GMER 2.2.19882 - http://www.gmer.net Rootkit scan 2017-01-05 10:18:07 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 ST500LM0 rev.2AR1 465,76GB Running: k0cyn52d.exe; Driver: C:\Users\Marcin\AppData\Local\Temp\kfldapob.sys ---- Kernel code sections - GMER 2.2 ---- .text C:\windows\System32\win32k.sys!EngSetLastError + 608 fffff960000c5870 8 bytes [F4, C1, 49, 04, 80, F8, FF, ...] .text C:\windows\System32\win32k.sys!W32pServiceTable fffff960000f5000 7 bytes [C0, 82, F3, FF, C1, 91, F0] .text C:\windows\System32\win32k.sys!W32pServiceTable + 8 fffff960000f5008 3 bytes [C0, 06, 02] ---- User code sections - GMER 2.2 ---- .text C:\windows\system32\csrss.exe[484] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007714da60 5 bytes JMP 0000000049c70480 .text C:\windows\system32\csrss.exe[484] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007714dab0 5 bytes JMP 0000000049c70470 .text C:\windows\system32\csrss.exe[484] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007714dc10 5 bytes JMP 0000000049c70360 .text C:\windows\system32\csrss.exe[484] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007714dc60 5 bytes JMP 0000000049c70490 .text C:\windows\system32\csrss.exe[484] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007714dc70 5 bytes JMP 0000000049c703d0 .text C:\windows\system32\csrss.exe[484] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007714dd20 5 bytes JMP 0000000049c70310 .text C:\windows\system32\csrss.exe[484] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007714dd50 5 bytes JMP 0000000049c703a0 .text C:\windows\system32\csrss.exe[484] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007714dd70 5 bytes JMP 0000000049c70380 .text C:\windows\system32\csrss.exe[484] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007714ddb0 5 bytes JMP 0000000049c702d0 .text C:\windows\system32\csrss.exe[484] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007714de30 1 byte JMP 0000000049c702c0 .text C:\windows\system32\csrss.exe[484] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 000000007714de32 3 bytes {JMP 0xffffffffd2b22490} .text C:\windows\system32\csrss.exe[484] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007714de50 5 bytes JMP 0000000049c70300 .text C:\windows\system32\csrss.exe[484] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007714de90 5 bytes JMP 0000000049c703b0 .text C:\windows\system32\csrss.exe[484] C:\windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007714ded0 5 bytes JMP 0000000049c70440 .text C:\windows\system32\csrss.exe[484] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007714dee0 5 bytes JMP 0000000049c703e0 .text C:\windows\system32\csrss.exe[484] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007714e040 5 bytes JMP 0000000049c70220 .text C:\windows\system32\csrss.exe[484] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007714e200 5 bytes JMP 0000000049c704a0 .text C:\windows\system32\csrss.exe[484] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007714e230 5 bytes JMP 0000000049c70390 .text C:\windows\system32\csrss.exe[484] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007714e310 5 bytes JMP 0000000049c702e0 .text C:\windows\system32\csrss.exe[484] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007714e320 5 bytes JMP 0000000049c70340 .text C:\windows\system32\csrss.exe[484] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007714e380 5 bytes JMP 0000000049c70280 .text C:\windows\system32\csrss.exe[484] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007714e410 1 byte JMP 0000000049c702a0 .text C:\windows\system32\csrss.exe[484] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 000000007714e412 3 bytes {JMP 0xffffffffd2b21e90} .text C:\windows\system32\csrss.exe[484] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007714e430 1 byte JMP 0000000049c703c0 .text C:\windows\system32\csrss.exe[484] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 000000007714e432 3 bytes {JMP 0xffffffffd2b21f90} .text C:\windows\system32\csrss.exe[484] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007714e440 5 bytes JMP 0000000049c70320 .text C:\windows\system32\csrss.exe[484] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007714e4b0 5 bytes JMP 0000000049c70410 .text C:\windows\system32\csrss.exe[484] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007714e4e0 5 bytes JMP 0000000049c70230 .text C:\windows\system32\csrss.exe[484] C:\windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007714e680 5 bytes JMP 0000000049c703f0 .text C:\windows\system32\csrss.exe[484] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007714e7a0 5 bytes JMP 0000000049c701d0 .text C:\windows\system32\csrss.exe[484] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007714e860 5 bytes JMP 0000000049c70240 .text C:\windows\system32\csrss.exe[484] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007714e890 5 bytes JMP 0000000049c704b0 .text C:\windows\system32\csrss.exe[484] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007714e8a0 5 bytes JMP 0000000049c704c0 .text C:\windows\system32\csrss.exe[484] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007714e8d0 5 bytes JMP 0000000049c702f0 .text C:\windows\system32\csrss.exe[484] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007714e8e0 5 bytes JMP 0000000049c70350 .text C:\windows\system32\csrss.exe[484] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007714e940 5 bytes JMP 0000000049c70290 .text C:\windows\system32\csrss.exe[484] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007714e990 5 bytes JMP 0000000049c702b0 .text C:\windows\system32\csrss.exe[484] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007714e9c0 5 bytes JMP 0000000049c70370 .text C:\windows\system32\csrss.exe[484] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007714e9d0 5 bytes JMP 0000000049c70330 .text C:\windows\system32\csrss.exe[484] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007714ecc0 5 bytes JMP 0000000049c70460 .text C:\windows\system32\csrss.exe[484] C:\windows\SYSTEM32\ntdll.dll!NtResumeProcess 000000007714ee20 5 bytes JMP 0000000049c70420 .text C:\windows\system32\csrss.exe[484] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007714eec0 1 byte JMP 0000000049c70250 .text C:\windows\system32\csrss.exe[484] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 000000007714eec2 3 bytes {JMP 0xffffffffd2b21390} .text C:\windows\system32\csrss.exe[484] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007714eed0 1 byte JMP 0000000049c70260 .text C:\windows\system32\csrss.exe[484] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 000000007714eed2 3 bytes {JMP 0xffffffffd2b21390} .text C:\windows\system32\csrss.exe[484] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007714eee0 5 bytes JMP 0000000049c70400 .text C:\windows\system32\csrss.exe[484] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007714f0a0 5 bytes JMP 0000000049c701e0 .text C:\windows\system32\csrss.exe[484] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007714f0b0 5 bytes JMP 0000000049c70200 .text C:\windows\system32\csrss.exe[484] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007714f120 5 bytes JMP 0000000049c701f0 .text C:\windows\system32\csrss.exe[484] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007714f180 5 bytes JMP 0000000049c70430 .text C:\windows\system32\csrss.exe[484] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007714f190 5 bytes JMP 0000000049c70450 .text C:\windows\system32\csrss.exe[484] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007714f1a0 5 bytes JMP 0000000049c70210 .text C:\windows\system32\csrss.exe[484] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007714f280 5 bytes JMP 0000000049c70270 .text C:\windows\system32\csrss.exe[572] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007714da60 5 bytes JMP 0000000049c70480 .text C:\windows\system32\csrss.exe[572] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007714dab0 5 bytes JMP 0000000049c70470 .text C:\windows\system32\csrss.exe[572] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007714dc10 5 bytes JMP 0000000049c70360 .text C:\windows\system32\csrss.exe[572] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007714dc60 5 bytes JMP 0000000049c70490 .text C:\windows\system32\csrss.exe[572] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007714dc70 5 bytes JMP 0000000049c703d0 .text C:\windows\system32\csrss.exe[572] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007714dd20 5 bytes JMP 0000000049c70310 .text C:\windows\system32\csrss.exe[572] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007714dd50 5 bytes JMP 0000000049c703a0 .text C:\windows\system32\csrss.exe[572] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007714dd70 5 bytes JMP 0000000049c70380 .text C:\windows\system32\csrss.exe[572] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007714ddb0 5 bytes JMP 0000000049c702d0 .text C:\windows\system32\csrss.exe[572] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007714de30 1 byte JMP 0000000049c702c0 .text C:\windows\system32\csrss.exe[572] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 000000007714de32 3 bytes {JMP 0xffffffffd2b22490} .text C:\windows\system32\csrss.exe[572] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007714de50 5 bytes JMP 0000000049c70300 .text C:\windows\system32\csrss.exe[572] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007714de90 5 bytes JMP 0000000049c703b0 .text C:\windows\system32\csrss.exe[572] C:\windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007714ded0 5 bytes JMP 0000000049c70440 .text C:\windows\system32\csrss.exe[572] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007714dee0 5 bytes JMP 0000000049c703e0 .text C:\windows\system32\csrss.exe[572] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007714e040 5 bytes JMP 0000000049c70220 .text C:\windows\system32\csrss.exe[572] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007714e200 5 bytes JMP 0000000049c704a0 .text C:\windows\system32\csrss.exe[572] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007714e230 5 bytes JMP 0000000049c70390 .text C:\windows\system32\csrss.exe[572] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007714e310 5 bytes JMP 0000000049c702e0 .text C:\windows\system32\csrss.exe[572] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007714e320 5 bytes JMP 0000000049c70340 .text C:\windows\system32\csrss.exe[572] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007714e380 5 bytes JMP 0000000049c70280 .text C:\windows\system32\csrss.exe[572] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007714e410 1 byte JMP 0000000049c702a0 .text C:\windows\system32\csrss.exe[572] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 000000007714e412 3 bytes {JMP 0xffffffffd2b21e90} .text C:\windows\system32\csrss.exe[572] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007714e430 1 byte JMP 0000000049c703c0 .text C:\windows\system32\csrss.exe[572] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 000000007714e432 3 bytes {JMP 0xffffffffd2b21f90} .text C:\windows\system32\csrss.exe[572] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007714e440 5 bytes JMP 0000000049c70320 .text C:\windows\system32\csrss.exe[572] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007714e4b0 5 bytes JMP 0000000049c70410 .text C:\windows\system32\csrss.exe[572] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007714e4e0 5 bytes JMP 0000000049c70230 .text C:\windows\system32\csrss.exe[572] C:\windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007714e680 5 bytes JMP 0000000049c703f0 .text C:\windows\system32\csrss.exe[572] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007714e7a0 5 bytes JMP 0000000049c701d0 .text C:\windows\system32\csrss.exe[572] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007714e860 5 bytes JMP 0000000049c70240 .text C:\windows\system32\csrss.exe[572] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007714e890 5 bytes JMP 0000000049c704b0 .text C:\windows\system32\csrss.exe[572] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007714e8a0 5 bytes JMP 0000000049c704c0 .text C:\windows\system32\csrss.exe[572] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007714e8d0 5 bytes JMP 0000000049c702f0 .text C:\windows\system32\csrss.exe[572] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007714e8e0 5 bytes JMP 0000000049c70350 .text C:\windows\system32\csrss.exe[572] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007714e940 5 bytes JMP 0000000049c70290 .text C:\windows\system32\csrss.exe[572] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007714e990 5 bytes JMP 0000000049c702b0 .text C:\windows\system32\csrss.exe[572] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007714e9c0 5 bytes JMP 0000000049c70370 .text C:\windows\system32\csrss.exe[572] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007714e9d0 5 bytes JMP 0000000049c70330 .text C:\windows\system32\csrss.exe[572] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007714ecc0 5 bytes JMP 0000000049c70460 .text C:\windows\system32\csrss.exe[572] C:\windows\SYSTEM32\ntdll.dll!NtResumeProcess 000000007714ee20 5 bytes JMP 0000000049c70420 .text C:\windows\system32\csrss.exe[572] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007714eec0 1 byte JMP 0000000049c70250 .text C:\windows\system32\csrss.exe[572] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 000000007714eec2 3 bytes {JMP 0xffffffffd2b21390} .text C:\windows\system32\csrss.exe[572] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007714eed0 1 byte JMP 0000000049c70260 .text C:\windows\system32\csrss.exe[572] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 000000007714eed2 3 bytes {JMP 0xffffffffd2b21390} .text C:\windows\system32\csrss.exe[572] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007714eee0 5 bytes JMP 0000000049c70400 .text C:\windows\system32\csrss.exe[572] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007714f0a0 5 bytes JMP 0000000049c701e0 .text C:\windows\system32\csrss.exe[572] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007714f0b0 5 bytes JMP 0000000049c70200 .text C:\windows\system32\csrss.exe[572] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007714f120 5 bytes JMP 0000000049c701f0 .text C:\windows\system32\csrss.exe[572] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007714f180 5 bytes JMP 0000000049c70430 .text C:\windows\system32\csrss.exe[572] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007714f190 5 bytes JMP 0000000049c70450 .text C:\windows\system32\csrss.exe[572] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007714f1a0 5 bytes JMP 0000000049c70210 .text C:\windows\system32\csrss.exe[572] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007714f280 5 bytes JMP 0000000049c70270 .text C:\windows\system32\lsass.exe[672] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007714da60 5 bytes JMP 00000000772b0480 .text C:\windows\system32\lsass.exe[672] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007714dab0 5 bytes JMP 00000000772b0470 .text C:\windows\system32\lsass.exe[672] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007714dc10 5 bytes JMP 00000000772b0360 .text C:\windows\system32\lsass.exe[672] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007714dc60 5 bytes JMP 00000000772b0490 .text C:\windows\system32\lsass.exe[672] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007714dc70 5 bytes JMP 00000000772b03d0 .text C:\windows\system32\lsass.exe[672] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007714dd20 5 bytes JMP 00000000772b0310 .text C:\windows\system32\lsass.exe[672] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007714dd50 5 bytes JMP 00000000772b03a0 .text C:\windows\system32\lsass.exe[672] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007714dd70 5 bytes JMP 00000000772b0380 .text C:\windows\system32\lsass.exe[672] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007714ddb0 5 bytes JMP 00000000772b02d0 .text C:\windows\system32\lsass.exe[672] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007714de30 1 byte JMP 00000000772b02c0 .text C:\windows\system32\lsass.exe[672] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 