows\system32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007712c050 5 bytes JMP 0000000077290440 .text C:\Windows\system32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007712c060 5 bytes JMP 00000000772903e0 .text C:\Windows\system32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007712c1c0 5 bytes JMP 0000000077290220 .text C:\Windows\system32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007712c380 5 bytes JMP 00000000772904a0 .text C:\Windows\system32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007712c3b0 5 bytes JMP 0000000077290390 .text C:\Windows\system32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007712c490 5 bytes JMP 00000000772902e0 .text C:\Windows\system32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007712c4a0 5 bytes JMP 0000000077290340 .text C:\Windows\system32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007712c500 5 bytes JMP 0000000077290280 .text C:\Windows\system32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007712c590 5 bytes JMP 00000000772902a0 .text C:\Windows\system32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007712c5b0 5 bytes JMP 00000000772903c0 .text C:\Windows\system32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007712c5c0 5 bytes JMP 0000000077290320 .text C:\Windows\system32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007712c630 5 bytes JMP 0000000077290410 .text C:\Windows\system32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007712c660 5 bytes JMP 0000000077290230 .text C:\Windows\system32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007712c800 5 bytes JMP 00000000772903f0 .text C:\Windows\system32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007712c920 5 bytes JMP 00000000772901d0 .text C:\Windows\system32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007712c9e0 5 bytes JMP 0000000077290240 .text C:\Windows\system32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007712ca10 5 bytes JMP 00000000772904b0 .text C:\Windows\system32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007712ca20 5 bytes JMP 00000000772904c0 .text C:\Windows\system32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007712ca50 5 bytes JMP 00000000772902f0 .text C:\Windows\system32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007712ca60 5 bytes JMP 0000000077290350 .text C:\Windows\system32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007712cac0 5 bytes JMP 0000000077290290 .text C:\Windows\system32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007712cb10 5 bytes JMP 00000000772902b0 .text C:\Windows\system32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007712cb40 5 bytes JMP 0000000077290370 .text C:\Windows\system32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007712cb50 5 bytes JMP 0000000077290330 .text C:\Windows\system32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007712ce40 5 bytes JMP 0000000077290460 .text C:\Windows\system32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 000000007712cfa0 5 bytes JMP 0000000077290420 .text C:\Windows\system32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007712d040 5 bytes JMP 0000000077290250 .text C:\Windows\system32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007712d050 5 bytes JMP 0000000077290260 .text C:\Windows\system32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007712d060 5 bytes JMP 0000000077290400 .text C:\Windows\system32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007712d220 5 bytes JMP 00000000772901e0 .text C:\Windows\system32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007712d230 5 bytes JMP 0000000077290200 .text C:\Windows\system32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007712d2a0 5 bytes JMP 00000000772901f0 .text C:\Windows\system32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007712d300 5 bytes JMP 0000000077290430 .text C:\Windows\system32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007712d310 5 bytes JMP 0000000077290450 .text C:\Windows\system32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007712d320 5 bytes JMP 0000000077290210 .text C:\Windows\system32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007712d400 5 bytes JMP 0000000077290270 .text C:\Windows\System32\svchost.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007712bbe0 5 bytes JMP 0000000077290480 .text C:\Windows\System32\svchost.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007712bc30 5 bytes JMP 0000000077290470 .text C:\Windows\System32\svchost.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007712bd90 5 bytes JMP 0000000077290360 .text C:\Windows\System32\svchost.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007712bde0 5 bytes JMP 0000000077290490 .text C:\Windows\System32\svchost.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007712bdf0 5 bytes JMP 00000000772903d0 .text C:\Windows\System32\svchost.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007712bea0 5 bytes JMP 0000000077290310 .text C:\Windows\System32\svchost.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007712bed0 5 bytes JMP 00000000772903a0 .text C:\Windows\System32\svchost.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007712bef0 1 byte JMP 0000000077290380 .text C:\Windows\System32\svchost.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 000000007712bef2 3 bytes {JMP 0x164490} .text C:\Windows\System32\svchost.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007712bf30 5 bytes JMP 00000000772902d0 .text C:\Windows\System32\svchost.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007712bfb0 5 bytes JMP 00000000772902c0 .text C:\Windows\System32\svchost.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007712bfd0 5 bytes JMP 0000000077290300 .text C:\Windows\System32\svchost.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007712c010 5 bytes JMP 00000000772903b0 .text C:\Windows\System32\svchost.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007712c050 5 bytes JMP 0000000077290440 .text C:\Windows\System32\svchost.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007712c060 5 bytes JMP 00000000772903e0 .text C:\Windows\System32\svchost.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007712c1c0 5 bytes JMP 0000000077290220 .text C:\Windows\System32\svchost.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007712c380 5 bytes JMP 00000000772904a0 .text C:\Windows\System32\svchost.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007712c3b0 5 bytes JMP 0000000077290390 .text C:\Windows\System32\svchost.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007712c490 5 bytes JMP 00000000772902e0 .text C:\Windows\System32\svchost.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007712c4a0 5 bytes JMP 0000000077290340 .text C:\Windows\System32\svchost.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007712c500 5 bytes JMP 0000000077290280 .text C:\Windows\System32\svchost.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007712c590 5 bytes JMP 00000000772902a0 .text C:\Windows\System32\svchost.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007712c5b0 5 bytes JMP 00000000772903c0 .text C:\Windows\System32\svchost.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007712c5c0 5 bytes JMP 0000000077290320 .text C:\Windows\System32\svchost.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007712c630 5 bytes JMP 0000000077290410 .text C:\Windows\System32\svchost.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007712c660 5 bytes JMP 0000000077290230 .text C:\Windows\System32\svchost.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007712c800 5 bytes JMP 00000000772903f0 .text C:\Windows\System32\svchost.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007712c920 5 bytes JMP 00000000772901d0 .text C:\Windows\System32\svchost.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007712c9e0 5 bytes JMP 0000000077290240 .text C:\Windows\System32\svchost.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007712ca10 5 bytes JMP 00000000772904b0 .text C:\Windows\System32\svchost.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007712ca20 5 bytes JMP 00000000772904c0 .text C:\Windows\System32\svchost.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007712ca50 5 bytes JMP 00000000772902f0 .text C:\Windows\System32\svchost.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007712ca60 5 bytes JMP 0000000077290350 .text C:\Windows\System32\svchost.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007712cac0 5 bytes JMP 0000000077290290 .text C:\Windows\System32\svchost.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007712cb10 5 bytes JMP 00000000772902b0 .text C:\Windows\System32\svchost.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007712cb40 5 bytes JMP 0000000077290370 .text C:\Windows\System32\svchost.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007712cb50 5 bytes JMP 0000000077290330 .text C:\Windows\System32\svchost.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007712ce40 5 bytes JMP 0000000077290460 .text C:\Windows\System32\svchost.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 000000007712cfa0 5 bytes JMP 0000000077290420 .text C:\Windows\System32\svchost.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007712d040 5 bytes JMP 0000000077290250 .text C:\Windows\System32\svchost.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007712d050 5 bytes JMP 0000000077290260 .text C:\Windows\System32\svchost.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007712d060 5 bytes JMP 0000000077290400 .text C:\Windows\System32\svchost.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007712d220 5 bytes JMP 00000000772901e0 .text C:\Windows\System32\svchost.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007712d230 5 bytes JMP 0000000077290200 .text C:\Windows\System32\svchost.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007712d2a0 5 bytes JMP 00000000772901f0 .text C:\Windows\System32\svchost.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007712d300 5 bytes JMP 0000000077290430 .text C:\Windows\System32\svchost.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007712d310 5 bytes JMP 0000000077290450 .text C:\Windows\System32\svchost.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007712d320 5 bytes JMP 0000000077290210 .text C:\Windows\System32\svchost.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007712d400 5 bytes JMP 0000000077290270 .text C:\Windows\System32\svchost.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007712bbe0 5 bytes JMP 0000000077290480 .text C:\Windows\System32\svchost.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007712bc30 5 bytes JMP 0000000077290470 .text C:\Windows\System32\svchost.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007712bd90 5 bytes JMP 0000000077290360 .text C:\Windows\System32\svchost.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007712bde0 5 bytes JMP 0000000077290490 .text C:\Windows\System32\svchost.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007712bdf0 5 bytes JMP 00000000772903d0 .text C:\Windows\System32\svchost.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007712bea0 5 bytes JMP 0000000077290310 .text C:\Windows\System32\svchost.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007712bed0 5 bytes JMP 00000000772903a0 .text C:\Windows\System32\svchost.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007712bef0 1 byte JMP 0000000077290380 .text C:\Windows\System32\svchost.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 000000007712bef2 3 bytes {JMP 0x164490} .text C:\Windows\System32\svchost.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007712bf30 5 bytes JMP 00000000772902d0 .text C:\Windows\System32\svchost.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007712bfb0 5 bytes JMP 00000000772902c0 .text C:\Windows\System32\svchost.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007712bfd0 5 bytes JMP 0000000077290300 .text C:\Windows\System32\svchost.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007712c010 5 bytes JMP 00000000772903b0 .text C:\Windows\System32\svchost.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007712c050 5 bytes JMP 0000000077290440 .text C:\Windows\System32\svchost.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007712c060 5 bytes JMP 00000000772903e0 .text C:\Windows\System32\svchost.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007712c1c0 5 bytes JMP 0000000077290220 .text C:\Windows\System32\svchost.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007712c380 5 bytes JMP 00000000772904a0 .text C:\Windows\System32\svchost.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007712c3b0 5 bytes JMP 0000000077290390 .text C:\Windows\System32\svchost.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007712c490 5 bytes JMP 00000000772902e0 .text C:\Windows\System32\svchost.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007712c4a0 5 bytes JMP 0000000077290340 .text C:\Windows\System32\svchost.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007712c500 5 bytes JMP 0000000077290280 .text C:\Windows\System32\svchost.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007712c590 5 bytes JMP 00000000772902a0 .text C:\Windows\System32\svchost.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007712c5b0 5 bytes JMP 00000000772903c0 .text C:\Windows\System32\svchost.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007712c5c0 5 bytes JMP 0000000077290320 .text C:\Windows\System32\svchost.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007712c630 5 bytes JMP 0000000077290410 .text C:\Windows\System32\svchost.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007712c660 5 bytes JMP 0000000077290230 .text C:\Windows\System32\svchost.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007712c800 5 bytes JMP 00000000772903f0 .text C:\Windows\System32\svchost.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007712c920 5 bytes JMP 00000000772901d0 .text C:\Windows\System32\svchost.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007712c9e0 5 bytes JMP 0000000077290240 .text C:\Windows\System32\svchost.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007712ca10 5 bytes JMP 00000000772904b0 .text C:\Windows\System32\svchost.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007712ca20 5 bytes JMP 00000000772904c0 .text C:\Windows\System32\svchost.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007712ca50 5 bytes JMP 00000000772902f0 .text C:\Windows\System32\svchost.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007712ca60 5 bytes JMP 0000000077290350 .text C:\Windows\System32\svchost.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007712cac0 5 bytes JMP 0000000077290290 .text C:\Windows\System32\svchost.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007712cb10 5 bytes JMP 00000000772902b0 .text C:\Windows\System32\svchost.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007712cb40 5 bytes JMP 0000000077290370 .text C:\Windows\System32\svchost.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007712cb50 5 bytes JMP 0000000077290330 .text C:\Windows\System32\svchost.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007712ce40 5 bytes JMP 0000000077290460 .text C:\Windows\System32\svchost.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 000000007712cfa0 5 bytes JMP 0000000077290420 .text C:\Windows\System32\svchost.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007712d040 5 bytes JMP 0000000077290250 .text C:\Windows\System32\svchost.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007712d050 5 bytes JMP 0000000077290260 .text C:\Windows\System32\svchost.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007712d060 5 bytes JMP 0000000077290400 .text C:\Windows\System32\svchost.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007712d220 5 bytes JMP 00000000772901e0 .text C:\Windows\System32\svchost.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007712d230 5 bytes JMP 0000000077290200 .text C:\Windows\System32\svchost.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007712d2a0 5 bytes JMP 00000000772901f0 .text C:\Windows\System32\svchost.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007712d300 5 bytes JMP 0000000077290430 .text C:\Windows\System32\svchost.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007712d310 5 bytes JMP 0000000077290450 .text C:\Windows\System32\svchost.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007712d320 5 bytes JMP 0000000077290210 .text C:\Windows\System32\svchost.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007712d400 5 bytes JMP 0000000077290270 .text C:\Windows\system32\svchost.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007712bbe0 5 bytes JMP 0000000077290480 .text C:\Windows\system32\svchost.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007712bc30 5 bytes JMP 0000000077290470 .text C:\Windows\system32\svchost.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007712bd90 5 bytes JMP 0000000077290360 .text C:\Windows\system32\svchost.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007712bde0 5 bytes JMP 0000000077290490 .text C:\Windows\system32\svchost.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007712bdf0 5 bytes JMP 00000000772903d0 .text C:\Windows\system32\svchost.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007712bea0 5 bytes JMP 0000000077290310 .text C:\Windows\system32\svchost.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007712bed0 5 bytes JMP 00000000772903a0 .text C:\Windows\system32\svchost.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007712bef0 1 byte JMP 0000000077290380 .text C:\Windows\system32\svchost.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 000000007712bef2 3 bytes {JMP 0x164490} .text C:\Windows\system32\svchost.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007712bf30 5 bytes JMP 00000000772902d0 .text C:\Windows\system32\svchost.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007712bfb0 5 bytes JMP 00000000772902c0 .text C:\Windows\system32\svchost.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007712bfd0 5 bytes JMP 0000000077290300 .text C:\Windows\system32\svchost.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007712c010 5 bytes JMP 00000000772903b0 .text C:\Windows\system32\svchost.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007712c050 5 bytes JMP 0000000077290440 .text C:\Windows\system32\svchost.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007712c060 5 bytes JMP 00000000772903e0 .text C:\Windows\system32\svchost.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007712c1c0 5 bytes JMP 0000000077290220 .text C:\Windows\system32\svchost.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007712c380 5 bytes JMP 00000000772904a0 .text C:\Windows\system32\svchost.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007712c3b0 5 bytes JMP 0000000077290390 .text C:\Windows\system32\svchost.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007712c490 5 bytes JMP 00000000772902e0 .text C:\Windows\system32\svchost.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007712c4a0 5 bytes JMP 0000000077290340 .text C:\Windows\system32\svchost.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007712c500 5 bytes JMP 0000000077290280 .text C:\Windows\system32\svchost.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007712c590 5 bytes JMP 00000000772902a0 .text C:\Windows\system32\svchost.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007712c5b0 5 bytes JMP 00000000772903c0 .text C:\Windows\system32\svchost.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007712c5c0 5 bytes JMP 0000000077290320 .text C:\Windows\system32\svchost.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007712c630 5 bytes JMP 0000000077290410 .text C:\Windows\system32\svchost.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007712c660 5 bytes JMP 0000000077290230 .text C:\Windows\system32\svchost.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007712c800 5 bytes JMP 00000000772903f0 .text C:\Windows\system32\svchost.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007712c920 5 bytes JMP 00000000772901d0 .text C:\Windows\system32\svchost.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007712c9e0 5 bytes JMP 0000000077290240 .text C:\Windows\system32\svchost.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007712ca10 5 bytes JMP 00000000772904b0 .text C:\Windows\system32\svchost.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007712ca20 5 bytes JMP 00000000772904c0 .text C:\Windows\system32\svchost.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007712ca50 5 bytes JMP 00000000772902f0 .text C:\Windows\system32\svchost.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007712ca60 5 bytes JMP 0000000077290350 .text C:\Windows\system32\svchost.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007712cac0 5 bytes JMP 0000000077290290 .text C:\Windows\system32\svchost.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007712cb10 5 bytes JMP 00000000772902b0 .text C:\Windows\system32\svchost.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007712cb40 5 bytes JMP 0000000077290370 .text C:\Windows\system32\svchost.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007712cb50 5 bytes JMP 0000000077290330 .text C:\Windows\system32\svchost.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007712ce40 5 bytes JMP 0000000077290460 .text C:\Windows\system32\svchost.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 000000007712cfa0 5 bytes JMP 0000000077290420 .text C:\Windows\system32\svchost.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007712d040 5 bytes JMP 0000000077290250 .text C:\Windows\system32\svchost.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007712d050 5 bytes JMP 0000000077290260 .text C:\Windows\system32\svchost.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007712d060 5 bytes JMP 0000000077290400 .text C:\Windows\system32\svchost.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007712d220 5 bytes JMP 00000000772901e0 .text C:\Windows\system32\svchost.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007712d230 5 bytes JMP 0000000077290200 .text C:\Windows\system32\svchost.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007712d2a0 5 bytes JMP 00000000772901f0 .text C:\Windows\system32\svchost.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007712d300 5 bytes JMP 0000000077290430 .text C:\Windows\system32\svchost.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007712d310 5 bytes JMP 0000000077290450 .text C:\Windows\system32\svchost.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007712d320 5 bytes JMP 0000000077290210 .text C:\Windows\system32\svchost.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007712d400 5 bytes JMP 0000000077290270 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007712bbe0 5 bytes JMP 0000000077290480 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007712bc30 5 bytes JMP 0000000077290470 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007712bd90 5 bytes JMP 0000000077290360 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007712bde0 5 bytes JMP 0000000077290490 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007712bdf0 5 bytes JMP 00000000772903d0 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007712bea0 5 bytes JMP 0000000077290310 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007712bed0 5 bytes JMP 00000000772903a0 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007712bef0 1 byte JMP 0000000077290380 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 000000007712bef2 3 bytes {JMP 0x164490} .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007712bf30 5 bytes JMP 00000000772902d0 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007712bfb0 5 bytes JMP 00000000772902c0 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007712bfd0 5 bytes JMP 0000000077290300 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007712c010 5 bytes JMP 00000000772903b0 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007712c050 5 bytes JMP 0000000077290440 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007712c060 5 bytes JMP 00000000772903e0 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007712c1c0 5 bytes JMP 0000000077290220 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007712c380 5 bytes JMP 00000000772904a0 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007712c3b0 5 bytes JMP 0000000077290390 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007712c490 5 bytes JMP 00000000772902e0 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007712c4a0 5 bytes JMP 0000000077290340 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007712c500 5 bytes JMP 0000000077290280 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007712c590 5 bytes JMP 00000000772902a0 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007712c5b0 5 bytes JMP 00000000772903c0 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007712c5c0 5 bytes JMP 0000000077290320 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007712c630 5 bytes JMP 0000000077290410 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007712c660 5 bytes JMP 0000000077290230 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007712c800 5 bytes JMP 00000000772903f0 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007712c920 5 bytes JMP 00000000772901d0 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007712c9e0 5 bytes JMP 0000000077290240 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007712ca10 5 bytes JMP 00000000772904b0 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007712ca20 5 bytes JMP 00000000772904c0 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007712ca50 5 bytes JMP 00000000772902f0 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007712ca60 5 bytes JMP 0000000077290350 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007712cac0 5 bytes JMP 0000000077290290 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007712cb10 5 bytes JMP 00000000772902b0 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007712cb40 5 bytes JMP 0000000077290370 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007712cb50 5 bytes JMP 0000000077290330 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007712ce40 5 bytes JMP 0000000077290460 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 000000007712cfa0 5 bytes JMP 0000000077290420 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007712d040 5 bytes JMP 0000000077290250 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007712d050 5 bytes JMP 0000000077290260 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007712d060 5 bytes JMP 0000000077290400 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007712d220 5 bytes JMP 00000000772901e0 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007712d230 5 bytes JMP 0000000077290200 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007712d2a0 5 bytes JMP 00000000772901f0 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007712d300 5 bytes JMP 0000000077290430 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007712d310 5 bytes JMP 0000000077290450 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007712d320 5 bytes JMP 0000000077290210 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007712d400 5 bytes JMP 0000000077290270 .text C:\Windows\system32\svchost.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007712bbe0 5 bytes JMP 0000000000070480 .text C:\Windows\system32\svchost.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007712bc30 5 bytes JMP 0000000000070470 .text C:\Windows\system32\svchost.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007712bd90 5 bytes JMP 0000000000070360 .text C:\Windows\system32\svchost.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007712bde0 5 bytes JMP 0000000000070490 .text C:\Windows\system32\svchost.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007712bdf0 5 bytes JMP 00000000000703d0 .text C:\Windows\system32\svchost.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007712bea0 5 bytes JMP 0000000000070310 .text C:\Windows\system32\svchost.