000000007714de32 3 bytes {JMP 0x162490} .text C:\windows\system32\lsass.exe[672] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007714de50 5 bytes JMP 00000000772b0300 .text C:\windows\system32\lsass.exe[672] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007714de90 5 bytes JMP 00000000772b03b0 .text C:\windows\system32\lsass.exe[672] C:\windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007714ded0 5 bytes JMP 00000000772b0440 .text C:\windows\system32\lsass.exe[672] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007714dee0 5 bytes JMP 00000000772b03e0 .text C:\windows\system32\lsass.exe[672] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007714e040 5 bytes JMP 00000000772b0220 .text C:\windows\system32\lsass.exe[672] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007714e200 5 bytes JMP 00000000772b04a0 .text C:\windows\system32\lsass.exe[672] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007714e230 5 bytes JMP 00000000772b0390 .text C:\windows\system32\lsass.exe[672] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007714e310 5 bytes JMP 00000000772b02e0 .text C:\windows\system32\lsass.exe[672] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007714e320 5 bytes JMP 00000000772b0340 .text C:\windows\system32\lsass.exe[672] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007714e380 5 bytes JMP 00000000772b0280 .text C:\windows\system32\lsass.exe[672] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007714e410 1 byte JMP 00000000772b02a0 .text C:\windows\system32\lsass.exe[672] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 000000007714e412 3 bytes {JMP 0x161e90} .text C:\windows\system32\lsass.exe[672] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007714e430 1 byte JMP 00000000772b03c0 .text C:\windows\system32\lsass.exe[672] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 000000007714e432 3 bytes {JMP 0x161f90} .text C:\windows\system32\lsass.exe[672] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007714e440 5 bytes JMP 00000000772b0320 .text C:\windows\system32\lsass.exe[672] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007714e4b0 5 bytes JMP 00000000772b0410 .text C:\windows\system32\lsass.exe[672] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007714e4e0 5 bytes JMP 00000000772b0230 .text C:\windows\system32\lsass.exe[672] C:\windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007714e680 5 bytes JMP 00000000772b03f0 .text C:\windows\system32\lsass.exe[672] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007714e7a0 5 bytes JMP 00000000772b01d0 .text C:\windows\system32\lsass.exe[672] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007714e860 5 bytes JMP 00000000772b0240 .text C:\windows\system32\lsass.exe[672] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007714e890 5 bytes JMP 00000000772b04b0 .text C:\windows\system32\lsass.exe[672] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007714e8a0 5 bytes JMP 00000000772b04c0 .text C:\windows\system32\lsass.exe[672] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007714e8d0 5 bytes JMP 00000000772b02f0 .text C:\windows\system32\lsass.exe[672] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007714e8e0 5 bytes JMP 00000000772b0350 .text C:\windows\system32\lsass.exe[672] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007714e940 5 bytes JMP 00000000772b0290 .text C:\windows\system32\lsass.exe[672] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007714e990 5 bytes JMP 00000000772b02b0 .text C:\windows\system32\lsass.exe[672] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007714e9c0 5 bytes JMP 00000000772b0370 .text C:\windows\system32\lsass.exe[672] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007714e9d0 5 bytes JMP 00000000772b0330 .text C:\windows\system32\lsass.exe[672] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007714ecc0 5 bytes JMP 00000000772b0460 .text C:\windows\system32\lsass.exe[672] C:\windows\SYSTEM32\ntdll.dll!NtResumeProcess 000000007714ee20 5 bytes JMP 00000000772b0420 .text C:\windows\system32\lsass.exe[672] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007714eec0 1 byte JMP 00000000772b0250 .text C:\windows\system32\lsass.exe[672] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 000000007714eec2 3 bytes {JMP 0x161390} .text C:\windows\system32\lsass.exe[672] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007714eed0 1 byte JMP 00000000772b0260 .text C:\windows\system32\lsass.exe[672] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 000000007714eed2 3 bytes {JMP 0x161390} .text C:\windows\system32\lsass.exe[672] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007714eee0 5 bytes JMP 00000000772b0400 .text C:\windows\system32\lsass.exe[672] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007714f0a0 5 bytes JMP 00000000772b01e0 .text C:\windows\system32\lsass.exe[672] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007714f0b0 5 bytes JMP 00000000772b0200 .text C:\windows\system32\lsass.exe[672] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007714f120 5 bytes JMP 00000000772b01f0 .text C:\windows\system32\lsass.exe[672] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007714f180 5 bytes JMP 00000000772b0430 .text C:\windows\system32\lsass.exe[672] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007714f190 5 bytes JMP 00000000772b0450 .text C:\windows\system32\lsass.exe[672] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007714f1a0 5 bytes JMP 00000000772b0210 .text C:\windows\system32\lsass.exe[672] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007714f280 5 bytes JMP 00000000772b0270 .text C:\windows\system32\lsm.exe[680] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007714da60 5 bytes JMP 00000000772b0480 .text C:\windows\system32\lsm.exe[680] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007714dab0 5 bytes JMP 00000000772b0470 .text C:\windows\system32\lsm.exe[680] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007714dc10 5 bytes JMP 00000000772b0360 .text C:\windows\system32\lsm.exe[680] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007714dc60 5 bytes JMP 00000000772b0490 .text C:\windows\system32\lsm.exe[680] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007714dc70 5 bytes JMP 00000000772b03d0 .text C:\windows\system32\lsm.exe[680] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007714dd20 5 bytes JMP 00000000772b0310 .text C:\windows\system32\lsm.exe[680] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007714dd50 5 bytes JMP 00000000772b03a0 .text C:\windows\system32\lsm.exe[680] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007714dd70 5 bytes JMP 00000000772b0380 .text C:\windows\system32\lsm.exe[680] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007714ddb0 5 bytes JMP 00000000772b02d0 .text C:\windows\system32\lsm.exe[680] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007714de30 1 byte JMP 00000000772b02c0 .text C:\windows\system32\lsm.exe[680] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 000000007714de32 3 bytes {JMP 0x162490} .text C:\windows\system32\lsm.exe[680] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007714de50 5 bytes JMP 00000000772b0300 .text C:\windows\system32\lsm.exe[680] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007714de90 5 bytes JMP 00000000772b03b0 .text C:\windows\system32\lsm.exe[680] C:\windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007714ded0 5 bytes JMP 00000000772b0440 .text C:\windows\system32\lsm.exe[680] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007714dee0 5 bytes JMP 00000000772b03e0 .text C:\windows\system32\lsm.exe[680] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007714e040 5 bytes JMP 00000000772b0220 .text C:\windows\system32\lsm.exe[680] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007714e200 5 bytes JMP 00000000772b04a0 .text C:\windows\system32\lsm.exe[680] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007714e230 5 bytes JMP 00000000772b0390 .text C:\windows\system32\lsm.exe[680] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007714e310 5 bytes JMP 00000000772b02e0 .text C:\windows\system32\lsm.exe[680] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007714e320 5 bytes JMP 00000000772b0340 .text C:\windows\system32\lsm.exe[680] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007714e380 5 bytes JMP 00000000772b0280 .text C:\windows\system32\lsm.exe[680] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007714e410 1 byte JMP 00000000772b02a0 .text C:\windows\system32\lsm.exe[680] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 000000007714e412 3 bytes {JMP 0x161e90} .text C:\windows\system32\lsm.exe[680] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007714e430 1 byte JMP 00000000772b03c0 .text C:\windows\system32\lsm.exe[680] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 000000007714e432 3 bytes {JMP 0x161f90} .text C:\windows\system32\lsm.exe[680] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007714e440 5 bytes JMP 00000000772b0320 .text C:\windows\system32\lsm.exe[680] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007714e4b0 5 bytes JMP 00000000772b0410 .text C:\windows\system32\lsm.exe[680] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007714e4e0 5 bytes JMP 00000000772b0230 .text C:\windows\system32\lsm.exe[680] C:\windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007714e680 5 bytes JMP 00000000772b03f0 .text C:\windows\system32\lsm.exe[680] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007714e7a0 5 bytes JMP 00000000772b01d0 .text C:\windows\system32\lsm.exe[680] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007714e860 5 bytes JMP 00000000772b0240 .text C:\windows\system32\lsm.exe[680] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007714e890 5 bytes JMP 00000000772b04b0 .text C:\windows\system32\lsm.exe[680] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007714e8a0 5 bytes JMP 00000000772b04c0 .text C:\windows\system32\lsm.exe[680] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007714e8d0 5 bytes JMP 00000000772b02f0 .text C:\windows\system32\lsm.exe[680] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007714e8e0 5 bytes JMP 00000000772b0350 .text C:\windows\system32\lsm.exe[680] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007714e940 5 bytes JMP 00000000772b0290 .text C:\windows\system32\lsm.exe[680] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007714e990 5 bytes JMP 00000000772b02b0 .text C:\windows\system32\lsm.exe[680] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007714e9c0 5 bytes JMP 00000000772b0370 .text C:\windows\system32\lsm.exe[680] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007714e9d0 5 bytes JMP 00000000772b0330 .text C:\windows\system32\lsm.exe[680] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007714ecc0 5 bytes JMP 00000000772b0460 .text C:\windows\system32\lsm.exe[680] C:\windows\SYSTEM32\ntdll.dll!NtResumeProcess 000000007714ee20 5 bytes JMP 00000000772b0420 .text C:\windows\system32\lsm.exe[680] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007714eec0 1 byte JMP 00000000772b0250 .text C:\windows\system32\lsm.exe[680] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 000000007714eec2 3 bytes {JMP 0x161390} .text C:\windows\system32\lsm.exe[680] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007714eed0 1 byte JMP 00000000772b0260 .text C:\windows\system32\lsm.exe[680] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 000000007714eed2 3 bytes {JMP 0x161390} .text C:\windows\system32\lsm.exe[680] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007714eee0 5 bytes JMP 00000000772b0400 .text C:\windows\system32\lsm.exe[680] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007714f0a0 5 bytes JMP 00000000772b01e0 .text C:\windows\system32\lsm.exe[680] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007714f0b0 5 bytes JMP 00000000772b0200 .text C:\windows\system32\lsm.exe[680] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007714f120 5 bytes JMP 00000000772b01f0 .text C:\windows\system32\lsm.exe[680] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007714f180 5 bytes JMP 00000000772b0430 .text C:\windows\system32\lsm.exe[680] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007714f190 5 bytes JMP 00000000772b0450 .text C:\windows\system32\lsm.exe[680] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007714f1a0 5 bytes JMP 00000000772b0210 .text C:\windows\system32\lsm.exe[680] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007714f280 5 bytes JMP 00000000772b0270 .text C:\windows\system32\svchost.exe[780] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007714da60 5 bytes JMP 00000000772b0480 .text C:\windows\system32\svchost.exe[780] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007714dab0 5 bytes JMP 00000000772b0470 .text C:\windows\system32\svchost.exe[780] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007714dc10 5 bytes JMP 00000000772b0360 .text C:\windows\system32\svchost.exe[780] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007714dc60 5 bytes JMP 00000000772b0490 .text C:\windows\system32\svchost.exe[780] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007714dc70 5 bytes JMP 00000000772b03d0 .text C:\windows\system32\svchost.exe[780] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007714dd20 5 bytes JMP 00000000772b0310 .text C:\windows\system32\svchost.exe[780] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007714dd50 5 bytes JMP 00000000772b03a0 .text C:\windows\system32\svchost.exe[780] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007714dd70 5 bytes JMP 00000000772b0380 .text C:\windows\system32\svchost.exe[780] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007714ddb0 5 bytes JMP 00000000772b02d0 .text C:\windows\system32\svchost.exe[780] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007714de30 1 byte JMP 00000000772b02c0 .text C:\windows\system32\svchost.exe[780] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 000000007714de32 3 bytes {JMP 0x162490} .text C:\windows\system32\svchost.exe[780] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007714de50 5 bytes JMP 00000000772b0300 .text C:\windows\system32\svchost.exe[780] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007714de90 5 bytes JMP 00000000772b03b0 .text C:\windows\system32\svchost.exe[780] C:\windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007714ded0 5 bytes JMP 00000000772b0440 .text C:\windows\system32\svchost.exe[780] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007714dee0 5 bytes JMP 00000000772b03e0 .text C:\windows\system32\svchost.exe[780] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007714e040 5 bytes JMP 00000000772b0220 .text C:\windows\system32\svchost.exe[780] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007714e200 5 bytes JMP 00000000772b04a0 .text C:\windows\system32\svchost.exe[780] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007714e230 5 bytes JMP 00000000772b0390 .text C:\windows\system32\svchost.exe[780] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007714e310 5 bytes JMP 00000000772b02e0 .text C:\windows\system32\svchost.exe[780] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007714e320 5 bytes JMP 00000000772b0340 .text C:\windows\system32\svchost.exe[780] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007714e380 5 bytes JMP 00000000772b0280 .text C:\windows\system32\svchost.exe[780] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007714e410 1 byte JMP 00000000772b02a0 .text C:\windows\system32\svchost.exe[780] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 000000007714e412 3 bytes {JMP 0x161e90} .text C:\windows\system32\svchost.exe[780] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007714e430 1 byte JMP 00000000772b03c0 .text C:\windows\system32\svchost.exe[780] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 000000007714e432 3 bytes {JMP 0x161f90} .text C:\windows\system32\svchost.exe[780] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007714e440 5 bytes JMP 00000000772b0320 .text C:\windows\system32\svchost.exe[780] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007714e4b0 5 bytes JMP 00000000772b0410 .text C:\windows\system32\svchost.exe[780] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007714e4e0 5 bytes JMP 00000000772b0230 .text C:\windows\system32\svchost.exe[780] C:\windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007714e680 5 bytes JMP 00000000772b03f0 .text C:\windows\system32\svchost.exe[780] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007714e7a0 5 bytes JMP 00000000772b01d0 .text C:\windows\system32\svchost.exe[780] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007714e860 5 bytes JMP 00000000772b0240 .text C:\windows\system32\svchost.exe[780] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007714e890 5 bytes JMP 00000000772b04b0 .text C:\windows\system32\svchost.exe[780] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007714e8a0 5 bytes JMP 00000000772b04c0 .text C:\windows\system32\svchost.exe[780] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007714e8d0 5 bytes JMP 00000000772b02f0 .text C:\windows\system32\svchost.exe[780] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007714e8e0 5 bytes JMP 00000000772b0350 .text C:\windows\system32\svchost.exe[780] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007714e940 5 bytes JMP 00000000772b0290 .text C:\windows\system32\svchost.exe[780] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007714e990 5 bytes JMP 00000000772b02b0 .text C:\windows\system32\svchost.exe[780] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007714e9c0 5 bytes JMP 00000000772b0370 .text C:\windows\system32\svchost.exe[780] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007714e9d0 5 bytes JMP 00000000772b0330 .text C:\windows\system32\svchost.exe[780] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007714ecc0 5 bytes JMP 00000000772b0460 .text C:\windows\system32\svchost.exe[780] C:\windows\SYSTEM32\ntdll.dll!NtResumeProcess 000000007714ee20 5 bytes JMP 00000000772b0420 .text C:\windows\system32\svchost.exe[780] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007714eec0 1 byte JMP 00000000772b0250 .text C:\windows\system32\svchost.exe[780] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 000000007714eec2 3 bytes {JMP 0x161390} .text C:\windows\system32\svchost.exe[780] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007714eed0 1 byte JMP 00000000772b0260 .text C:\windows\system32\svchost.exe[780] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 000000007714eed2 3 bytes {JMP 0x161390} .text C:\windows\system32\svchost.exe[780] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007714eee0 5 bytes JMP 00000000772b0400 .text C:\windows\system32\svchost.exe[780] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007714f0a0 5 bytes JMP 00000000772b01e0 .text C:\windows\system32\svchost.exe[780] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007714f0b0 5 bytes JMP 00000000772b0200 .text C:\windows\system32\svchost.exe[780] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007714f120 5 bytes JMP 00000000772b01f0 .text C:\windows\system32\svchost.exe[780] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007714f180 5 bytes JMP 00000000772b0430 .text C:\windows\system32\svchost.exe[780] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007714f190 5 bytes JMP 00000000772b0450 .text C:\windows\system32\svchost.exe[780] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007714f1a0 5 bytes JMP 00000000772b0210 .text C:\windows\system32\svchost.exe[780] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007714f280 5 bytes JMP 00000000772b0270 .text C:\windows\system32\svchost.exe[880] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007714da60 5 bytes JMP 0000000000070480 .text C:\windows\system32\svchost.exe[880] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007714dab0 5 bytes JMP 0000000000070470 .text C:\windows\system32\svchost.exe[880] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007714dc10 5 bytes JMP 0000000000070360 .text C:\windows\system32\svchost.exe[880] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007714dc60 5 bytes JMP 0000000000070490 .text C:\windows\system32\svchost.exe[880] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007714dc70 5 bytes JMP 00000000000703d0 .text C:\windows\system32\svchost.exe[880] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007714dd20 5 bytes JMP 0000000000070310 .text C:\windows\system32\svchost.exe[880] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007714dd50 5 bytes JMP 00000000000703a0 .text C:\windows\system32\svchost.exe[880] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007714dd70 5 bytes JMP 0000000000070380 .text C:\windows\system32\svchost.exe[880] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007714ddb0 5 bytes JMP 00000000000702d0 .text C:\windows\system32\svchost.exe[880] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007714de30 1 byte JMP 00000000000702c0 .text C:\windows\system32\svchost.exe[880] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 000000007714de32 3 bytes {JMP 0xffffffff88f22490} .text C:\windows\system32\svchost.exe[880] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007714de50 5 bytes JMP 0000000000070300 .text C:\windows\system32\svchost.exe[880] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007714de90 5 bytes JMP 00000000000703b0 .text C:\windows\system32\svchost.exe[880] C:\windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007714ded0 5 bytes JMP 0000000000070440 .text C:\windows\system32\svchost.exe[880] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007714dee0 5 bytes JMP 00000000000703e0 .text C:\windows\system32\svchost.exe[880] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007714e040 5 bytes JMP 0000000000070220 .text C:\windows\system32\svchost.exe[880] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007714e200 5 bytes JMP 00000000000704a0 .text C:\windows\system32\svchost.exe[880] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007714e230 5 bytes JMP 0000000000070390 .text C:\windows\system32\svchost.exe[880] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007714e310 5 bytes JMP 00000000000702e0 .text C:\windows\system32\svchost.exe[880] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007714e320 5 bytes JMP 0000000000070340 .text C:\windows\system32\svchost.exe[880] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007714e380 5 bytes JMP 0000000000070280 .text C:\windows\system32\svchost.exe[880] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007714e410 1 byte JMP 00000000000702a0 .text C:\windows\system32\svchost.exe[880] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 000000007714e412 3 bytes {JMP 0xffffffff88f21e90} .text C:\windows\system32\svchost.exe[880] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007714e430 1 byte JMP 00000000000703c0 .text C:\windows\system32\svchost.exe[880] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 000000007714e432 3 bytes {JMP 0xffffffff88f21f90} .text C:\windows\system32\svchost.exe[880] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007714e440 5 bytes JMP 0000000000070320 .text C:\windows\system32\svchost.exe[880] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007714e4b0 5 bytes JMP 0000000000070410 .text C:\windows\system32\svchost.exe[880] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007714e4e0 5 bytes JMP 0000000000070230 .text C:\windows\system32\svchost.exe[880] C:\windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007714e680 5 bytes JMP 00000000000703f0 .text C:\windows\system32\svchost.exe[880] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007714e7a0 5 bytes JMP 00000000000701d0 .text C:\windows\system32\svchost.exe[880] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007714e860 5 bytes JMP 0000000000070240 .text C:\windows\system32\svchost.exe[880] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007714e890 5 bytes JMP 00000000000704b0 .text C:\windows\system32\svchost.exe[880] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007714e8a0 5 bytes JMP 00000000000704c0 .text C:\windows\system32\svchost.exe[880] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007714e8d0 5 bytes JMP 00000000000702f0 .text C:\windows\system32\svchost.exe[880] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007714e8e0 5 bytes JMP 0000000000070350 .text C:\windows\system32\svchost.exe[880] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007714e940 5 bytes JMP 0000000000070290 .text C:\windows\system32\svchost.exe[880] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007714e990 5 bytes JMP 00000000000702b0 .text C:\windows\system32\svchost.exe[880] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007714e9c0 5 bytes JMP 0000000000070370 .text C:\windows\system32\svchost.exe[880] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007714e9d0 5 bytes JMP 0000000000070330 .text C:\windows\system32\svchost.exe[880] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007714ecc0 5 bytes JMP 0000000000070460 .text C:\windows\system32\svchost.exe[880] C:\windows\SYSTEM32\ntdll.dll!NtResumeProcess 000000007714ee20 5 bytes JMP 0000000000070420 .text C:\windows\system32\svchost.exe[880] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007714eec0 1 byte JMP 0000000000070250 .text C:\windows\system32\svchost.exe[880] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 000000007714eec2 3 bytes {JMP 0xffffffff88f21390} .text C:\windows\system32\svchost.exe[880] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007714eed0 1 byte JMP 0000000000070260 .text C:\windows\system32\svchost.exe[880] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 000000007714eed2 3 bytes {JMP 0xffffffff88f21390} .text C:\windows\system32\svchost.exe[880] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007714eee0 5 bytes JMP 0000000000070400 .text C:\windows\system32\svchost.exe[880] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007714f0a0 5 bytes JMP 00000000000701e0 .text C:\windows\system32\svchost.exe[880] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007714f0b0 5 bytes JMP 0000000000070200 .text C:\windows\system32\svchost.exe[880] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007714f120 5 bytes JMP 00000000000701f0 .text C:\windows\system32\svchost.exe[880] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007714f180 5 bytes JMP 0000000000070430 .text C:\windows\system32\svchost.exe[880] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007714f190 5 bytes JMP 0000000000070450 .text C:\windows\system32\svchost.exe[880] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007714f1a0 5 bytes JMP 0000000000070210 .text C:\windows\system32\svchost.exe[880] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007714f280 5 bytes JMP 0000000000070270 .text C:\windows\System32\svchost.exe[1008] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007714da60 5 bytes JMP 00000000772b0480 .text C:\windows\System32\svchost.exe[1008] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007714dab0 5 bytes JMP 00000000772b0470 .text C:\windows\System32\svchost.exe[1008] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007714dc10 5 bytes JMP 00000000772b0360 .text C:\windows\System32\svchost.exe[1008] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007714dc60 5 bytes JMP 00000000772b0490 .text C:\windows\System32\svchost.exe[1008] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007714dc70 5 bytes JMP 00000000772b03d0 .text C:\windows\System32\svchost.exe[1008] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007714dd20 5 bytes JMP 00000000772b0310 .text C:\windows\System32\svchost.exe[1008] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007714dd50 5 bytes JMP 00000000772b03a0 .text C:\windows\System32\svchost.exe[1008] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007714dd70 5 bytes JMP 00000000772b0380 .text C:\windows\System32\svchost.exe[1008] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007714ddb0 5 bytes JMP 00000000772b02d0 .text C:\windows\System32\svchost.exe[1008] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007714de30 1 byte JMP 00000000772b02c0 .text C:\windows\System32\svchost.exe[1008] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 000000007714de32 3 bytes {JMP 0x162490} .text C:\windows\System32\svchost.exe[1008] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007714de50 5 bytes JMP 00000000772b0300 .text C:\windows\System32\svchost.exe[1008] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007714de90 5 bytes JMP 00000000772b03b0 .text C:\windows\System32\svchost.exe[1008] C:\windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007714ded0 5 bytes JMP 00000000772b0440 .text C:\windows\System32\svchost.exe[1008] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007714dee0 5 bytes JMP 00000000772b03e0 .text C:\windows\System32\svchost.exe[1008] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007714e040 5 bytes JMP 00000000772b0220 .text C:\windows\System32\svchost.exe[1008] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007714e200 5 bytes JMP 00000000772b04a0 .text C:\windows\System32\svchost.exe[1008] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007714e230 5 bytes JMP 00000000772b0390 .text C:\windows\System32\svchost.exe[1008] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007714e310 5 bytes JMP 00000000772b02e0 .text C:\windows\System32\svchost.exe[1008] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007714e320 5 bytes JMP 00000000772b0340 .text C:\windows\System32\svchost.exe[1008] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007714e380 5 bytes JMP 00000000772b0280 .text C:\windows\System32\svchost.exe[1008] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007714e410 1 byte JMP 00000000772b02a0 .text C:\windows\System32\svchost.exe[1008] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 000000007714e412 3 bytes {JMP 0x161e90} .text C:\windows\System32\svchost.exe[1008] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007714e430 1 byte JMP 00000000772b03c0 .text C:\windows\System32\svchost.exe[1008] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 000000007714e432 3 bytes {JMP 0x161f90} .text C:\windows\System32\svchost.exe[1008] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007714e440 5 bytes JMP 00000000772b0320 .text C:\windows\System32\svchost.exe[1008] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007714e4b0 5 bytes JMP 00000000772b0410 .text C:\windows\System32\svchost.exe[1008] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007714e4e0 5 bytes JMP 00000000772b0230 .text C:\windows\System32\svchost.exe[1008] C:\windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007714e680 5 bytes JMP 00000000772b03f0 .text C:\windows\System32\svchost.exe[1008] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007714e7a0 5 bytes JMP 00000000772b01d0 .text C:\windows\System32\svchost.exe[1008] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007714e860 5 bytes JMP 00000000772b0240 .text C:\windows\System32\svchost.exe[1008] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007714e890 5 bytes JMP 00000000772b04b0 .text C:\windows\System32\svchost.exe[1008] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007714e8a0 5 bytes JMP 00000000772b04c0 .text C:\windows\System32\svchost.exe[1008] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007714e8d0 5 bytes JMP 00000000772b02f0 .text C:\windows\System32\svchost.exe[1008] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007714e8e0 5 bytes JMP 00000000772b0350 .text C:\windows\System32\svchost.exe[1008] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007714e940 5 bytes JMP 00000000772b0290 .text C:\windows\System32\svchost.exe[1008] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007714e990 5 bytes JMP 00000000772b02b0 .text C:\windows\System32\svchost.exe[1008] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007714e9c0 5 bytes JMP 00000000772b0370 .text C:\windows\System32\svchost.exe[1008] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007714e9d0 5 bytes JMP 00000000772b0330 .text C:\windows\System32\svchost.exe[1008] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007714ecc0 5 bytes JMP 00000000772b0460 .text C:\windows\System32\svchost.exe[1008] C:\windows\SYSTEM32\ntdll.dll!NtResumeProcess 000000007714ee20 