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007712bed0 5 bytes JMP 00000000000703a0 .text C:\Windows\system32\svchost.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007712bef0 1 byte JMP 0000000000070380 .text C:\Windows\system32\svchost.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 000000007712bef2 3 bytes {JMP 0xffffffff88f44490} .text C:\Windows\system32\svchost.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007712bf30 5 bytes JMP 00000000000702d0 .text C:\Windows\system32\svchost.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007712bfb0 5 bytes JMP 00000000000702c0 .text C:\Windows\system32\svchost.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007712bfd0 5 bytes JMP 0000000000070300 .text C:\Windows\system32\svchost.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007712c010 5 bytes JMP 00000000000703b0 .text C:\Windows\system32\svchost.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007712c050 5 bytes JMP 0000000000070440 .text C:\Windows\system32\svchost.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007712c060 5 bytes JMP 00000000000703e0 .text C:\Windows\system32\svchost.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007712c1c0 5 bytes JMP 0000000000070220 .text C:\Windows\system32\svchost.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007712c380 5 bytes JMP 00000000000704a0 .text C:\Windows\system32\svchost.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007712c3b0 5 bytes JMP 0000000000070390 .text C:\Windows\system32\svchost.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007712c490 5 bytes JMP 00000000000702e0 .text C:\Windows\system32\svchost.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007712c4a0 5 bytes JMP 0000000000070340 .text C:\Windows\system32\svchost.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007712c500 5 bytes JMP 0000000000070280 .text C:\Windows\system32\svchost.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007712c590 5 bytes JMP 00000000000702a0 .text C:\Windows\system32\svchost.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007712c5b0 5 bytes JMP 00000000000703c0 .text C:\Windows\system32\svchost.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007712c5c0 5 bytes JMP 0000000000070320 .text C:\Windows\system32\svchost.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007712c630 5 bytes JMP 0000000000070410 .text C:\Windows\system32\svchost.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007712c660 5 bytes JMP 0000000000070230 .text C:\Windows\system32\svchost.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007712c800 5 bytes JMP 00000000000703f0 .text C:\Windows\system32\svchost.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007712c920 5 bytes JMP 00000000000701d0 .text C:\Windows\system32\svchost.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007712c9e0 5 bytes JMP 0000000000070240 .text C:\Windows\system32\svchost.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007712ca10 5 bytes JMP 00000000000704b0 .text C:\Windows\system32\svchost.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007712ca20 5 bytes JMP 00000000000704c0 .text C:\Windows\system32\svchost.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007712ca50 5 bytes JMP 00000000000702f0 .text C:\Windows\system32\svchost.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007712ca60 5 bytes JMP 0000000000070350 .text C:\Windows\system32\svchost.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007712cac0 5 bytes JMP 0000000000070290 .text C:\Windows\system32\svchost.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007712cb10 5 bytes JMP 00000000000702b0 .text C:\Windows\system32\svchost.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007712cb40 5 bytes JMP 0000000000070370 .text C:\Windows\system32\svchost.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007712cb50 5 bytes JMP 0000000000070330 .text C:\Windows\system32\svchost.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007712ce40 5 bytes JMP 0000000000070460 .text C:\Windows\system32\svchost.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 000000007712cfa0 5 bytes JMP 0000000000070420 .text C:\Windows\system32\svchost.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007712d040 5 bytes JMP 0000000000070250 .text C:\Windows\system32\svchost.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007712d050 5 bytes JMP 0000000000070260 .text C:\Windows\system32\svchost.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007712d060 5 bytes JMP 0000000000070400 .text C:\Windows\system32\svchost.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007712d220 5 bytes JMP 00000000000701e0 .text C:\Windows\system32\svchost.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007712d230 5 bytes JMP 0000000000070200 .text C:\Windows\system32\svchost.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007712d2a0 5 bytes JMP 00000000000701f0 .text C:\Windows\system32\svchost.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007712d300 5 bytes JMP 0000000000070430 .text C:\Windows\system32\svchost.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007712d310 5 bytes JMP 0000000000070450 .text C:\Windows\system32\svchost.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007712d320 5 bytes JMP 0000000000070210 .text C:\Windows\system32\svchost.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007712d400 5 bytes JMP 0000000000070270 .text C:\Windows\system32\svchost.exe[1632] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007712bbe0 5 bytes JMP 0000000000070480 .text C:\Windows\system32\svchost.exe[1632] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007712bc30 5 bytes JMP 0000000000070470 .text C:\Windows\system32\svchost.exe[1632] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007712bd90 5 bytes JMP 0000000000070360 .text C:\Windows\system32\svchost.exe[1632] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007712bde0 5 bytes JMP 0000000000070490 .text C:\Windows\system32\svchost.exe[1632] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007712bdf0 5 bytes JMP 00000000000703d0 .text C:\Windows\system32\svchost.exe[1632] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007712bea0 5 bytes JMP 0000000000070310 .text C:\Windows\system32\svchost.exe[1632] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007712bed0 5 bytes JMP 00000000000703a0 .text C:\Windows\system32\svchost.exe[1632] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007712bef0 1 byte JMP 0000000000070380 .text C:\Windows\system32\svchost.exe[1632] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 000000007712bef2 3 bytes {JMP 0xffffffff88f44490} .text C:\Windows\system32\svchost.exe[1632] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007712bf30 5 bytes JMP 00000000000702d0 .text C:\Windows\system32\svchost.exe[1632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007712bfb0 5 bytes JMP 00000000000702c0 .text C:\Windows\system32\svchost.exe[1632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007712bfd0 5 bytes JMP 0000000000070300 .text C:\Windows\system32\svchost.exe[1632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007712c010 5 bytes JMP 00000000000703b0 .text C:\Windows\system32\svchost.exe[1632] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007712c050 5 bytes JMP 0000000000070440 .text C:\Windows\system32\svchost.exe[1632] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007712c060 5 bytes JMP 00000000000703e0 .text C:\Windows\system32\svchost.exe[1632] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007712c1c0 5 bytes JMP 0000000000070220 .text C:\Windows\system32\svchost.exe[1632] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007712c380 5 bytes JMP 00000000000704a0 .text C:\Windows\system32\svchost.exe[1632] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007712c3b0 5 bytes JMP 0000000000070390 .text C:\Windows\system32\svchost.exe[1632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007712c490 5 bytes JMP 00000000000702e0 .text C:\Windows\system32\svchost.exe[1632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007712c4a0 5 bytes JMP 0000000000070340 .text C:\Windows\system32\svchost.exe[1632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007712c500 5 bytes JMP 0000000000070280 .text C:\Windows\system32\svchost.exe[1632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007712c590 5 bytes JMP 00000000000702a0 .text C:\Windows\system32\svchost.exe[1632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007712c5b0 5 bytes JMP 00000000000703c0 .text C:\Windows\system32\svchost.exe[1632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007712c5c0 5 bytes JMP 0000000000070320 .text C:\Windows\system32\svchost.exe[1632] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007712c630 5 bytes JMP 0000000000070410 .text C:\Windows\system32\svchost.exe[1632] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007712c660 5 bytes JMP 0000000000070230 .text C:\Windows\system32\svchost.exe[1632] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007712c800 5 bytes JMP 00000000000703f0 .text C:\Windows\system32\svchost.exe[1632] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007712c920 5 bytes JMP 00000000000701d0 .text C:\Windows\system32\svchost.exe[1632] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007712c9e0 5 bytes JMP 0000000000070240 .text C:\Windows\system32\svchost.exe[1632] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007712ca10 5 bytes JMP 00000000000704b0 .text C:\Windows\system32\svchost.exe[1632] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007712ca20 5 bytes JMP 00000000000704c0 .text C:\Windows\system32\svchost.exe[1632] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007712ca50 5 bytes JMP 00000000000702f0 .text C:\Windows\system32\svchost.exe[1632] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007712ca60 5 bytes JMP 0000000000070350 .text C:\Windows\system32\svchost.exe[1632] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007712cac0 5 bytes JMP 0000000000070290 .text C:\Windows\system32\svchost.exe[1632] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007712cb10 5 bytes JMP 00000000000702b0 .text C:\Windows\system32\svchost.exe[1632] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007712cb40 5 bytes JMP 0000000000070370 .text C:\Windows\system32\svchost.exe[1632] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007712cb50 5 bytes JMP 0000000000070330 .text C:\Windows\system32\svchost.exe[1632] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007712ce40 5 bytes JMP 0000000000070460 .text C:\Windows\system32\svchost.exe[1632] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 000000007712cfa0 5 bytes JMP 0000000000070420 .text C:\Windows\system32\svchost.exe[1632] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007712d040 5 bytes JMP 0000000000070250 .text C:\Windows\system32\svchost.exe[1632] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007712d050 5 bytes JMP 0000000000070260 .text C:\Windows\system32\svchost.exe[1632] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007712d060 5 bytes JMP 0000000000070400 .text C:\Windows\system32\svchost.exe[1632] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007712d220 5 bytes JMP 00000000000701e0 .text C:\Windows\system32\svchost.exe[1632] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007712d230 5 bytes JMP 0000000000070200 .text C:\Windows\system32\svchost.exe[1632] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007712d2a0 5 bytes JMP 00000000000701f0 .text C:\Windows\system32\svchost.exe[1632] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007712d300 5 bytes JMP 0000000000070430 .text C:\Windows\system32\svchost.exe[1632] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007712d310 5 bytes JMP 0000000000070450 .text C:\Windows\system32\svchost.exe[1632] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007712d320 5 bytes JMP 0000000000070210 .text C:\Windows\system32\svchost.exe[1632] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007712d400 5 bytes JMP 0000000000070270 .text C:\Windows\system32\taskhost.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007712bbe0 5 bytes JMP 0000000077290480 .text C:\Windows\system32\taskhost.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007712bc30 5 bytes JMP 0000000077290470 .text C:\Windows\system32\taskhost.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007712bd90 5 bytes JMP 0000000077290360 .text C:\Windows\system32\taskhost.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007712bde0 5 bytes JMP 0000000077290490 .text C:\Windows\system32\taskhost.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007712bdf0 5 bytes JMP 00000000772903d0 .text C:\Windows\system32\taskhost.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007712bea0 5 bytes JMP 0000000077290310 .text C:\Windows\system32\taskhost.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007712bed0 5 bytes JMP 00000000772903a0 .text C:\Windows\system32\taskhost.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007712bef0 1 byte JMP 0000000077290380 .text C:\Windows\system32\taskhost.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 000000007712bef2 3 bytes {JMP 0x164490} .text C:\Windows\system32\taskhost.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007712bf30 5 bytes JMP 00000000772902d0 .text C:\Windows\system32\taskhost.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007712bfb0 5 bytes JMP 00000000772902c0 .text C:\Windows\system32\taskhost.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007712bfd0 5 bytes JMP 0000000077290300 .text C:\Windows\system32\taskhost.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007712c010 5 bytes JMP 00000000772903b0 .text C:\Windows\system32\taskhost.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007712c050 5 bytes JMP 0000000077290440 .text C:\Windows\system32\taskhost.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007712c060 5 bytes JMP 00000000772903e0 .text C:\Windows\system32\taskhost.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007712c1c0 5 bytes JMP 0000000077290220 .text C:\Windows\system32\taskhost.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007712c380 5 bytes JMP 00000000772904a0 .text C:\Windows\system32\taskhost.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007712c3b0 5 bytes JMP 0000000077290390 .text C:\Windows\system32\taskhost.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007712c490 5 bytes JMP 00000000772902e0 .text C:\Windows\system32\taskhost.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007712c4a0 5 bytes JMP 0000000077290340 .text C:\Windows\system32\taskhost.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007712c500 5 bytes JMP 0000000077290280 .text C:\Windows\system32\taskhost.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007712c590 5 bytes JMP 00000000772902a0 .text C:\Windows\system32\taskhost.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007712c5b0 5 bytes JMP 00000000772903c0 .text C:\Windows\system32\taskhost.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007712c5c0 5 bytes JMP 0000000077290320 .text C:\Windows\system32\taskhost.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007712c630 5 bytes JMP 0000000077290410 .text C:\Windows\system32\taskhost.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007712c660 5 bytes JMP 0000000077290230 .text C:\Windows\system32\taskhost.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007712c800 5 bytes JMP 00000000772903f0 .text C:\Windows\system32\taskhost.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007712c920 5 bytes JMP 00000000772901d0 .text C:\Windows\system32\taskhost.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007712c9e0 5 bytes JMP 0000000077290240 .text C:\Windows\system32\taskhost.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007712ca10 5 bytes JMP 00000000772904b0 .text C:\Windows\system32\taskhost.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007712ca20 5 bytes JMP 00000000772904c0 .text C:\Windows\system32\taskhost.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007712ca50 5 bytes JMP 00000000772902f0 .text C:\Windows\system32\taskhost.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007712ca60 5 bytes JMP 0000000077290350 .text C:\Windows\system32\taskhost.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007712cac0 5 bytes JMP 0000000077290290 .text C:\Windows\system32\taskhost.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007712cb10 5 bytes JMP 00000000772902b0 .text C:\Windows\system32\taskhost.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007712cb40 5 bytes JMP 0000000077290370 .text C:\Windows\system32\taskhost.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007712cb50 5 bytes JMP 0000000077290330 .text C:\Windows\system32\taskhost.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007712ce40 5 bytes JMP 0000000077290460 .text C:\Windows\system32\taskhost.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 000000007712cfa0 5 bytes JMP 0000000077290420 .text C:\Windows\system32\taskhost.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007712d040 5 bytes JMP 0000000077290250 .text C:\Windows\system32\taskhost.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007712d050 5 bytes JMP 0000000077290260 .text C:\Windows\system32\taskhost.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007712d060 5 bytes JMP 0000000077290400 .text C:\Windows\system32\taskhost.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007712d220 5 bytes JMP 00000000772901e0 .text C:\Windows\system32\taskhost.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007712d230 5 bytes JMP 0000000077290200 .text C:\Windows\system32\taskhost.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007712d2a0 5 bytes JMP 00000000772901f0 .text C:\Windows\system32\taskhost.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007712d300 5 bytes JMP 0000000077290430 .text C:\Windows\system32\taskhost.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007712d310 5 bytes JMP 0000000077290450 .text C:\Windows\system32\taskhost.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007712d320 5 bytes JMP 0000000077290210 .text C:\Windows\system32\taskhost.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007712d400 5 bytes JMP 0000000077290270 .text C:\Windows\Explorer.EXE[1792] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007712bbe0 5 bytes JMP 0000000077290480 .text C:\Windows\Explorer.EXE[1792] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007712bc30 5 bytes JMP 0000000077290470 .text C:\Windows\Explorer.EXE[1792] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007712bd90 5 bytes JMP 0000000077290360 .text C:\Windows\Explorer.EXE[1792] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007712bde0 5 bytes JMP 0000000077290490 .text C:\Windows\Explorer.EXE[1792] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007712bdf0 5 bytes JMP 00000000772903d0 .text C:\Windows\Explorer.EXE[1792] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007712bea0 5 bytes JMP 0000000077290310 .text C:\Windows\Explorer.EXE[1792] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007712bed0 5 bytes JMP 00000000772903a0 .text C:\Windows\Explorer.EXE[1792] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007712bef0 1 byte JMP 0000000077290380 .text C:\Windows\Explorer.EXE[1792] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 000000007712bef2 3 bytes {JMP 0x164490} .text C:\Windows\Explorer.EXE[1792] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007712bf30 5 bytes JMP 00000000772902d0 .text C:\Windows\Explorer.EXE[1792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007712bfb0 5 bytes JMP 00000000772902c0 .text C:\Windows\Explorer.EXE[1792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007712bfd0 5 bytes JMP 0000000077290300 .text C:\Windows\Explorer.EXE[1792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007712c010 5 bytes JMP 00000000772903b0 .text C:\Windows\Explorer.EXE[1792] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007712c050 5 bytes JMP 0000000077290440 .text C:\Windows\Explorer.EXE[1792] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007712c060 5 bytes JMP 00000000772903e0 .text C:\Windows\Explorer.EXE[1792] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007712c1c0 5 bytes JMP 0000000077290220 .text C:\Windows\Explorer.EXE[1792] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007712c380 5 bytes JMP 00000000772904a0 .text C:\Windows\Explorer.EXE[1792] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007712c3b0 5 bytes JMP 0000000077290390 .text C:\Windows\Explorer.EXE[1792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007712c490 5 bytes JMP 00000000772902e0 .text C:\Windows\Explorer.EXE[1792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007712c4a0 5 bytes JMP 0000000077290340 .text C:\Windows\Explorer.EXE[1792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007712c500 5 bytes JMP 0000000077290280 .text C:\Windows\Explorer.EXE[1792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007712c590 5 bytes JMP 00000000772902a0 .text C:\Windows\Explorer.EXE[1792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007712c5b0 5 bytes JMP 00000000772903c0 .text C:\Windows\Explorer.EXE[1792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007712c5c0 5 bytes JMP 0000000077290320 .text C:\Windows\Explorer.EXE[1792] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007712c630 5 bytes JMP 0000000077290410 .text C:\Windows\Explorer.EXE[1792] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007712c660 5 bytes JMP 0000000077290230 .text C:\Windows\Explorer.EXE[1792] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007712c800 5 bytes JMP 00000000772903f0 .text C:\Windows\Explorer.EXE[1792] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007712c920 5 bytes JMP 00000000772901d0 .text C:\Windows\Explorer.EXE[1792] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007712c9e0 5 bytes JMP 0000000077290240 .text C:\Windows\Explorer.EXE[1792] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007712ca10 5 bytes JMP 00000000772904b0 .text C:\Windows\Explorer.EXE[1792] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007712ca20 5 bytes JMP 00000000772904c0 .text C:\Windows\Explorer.EXE[1792] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007712ca50 5 bytes JMP 00000000772902f0 .text C:\Windows\Explorer.EXE[1792] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007712ca60 5 bytes JMP 0000000077290350 .text C:\Windows\Explorer.EXE[1792] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007712cac0 5 bytes JMP 0000000077290290 .text C:\Windows\Explorer.EXE[1792] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007712cb10 5 bytes JMP 00000000772902b0 .text C:\Windows\Explorer.EXE[1792] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007712cb40 5 bytes JMP 0000000077290370 .text C:\Windows\Explorer.EXE[1792] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007712cb50 5 bytes JMP 0000000077290330 .text C:\Windows\Explorer.EXE[1792] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007712ce40 5 bytes JMP 0000000077290460 .text C:\Windows\Explorer.EXE[1792] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 000000007712cfa0 5 bytes JMP 0000000077290420 .text C:\Windows\Explorer.EXE[1792] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007712d040 5 bytes JMP 0000000077290250 .text C:\Windows\Explorer.EXE[1792] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007712d050 5 bytes JMP 0000000077290260 .text C:\Windows\Explorer.EXE[1792] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007712d060 5 bytes JMP 0000000077290400 .text C:\Windows\Explorer.EXE[1792] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007712d220 5 bytes JMP 00000000772901e0 .text C:\Windows\Explorer.EXE[1792] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007712d230 5 bytes JMP 0000000077290200 .text C:\Windows\Explorer.EXE[1792] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007712d2a0 5 bytes JMP 00000000772901f0 .text C:\Windows\Explorer.EXE[1792] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007712d300 5 bytes JMP 0000000077290430 .text C:\Windows\Explorer.EXE[1792] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007712d310 5 bytes JMP 0000000077290450 .text C:\Windows\Explorer.EXE[1792] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007712d320 5 bytes JMP 0000000077290210 .text C:\Windows\Explorer.EXE[1792] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007712d400 5 bytes JMP 0000000077290270 .text C:\Windows\system32\Dwm.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007712bbe0 5 bytes JMP 0000000077290480 .text C:\Windows\system32\Dwm.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007712bc30 5 bytes JMP 0000000077290470 .text C:\Windows\system32\Dwm.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007712bd90 5 bytes JMP 0000000077290360 .text C:\Windows\system32\Dwm.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007712bde0 5 bytes JMP 0000000077290490 .text C:\Windows\system32\Dwm.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007712bdf0 5 bytes JMP 00000000772903d0 .text C:\Windows\system32\Dwm.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007712bea0 5 bytes JMP 0000000077290310 .text C:\Windows\system32\Dwm.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007712bed0 5 bytes JMP 00000000772903a0 .text C:\Windows\system32\Dwm.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007712bef0 1 byte JMP 0000000077290380 .text C:\Windows\system32\Dwm.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 000000007712bef2 3 bytes {JMP 0x164490} .text C:\Windows\system32\Dwm.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007712bf30 5 bytes JMP 00000000772902d0 .text C:\Windows\system32\Dwm.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007712bfb0 5 bytes JMP 00000000772902c0 .text C:\Windows\system32\Dwm.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007712bfd0 5 bytes JMP 0000000077290300 .text C:\Windows\system32\Dwm.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007712c010 5 bytes JMP 00000000772903b0 .text C:\Windows\system32\Dwm.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007712c050 5 bytes JMP 0000000077290440 .text C:\Windows\system32\Dwm.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007712c060 5 bytes JMP 00000000772903e0 .text C:\Windows\system32\Dwm.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007712c1c0 5 bytes JMP 0000000077290220 .text C:\Windows\system32\Dwm.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007712c380 5 bytes JMP 00000000772904a0 .text C:\Windows\system32\Dwm.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007712c3b0 5 bytes JMP 0000000077290390 .text C:\Windows\system32\Dwm.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007712c490 5 bytes JMP 00000000772902e0 .text C:\Windows\system32\Dwm.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007712c4a0 5 bytes JMP 0000000077290340 .text C:\Windows\system32\Dwm.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007712c500 5 bytes JMP 0000000077290280 .text C:\Windows\system32\Dwm.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007712c590 5 bytes JMP 00000000772902a0 .text C:\Windows\system32\Dwm.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007712c5b0 5 bytes JMP 00000000772903c0 .text C:\Windows\system32\Dwm.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007712c5c0 5 bytes JMP 0000000077290320 .text C:\Windows\system32\Dwm.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007712c630 5 bytes JMP 0000000077290410 .text C:\Windows\system32\Dwm.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007712c660 5 bytes JMP 0000000077290230 .text C:\Windows\system32\Dwm.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007712c800 5 bytes JMP 00000000772903f0 .text C:\Windows\system32\Dwm.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007712c920 5 bytes JMP 00000000772901d0 .text C:\Windows\system32\Dwm.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007712c9e0 5 bytes JMP 0000000077290240 .text C:\Windows\system32\Dwm.