5 bytes JMP 00000000772b0420 .text C:\windows\System32\svchost.exe[1008] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007714eec0 1 byte JMP 00000000772b0250 .text C:\windows\System32\svchost.exe[1008] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 000000007714eec2 3 bytes {JMP 0x161390} .text C:\windows\System32\svchost.exe[1008] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007714eed0 1 byte JMP 00000000772b0260 .text C:\windows\System32\svchost.exe[1008] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 000000007714eed2 3 bytes {JMP 0x161390} .text C:\windows\System32\svchost.exe[1008] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007714eee0 5 bytes JMP 00000000772b0400 .text C:\windows\System32\svchost.exe[1008] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007714f0a0 5 bytes JMP 00000000772b01e0 .text C:\windows\System32\svchost.exe[1008] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007714f0b0 5 bytes JMP 00000000772b0200 .text C:\windows\System32\svchost.exe[1008] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007714f120 5 bytes JMP 00000000772b01f0 .text C:\windows\System32\svchost.exe[1008] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007714f180 5 bytes JMP 00000000772b0430 .text C:\windows\System32\svchost.exe[1008] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007714f190 5 bytes JMP 00000000772b0450 .text C:\windows\System32\svchost.exe[1008] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007714f1a0 5 bytes JMP 00000000772b0210 .text C:\windows\System32\svchost.exe[1008] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007714f280 5 bytes JMP 00000000772b0270 .text C:\windows\System32\svchost.exe[408] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007714da60 5 bytes JMP 0000000000070480 .text C:\windows\System32\svchost.exe[408] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007714dab0 5 bytes JMP 0000000000070470 .text C:\windows\System32\svchost.exe[408] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007714dc10 5 bytes JMP 0000000000070360 .text C:\windows\System32\svchost.exe[408] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007714dc60 5 bytes JMP 0000000000070490 .text C:\windows\System32\svchost.exe[408] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007714dc70 5 bytes JMP 00000000000703d0 .text C:\windows\System32\svchost.exe[408] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007714dd20 5 bytes JMP 0000000000070310 .text C:\windows\System32\svchost.exe[408] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007714dd50 5 bytes JMP 00000000000703a0 .text C:\windows\System32\svchost.exe[408] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007714dd70 5 bytes JMP 0000000000070380 .text C:\windows\System32\svchost.exe[408] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007714ddb0 5 bytes JMP 00000000000702d0 .text C:\windows\System32\svchost.exe[408] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007714de30 1 byte JMP 00000000000702c0 .text C:\windows\System32\svchost.exe[408] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 000000007714de32 3 bytes {JMP 0xffffffff88f22490} .text C:\windows\System32\svchost.exe[408] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007714de50 5 bytes JMP 0000000000070300 .text C:\windows\System32\svchost.exe[408] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007714de90 5 bytes JMP 00000000000703b0 .text C:\windows\System32\svchost.exe[408] C:\windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007714ded0 5 bytes JMP 0000000000070440 .text C:\windows\System32\svchost.exe[408] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007714dee0 5 bytes JMP 00000000000703e0 .text C:\windows\System32\svchost.exe[408] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007714e040 5 bytes JMP 0000000000070220 .text C:\windows\System32\svchost.exe[408] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007714e200 5 bytes JMP 00000000000704a0 .text C:\windows\System32\svchost.exe[408] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007714e230 5 bytes JMP 0000000000070390 .text C:\windows\System32\svchost.exe[408] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007714e310 5 bytes JMP 00000000000702e0 .text C:\windows\System32\svchost.exe[408] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007714e320 5 bytes JMP 0000000000070340 .text C:\windows\System32\svchost.exe[408] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007714e380 5 bytes JMP 0000000000070280 .text C:\windows\System32\svchost.exe[408] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007714e410 1 byte JMP 00000000000702a0 .text C:\windows\System32\svchost.exe[408] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 000000007714e412 3 bytes {JMP 0xffffffff88f21e90} .text C:\windows\System32\svchost.exe[408] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007714e430 1 byte JMP 00000000000703c0 .text C:\windows\System32\svchost.exe[408] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 000000007714e432 3 bytes {JMP 0xffffffff88f21f90} .text C:\windows\System32\svchost.exe[408] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007714e440 5 bytes JMP 0000000000070320 .text C:\windows\System32\svchost.exe[408] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007714e4b0 5 bytes JMP 0000000000070410 .text C:\windows\System32\svchost.exe[408] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007714e4e0 5 bytes JMP 0000000000070230 .text C:\windows\System32\svchost.exe[408] C:\windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007714e680 5 bytes JMP 00000000000703f0 .text C:\windows\System32\svchost.exe[408] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007714e7a0 5 bytes JMP 00000000000701d0 .text C:\windows\System32\svchost.exe[408] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007714e860 5 bytes JMP 0000000000070240 .text C:\windows\System32\svchost.exe[408] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007714e890 5 bytes JMP 00000000000704b0 .text C:\windows\System32\svchost.exe[408] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007714e8a0 5 bytes JMP 00000000000704c0 .text C:\windows\System32\svchost.exe[408] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007714e8d0 5 bytes JMP 00000000000702f0 .text C:\windows\System32\svchost.exe[408] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007714e8e0 5 bytes JMP 0000000000070350 .text C:\windows\System32\svchost.exe[408] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007714e940 5 bytes JMP 0000000000070290 .text C:\windows\System32\svchost.exe[408] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007714e990 5 bytes JMP 00000000000702b0 .text C:\windows\System32\svchost.exe[408] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007714e9c0 5 bytes JMP 0000000000070370 .text C:\windows\System32\svchost.exe[408] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007714e9d0 5 bytes JMP 0000000000070330 .text C:\windows\System32\svchost.exe[408] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007714ecc0 5 bytes JMP 0000000000070460 .text C:\windows\System32\svchost.exe[408] C:\windows\SYSTEM32\ntdll.dll!NtResumeProcess 000000007714ee20 5 bytes JMP 0000000000070420 .text C:\windows\System32\svchost.exe[408] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007714eec0 1 byte JMP 0000000000070250 .text C:\windows\System32\svchost.exe[408] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 000000007714eec2 3 bytes {JMP 0xffffffff88f21390} .text C:\windows\System32\svchost.exe[408] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007714eed0 1 byte JMP 0000000000070260 .text C:\windows\System32\svchost.exe[408] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 000000007714eed2 3 bytes {JMP 0xffffffff88f21390} .text C:\windows\System32\svchost.exe[408] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007714eee0 5 bytes JMP 0000000000070400 .text C:\windows\System32\svchost.exe[408] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007714f0a0 5 bytes JMP 00000000000701e0 .text C:\windows\System32\svchost.exe[408] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007714f0b0 5 bytes JMP 0000000000070200 .text C:\windows\System32\svchost.exe[408] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007714f120 5 bytes JMP 00000000000701f0 .text C:\windows\System32\svchost.exe[408] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007714f180 5 bytes JMP 0000000000070430 .text C:\windows\System32\svchost.exe[408] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007714f190 5 bytes JMP 0000000000070450 .text C:\windows\System32\svchost.exe[408] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007714f1a0 5 bytes JMP 0000000000070210 .text C:\windows\System32\svchost.exe[408] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007714f280 5 bytes JMP 0000000000070270 .text C:\windows\system32\svchost.exe[492] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007714da60 5 bytes JMP 0000000000070480 .text C:\windows\system32\svchost.exe[492] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007714dab0 5 bytes JMP 0000000000070470 .text C:\windows\system32\svchost.exe[492] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007714dc10 5 bytes JMP 0000000000070360 .text C:\windows\system32\svchost.exe[492] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007714dc60 5 bytes JMP 0000000000070490 .text C:\windows\system32\svchost.exe[492] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007714dc70 5 bytes JMP 00000000000703d0 .text C:\windows\system32\svchost.exe[492] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007714dd20 5 bytes JMP 0000000000070310 .text C:\windows\system32\svchost.exe[492] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007714dd50 5 bytes JMP 00000000000703a0 .text C:\windows\system32\svchost.exe[492] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007714dd70 5 bytes JMP 0000000000070380 .text C:\windows\system32\svchost.exe[492] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007714ddb0 5 bytes JMP 00000000000702d0 .text C:\windows\system32\svchost.exe[492] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007714de30 1 byte JMP 00000000000702c0 .text C:\windows\system32\svchost.exe[492] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 000000007714de32 3 bytes {JMP 0xffffffff88f22490} .text C:\windows\system32\svchost.exe[492] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007714de50 5 bytes JMP 0000000000070300 .text C:\windows\system32\svchost.exe[492] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007714de90 5 bytes JMP 00000000000703b0 .text C:\windows\system32\svchost.exe[492] C:\windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007714ded0 5 bytes JMP 0000000000070440 .text C:\windows\system32\svchost.exe[492] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007714dee0 5 bytes JMP 00000000000703e0 .text C:\windows\system32\svchost.exe[492] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007714e040 5 bytes JMP 0000000000070220 .text C:\windows\system32\svchost.exe[492] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007714e200 5 bytes JMP 00000000000704a0 .text C:\windows\system32\svchost.exe[492] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007714e230 5 bytes JMP 0000000000070390 .text C:\windows\system32\svchost.exe[492] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007714e310 5 bytes JMP 00000000000702e0 .text C:\windows\system32\svchost.exe[492] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007714e320 5 bytes JMP 0000000000070340 .text C:\windows\system32\svchost.exe[492] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007714e380 5 bytes JMP 0000000000070280 .text C:\windows\system32\svchost.exe[492] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007714e410 1 byte JMP 00000000000702a0 .text C:\windows\system32\svchost.exe[492] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 000000007714e412 3 bytes {JMP 0xffffffff88f21e90} .text C:\windows\system32\svchost.exe[492] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007714e430 1 byte JMP 00000000000703c0 .text C:\windows\system32\svchost.exe[492] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 000000007714e432 3 bytes {JMP 0xffffffff88f21f90} .text C:\windows\system32\svchost.exe[492] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007714e440 5 bytes JMP 0000000000070320 .text C:\windows\system32\svchost.exe[492] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007714e4b0 5 bytes JMP 0000000000070410 .text C:\windows\system32\svchost.exe[492] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007714e4e0 5 bytes JMP 0000000000070230 .text C:\windows\system32\svchost.exe[492] C:\windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007714e680 5 bytes JMP 00000000000703f0 .text C:\windows\system32\svchost.exe[492] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007714e7a0 5 bytes JMP 00000000000701d0 .text C:\windows\system32\svchost.exe[492] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007714e860 5 bytes JMP 0000000000070240 .text C:\windows\system32\svchost.exe[492] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007714e890 5 bytes JMP 00000000000704b0 .text C:\windows\system32\svchost.exe[492] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007714e8a0 5 bytes JMP 00000000000704c0 .text C:\windows\system32\svchost.exe[492] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007714e8d0 5 bytes JMP 00000000000702f0 .text C:\windows\system32\svchost.exe[492] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007714e8e0 5 bytes JMP 0000000000070350 .text C:\windows\system32\svchost.exe[492] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007714e940 5 bytes JMP 0000000000070290 .text C:\windows\system32\svchost.exe[492] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007714e990 5 bytes JMP 00000000000702b0 .text C:\windows\system32\svchost.exe[492] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007714e9c0 5 bytes JMP 0000000000070370 .text C:\windows\system32\svchost.exe[492] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007714e9d0 5 bytes JMP 0000000000070330 .text C:\windows\system32\svchost.exe[492] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007714ecc0 5 bytes JMP 0000000000070460 .text C:\windows\system32\svchost.exe[492] C:\windows\SYSTEM32\ntdll.dll!NtResumeProcess 000000007714ee20 5 bytes JMP 0000000000070420 .text C:\windows\system32\svchost.exe[492] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007714eec0 1 byte JMP 0000000000070250 .text C:\windows\system32\svchost.exe[492] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 000000007714eec2 3 bytes {JMP 0xffffffff88f21390} .text C:\windows\system32\svchost.exe[492] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007714eed0 1 byte JMP 0000000000070260 .text C:\windows\system32\svchost.exe[492] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 000000007714eed2 3 bytes {JMP 0xffffffff88f21390} .text C:\windows\system32\svchost.exe[492] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007714eee0 5 bytes JMP 0000000000070400 .text C:\windows\system32\svchost.exe[492] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007714f0a0 5 bytes JMP 00000000000701e0 .text C:\windows\system32\svchost.exe[492] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007714f0b0 5 bytes JMP 0000000000070200 .text C:\windows\system32\svchost.exe[492] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007714f120 5 bytes JMP 00000000000701f0 .text C:\windows\system32\svchost.exe[492] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007714f180 5 bytes JMP 0000000000070430 .text C:\windows\system32\svchost.exe[492] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007714f190 5 bytes JMP 0000000000070450 .text C:\windows\system32\svchost.exe[492] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007714f1a0 5 bytes JMP 0000000000070210 .text C:\windows\system32\svchost.exe[492] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007714f280 5 bytes JMP 0000000000070270 .text C:\windows\system32\svchost.exe[1072] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007714da60 5 bytes JMP 00000000772b0480 .text