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007712ca10 5 bytes JMP 00000000772904b0 .text C:\Windows\system32\Dwm.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007712ca20 5 bytes JMP 00000000772904c0 .text C:\Windows\system32\Dwm.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007712ca50 5 bytes JMP 00000000772902f0 .text C:\Windows\system32\Dwm.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007712ca60 5 bytes JMP 0000000077290350 .text C:\Windows\system32\Dwm.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007712cac0 5 bytes JMP 0000000077290290 .text C:\Windows\system32\Dwm.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007712cb10 5 bytes JMP 00000000772902b0 .text C:\Windows\system32\Dwm.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007712cb40 5 bytes JMP 0000000077290370 .text C:\Windows\system32\Dwm.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007712cb50 5 bytes JMP 0000000077290330 .text C:\Windows\system32\Dwm.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007712ce40 5 bytes JMP 0000000077290460 .text C:\Windows\system32\Dwm.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 000000007712cfa0 5 bytes JMP 0000000077290420 .text C:\Windows\system32\Dwm.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007712d040 5 bytes JMP 0000000077290250 .text C:\Windows\system32\Dwm.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007712d050 5 bytes JMP 0000000077290260 .text C:\Windows\system32\Dwm.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007712d060 5 bytes JMP 0000000077290400 .text C:\Windows\system32\Dwm.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007712d220 5 bytes JMP 00000000772901e0 .text C:\Windows\system32\Dwm.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007712d230 5 bytes JMP 0000000077290200 .text C:\Windows\system32\Dwm.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007712d2a0 5 bytes JMP 00000000772901f0 .text C:\Windows\system32\Dwm.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007712d300 5 bytes JMP 0000000077290430 .text C:\Windows\system32\Dwm.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007712d310 5 bytes JMP 0000000077290450 .text C:\Windows\system32\Dwm.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007712d320 5 bytes JMP 0000000077290210 .text C:\Windows\system32\Dwm.exe[1900] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007712d400 5 bytes JMP 0000000077290270 .text C:\Windows\system32\taskeng.exe[1952] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007712bbe0 5 bytes JMP 0000000077290480 .text C:\Windows\system32\taskeng.exe[1952] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007712bc30 5 bytes JMP 0000000077290470 .text C:\Windows\system32\taskeng.exe[1952] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007712bd90 5 bytes JMP 0000000077290360 .text C:\Windows\system32\taskeng.exe[1952] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007712bde0 5 bytes JMP 0000000077290490 .text C:\Windows\system32\taskeng.exe[1952] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007712bdf0 5 bytes JMP 00000000772903d0 .text C:\Windows\system32\taskeng.exe[1952] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007712bea0 5 bytes JMP 0000000077290310 .text C:\Windows\system32\taskeng.exe[1952] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007712bed0 5 bytes JMP 00000000772903a0 .text C:\Windows\system32\taskeng.exe[1952] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007712bef0 1 byte JMP 0000000077290380 .text C:\Windows\system32\taskeng.exe[1952] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 000000007712bef2 3 bytes {JMP 0x164490} .text C:\Windows\system32\taskeng.exe[1952] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007712bf30 5 bytes JMP 00000000772902d0 .text C:\Windows\system32\taskeng.exe[1952] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007712bfb0 5 bytes JMP 00000000772902c0 .text C:\Windows\system32\taskeng.exe[1952] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007712bfd0 5 bytes JMP 0000000077290300 .text C:\Windows\system32\taskeng.exe[1952] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007712c010 5 bytes JMP 00000000772903b0 .text C:\Windows\system32\taskeng.exe[1952] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007712c050 5 bytes JMP 0000000077290440 .text C:\Windows\system32\taskeng.exe[1952] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007712c060 5 bytes JMP 00000000772903e0 .text C:\Windows\system32\taskeng.exe[1952] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007712c1c0 5 bytes JMP 0000000077290220 .text C:\Windows\system32\taskeng.exe[1952] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007712c380 5 bytes JMP 00000000772904a0 .text C:\Windows\system32\taskeng.exe[1952] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007712c3b0 5 bytes JMP 0000000077290390 .text C:\Windows\system32\taskeng.exe[1952] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007712c490 5 bytes JMP 00000000772902e0 .text C:\Windows\system32\taskeng.exe[1952] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007712c4a0 5 bytes JMP 0000000077290340 .text C:\Windows\system32\taskeng.exe[1952] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007712c500 5 bytes JMP 0000000077290280 .text C:\Windows\system32\taskeng.exe[1952] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007712c590 5 bytes JMP 00000000772902a0 .text C:\Windows\system32\taskeng.exe[1952] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007712c5b0 5 bytes JMP 00000000772903c0 .text C:\Windows\system32\taskeng.exe[1952] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007712c5c0 5 bytes JMP 0000000077290320 .text C:\Windows\system32\taskeng.exe[1952] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007712c630 5 bytes JMP 0000000077290410 .text C:\Windows\system32\taskeng.exe[1952] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007712c660 5 bytes JMP 0000000077290230 .text C:\Windows\system32\taskeng.exe[1952] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007712c800 5 bytes JMP 00000000772903f0 .text C:\Windows\system32\taskeng.exe[1952] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007712c920 5 bytes JMP 00000000772901d0 .text C:\Windows\system32\taskeng.exe[1952] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007712c9e0 5 bytes JMP 0000000077290240 .text C:\Windows\system32\taskeng.exe[1952] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007712ca10 5 bytes JMP 00000000772904b0 .text C:\Windows\system32\taskeng.exe[1952] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007712ca20 5 bytes JMP 00000000772904c0 .text C:\Windows\system32\taskeng.exe[1952] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007712ca50 5 bytes JMP 00000000772902f0 .text C:\Windows\system32\taskeng.exe[1952] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007712ca60 5 bytes JMP 0000000077290350 .text C:\Windows\system32\taskeng.exe[1952] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007712cac0 5 bytes JMP 0000000077290290 .text C:\Windows\system32\taskeng.exe[1952] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007712cb10 5 bytes JMP 00000000772902b0 .text C:\Windows\system32\taskeng.exe[1952] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007712cb40 5 bytes JMP 0000000077290370 .text C:\Windows\system32\taskeng.exe[1952] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007712cb50 5 bytes JMP 0000000077290330 .text C:\Windows\system32\taskeng.exe[1952] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007712ce40 5 bytes JMP 0000000077290460 .text C:\Windows\system32\taskeng.exe[1952] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 000000007712cfa0 5 bytes JMP 0000000077290420 .text C:\Windows\system32\taskeng.exe[1952] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007712d040 5 bytes JMP 0000000077290250 .text C:\Windows\system32\taskeng.exe[1952] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007712d050 5 bytes JMP 0000000077290260 .text C:\Windows\system32\taskeng.exe[1952] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007712d060 5 bytes JMP 0000000077290400 .text C:\Windows\system32\taskeng.exe[1952] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007712d220 5 bytes JMP 00000000772901e0 .text C:\Windows\system32\taskeng.exe[1952] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007712d230 5 bytes JMP 0000000077290200 .text C:\Windows\system32\taskeng.exe[1952] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007712d2a0 5 bytes JMP 00000000772901f0 .text C:\Windows\system32\taskeng.exe[1952] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007712d300 5 bytes JMP 0000000077290430 .text C:\Windows\system32\taskeng.exe[1952] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007712d310 5 bytes JMP 0000000077290450 .text C:\Windows\system32\taskeng.exe[1952] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007712d320 5 bytes JMP 0000000077290210 .text C:\Windows\system32\taskeng.exe[1952] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007712d400 5 bytes JMP 0000000077290270 .text C:\Windows\System32\svchost.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007712bbe0 5 bytes JMP 0000000077290480 .text C:\Windows\System32\svchost.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007712bc30 5 bytes JMP 0000000077290470 .text C:\Windows\System32\svchost.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007712bd90 5 bytes JMP 0000000077290360 .text C:\Windows\System32\svchost.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007712bde0 5 bytes JMP 0000000077290490 .text C:\Windows\System32\svchost.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007712bdf0 5 bytes JMP 00000000772903d0 .text C:\Windows\System32\svchost.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007712bea0 5 bytes JMP 0000000077290310 .text C:\Windows\System32\svchost.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007712bed0 5 bytes JMP 00000000772903a0 .text C:\Windows\System32\svchost.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007712bef0 1 byte JMP 0000000077290380 .text C:\Windows\System32\svchost.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 000000007712bef2 3 bytes {JMP 0x164490} .text C:\Windows\System32\svchost.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007712bf30 5 bytes JMP 00000000772902d0 .text C:\Windows\System32\svchost.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007712bfb0 5 bytes JMP 00000000772902c0 .text C:\Windows\System32\svchost.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007712bfd0 5 bytes JMP 0000000077290300 .text C:\Windows\System32\svchost.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007712c010 5 bytes JMP 00000000772903b0 .text C:\Windows\System32\svchost.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007712c050 5 bytes JMP 0000000077290440 .text C:\Windows\System32\svchost.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007712c060 5 bytes JMP 00000000772903e0 .text C:\Windows\System32\svchost.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007712c1c0 5 bytes JMP 0000000077290220 .text C:\Windows\System32\svchost.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007712c380 5 bytes JMP 00000000772904a0 .text C:\Windows\System32\svchost.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007712c3b0 5 bytes JMP 0000000077290390 .text C:\Windows\System32\svchost.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007712c490 5 bytes JMP 00000000772902e0 .text C:\Windows\System32\svchost.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007712c4a0 5 bytes JMP 0000000077290340 .text C:\Windows\System32\svchost.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007712c500 5 bytes JMP 0000000077290280 .text C:\Windows\System32\svchost.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007712c590 5 bytes JMP 00000000772902a0 .text C:\Windows\System32\svchost.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007712c5b0 5 bytes JMP 00000000772903c0 .text C:\Windows\System32\svchost.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007712c5c0 5 bytes JMP 0000000077290320 .text C:\Windows\System32\svchost.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007712c630 5 bytes JMP 0000000077290410 .text C:\Windows\System32\svchost.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007712c660 5 bytes JMP 0000000077290230 .text C:\Windows\System32\svchost.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007712c800 5 bytes JMP 00000000772903f0 .text C:\Windows\System32\svchost.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007712c920 5 bytes JMP 00000000772901d0 .text C:\Windows\System32\svchost.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007712c9e0 5 bytes JMP 0000000077290240 .text C:\Windows\System32\svchost.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007712ca10 5 bytes JMP 00000000772904b0 .text C:\Windows\System32\svchost.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007712ca20 5 bytes JMP 00000000772904c0 .text C:\Windows\System32\svchost.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007712ca50 5 bytes JMP 00000000772902f0 .text C:\Windows\System32\svchost.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007712ca60 5 bytes JMP 0000000077290350 .text C:\Windows\System32\svchost.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007712cac0 5 bytes JMP 0000000077290290 .text C:\Windows\System32\svchost.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007712cb10 5 bytes JMP 00000000772902b0 .text C:\Windows\System32\svchost.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007712cb40 5 bytes JMP 0000000077290370 .text C:\Windows\System32\svchost.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007712cb50 5 bytes JMP 0000000077290330 .text C:\Windows\System32\svchost.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007712ce40 5 bytes JMP 0000000077290460 .text C:\Windows\System32\svchost.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 000000007712cfa0 5 bytes JMP 0000000077290420 .text C:\Windows\System32\svchost.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007712d040 5 bytes JMP 0000000077290250 .text C:\Windows\System32\svchost.