C:\windows\system32\svchost.exe[1072] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007714dab0 5 bytes JMP 00000000772b0470 .text C:\windows\system32\svchost.exe[1072] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007714dc10 5 bytes JMP 00000000772b0360 .text C:\windows\system32\svchost.exe[1072] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007714dc60 5 bytes JMP 00000000772b0490 .text C:\windows\system32\svchost.exe[1072] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007714dc70 5 bytes JMP 00000000772b03d0 .text C:\windows\system32\svchost.exe[1072] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007714dd20 5 bytes JMP 00000000772b0310 .text C:\windows\system32\svchost.exe[1072] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007714dd50 5 bytes JMP 00000000772b03a0 .text C:\windows\system32\svchost.exe[1072] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007714dd70 5 bytes JMP 00000000772b0380 .text C:\windows\system32\svchost.exe[1072] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007714ddb0 5 bytes JMP 00000000772b02d0 .text C:\windows\system32\svchost.exe[1072] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007714de30 1 byte JMP 00000000772b02c0 .text C:\windows\system32\svchost.exe[1072] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 000000007714de32 3 bytes {JMP 0x162490} .text C:\windows\system32\svchost.exe[1072] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007714de50 5 bytes JMP 00000000772b0300 .text C:\windows\system32\svchost.exe[1072] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007714de90 5 bytes JMP 00000000772b03b0 .text C:\windows\system32\svchost.exe[1072] C:\windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007714ded0 5 bytes JMP 00000000772b0440 .text C:\windows\system32\svchost.exe[1072] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007714dee0 5 bytes JMP 00000000772b03e0 .text C:\windows\system32\svchost.exe[1072] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007714e040 5 bytes JMP 00000000772b0220 .text C:\windows\system32\svchost.exe[1072] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007714e200 5 bytes JMP 00000000772b04a0 .text C:\windows\system32\svchost.exe[1072] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007714e230 5 bytes JMP 00000000772b0390 .text C:\windows\system32\svchost.exe[1072] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007714e310 5 bytes JMP 00000000772b02e0 .text C:\windows\system32\svchost.exe[1072] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007714e320 5 bytes JMP 00000000772b0340 .text C:\windows\system32\svchost.exe[1072] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007714e380 5 bytes JMP 00000000772b0280 .text C:\windows\system32\svchost.exe[1072] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007714e410 1 byte JMP 00000000772b02a0 .text C:\windows\system32\svchost.exe[1072] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 000000007714e412 3 bytes {JMP 0x161e90} .text C:\windows\system32\svchost.exe[1072] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007714e430 1 byte JMP 00000000772b03c0 .text C:\windows\system32\svchost.exe[1072] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 000000007714e432 3 bytes {JMP 0x161f90} .text C:\windows\system32\svchost.exe[1072] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007714e440 5 bytes JMP 00000000772b0320 .text C:\windows\system32\svchost.exe[1072] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007714e4b0 5 bytes JMP 00000000772b0410 .text C:\windows\system32\svchost.exe[1072] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007714e4e0 5 bytes JMP 00000000772b0230 .text C:\windows\system32\svchost.exe[1072] C:\windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007714e680 5 bytes JMP 00000000772b03f0 .text C:\windows\system32\svchost.exe[1072] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007714e7a0 5 bytes JMP 00000000772b01d0 .text C:\windows\system32\svchost.exe[1072] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007714e860 5 bytes JMP 00000000772b0240 .text C:\windows\system32\svchost.exe[1072] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007714e890 5 bytes JMP 00000000772b04b0 .text C:\windows\system32\svchost.exe[1072] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007714e8a0 5 bytes JMP 00000000772b04c0 .text C:\windows\system32\svchost.exe[1072] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007714e8d0 5 bytes JMP 00000000772b02f0 .text C:\windows\system32\svchost.exe[1072] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007714e8e0 5 bytes JMP 00000000772b0350 .text C:\windows\system32\svchost.exe[1072] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007714e940 5 bytes JMP 00000000772b0290 .text C:\windows\system32\svchost.exe[1072] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007714e990 5 bytes JMP 00000000772b02b0 .text C:\windows\system32\svchost.exe[1072] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007714e9c0 5 bytes JMP 00000000772b0370 .text C:\windows\system32\svchost.exe[1072] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007714e9d0 5 bytes JMP 00000000772b0330 .text C:\windows\system32\svchost.exe[1072] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007714ecc0 5 bytes JMP 00000000772b0460 .text C:\windows\system32\svchost.exe[1072] C:\windows\SYSTEM32\ntdll.dll!NtResumeProcess 000000007714ee20 5 bytes JMP 00000000772b0420 .text C:\windows\system32\svchost.exe[1072] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007714eec0 1 byte JMP 00000000772b0250 .text C:\windows\system32\svchost.exe[1072] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 000000007714eec2 3 bytes {JMP 0x161390} .text C:\windows\system32\svchost.exe[1072] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007714eed0 1 byte JMP 00000000772b0260 .text C:\windows\system32\svchost.exe[1072] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 000000007714eed2 3 bytes {JMP 0x161390} .text C:\windows\system32\svchost.exe[1072] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007714eee0 5 bytes JMP 00000000772b0400 .text C:\windows\system32\svchost.exe[1072] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007714f0a0 5 bytes JMP 00000000772b01e0 .text C:\windows\system32\svchost.exe[1072] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007714f0b0 5 bytes JMP 00000000772b0200 .text C:\windows\system32\svchost.exe[1072] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007714f120 5 bytes JMP 00000000772b01f0 .text C:\windows\system32\svchost.exe[1072] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007714f180 5 bytes JMP 00000000772b0430 .text C:\windows\system32\svchost.exe[1072] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007714f190 5 bytes JMP 00000000772b0450 .text C:\windows\system32\svchost.exe[1072] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007714f1a0 5 bytes JMP 00000000772b0210 .text C:\windows\system32\svchost.exe[1072] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007714f280 5 bytes JMP 00000000772b0270 .text C:\windows\system32\svchost.exe[1172] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007714da60 5 bytes JMP 00000000772b0480 .text C:\windows\system32\svchost.exe[1172] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007714dab0 5 bytes JMP 00000000772b0470 .text C:\windows\system32\svchost.exe[1172] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007714dc10 5 bytes JMP 00000000772b0360 .text C:\windows\system32\svchost.exe[1172] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007714dc60 5 bytes JMP 00000000772b0490 .text C:\windows\system32\svchost.exe[1172] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007714dc70 5 bytes JMP 00000000772b03d0 .text C:\windows\system32\svchost.exe[1172] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007714dd20 5 bytes JMP 00000000772b0310 .text C:\windows\system32\svchost.exe[1172] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007714dd50 5 bytes JMP 00000000772b03a0 .text C:\windows\system32\svchost.exe[1172] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007714dd70 5 bytes JMP 00000000772b0380 .text C:\windows\system32\svchost.exe[1172] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007714ddb0 5 bytes JMP 00000000772b02d0 .text C:\windows\system32\svchost.exe[1172] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007714de30 1 byte JMP 00000000772b02c0 .text C:\windows\system32\svchost.exe[1172] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 000000007714de32 3 bytes {JMP 0x162490} .text C:\windows\system32\svchost.exe[1172] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007714de50 5 bytes JMP 00000000772b0300 .text C:\windows\system32\svchost.exe[1172] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007714de90 5 bytes JMP 00000000772b03b0 .text C:\windows\system32\svchost.exe[1172] C:\windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007714ded0 5 bytes JMP 00000000772b0440 .text C:\windows\system32\svchost.exe[1172] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007714dee0 5 bytes JMP 00000000772b03e0 .text C:\windows\system32\svchost.exe[1172] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007714e040 5 bytes JMP 00000000772b0220 .text C:\windows\system32\svchost.exe[1172] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007714e200 5 bytes JMP 00000000772b04a0 .text C:\windows\system32\svchost.exe[1172] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007714e230 5 bytes JMP 00000000772b0390 .text C:\windows\system32\svchost.exe[1172] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007714e310 5 bytes JMP 00000000772b02e0 .text C:\windows\system32\svchost.exe[1172] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007714e320 5 bytes JMP 00000000772b0340 .text C:\windows\system32\svchost.exe[1172] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007714e380 5 bytes JMP 00000000772b0280 .text C:\windows\system32\svchost.exe[1172] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007714e410 1 byte JMP 00000000772b02a0 .text C:\windows\system32\svchost.exe[1172] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 000000007714e412 3 bytes {JMP 0x161e90} .text C:\windows\system32\svchost.exe[1172] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007714e430 1 byte JMP 00000000772b03c0 .text C:\windows\system32\svchost.exe[1172] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 000000007714e432 3 bytes {JMP 0x161f90} .text C:\windows\system32\svchost.exe[1172] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007714e440 5 bytes JMP 00000000772b0320 .text C:\windows\system32\svchost.exe[1172] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007714e4b0 5 bytes JMP 00000000772b0410 .text C:\windows\system32\svchost.exe[1172] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007714e4e0 5 bytes JMP 00000000772b0230 .text C:\windows\system32\svchost.exe[1172] C:\windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007714e680 5 bytes JMP 00000000772b03f0 .text C:\windows\system32\svchost.exe[1172] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007714e7a0 5 bytes JMP 00000000772b01d0 .text C:\windows\system32\svchost.exe[1172] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007714e860 5 bytes JMP 00000000772b0240 .text C:\windows\system32\svchost.exe[1172] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007714e890 5 bytes JMP 00000000772b04b0 .text C:\windows\system32\svchost.exe[1172] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007714e8a0 5 bytes JMP 00000000772b04c0 .text C:\windows\system32\svchost.exe[1172] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007714e8d0 5 bytes JMP 00000000772b02f0 .text C:\windows\system32\svchost.exe[1172] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007714e8e0 5 bytes JMP 00000000772b0350 .text C:\windows\system32\svchost.exe[1172] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007714e940 5 bytes JMP 00000000772b0290 .text C:\windows\system32\svchost.exe[1172] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007714e990 5 bytes JMP 00000000772b02b0 .text C:\windows\system32\svchost.exe[1172] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007714e9c0 5 bytes JMP 00000000772b0370 .text C:\windows\system32\svchost.exe[1172] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007714e9d0 5 bytes JMP 00000000772b0330 .text C:\windows\system32\svchost.exe[1172] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007714ecc0 5 bytes JMP 00000000772b0460 .text C:\windows\system32\svchost.exe[1172] C:\windows\SYSTEM32\ntdll.dll!NtResumeProcess 000000007714ee20 5 bytes JMP 00000000772b0420 .text C:\windows\system32\svchost.exe[1172] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007714eec0 1 byte JMP 00000000772b0250 .text C:\windows\system32\svchost.exe[1172] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 000000007714eec2 3 bytes {JMP 0x161390} .text C:\windows\system32\svchost.exe[1172] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007714eed0 1 byte JMP 00000000772b0260 .text C:\windows\system32\svchost.exe[1172] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 000000007714eed2 3 bytes {JMP 0x161390} .text C:\windows\system32\svchost.exe[1172] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007714eee0 5 bytes JMP 00000000772b0400 .text C:\windows\system32\svchost.exe[1172] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007714f0a0 5 bytes JMP 00000000772b01e0 .text C:\windows\system32\svchost.exe[1172] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007714f0b0 5 bytes JMP 00000000772b0200 .text C:\windows\system32\svchost.exe[1172] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007714f120 5 bytes JMP 00000000772b01f0 .text C:\windows\system32\svchost.exe[1172] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007714f180 5 bytes JMP 00000000772b0430 .text C:\windows\system32\svchost.exe[1172] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007714f190 5 bytes JMP 00000000772b0450 .text C:\windows\system32\svchost.exe[1172] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007714f1a0 5 bytes JMP 00000000772b0210 .text C:\windows\system32\svchost.exe[1172] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007714f280 5 bytes JMP 00000000772b0270 .text C:\windows\system32\svchost.exe[1628] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007714da60 5 bytes JMP 00000000772b0480 .text C:\windows\system32\svchost.exe[1628] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007714dab0 5 bytes JMP 00000000772b0470 .text C:\windows\system32\svchost.exe[1628] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007714dc10 5 bytes JMP 00000000772b0360 .text C:\windows\system32\svchost.exe[1628] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007714dc60 5 bytes JMP 00000000772b0490 .text C:\windows\system32\svchost.exe[1628] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007714dc70 5 bytes JMP 00000000772b03d0 .text C:\windows\system32\svchost.exe[1628] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007714dd20 5 bytes JMP 00000000772b0310 .text C:\windows\system32\svchost.exe[1628] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007714dd50 5 bytes JMP 00000000772b03a0 .text C:\windows\system32\svchost.exe[1628] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007714dd70 5 bytes JMP 00000000772b0380 .text C:\windows\system32\svchost.exe[1628] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007714ddb0 5 bytes JMP 00000000772b02d0 .text C:\windows\system32\svchost.exe[1628] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007714de30 1 byte JMP 00000000772b02c0 .text C:\windows\system32\svchost.exe[1628] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 000000007714de32 3 bytes {JMP 0x162490} .text C:\windows\system32\svchost.exe[1628] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007714de50 5 bytes JMP 00000000772b0300 .text C:\windows\system32\svchost.exe[1628] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007714de90 5 bytes JMP 00000000772b03b0 .text C:\windows\system32\svchost.exe[1628] C:\windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007714ded0 5 bytes JMP 00000000772b0440 .text C:\windows\system32\svchost.exe[1628] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007714dee0 