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007712d050 5 bytes JMP 0000000077290260 .text C:\Windows\System32\svchost.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007712d060 5 bytes JMP 0000000077290400 .text C:\Windows\System32\svchost.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007712d220 5 bytes JMP 00000000772901e0 .text C:\Windows\System32\svchost.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007712d230 5 bytes JMP 0000000077290200 .text C:\Windows\System32\svchost.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007712d2a0 5 bytes JMP 00000000772901f0 .text C:\Windows\System32\svchost.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007712d300 5 bytes JMP 0000000077290430 .text C:\Windows\System32\svchost.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007712d310 5 bytes JMP 0000000077290450 .text C:\Windows\System32\svchost.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007712d320 5 bytes JMP 0000000077290210 .text C:\Windows\System32\svchost.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007712d400 5 bytes JMP 0000000077290270 .text C:\Windows\system32\svchost.exe[3156] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007712bbe0 5 bytes JMP 0000000077290480 .text C:\Windows\system32\svchost.exe[3156] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007712bc30 5 bytes JMP 0000000077290470 .text C:\Windows\system32\svchost.exe[3156] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007712bd90 5 bytes JMP 0000000077290360 .text C:\Windows\system32\svchost.exe[3156] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007712bde0 5 bytes JMP 0000000077290490 .text C:\Windows\system32\svchost.exe[3156] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007712bdf0 5 bytes JMP 00000000772903d0 .text C:\Windows\system32\svchost.exe[3156] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007712bea0 5 bytes JMP 0000000077290310 .text C:\Windows\system32\svchost.exe[3156] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007712bed0 5 bytes JMP 00000000772903a0 .text C:\Windows\system32\svchost.exe[3156] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007712bef0 1 byte JMP 0000000077290380 .text C:\Windows\system32\svchost.exe[3156] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 000000007712bef2 3 bytes {JMP 0x164490} .text C:\Windows\system32\svchost.exe[3156] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007712bf30 5 bytes JMP 00000000772902d0 .text C:\Windows\system32\svchost.exe[3156] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007712bfb0 5 bytes JMP 00000000772902c0 .text C:\Windows\system32\svchost.exe[3156] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007712bfd0 5 bytes JMP 0000000077290300 .text C:\Windows\system32\svchost.exe[3156] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007712c010 5 bytes JMP 00000000772903b0 .text C:\Windows\system32\svchost.exe[3156] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007712c050 5 bytes JMP 0000000077290440 .text C:\Windows\system32\svchost.exe[3156] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007712c060 5 bytes JMP 00000000772903e0 .text C:\Windows\system32\svchost.exe[3156] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007712c1c0 5 bytes JMP 0000000077290220 .text C:\Windows\system32\svchost.exe[3156] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007712c380 5 bytes JMP 00000000772904a0 .text C:\Windows\system32\svchost.exe[3156] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007712c3b0 5 bytes JMP 0000000077290390 .text C:\Windows\system32\svchost.exe[3156] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007712c490 5 bytes JMP 00000000772902e0 .text C:\Windows\system32\svchost.exe[3156] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007712c4a0 5 bytes JMP 0000000077290340 .text C:\Windows\system32\svchost.exe[3156] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007712c500 5 bytes JMP 0000000077290280 .text C:\Windows\system32\svchost.exe[3156] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007712c590 5 bytes JMP 00000000772902a0 .text C:\Windows\system32\svchost.exe[3156] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007712c5b0 5 bytes JMP 00000000772903c0 .text C:\Windows\system32\svchost.exe[3156] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007712c5c0 5 bytes JMP 0000000077290320 .text C:\Windows\system32\svchost.exe[3156] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007712c630 5 bytes JMP 0000000077290410 .text C:\Windows\system32\svchost.exe[3156] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007712c660 5 bytes JMP 0000000077290230 .text C:\Windows\system32\svchost.exe[3156] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007712c800 5 bytes JMP 00000000772903f0 .text C:\Windows\system32\svchost.exe[3156] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007712c920 5 bytes JMP 00000000772901d0 .text C:\Windows\system32\svchost.exe[3156] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007712c9e0 5 bytes JMP 0000000077290240 .text C:\Windows\system32\svchost.exe[3156] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007712ca10 5 bytes JMP 00000000772904b0 .text C:\Windows\system32\svchost.exe[3156] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007712ca20 5 bytes JMP 00000000772904c0 .text C:\Windows\system32\svchost.exe[3156] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007712ca50 5 bytes JMP 00000000772902f0 .text C:\Windows\system32\svchost.exe[3156] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007712ca60 5 bytes JMP 0000000077290350 .text C:\Windows\system32\svchost.exe[3156] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007712cac0 5 bytes JMP 0000000077290290 .text C:\Windows\system32\svchost.exe[3156] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007712cb10 5 bytes JMP 00000000772902b0 .text C:\Windows\system32\svchost.exe[3156] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007712cb40 5 bytes JMP 0000000077290370 .text C:\Windows\system32\svchost.exe[3156] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007712cb50 5 bytes JMP 0000000077290330 .text C:\Windows\system32\svchost.exe[3156] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007712ce40 5 bytes JMP 0000000077290460 .text C:\Windows\system32\svchost.exe[3156] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 000000007712cfa0 5 bytes JMP 0000000077290420 .text C:\Windows\system32\svchost.exe[3156] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007712d040 5 bytes JMP 0000000077290250 .text C:\Windows\system32\svchost.exe[3156] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007712d050 5 bytes JMP 0000000077290260 .text C:\Windows\system32\svchost.exe[3156] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007712d060 5 bytes JMP 0000000077290400 .text C:\Windows\system32\svchost.exe[3156] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007712d220 5 bytes JMP 00000000772901e0 .text C:\Windows\system32\svchost.exe[3156] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007712d230 5 bytes JMP 0000000077290200 .text C:\Windows\system32\svchost.exe[3156] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007712d2a0 5 bytes JMP 00000000772901f0 .text C:\Windows\system32\svchost.exe[3156] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007712d300 5 bytes JMP 0000000077290430 .text C:\Windows\system32\svchost.exe[3156] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007712d310 5 bytes JMP 0000000077290450 .text C:\Windows\system32\svchost.exe[3156] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007712d320 5 bytes JMP 0000000077290210 .text C:\Windows\system32\svchost.exe[3156] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007712d400 5 bytes JMP 0000000077290270 .text C:\Program Files (x86)\SONY\VAIO Event Service\VESMgrSub.exe[3720] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076a11401 2 bytes JMP 767ab263 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\SONY\VAIO Event Service\VESMgrSub.exe[3720] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000076a11419 2 bytes JMP 767ab38e C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\SONY\VAIO Event Service\VESMgrSub.exe[3720] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000076a11431 2 bytes JMP 768290f1 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\SONY\VAIO Event Service\VESMgrSub.exe[3720] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000076a1144a 2 bytes CALL 767848ad C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\SONY\VAIO Event Service\VESMgrSub.exe[3720] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000076a114dd 2 bytes JMP 768289ea C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\SONY\VAIO Event Service\VESMgrSub.exe[3720] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000076a114f5 2 bytes JMP 76828bc0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\SONY\VAIO Event Service\VESMgrSub.exe[3720] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000076a1150d 2 bytes JMP 768288e0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\SONY\VAIO Event Service\VESMgrSub.exe[3720] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000076a11525 2 bytes JMP 76828caa C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\SONY\VAIO Event Service\VESMgrSub.exe[3720] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000076a1153d 2 bytes JMP 7679fce8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\SONY\VAIO Event Service\VESMgrSub.exe[3720] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000076a11555 2 bytes JMP 767a6937 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\SONY\VAIO Event Service\VESMgrSub.exe[3720] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000076a1156d 2 bytes JMP 768291a9 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\SONY\VAIO Event Service\VESMgrSub.exe[3720] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000076a11585 2 bytes JMP 76828d0a C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\SONY\VAIO Event Service\VESMgrSub.exe[3720] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000076a1159d 2 bytes JMP 768288a4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\SONY\VAIO Event Service\VESMgrSub.exe[3720] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000076a115b5 2 bytes JMP 7679fd81 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\SONY\VAIO Event Service\VESMgrSub.exe[3720] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000076a115cd 2 bytes JMP 767ab324 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\SONY\VAIO Event Service\VESMgrSub.exe[3720] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000076a116b2 2 bytes JMP 7682906c C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\SONY\VAIO Event Service\VESMgrSub.exe[3720] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000076a116bd 2 bytes JMP 76828839 C:\Windows\syswow64\kernel32.dll .text C:\Windows\system32\wbem\wmiprvse.exe[3716] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007712bbe0 5 bytes JMP 0000000077290480 .text C:\Windows\system32\wbem\wmiprvse.exe[3716] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007712bc30 5 bytes JMP 0000000077290470 .text C:\Windows\system32\wbem\wmiprvse.exe[3716] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007712bd90 5 bytes JMP 0000000077290360 .text C:\Windows\system32\wbem\wmiprvse.exe[3716] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007712bde0 5 bytes JMP 0000000077290490 .text C:\Windows\system32\wbem\wmiprvse.exe[3716] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007712bdf0 5 bytes JMP 00000000772903d0 .text C:\Windows\system32\wbem\wmiprvse.exe[3716] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007712bea0 5 bytes JMP 0000000077290310 .text C:\Windows\system32\wbem\wmiprvse.exe[3716] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007712bed0 5 bytes JMP 00000000772903a0 .text C:\Windows\system32\wbem\wmiprvse.exe[3716] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007712bef0 1 byte JMP 0000000077290380 .text C:\Windows\system32\wbem\wmiprvse.exe[3716] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 000000007712bef2 3 bytes {JMP 0x164490} .text C:\Windows\system32\wbem\wmiprvse.exe[3716] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007712bf30 5 bytes JMP 00000000772902d0 .text C:\Windows\system32\wbem\wmiprvse.exe[3716] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007712bfb0 5 bytes JMP 00000000772902c0 .text C:\Windows\system32\wbem\wmiprvse.exe[3716] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007712bfd0 5 bytes JMP 0000000077290300 .text C:\Windows\system32\wbem\wmiprvse.exe[3716] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007712c010 5 bytes JMP 00000000772903b0 .text C:\Windows\system32\wbem\wmiprvse.exe[3716] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007712c050 5 bytes JMP 0000000077290440 .text C:\Windows\system32\wbem\wmiprvse.exe[3716] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007712c060 5 bytes JMP 00000000772903e0 .text C:\Windows\system32\wbem\wmiprvse.exe[3716] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007712c1c0 5 bytes JMP 0000000077290220 .text C:\Windows\system32\wbem\wmiprvse.exe[3716] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007712c380 5 bytes JMP 00000000772904a0 .text C:\Windows\system32\wbem\wmiprvse.exe[3716] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007712c3b0 5 bytes JMP 0000000077290390 .text C:\Windows\system32\wbem\wmiprvse.exe[3716] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007712c490 5 bytes JMP 00000000772902e0 .text C:\Windows\system32\wbem\wmiprvse.exe[3716] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007712c4a0 5 bytes JMP 0000000077290340 .text C:\Windows\system32\wbem\wmiprvse.exe[3716] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007712c500 5 bytes JMP 0000000077290280 .text C:\Windows\system32\wbem\wmiprvse.exe[3716] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007712c590 5 bytes JMP 00000000772902a0 .text C:\Windows\system32\wbem\wmiprvse.exe[3716] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007712c5b0 5 bytes JMP 00000000772903c0 .text C:\Windows\system32\wbem\wmiprvse.exe[3716] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007712c5c0 5 bytes JMP 0000000077290320 .text C:\Windows\system32\wbem\wmiprvse.exe[3716] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007712c630 5 bytes JMP 0000000077290410 .text C:\Windows\system32\wbem\wmiprvse.exe[3716] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007712c660 5 bytes JMP 0000000077290230 .text C:\Windows\system32\wbem\wmiprvse.exe[3716] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007712c800 5 bytes JMP 00000000772903f0 .text C:\Windows\system32\wbem\wmiprvse.exe[3716] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007712c920 5 bytes JMP 00000000772901d0 .text C:\Windows\system32\wbem\wmiprvse.exe[3716] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007712c9e0 5 bytes JMP 0000000077290240 .text C:\Windows\system32\wbem\wmiprvse.exe[3716] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007712ca10 5 bytes JMP 00000000772904b0 .text C:\Windows\system32\wbem\wmiprvse.exe[3716] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007712ca20 5 bytes JMP 00000000772904c0 .text C:\Windows\system32\wbem\wmiprvse.exe[3716] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007712ca50 5 bytes JMP 00000000772902f0 .text C:\Windows\system32\wbem\wmiprvse.exe[3716] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007712ca60 5 bytes JMP 0000000077290350 .text C:\Windows\system32\wbem\wmiprvse.exe[3716] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007712cac0 5 bytes JMP 0000000077290290 .text C:\Windows\system32\wbem\wmiprvse.exe[3716] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007712cb10 5 bytes JMP 00000000772902b0 .text C:\Windows\system32\wbem\wmiprvse.exe[3716] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007712cb40 5 bytes JMP 0000000077290370 .text C:\Windows\system32\wbem\wmiprvse.exe[3716] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007712cb50 5 bytes JMP 0000000077290330 .text C:\Windows\system32\wbem\wmiprvse.exe[3716] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007712ce40 5 bytes JMP 0000000077290460 .text C:\Windows\system32\wbem\wmiprvse.exe[3716] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 000000007712cfa0 5 bytes JMP 0000000077290420 .text C:\Windows\system32\wbem\wmiprvse.exe[3716] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007712d040 5 bytes JMP 0000000077290250 .text C:\Windows\system32\wbem\wmiprvse.exe[3716] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007712d050 5 bytes JMP 0000000077290260 .text C:\Windows\system32\wbem\wmiprvse.exe[3716] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007712d060 5 bytes JMP 0000000077290400 .text C:\Windows\system32\wbem\wmiprvse.exe[3716] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007712d220 5 bytes JMP 00000000772901e0 .text C:\Windows\system32\wbem\wmiprvse.exe[3716] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007712d230 5 bytes JMP 0000000077290200 .text C:\Windows\system32\wbem\wmiprvse.exe[3716] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007712d2a0 5 bytes JMP 00000000772901f0 .text C:\Windows\system32\wbem\wmiprvse.exe[3716] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007712d300 5 bytes JMP 0000000077290430 .text C:\Windows\system32\wbem\wmiprvse.exe[3716] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007712d310 5 bytes JMP 0000000077290450 .text C:\Windows\system32\wbem\wmiprvse.exe[3716] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007712d320 5 bytes JMP 0000000077290210 .text C:\Windows\system32\wbem\wmiprvse.exe[3716] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007712d400 5 bytes JMP 0000000077290270 .text C:\Windows\system32\svchost.exe[4868] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007712bbe0 5 bytes JMP 0000000077290480 .text C:\Windows\system32\svchost.exe[4868] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007712bc30 5 bytes JMP 0000000077290470 .text C:\Windows\system32\svchost.exe[4868] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007712bd90 5 bytes JMP 0000000077290360 .text C:\Windows\system32\svchost.exe[4868] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007712bde0 5 bytes JMP 0000000077290490 .text C:\Windows\system32\svchost.exe[4868] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007712bdf0 5 bytes JMP 00000000772903d0 .text C:\Windows\system32\svchost.exe[4868] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007712bea0 5 bytes JMP 0000000077290310 .text C:\Windows\system32\svchost.exe[4868] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007712bed0 5 bytes JMP 00000000772903a0 .text C:\Windows\system32\svchost.exe[4868] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007712bef0 1 byte JMP 0000000077290380 .text C:\Windows\system32\svchost.exe[4868] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 000000007712bef2 3 bytes {JMP 0x164490} .text C:\Windows\system32\svchost.exe[4868] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007712bf30 5 bytes JMP 00000000772902d0 .text C:\Windows\system32\svchost.exe[4868] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007712bfb0 5 bytes JMP 00000000772902c0 .text C:\Windows\system32\svchost.exe[4868] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007712bfd0 5 bytes JMP 0000000077290300 .text C:\Windows\system32\svchost.exe[4868] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007712c010 5 bytes JMP 00000000772903b0 .text C:\Windows\system32\svchost.exe[4868] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007712c050 5 bytes JMP 0000000077290440 .text C:\Windows\system32\svchost.exe[4868] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007712c060 5 bytes JMP 00000000772903e0 .text C:\Windows\system32\svchost.exe[4868] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007712c1c0 5 bytes JMP 0000000077290220 .text C:\Windows\system32\svchost.exe[4868] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007712c380 5 bytes JMP 00000000772904a0 .text C:\Windows\system32\svchost.exe[4868] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007712c3b0 5 bytes JMP 0000000077290390 .text C:\Windows\system32\svchost.exe[4868] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007712c490 5 bytes JMP 00000000772902e0 .text C:\Windows\system32\svchost.exe[4868] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007712c4a0 5 bytes JMP 0000000077290340 .text C:\Windows\system32\svchost.exe[4868] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007712c500 5 bytes JMP 0000000077290280 .text C:\Windows\system32\svchost.exe[4868] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007712c590 5 bytes JMP 00000000772902a0 .text C:\Windows\system32\svchost.exe[4868] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007712c5b0 5 bytes JMP 00000000772903c0 .text C:\Windows\system32\svchost.exe[4868] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007712c5c0 5 bytes JMP 0000000077290320 .text C:\Windows\system32\svchost.exe[4868] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007712c630 5 bytes JMP 0000000077290410 .text C:\Windows\system32\svchost.exe[4868] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007712c660 5 bytes JMP 0000000077290230 .text C:\Windows\system32\svchost.exe[4868] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007712c800 5 bytes JMP 00000000772903f0 .text C:\Windows\system32\svchost.exe[4868] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007712c920 5 bytes JMP 00000000772901d0 .text C:\Windows\system32\svchost.exe[4868] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007712c9e0 5 bytes JMP 0000000077290240 .text C:\Windows\system32\svchost.exe[4868] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007712ca10 5 bytes JMP 00000000772904b0 .text C:\Windows\system32\svchost.exe[4868] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007712ca20 5 bytes JMP 00000000772904c0 .text C:\Windows\system32\svchost.exe[4868] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007712ca50 5 bytes JMP 00000000772902f0 .text C:\Windows\system32\svchost.exe[4868] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007712ca60 5 bytes JMP 0000000077290350 .text C:\Windows\system32\svchost.exe[4868] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007712cac0 5 bytes JMP 0000000077290290 .text C:\Windows\system32\svchost.exe[4868] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007712cb10 5 bytes JMP 00000000772902b0 .text C:\Windows\system32\svchost.exe[4868] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007712cb40 5 bytes JMP 0000000077290370 .text C:\Windows\system32\svchost.exe[4868] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007712cb50 5 bytes JMP 0000000077290330 .text C:\Windows\system32\svchost.exe[4868] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007712ce40 5 bytes JMP 0000000077290460 .text C:\Windows\system32\svchost.exe[4868] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 000000007712cfa0 5 bytes JMP 0000000077290420 .text C:\Windows\system32\svchost.exe[4868] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007712d040 5 bytes JMP 0000000077290250 .text C:\Windows\system32\svchost.exe[4868] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007712d050 5 bytes JMP 0000000077290260 .text C:\Windows\system32\svchost.exe[4868] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007712d060 5 bytes JMP 0000000077290400 .text C:\Windows\system32\svchost.exe[4868] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007712d220 5 bytes JMP 00000000772901e0 .text C:\Windows\system32\svchost.exe[4868] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007712d230 5 bytes JMP 0000000077290200 .text C:\Windows\system32\svchost.exe[4868] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007712d2a0 5 bytes JMP 00000000772901f0 .text C:\Windows\system32\svchost.exe[4868] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007712d300 5 bytes JMP 0000000077290430 .text C:\Windows\system32\svchost.exe[4868] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007712d310 5 bytes JMP 0000000077290450 .text C:\Windows\system32\svchost.exe[4868] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007712d320 5 bytes JMP 0000000077290210 .text C:\Windows\system32\svchost.exe[4868] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007712d400 5 bytes JMP 0000000077290270 .text C:\Windows\system32\svchost.exe[4944] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007712bbe0 5 bytes JMP 0000000077290480 .text C:\Windows\system32\svchost.exe[4944] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007712bc30 5 bytes JMP 0000000077290470 .text C:\Windows\system32\svchost.exe[4944] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007712bd90 5 bytes JMP 0000000077290360 .text C:\Windows\system32\svchost.exe[4944] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007712bde0 5 bytes JMP 0000000077290490 .text C:\Windows\system32\svchost.exe[4944] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007712bdf0 5 bytes JMP 00000000772903d0 .text C:\Windows\system32\svchost.exe[4944] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007712bea0 5 bytes JMP 0000000077290310 .text C:\Windows\system32\svchost.exe[4944] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007712bed0 5 bytes JMP 00000000772903a0 .text C:\Windows\system32\svchost.exe[4944] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007712bef0 1 byte JMP 0000000077290380 .text C:\Windows\system32\svchost.exe[4944] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 000000007712bef2 3 bytes {JMP 0x164490} .text C:\Windows\system32\svchost.exe[4944] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007712bf30 5 bytes JMP 00000000772902d0 .text C:\Windows\system32\svchost.exe[4944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007712bfb0 5 bytes JMP 00000000772902c0 .text C:\Windows\system32\svchost.exe[4944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007712bfd0 5 bytes JMP 0000000077290300 .text C:\Windows\system32\svchost.exe[4944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007712c010 5 bytes JMP 00000000772903b0 .text C:\Windows\system32\svchost.exe[4944] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007712c050 5 bytes JMP 0000000077290440 .text C:\Windows\system32\svchost.exe[4944] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007712c060 5 bytes JMP 00000000772903e0 .text C:\Windows\system32\svchost.exe[4944] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007712c1c0 5 bytes JMP 0000000077290220 .text C:\Windows\system32\svchost.exe[4944] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007712c380 5 bytes JMP 00000000772904a0 .text C:\Windows\system32\svchost.exe[4944] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007712c3b0 5 bytes JMP 0000000077290390 .text C:\Windows\system32\svchost.exe[4944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007712c490 5 bytes JMP 00000000772902e0 .text C:\Windows\system32\svchost.exe[4944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007712c4a0 5 bytes JMP 0000000077290340 .text C:\Windows\system32\svchost.exe[4944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007712c500 5 bytes JMP 0000000077290280 .text C:\Windows\system32\svchost.exe[4944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007712c590 5 bytes JMP 00000000772902a0 .text C:\Windows\system32\svchost.exe[4944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007712c5b0 5 bytes JMP 00000000772903c0 .text C:\Windows\system32\svchost.exe[4944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007712c5c0 5 bytes JMP 0000000077290320 .text C:\Windows\system32\svchost.exe[4944] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007712c630 5 bytes JMP 0000000077290410 .text C:\Windows\system32\svchost.exe[4944] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007712c660 5 bytes JMP 0000000077290230 .text C:\Windows\system32\svchost.exe[4944] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007712c800 5 bytes JMP 00000000772903f0 .text