5 bytes JMP 00000000772b03e0 .text C:\windows\system32\svchost.exe[1628] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007714e040 5 bytes JMP 00000000772b0220 .text C:\windows\system32\svchost.exe[1628] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007714e200 5 bytes JMP 00000000772b04a0 .text C:\windows\system32\svchost.exe[1628] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007714e230 5 bytes JMP 00000000772b0390 .text C:\windows\system32\svchost.exe[1628] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007714e310 5 bytes JMP 00000000772b02e0 .text C:\windows\system32\svchost.exe[1628] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007714e320 5 bytes JMP 00000000772b0340 .text C:\windows\system32\svchost.exe[1628] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007714e380 5 bytes JMP 00000000772b0280 .text C:\windows\system32\svchost.exe[1628] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007714e410 1 byte JMP 00000000772b02a0 .text C:\windows\system32\svchost.exe[1628] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 000000007714e412 3 bytes {JMP 0x161e90} .text C:\windows\system32\svchost.exe[1628] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007714e430 1 byte JMP 00000000772b03c0 .text C:\windows\system32\svchost.exe[1628] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 000000007714e432 3 bytes {JMP 0x161f90} .text C:\windows\system32\svchost.exe[1628] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007714e440 5 bytes JMP 00000000772b0320 .text C:\windows\system32\svchost.exe[1628] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007714e4b0 5 bytes JMP 00000000772b0410 .text C:\windows\system32\svchost.exe[1628] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007714e4e0 5 bytes JMP 00000000772b0230 .text C:\windows\system32\svchost.exe[1628] C:\windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007714e680 5 bytes JMP 00000000772b03f0 .text C:\windows\system32\svchost.exe[1628] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007714e7a0 5 bytes JMP 00000000772b01d0 .text C:\windows\system32\svchost.exe[1628] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007714e860 5 bytes JMP 00000000772b0240 .text C:\windows\system32\svchost.exe[1628] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007714e890 5 bytes JMP 00000000772b04b0 .text C:\windows\system32\svchost.exe[1628] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007714e8a0 5 bytes JMP 00000000772b04c0 .text C:\windows\system32\svchost.exe[1628] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007714e8d0 5 bytes JMP 00000000772b02f0 .text C:\windows\system32\svchost.exe[1628] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007714e8e0 5 bytes JMP 00000000772b0350 .text C:\windows\system32\svchost.exe[1628] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007714e940 5 bytes JMP 00000000772b0290 .text C:\windows\system32\svchost.exe[1628] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007714e990 5 bytes JMP 00000000772b02b0 .text C:\windows\system32\svchost.exe[1628] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007714e9c0 5 bytes JMP 00000000772b0370 .text C:\windows\system32\svchost.exe[1628] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007714e9d0 5 bytes JMP 00000000772b0330 .text C:\windows\system32\svchost.exe[1628] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007714ecc0 5 bytes JMP 00000000772b0460 .text C:\windows\system32\svchost.exe[1628] C:\windows\SYSTEM32\ntdll.dll!NtResumeProcess 000000007714ee20 5 bytes JMP 00000000772b0420 .text C:\windows\system32\svchost.exe[1628] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007714eec0 1 byte JMP 00000000772b0250 .text C:\windows\system32\svchost.exe[1628] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 000000007714eec2 3 bytes {JMP 0x161390} .text C:\windows\system32\svchost.exe[1628] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007714eed0 1 byte JMP 00000000772b0260 .text C:\windows\system32\svchost.exe[1628] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 000000007714eed2 3 bytes {JMP 0x161390} .text C:\windows\system32\svchost.exe[1628] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007714eee0 5 bytes JMP 00000000772b0400 .text C:\windows\system32\svchost.exe[1628] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007714f0a0 5 bytes JMP 00000000772b01e0 .text C:\windows\system32\svchost.exe[1628] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007714f0b0 5 bytes JMP 00000000772b0200 .text C:\windows\system32\svchost.exe[1628] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007714f120 5 bytes JMP 00000000772b01f0 .text C:\windows\system32\svchost.exe[1628] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007714f180 5 bytes JMP 00000000772b0430 .text C:\windows\system32\svchost.exe[1628] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007714f190 5 bytes JMP 00000000772b0450 .text C:\windows\system32\svchost.exe[1628] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007714f1a0 5 bytes JMP 00000000772b0210 .text C:\windows\system32\svchost.exe[1628] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007714f280 5 bytes JMP 00000000772b0270 .text C:\windows\system32\taskhost.exe[1968] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007714da60 5 bytes JMP 00000000772b0480 .text C:\windows\system32\taskhost.exe[1968] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007714dab0 5 bytes JMP 00000000772b0470 .text C:\windows\system32\taskhost.exe[1968] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007714dc10 5 bytes JMP 00000000772b0360 .text C:\windows\system32\taskhost.exe[1968] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007714dc60 5 bytes JMP 00000000772b0490 .text C:\windows\system32\taskhost.exe[1968] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007714dc70 5 bytes JMP 00000000772b03d0 .text C:\windows\system32\taskhost.exe[1968] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007714dd20 5 bytes JMP 00000000772b0310 .text C:\windows\system32\taskhost.exe[1968] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007714dd50 5 bytes JMP 00000000772b03a0 .text C:\windows\system32\taskhost.exe[1968] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007714dd70 5 bytes JMP 00000000772b0380 .text C:\windows\system32\taskhost.exe[1968] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007714ddb0 5 bytes JMP 00000000772b02d0 .text C:\windows\system32\taskhost.exe[1968] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007714de30 1 byte JMP 00000000772b02c0 .text C:\windows\system32\taskhost.exe[1968] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 000000007714de32 3 bytes {JMP 0x162490} .text C:\windows\system32\taskhost.exe[1968] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007714de50 5 bytes JMP 00000000772b0300 .text C:\windows\system32\taskhost.exe[1968] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007714de90 5 bytes JMP 00000000772b03b0 .text C:\windows\system32\taskhost.exe[1968] C:\windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007714ded0 5 bytes JMP 00000000772b0440 .text C:\windows\system32\taskhost.exe[1968] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007714dee0 5 bytes JMP 00000000772b03e0 .text C:\windows\system32\taskhost.exe[1968] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007714e040 5 bytes JMP 00000000772b0220 .text C:\windows\system32\taskhost.exe[1968] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007714e200 5 bytes JMP 00000000772b04a0 .text C:\windows\system32\taskhost.exe[1968] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007714e230 5 bytes JMP 00000000772b0390 .text C:\windows\system32\taskhost.exe[1968] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007714e310 5 bytes JMP 00000000772b02e0 .text C:\windows\system32\taskhost.exe[1968] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007714e320 5 bytes JMP 00000000772b0340 .text C:\windows\system32\taskhost.exe[1968] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007714e380 5 bytes JMP 00000000772b0280 .text C:\windows\system32\taskhost.exe[1968] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007714e410 1 byte JMP 00000000772b02a0 .text C:\windows\system32\taskhost.exe[1968] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 000000007714e412 3 bytes {JMP 0x161e90} .text C:\windows\system32\taskhost.exe[1968] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007714e430 1 byte JMP 00000000772b03c0 .text C:\windows\system32\taskhost.exe[1968] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 000000007714e432 3 bytes {JMP 0x161f90} .text C:\windows\system32\taskhost.exe[1968] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007714e440 5 bytes JMP 00000000772b0320 .text C:\windows\system32\taskhost.exe[1968] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007714e4b0 5 bytes JMP 00000000772b0410 .text C:\windows\system32\taskhost.exe[1968] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007714e4e0 5 bytes JMP 00000000772b0230 .text C:\windows\system32\taskhost.exe[1968] C:\windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007714e680 5 bytes JMP 00000000772b03f0 .text C:\windows\system32\taskhost.exe[1968] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007714e7a0 5 bytes JMP 00000000772b01d0 .text C:\windows\system32\taskhost.exe[1968] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007714e860 5 bytes JMP 00000000772b0240 .text C:\windows\system32\taskhost.exe[1968] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007714e890 5 bytes JMP 00000000772b04b0 .text C:\windows\system32\taskhost.exe[1968] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007714e8a0 5 bytes JMP 00000000772b04c0 .text C:\windows\system32\taskhost.exe[1968] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007714e8d0 5 bytes JMP 00000000772b02f0 .text C:\windows\system32\taskhost.exe[1968] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007714e8e0 5 bytes JMP 00000000772b0350 .text C:\windows\system32\taskhost.exe[1968] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007714e940 5 bytes JMP 00000000772b0290 .text C:\windows\system32\taskhost.exe[1968] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007714e990 5 bytes JMP 00000000772b02b0 .text C:\windows\system32\taskhost.exe[1968] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007714e9c0 5 bytes JMP 00000000772b0370 .text C:\windows\system32\taskhost.exe[1968] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007714e9d0 5 bytes JMP 00000000772b0330 .text C:\windows\system32\taskhost.exe[1968] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007714ecc0 5 bytes JMP 00000000772b0460 .text C:\windows\system32\taskhost.exe[1968] C:\windows\SYSTEM32\ntdll.dll!NtResumeProcess 000000007714ee20 5 bytes JMP 00000000772b0420 .text C:\windows\system32\taskhost.exe[1968] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007714eec0 1 byte JMP 00000000772b0250 .text C:\windows\system32\taskhost.exe[1968] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 000000007714eec2 3 bytes {JMP 0x161390} .text C:\windows\system32\taskhost.exe[1968] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007714eed0 1 byte JMP 00000000772b0260 .text C:\windows\system32\taskhost.exe[1968] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 000000007714eed2 3 bytes {JMP 0x161390} .text C:\windows\system32\taskhost.exe[1968] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007714eee0 5 bytes JMP 00000000772b0400 .text C:\windows\system32\taskhost.exe[1968] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007714f0a0 5 bytes JMP 00000000772b01e0 .text C:\windows\system32\taskhost.exe[1968] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007714f0b0 5 bytes JMP 00000000772b0200 .text C:\windows\system32\taskhost.exe[1968] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007714f120 5 bytes JMP 00000000772b01f0 .text C:\windows\system32\taskhost.exe[1968] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007714f180 5 bytes JMP 00000000772b0430 .text C:\windows\system32\taskhost.exe[1968] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007714f190 5 bytes JMP 00000000772b0450 .text C:\windows\system32\taskhost.exe[1968] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007714f1a0 5 bytes JMP 00000000772b0210 .text C:\windows\system32\taskhost.exe[1968] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007714f280 5 bytes JMP 00000000772b0270 .text C:\windows\system32\Dwm.exe[2068] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007714da60 5 bytes JMP 00000000772b0480 .text C:\windows\system32\Dwm.exe[2068] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007714dab0 5 bytes JMP 00000000772b0470 .text C:\windows\system32\Dwm.exe[2068] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007714dc10 5 bytes JMP 00000000772b0360 .text C:\windows\system32\Dwm.exe[2068] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007714dc60 5 bytes JMP 00000000772b0490 .text C:\windows\system32\Dwm.exe[2068] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007714dc70 5 bytes JMP 00000000772b03d0 .text C:\windows\system32\Dwm.exe[2068] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007714dd20 5 bytes JMP 00000000772b0310 .text C:\windows\system32\Dwm.exe[2068] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007714dd50 5 bytes JMP 00000000772b03a0 .text C:\windows\system32\Dwm.exe[2068] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007714dd70 5 bytes JMP 00000000772b0380 .text C:\windows\system32\Dwm.exe[2068] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007714ddb0 5 bytes JMP 00000000772b02d0 .text C:\windows\system32\Dwm.exe[2068] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007714de30 1 byte JMP 00000000772b02c0 .text C:\windows\system32\Dwm.exe[2068] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 000000007714de32 3 bytes {JMP 0x162490} .text C:\windows\system32\Dwm.exe[2068] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007714de50 5 bytes JMP 00000000772b0300 .text C:\windows\system32\Dwm.exe[2068] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007714de90 5 bytes JMP 00000000772b03b0 .text C:\windows\system32\Dwm.exe[2068] C:\windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007714ded0 5 bytes JMP 00000000772b0440 .text C:\windows\system32\Dwm.exe[2068] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007714dee0 5 bytes JMP 00000000772b03e0 .text C:\windows\system32\Dwm.exe[2068] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007714e040 5 bytes JMP 00000000772b0220 .text C:\windows\system32\Dwm.exe[2068] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007714e200 5 bytes JMP 00000000772b04a0 .text C:\windows\system32\Dwm.exe[2068] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007714e230 5 bytes JMP 00000000772b0390 .text C:\windows\system32\Dwm.exe[2068] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007714e310 5 bytes JMP 00000000772b02e0 .text C:\windows\system32\Dwm.exe[2068] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007714e320 5 bytes JMP 00000000772b0340 .text C:\windows\system32\Dwm.exe[2068] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007714e380 5 bytes JMP 00000000772b0280 .text C:\windows\system32\Dwm.exe[2068] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007714e410 1 byte JMP 00000000772b02a0 .text C:\windows\system32\Dwm.exe[2068] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 000000007714e412 3 bytes {JMP 0x161e90} .text C:\windows\system32\Dwm.exe[2068] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007714e430 1 byte JMP 00000000772b03c0 .text C:\windows\system32\Dwm.exe[2068] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 000000007714e432 3 bytes {JMP 0x161f90} .text C:\windows\system32\Dwm.exe[2068] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007714e440 5 bytes JMP 00000000772b0320 .text C:\windows\system32\Dwm.exe[2068] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007714e4b0 5 bytes JMP 00000000772b0410 .text C:\windows\system32\Dwm.exe[2068] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007714e4e0 5 bytes JMP 00000000772b0230 .text C:\windows\system32\Dwm.exe[2068] C:\windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007714e680 