C:\Windows\system32\svchost.exe[4944] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007712c920 5 bytes JMP 00000000772901d0 .text C:\Windows\system32\svchost.exe[4944] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007712c9e0 5 bytes JMP 0000000077290240 .text C:\Windows\system32\svchost.exe[4944] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007712ca10 5 bytes JMP 00000000772904b0 .text C:\Windows\system32\svchost.exe[4944] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007712ca20 5 bytes JMP 00000000772904c0 .text C:\Windows\system32\svchost.exe[4944] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007712ca50 5 bytes JMP 00000000772902f0 .text C:\Windows\system32\svchost.exe[4944] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007712ca60 5 bytes JMP 0000000077290350 .text C:\Windows\system32\svchost.exe[4944] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007712cac0 5 bytes JMP 0000000077290290 .text C:\Windows\system32\svchost.exe[4944] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007712cb10 5 bytes JMP 00000000772902b0 .text C:\Windows\system32\svchost.exe[4944] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007712cb40 5 bytes JMP 0000000077290370 .text C:\Windows\system32\svchost.exe[4944] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007712cb50 5 bytes JMP 0000000077290330 .text C:\Windows\system32\svchost.exe[4944] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007712ce40 5 bytes JMP 0000000077290460 .text C:\Windows\system32\svchost.exe[4944] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 000000007712cfa0 5 bytes JMP 0000000077290420 .text C:\Windows\system32\svchost.exe[4944] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007712d040 5 bytes JMP 0000000077290250 .text C:\Windows\system32\svchost.exe[4944] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007712d050 5 bytes JMP 0000000077290260 .text C:\Windows\system32\svchost.exe[4944] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007712d060 5 bytes JMP 0000000077290400 .text C:\Windows\system32\svchost.exe[4944] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007712d220 5 bytes JMP 00000000772901e0 .text C:\Windows\system32\svchost.exe[4944] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007712d230 5 bytes JMP 0000000077290200 .text C:\Windows\system32\svchost.exe[4944] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007712d2a0 5 bytes JMP 00000000772901f0 .text C:\Windows\system32\svchost.exe[4944] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007712d300 5 bytes JMP 0000000077290430 .text C:\Windows\system32\svchost.exe[4944] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007712d310 5 bytes JMP 0000000077290450 .text C:\Windows\system32\svchost.exe[4944] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007712d320 5 bytes JMP 0000000077290210 .text C:\Windows\system32\svchost.exe[4944] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007712d400 5 bytes JMP 0000000077290270 .text C:\Windows\System32\svchost.exe[3216] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007712bbe0 5 bytes JMP 0000000000070480 .text C:\Windows\System32\svchost.exe[3216] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007712bc30 5 bytes JMP 0000000000070470 .text C:\Windows\System32\svchost.exe[3216] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007712bd90 5 bytes JMP 0000000000070360 .text C:\Windows\System32\svchost.exe[3216] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007712bde0 5 bytes JMP 0000000000070490 .text C:\Windows\System32\svchost.exe[3216] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007712bdf0 5 bytes JMP 00000000000703d0 .text C:\Windows\System32\svchost.exe[3216] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007712bea0 5 bytes JMP 0000000000070310 .text C:\Windows\System32\svchost.exe[3216] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007712bed0 5 bytes JMP 00000000000703a0 .text C:\Windows\System32\svchost.exe[3216] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007712bef0 1 byte JMP 0000000000070380 .text C:\Windows\System32\svchost.exe[3216] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 000000007712bef2 3 bytes {JMP 0xffffffff88f44490} .text C:\Windows\System32\svchost.exe[3216] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007712bf30 5 bytes JMP 00000000000702d0 .text C:\Windows\System32\svchost.exe[3216] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007712bfb0 5 bytes JMP 00000000000702c0 .text C:\Windows\System32\svchost.exe[3216] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007712bfd0 5 bytes JMP 0000000000070300 .text C:\Windows\System32\svchost.exe[3216] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007712c010 5 bytes JMP 00000000000703b0 .text C:\Windows\System32\svchost.exe[3216] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007712c050 5 bytes JMP 0000000000070440 .text C:\Windows\System32\svchost.exe[3216] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007712c060 5 bytes JMP 00000000000703e0 .text C:\Windows\System32\svchost.exe[3216] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007712c1c0 5 bytes JMP 0000000000070220 .text C:\Windows\System32\svchost.exe[3216] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007712c380 5 bytes JMP 00000000000704a0 .text C:\Windows\System32\svchost.exe[3216] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007712c3b0 5 bytes JMP 0000000000070390 .text C:\Windows\System32\svchost.exe[3216] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007712c490 5 bytes JMP 00000000000702e0 .text C:\Windows\System32\svchost.exe[3216] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007712c4a0 5 bytes JMP 0000000000070340 .text C:\Windows\System32\svchost.exe[3216] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007712c500 5 bytes JMP 0000000000070280 .text C:\Windows\System32\svchost.exe[3216] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007712c590 5 bytes JMP 00000000000702a0 .text C:\Windows\System32\svchost.exe[3216] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007712c5b0 5 bytes JMP 00000000000703c0 .text C:\Windows\System32\svchost.exe[3216] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007712c5c0 5 bytes JMP 0000000000070320 .text C:\Windows\System32\svchost.exe[3216] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007712c630 5 bytes JMP 0000000000070410 .text C:\Windows\System32\svchost.exe[3216] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007712c660 5 bytes JMP 0000000000070230 .text C:\Windows\System32\svchost.exe[3216] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007712c800 5 bytes JMP 00000000000703f0 .text C:\Windows\System32\svchost.exe[3216] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007712c920 5 bytes JMP 00000000000701d0 .text C:\Windows\System32\svchost.exe[3216] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007712c9e0 5 bytes JMP 0000000000070240 .text C:\Windows\System32\svchost.exe[3216] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007712ca10 5 bytes JMP 00000000000704b0 .text C:\Windows\System32\svchost.exe[3216] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007712ca20 5 bytes JMP 00000000000704c0 .text C:\Windows\System32\svchost.exe[3216] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007712ca50 5 bytes JMP 00000000000702f0 .text C:\Windows\System32\svchost.exe[3216] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007712ca60 5 bytes JMP 0000000000070350 .text C:\Windows\System32\svchost.exe[3216] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007712cac0 5 bytes JMP 0000000000070290 .text C:\Windows\System32\svchost.exe[3216] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007712cb10 5 bytes JMP 00000000000702b0 .text C:\Windows\System32\svchost.exe[3216] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007712cb40 5 bytes JMP 0000000000070370 .text C:\Windows\System32\svchost.exe[3216] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007712cb50 5 bytes JMP 0000000000070330 .text C:\Windows\System32\svchost.exe[3216] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007712ce40 5 bytes JMP 0000000000070460 .text C:\Windows\System32\svchost.exe[3216] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 000000007712cfa0 5 bytes JMP 0000000000070420 .text C:\Windows\System32\svchost.exe[3216] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007712d040 5 bytes JMP 0000000000070250 .text C:\Windows\System32\svchost.exe[3216] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007712d050 5 bytes JMP 0000000000070260 .text C:\Windows\System32\svchost.exe[3216] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007712d060 5 bytes JMP 0000000000070400 .text C:\Windows\System32\svchost.exe[3216] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007712d220 5 bytes JMP 00000000000701e0 .text C:\Windows\System32\svchost.exe[3216] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007712d230 5 bytes JMP 0000000000070200 .text C:\Windows\System32\svchost.exe[3216] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007712d2a0 5 bytes JMP 00000000000701f0 .text C:\Windows\System32\svchost.exe[3216] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007712d300 5 bytes JMP 0000000000070430 .text C:\Windows\System32\svchost.exe[3216] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007712d310 5 bytes JMP 0000000000070450 .text C:\Windows\System32\svchost.exe[3216] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007712d320 5 bytes JMP 0000000000070210 .text C:\Windows\System32\svchost.exe[3216] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007712d400 5 bytes JMP 0000000000070270 ---- Registry - GMER 2.2 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters\Instup_14748030817712280@SetupOperations ????s9????4??????????????????????????????????&???????????????????????????v???&??????????????????????????????? ???????????????? ??????????? ?B???????????Sterownik magistrali transportu/protoko?u SBP-2?4-??? ???????A???????????????????? ?@? ?????????????????????????????? ???????@???????????????????? ?????????????? ??????????????????????????????????????????????????????????? ??????????????????Stacja dysk?w???? ??????????????????6.1.7601.19133???????????????????????????@??????????????????? ??????????????????? ??????????????????6-21-2006???????1???????????????12-10-2007??te??????????????????????DiskDrive?????*?????????????oem10.inf???????????????????????????????hid_device_up:000c_u:0001???? \????????????ta ??.NTAMD64?\???????????????????????????????????????????g??????????????????????????????????? ??????????????????????????volsnap.inf?????????? ?????????????????????0????????????&?????????????????????????N????????????D?????k??????????{eec5ad98-8080-425f-922a-dabf3de3f69a}\0002?????? ???_???d??????????????????????? V Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters\Instup_14748031483842280@SetupOperations ???? f????????????????`?@machine.inf,%*pnp0a03.devicedesc%;PCI bus?en_??????8????,????????????????????????????????????????????????H?@machine.inf,%intel_mfg%;Intel???????????????????????????j???????????????????????-?????????? NOEXECUTE=OPTIN?CUTE=OPTIN DEBUG DEBUGPORT=COM1 BAUDRATE=115200??????????????????????????????????????????????????????????????????????????????,???????????o???????????????????t??????????????4????.??????????????????????????iv??? ?????????????????????,??????????/?&????????????????????3??aswSP???????1????r???????s??? ??1????t????????????????????H??????,??????????? ?????????????????????0????????*???????????@cdrom.inf,%gencdrom_devdesc%;Stacja dysk?w CD-ROM??????? ?????????????????????-????????????&???????????????????????? ?????????????????????-??????????????????????:?????????????????????????????????????Port_#0006.Hub_#0004?_??????????????????????????????oem12.inf???????????????????????????????? *??????f??????????????midi4???????????????????USBSTOR\Disk?USBSTOR\RAW?????????????????k???j????? Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\0c6076a27b10 Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\f07bcbe85f83 Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\f07bcbe85f83@ccfe3c737856 0x50 0x6C 0xF6 0xAC ... Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters\Instup_14748030817712280@SetupOperations ????????disk????? ???????B???????????S??????????P???$?????????????????????????N??S????????D?????{4D36E967-E325-11CE-BFC1-08002BE10318}???????? ??S???????e???S?S?S????P??S???????????d??disk.inf_amd64_neutral_4d9acdeddbcdfd89?????disk????? ???????B???????????S??????????P???$?????????????????????????N??S????????D?????{4D36E967-E325-11CE-BFC1-08002BE10318}???????? ??S???????e???S?S?S????P??S???????????d??disk.inf_amd64_neutral_4d9acdeddbcdfd89??????S?S?S??? ???????B???????????S??????????X?????????????????????N??S???4????Dral??{4D36E980-E325-11CE-BFC1-08002BE10318}?-BF???????S???2???e??sfloppy??&????X??S???0???????d??flpydisk.inf_amd64_neutral_f54222cc59267e1e?.i??vhdmp???? ???????B???????????S??????????R???/????????????????????????a????N??S???0????D?????{4D36E97B-E325-11CE-BFC1-08002BE10318}???????????S???????e???S?S?S????R??S???-???????d??vhdmp.inf_amd64_neutral_c3910bbf4fbccf97?d??????????? ?????????????T?????????????????? ?????????????? ???????S?????S???????????????????? ???????n????T?T?T??? ???????S?????S??? Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters\Instup_14748031483842280@SetupOperations ????????????????????????????????????????? ???????????????????|?0????????????????????usb\composite???????????????????????@netvwifimp.inf,%msft%;Microsoft????????????????????????????????{5d624f94-8850-40c3-a3fa-a4fd2080baf3}\vwifimp??????@usbstor.inf,%genericbulkonly.devicedesc%;Urz?dzenie pami?ci masowej USB????? ?????????????????????-????????????????????? ?????????????????????-????????????????????????????????????????????????????????????????????????? ????????????????????N????????????D????????????????? ???????????????????s?0????????????????????????????????????? ???????????????? ????,??"????????????????????????????????????????????????????????????s????? ?????????????????????,?????????????????f??? ???????1???????????????????&??? ?????????????????????,??F?????????