5 bytes JMP 00000000772b03f0 .text C:\windows\system32\Dwm.exe[2068] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007714e7a0 5 bytes JMP 00000000772b01d0 .text C:\windows\system32\Dwm.exe[2068] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007714e860 5 bytes JMP 00000000772b0240 .text C:\windows\system32\Dwm.exe[2068] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007714e890 5 bytes JMP 00000000772b04b0 .text C:\windows\system32\Dwm.exe[2068] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007714e8a0 5 bytes JMP 00000000772b04c0 .text C:\windows\system32\Dwm.exe[2068] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007714e8d0 5 bytes JMP 00000000772b02f0 .text C:\windows\system32\Dwm.exe[2068] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007714e8e0 5 bytes JMP 00000000772b0350 .text C:\windows\system32\Dwm.exe[2068] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007714e940 5 bytes JMP 00000000772b0290 .text C:\windows\system32\Dwm.exe[2068] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007714e990 5 bytes JMP 00000000772b02b0 .text C:\windows\system32\Dwm.exe[2068] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007714e9c0 5 bytes JMP 00000000772b0370 .text C:\windows\system32\Dwm.exe[2068] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007714e9d0 5 bytes JMP 00000000772b0330 .text C:\windows\system32\Dwm.exe[2068] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007714ecc0 5 bytes JMP 00000000772b0460 .text C:\windows\system32\Dwm.exe[2068] C:\windows\SYSTEM32\ntdll.dll!NtResumeProcess 000000007714ee20 5 bytes JMP 00000000772b0420 .text C:\windows\system32\Dwm.exe[2068] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007714eec0 1 byte JMP 00000000772b0250 .text C:\windows\system32\Dwm.exe[2068] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 000000007714eec2 3 bytes {JMP 0x161390} .text C:\windows\system32\Dwm.exe[2068] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007714eed0 1 byte JMP 00000000772b0260 .text C:\windows\system32\Dwm.exe[2068] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 000000007714eed2 3 bytes {JMP 0x161390} .text C:\windows\system32\Dwm.exe[2068] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007714eee0 5 bytes JMP 00000000772b0400 .text C:\windows\system32\Dwm.exe[2068] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007714f0a0 5 bytes JMP 00000000772b01e0 .text C:\windows\system32\Dwm.exe[2068] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007714f0b0 5 bytes JMP 00000000772b0200 .text C:\windows\system32\Dwm.exe[2068] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007714f120 5 bytes JMP 00000000772b01f0 .text C:\windows\system32\Dwm.exe[2068] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007714f180 5 bytes JMP 00000000772b0430 .text C:\windows\system32\Dwm.exe[2068] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007714f190 5 bytes JMP 00000000772b0450 .text C:\windows\system32\Dwm.exe[2068] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007714f1a0 5 bytes JMP 00000000772b0210 .text C:\windows\system32\Dwm.exe[2068] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007714f280 5 bytes JMP 00000000772b0270 .text C:\windows\Explorer.EXE[2120] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007714da60 5 bytes JMP 00000000772b0480 .text C:\windows\Explorer.EXE[2120] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007714dab0 5 bytes JMP 00000000772b0470 .text C:\windows\Explorer.EXE[2120] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007714dc10 5 bytes JMP 00000000772b0360 .text C:\windows\Explorer.EXE[2120] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007714dc60 5 bytes JMP 00000000772b0490 .text C:\windows\Explorer.EXE[2120] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007714dc70 5 bytes JMP 00000000772b03d0 .text C:\windows\Explorer.EXE[2120] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007714dd20 5 bytes JMP 00000000772b0310 .text C:\windows\Explorer.EXE[2120] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007714dd50 5 bytes JMP 00000000772b03a0 .text C:\windows\Explorer.EXE[2120] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007714dd70 5 bytes JMP 00000000772b0380 .text C:\windows\Explorer.EXE[2120] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007714ddb0 5 bytes JMP 00000000772b02d0 .text C:\windows\Explorer.EXE[2120] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007714de30 1 byte JMP 00000000772b02c0 .text C:\windows\Explorer.EXE[2120] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 000000007714de32 3 bytes {JMP 0x162490} .text C:\windows\Explorer.EXE[2120] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007714de50 5 bytes JMP 00000000772b0300 .text C:\windows\Explorer.EXE[2120] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007714de90 5 bytes JMP 00000000772b03b0 .text C:\windows\Explorer.EXE[2120] C:\windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007714ded0 5 bytes JMP 00000000772b0440 .text C:\windows\Explorer.EXE[2120] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007714dee0 5 bytes JMP 00000000772b03e0 .text C:\windows\Explorer.EXE[2120] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007714e040 5 bytes JMP 00000000772b0220 .text C:\windows\Explorer.EXE[2120] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007714e200 5 bytes JMP 00000000772b04a0 .text C:\windows\Explorer.EXE[2120] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007714e230 5 bytes JMP 00000000772b0390 .text C:\windows\Explorer.EXE[2120] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007714e310 5 bytes JMP 00000000772b02e0 .text C:\windows\Explorer.EXE[2120] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007714e320 5 bytes JMP 00000000772b0340 .text C:\windows\Explorer.EXE[2120] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007714e380 5 bytes JMP 00000000772b0280 .text C:\windows\Explorer.EXE[2120] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007714e410 1 byte JMP 00000000772b02a0 .text C:\windows\Explorer.EXE[2120] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 000000007714e412 3 bytes {JMP 0x161e90} .text C:\windows\Explorer.EXE[2120] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007714e430 1 byte JMP 00000000772b03c0 .text C:\windows\Explorer.EXE[2120] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 000000007714e432 3 bytes {JMP 0x161f90} .text C:\windows\Explorer.EXE[2120] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007714e440 5 bytes JMP 00000000772b0320 .text C:\windows\Explorer.EXE[2120] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007714e4b0 5 bytes JMP 00000000772b0410 .text C:\windows\Explorer.EXE[2120] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007714e4e0 5 bytes JMP 00000000772b0230 .text C:\windows\Explorer.EXE[2120] C:\windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007714e680 5 bytes JMP 00000000772b03f0 .text C:\windows\Explorer.EXE[2120] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007714e7a0 5 bytes JMP 00000000772b01d0 .text C:\windows\Explorer.EXE[2120] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007714e860 5 bytes JMP 00000000772b0240 .text C:\windows\Explorer.EXE[2120] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007714e890 5 bytes JMP 00000000772b04b0 .text C:\windows\Explorer.EXE[2120] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007714e8a0 5 bytes JMP 00000000772b04c0 .text C:\windows\Explorer.EXE[2120] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007714e8d0 5 bytes JMP 00000000772b02f0 .text C:\windows\Explorer.EXE[2120] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007714e8e0 5 bytes JMP 00000000772b0350 .text C:\windows\Explorer.EXE[2120] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007714e940 5 bytes JMP 00000000772b0290 .text C:\windows\Explorer.EXE[2120] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007714e990 5 bytes JMP 00000000772b02b0 .text C:\windows\Explorer.EXE[2120] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007714e9c0 5 bytes JMP 00000000772b0370 .text C:\windows\Explorer.EXE[2120] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007714e9d0 5 bytes JMP 00000000772b0330 .text C:\windows\Explorer.EXE[2120] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007714ecc0 5 bytes JMP 00000000772b0460 .text C:\windows\Explorer.EXE[2120] C:\windows\SYSTEM32\ntdll.dll!NtResumeProcess 000000007714ee20 5 bytes JMP 00000000772b0420 .text C:\windows\Explorer.EXE[2120] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007714eec0 1 byte JMP 00000000772b0250 .text C:\windows\Explorer.EXE[2120] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 000000007714eec2 3 bytes {JMP 0x161390} .text C:\windows\Explorer.EXE[2120] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007714eed0 1 byte JMP 00000000772b0260 .text C:\windows\Explorer.EXE[2120] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 000000007714eed2 3 bytes {JMP 0x161390} .text C:\windows\Explorer.EXE[2120] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007714eee0 5 bytes JMP 00000000772b0400 .text C:\windows\Explorer.EXE[2120] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007714f0a0 5 bytes JMP 00000000772b01e0 .text C:\windows\Explorer.EXE[2120] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007714f0b0 5 bytes JMP 00000000772b0200 .text C:\windows\Explorer.EXE[2120] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007714f120 5 bytes JMP 00000000772b01f0 .text C:\windows\Explorer.EXE[2120] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007714f180 5 bytes JMP 00000000772b0430 .text C:\windows\Explorer.EXE[2120] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007714f190 5 bytes JMP 00000000772b0450 .text C:\windows\Explorer.EXE[2120] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007714f1a0 5 bytes JMP 00000000772b0210 .text C:\windows\Explorer.EXE[2120] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007714f280 5 bytes JMP 00000000772b0270 .text C:\windows\SysWOW64\RunDll32.exe[3044] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000074b11401 2 bytes JMP 754fb20b C:\windows\syswow64\kernel32.dll .text C:\windows\SysWOW64\RunDll32.exe[3044] C:\windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000074b11419 2 bytes JMP 754fb336 C:\windows\syswow64\kernel32.dll .text C:\windows\SysWOW64\RunDll32.exe[3044] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000074b11431 2 bytes JMP 75578f39 C:\windows\syswow64\kernel32.dll .text C:\windows\SysWOW64\RunDll32.exe[3044] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000074b1144a 2 bytes CALL 754d4885 C:\windows\syswow64\kernel32.dll .text ... * 9 .text C:\windows\SysWOW64\RunDll32.exe[3044] C:\windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000074b114dd 2 bytes JMP 75578832 C:\windows\syswow64\kernel32.dll .text C:\windows\SysWOW64\RunDll32.exe[3044] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000074b114f5 2 bytes JMP 75578a08 C:\windows\syswow64\kernel32.dll .text C:\windows\SysWOW64\RunDll32.exe[3044] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000074b1150d 2 bytes JMP 75578728 C:\windows\syswow64\kernel32.dll .text C:\windows\SysWOW64\RunDll32.exe[3044] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000074b11525 2 bytes JMP 75578af2 C:\windows\syswow64\kernel32.dll .text C:\windows\SysWOW64\RunDll32.exe[3044] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000074b1153d 2 bytes JMP 754efc98 C:\windows\syswow64\kernel32.dll .text C:\windows\SysWOW64\RunDll32.exe[3044] C:\windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000074b11555 2 bytes JMP 754f68df C:\windows\syswow64\kernel32.dll .text C:\windows\SysWOW64\RunDll32.exe[3044] C:\windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000074b1156d 2 bytes JMP 75578ff1 C:\windows\syswow64\kernel32.dll .text C:\windows\SysWOW64\RunDll32.exe[3044] C:\windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000074b11585 2 bytes JMP 75578b52 C:\windows\syswow64\kernel32.dll .text C:\windows\SysWOW64\RunDll32.exe[3044] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000074b1159d 2 bytes JMP 755786ec C:\windows\syswow64\kernel32.dll .text C:\windows\SysWOW64\RunDll32.exe[3044] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000074b115b5 2 bytes JMP 754efd31 C:\windows\syswow64\kernel32.dll .text C:\windows\SysWOW64\RunDll32.exe[3044] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000074b115cd 2 bytes JMP 754fb2cc C:\windows\syswow64\kernel32.dll .text C:\windows\SysWOW64\RunDll32.exe[3044] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000074b116b2 2 bytes JMP 75578eb4 C:\windows\syswow64\kernel32.dll .text C:\windows\SysWOW64\RunDll32.exe[3044] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000074b116bd 2 bytes JMP 75578681 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[1200] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000074b11401 2 bytes JMP 754fb20b C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[1200] C:\windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000074b11419 2 bytes JMP 754fb336 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[1200] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000074b11431 2 bytes JMP 75578f39 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[1200] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000074b1144a 2 bytes CALL 754d4885 C:\windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[1200] C:\windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000074b114dd 2 bytes JMP 75578832 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[1200] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000074b114f5 2 bytes JMP 75578a08 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[1200] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000074b1150d 2 bytes JMP 75578728 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[1200] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000074b11525 2 bytes JMP 75578af2 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[1200] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000074b1153d 2 bytes JMP 754efc98 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[1200] C:\windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000074b11555 2 bytes JMP 754f68df C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[1200] C:\windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000074b1156d 2 bytes JMP 75578ff1 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[1200] C:\windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000074b11585 2 bytes JMP 75578b52 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[1200] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000074b1159d 2 bytes JMP 755786ec C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[1200] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000074b115b5 2 bytes JMP 754efd31 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[1200] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000074b115cd 2 bytes JMP 754fb2cc C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[1200] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000074b116b2 2 bytes JMP 75578eb4 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe[1200] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000074b116bd 2 bytes JMP 75578681 C:\windows\syswow64\kernel32.dll .text C:\Program Files\AVAST Software\Avast\avastui.exe[2176] C:\windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter 00000000754d8769 8 bytes [31, C0, C2, 04, 00, 90, 90, ...] .text C:\Program Files\AVAST Software\Avast\avastui.exe[2176] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000074b11401 2 bytes JMP 754fb20b C:\windows\syswow64\kernel32.dll .text C:\Program Files\AVAST Software\Avast\avastui.exe[2176] C:\windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000074b11419 2 bytes JMP 754fb336 C:\windows\syswow64\kernel32.dll .text C:\Program Files\AVAST Software\Avast\avastui.exe[2176] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000074b11431 2 bytes JMP 75578f39 C:\windows\syswow64\kernel32.dll .text C:\Program Files\AVAST Software\Avast\avastui.exe[2176] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000074b1144a 2 bytes CALL 754d4885 C:\windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files\AVAST Software\Avast\avastui.exe[2176] C:\windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000074b114dd 2 bytes JMP 75578832 C:\windows\syswow64\kernel32.dll .text C:\Program Files\AVAST Software\Avast\avastui.exe[2176] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000074b114f5 2 bytes JMP 75578a08 C:\windows\syswow64\kernel32.dll .text C:\Program Files\AVAST Software\Avast\avastui.exe[2176] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000074b1150d 2 bytes JMP 75578728 C:\windows\syswow64\kernel32.dll .text C:\Program Files\AVAST Software\Avast\avastui.exe[2176] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000074b11525 2 bytes JMP 75578af2 C:\windows\syswow64\kernel32.dll .text C:\Program Files\AVAST Software\Avast\avastui.exe[2176] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000074b1153d 2 bytes JMP 754efc98 C:\windows\syswow64\kernel32.dll .text C:\Program Files\AVAST Software\Avast\avastui.exe[2176] C:\windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000074b11555 2 bytes JMP 754f68df C:\windows\syswow64\kernel32.dll .text C:\Program Files\AVAST Software\Avast\avastui.exe[2176] C:\windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000074b1156d 2 bytes JMP 75578ff1 C:\windows\syswow64\kernel32.dll .text C:\Program Files\AVAST Software\Avast\avastui.exe[2176] C:\windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000074b11585 2 bytes JMP 75578b52 C:\windows\syswow64\kernel32.dll .text C:\Program Files\AVAST Software\Avast\avastui.exe[2176] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000074b1159d 2 bytes JMP 755786ec C:\windows\syswow64\kernel32.dll .text C:\Program Files\AVAST Software\Avast\avastui.exe[2176] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000074b115b5 2 bytes JMP 754efd31 C:\windows\syswow64\kernel32.dll .text C:\Program Files\AVAST Software\Avast\avastui.exe[2176] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000074b115cd 2 bytes JMP 754fb2cc C:\windows\syswow64\kernel32.dll .text C:\Program Files\AVAST Software\Avast\avastui.exe[2176] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000074b116b2 2 bytes JMP 75578eb4 C:\windows\syswow64\kernel32.dll .text C:\Program Files\AVAST Software\Avast\avastui.exe[2176] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000074b116bd 2 bytes JMP 75578681 C:\windows\syswow64\kernel32.dll .text C:\windows\System32\svchost.exe[716] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007714da60 5 bytes JMP 00000000772b0480 .text C:\windows\System32\svchost.exe[716] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007714dab0 5 bytes JMP 00000000772b0470 .text C:\windows\System32\svchost.exe[716] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007714dc10 5 bytes JMP 00000000772b0360 .text C:\windows\System32\svchost.exe[716] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007714dc60 5 bytes JMP 00000000772b0490 .text C:\windows\System32\svchost.exe[716] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007714dc70 5 bytes JMP 00000000772b03d0 .text C:\windows\System32\svchost.exe[716] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007714dd20 5 bytes JMP 00000000772b0310 .text C:\windows\System32\svchost.exe[716] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007714dd50 5 bytes JMP 00000000772b03a0 .text C:\windows\System32\svchost.exe[716] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007714dd70 5 bytes JMP 00000000772b0380 .text C:\windows\System32\svchost.exe[716] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007714ddb0 5 bytes JMP 00000000772b02d0 .text C:\windows\System32\svchost.exe[716] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007714de30 1 byte JMP 00000000772b02c0 .text C:\windows\System32\svchost.exe[716] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 000000007714de32 3 bytes {JMP 0x162490} .text C:\windows\System32\svchost.exe[716] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007714de50 5 bytes JMP 00000000772b0300 .text C:\windows\System32\svchost.exe[716] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007714de90 5 bytes JMP 00000000772b03b0 .text C:\windows\System32\svchost.exe[716] C:\windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007714ded0 5 bytes JMP 00000000772b0440 .text C:\windows\System32\svchost.exe[716] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007714dee0 5 bytes JMP 00000000772b03e0 .text C:\windows\System32\svchost.exe[716] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007714e040 5 bytes JMP 00000000772b0220 .text C:\windows\System32\svchost.exe[716] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007714e200 5 bytes JMP 00000000772b04a0 .text C:\windows\System32\svchost.exe[716] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007714e230 5 bytes JMP 00000000772b0390 .text C:\windows\System32\svchost.exe[716] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007714e310 5 bytes JMP 00000000772b02e0 .text C:\windows\System32\svchost.exe[716] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007714e320 5 bytes JMP 00000000772b0340 .text C:\windows\System32\svchost.exe[716] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007714e380 5 bytes JMP 00000000772b0280 .text C:\windows\System32\svchost.exe[716] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007714e410 1 byte JMP 00000000772b02a0 .text C:\windows\System32\svchost.exe[716] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 000000007714e412 3 bytes {JMP 0x161e90} .text C:\windows\System32\svchost.exe[716] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007714e430 1 byte JMP 00000000772b03c0 .text C:\windows\System32\svchost.exe[716] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 000000007714e432 3 bytes {JMP 0x161f90} .text C:\windows\System32\svchost.exe[716] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007714e440 5 bytes JMP 00000000772b0320 .text C:\windows\System32\svchost.exe[716] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007714e4b0 5 bytes JMP 00000000772b0410 .text C:\windows\System32\svchost.exe[716] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007714e4e0 5 bytes JMP 00000000772b0230 .text C:\windows\System32\svchost.exe[716] C:\windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007714e680 5 bytes JMP 00000000772b03f0 .text C:\windows\System32\svchost.exe[716] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007714e7a0 5 bytes JMP 00000000772b01d0 .text C:\windows\System32\svchost.exe[716] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007714e860 5 bytes JMP 00000000772b0240 .text C:\windows\System32\svchost.exe[716] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007714e890 5 bytes JMP 00000000772b04b0 .text C:\windows\System32\svchost.exe[716] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007714e8a0 5 bytes JMP 00000000772b04c0 .text C:\windows\System32\svchost.exe[716] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007714e8d0 5 bytes JMP 00000000772b02f0 .text C:\windows\System32\svchost.exe[716] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007714e8e0 5 bytes JMP 00000000772b0350 .text C:\windows\System32\svchost.exe[716] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007714e940 5 bytes JMP 00000000772b0290 .text C:\windows\System32\svchost.exe[716] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007714e990 5 bytes JMP 00000000772b02b0 .text C:\windows\System32\svchost.exe[716] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007714e9c0 5 bytes JMP 00000000772b0370 .text C:\windows\System32\svchost.exe[716] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007714e9d0 5 bytes JMP 00000000772b0330 .text C:\windows\System32\svchost.exe[716] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007714ecc0 5 bytes JMP 00000000772b0460 .text C:\windows\System32\svchost.exe[716] C:\windows\SYSTEM32\ntdll.dll!NtResumeProcess 000000007714ee20 5 bytes JMP 00000000772b0420 .text C:\windows\System32\svchost.exe[716] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007714eec0 1 byte JMP 00000000772b0250 .text C:\windows\System32\svchost.exe[716] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 000000007714eec2 3 bytes {JMP 0x161390} .text C:\windows\System32\svchost.exe[716] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007714eed0 1 byte JMP 00000000772b0260 .text C:\windows\System32\svchost.exe[716] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 000000007714eed2 3 bytes {JMP 0x161390} .text C:\windows\System32\svchost.exe[716] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007714eee0 5 bytes JMP 00000000772b0400 .text C:\windows\System32\svchost.exe[716] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007714f0a0 5 bytes JMP 00000000772b01e0 .text C:\windows\System32\svchost.exe[716] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007714f0b0 5 bytes JMP 00000000772b0200 .text C:\windows\System32\svchost.exe[716] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007714f120 5 bytes JMP 00000000772b01f0 .text C:\windows\System32\svchost.exe[716] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007714f180 5 bytes JMP 00000000772b0430 .text C:\windows\System32\svchost.exe[716] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007714f190 5 bytes JMP 00000000772b0450 .text C:\windows\System32\svchost.exe[716] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007714f1a0 5 bytes JMP 00000000772b0210 .text C:\windows\System32\svchost.exe[716] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007714f280 5 bytes JMP 00000000772b0270 .text C:\windows\system32\svchost.exe[3128] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007714da60 5 bytes JMP 00000000772b0480 .text C:\windows\system32\svchost.exe[3128] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007714dab0 5 bytes JMP 00000000772b0470 .text C:\windows\system32\svchost.exe[3128] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007714dc10 5 bytes JMP 00000000772b0360 .text C:\windows\system32\svchost.exe[3128] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007714dc60 5 bytes JMP 00000000772b0490 .text C:\windows\system32\svchost.exe[3128] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007714dc70 5 bytes JMP 00000000772b03d0 .text C:\windows\system32\svchost.exe[3128] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007714dd20 5 bytes JMP 00000000772b0310 .text C:\windows\system32\svchost.exe[3128] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007714dd50 5 bytes JMP 00000000772b03a0 .text C:\windows\system32\svchost.exe[3128] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007714dd70 5 bytes JMP 00000000772b0380 .text C:\windows\system32\svchost.exe[3128] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007714ddb0 5 bytes JMP 00000000772b02d0 .text C:\windows\system32\svchost.exe[3128] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007714de30 1 byte JMP 00000000772b02c0 .text C:\windows\system32\svchost.exe[3128] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 000000007714de32 3 bytes {JMP 0x162490} .text C:\windows\system32\svchost.exe[3128] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007714de50 5 bytes JMP 00000000772b0300 .text C:\windows\system32\svchost.exe[3128] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007714de90 5 bytes JMP 00000000772b03b0 .text C:\windows\system32\svchost.exe[3128] C:\windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007714ded0 5 bytes JMP 00000000772b0440 .text C:\windows\system32\svchost.exe[3128] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007714dee0 5 bytes JMP 00000000772b03e0 .text C:\windows\system32\svchost.exe[3128] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007714e040 5 bytes JMP 00000000772b0220 .text C:\windows\system32\svchost.exe[3128] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007714e200 5 bytes JMP 00000000772b04a0 .text C:\windows\system32\svchost.exe[3128] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007714e230 5 bytes JMP 00000000772b0390 .text C:\windows\system32\svchost.exe[3128] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007714e310 5 bytes JMP 00000000772b02e0 .text C:\windows\system32\svchost.exe[3128] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007714e320 5 bytes JMP 00000000772b0340 .text C:\windows\system32\svchost.exe[3128] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007714e380 5 bytes JMP 00000000772b0280 .text C:\windows\system32\svchost.exe[3128] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007714e410 1 byte JMP 00000000772b02a0 .text C:\windows\system32\svchost.exe[3128] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 000000007714e412 3 bytes {JMP 0x161e90} .text C:\windows\system32\svchost.exe[3128] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007714e430 1 byte JMP 00000000772b03c0 .text C:\windows\system32\svchost.exe[3128] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 000000007714e432 3 bytes {JMP 0x161f90} .text C:\windows\system32\svchost.exe[3128] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007714e440 5 bytes JMP 00000000772b0320 .text C:\windows\system32\svchost.exe[3128] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007714e4b0 5 bytes JMP 00000000772b0410 .text C:\windows\system32\svchost.exe[3128] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007714e4e0 5 bytes JMP 00000000772b0230 .text C:\windows\system32\svchost.exe[3128] C:\windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007714e680 5 bytes JMP 00000000772b03f0 .text C:\windows\system32\svchost.exe[3128] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007714e7a0 5 bytes JMP 00000000772b01d0 .text C:\windows\system32\svchost.exe[3128] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007714e860 5 bytes JMP 00000000772b0240 .text C:\windows\system32\svchost.exe[3128] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007714e890 5 bytes JMP 00000000772b04b0 .text C:\windows\system32\svchost.exe[3128] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007714e8a0 5 bytes JMP 00000000772b04c0 .text C:\windows\system32\svchost.exe[3128] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007714e8d0 5 bytes JMP 00000000772b02f0 .text C:\windows\system32\svchost.exe[3128] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007714e8e0 5 bytes JMP 00000000772b0350 .text C:\windows\system32\svchost.exe[3128] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007714e940 5 bytes JMP 00000000772b0290 .text C:\windows\system32\svchost.exe[3128] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007714e990 5 bytes JMP 00000000772b02b0 .text C:\windows\system32\svchost.exe[3128] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007714e9c0 5 bytes JMP 00000000772b0370 .text C:\windows\system32\svchost.exe[3128] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007714e9d0 5 bytes JMP 00000000772b0330 .text C:\windows\system32\svchost.exe[3128] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007714ecc0 5 bytes JMP 00000000772b0460 .text C:\windows\system32\svchost.exe[3128] C:\windows\SYSTEM32\ntdll.dll!NtResumeProcess 000000007714ee20 5 bytes JMP 00000000772b0420 .text C:\windows\system32\svchost.exe[3128] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007714eec0 1 byte JMP 00000000772b0250 .text C:\windows\system32\svchost.exe[3128] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 000000007714eec2 3 bytes {JMP 0x161390} .text C:\windows\system32\svchost.exe[3128] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007714eed0 1 byte JMP 00000000772b0260 .text C:\windows\system32\svchost.exe[3128] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 000000007714eed2 3 bytes {JMP 0x161390} .text C:\windows\system32\svchost.exe[3128] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007714eee0 5 bytes JMP 00000000772b0400 .text C:\windows\system32\svchost.exe[3128] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007714f0a0 5 bytes JMP 00000000772b01e0 .text C:\windows\system32\svchost.exe[3128] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007714f0b0 5 bytes JMP 00000000772b0200 .text C:\windows\system32\svchost.exe[3128] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007714f120 5 bytes JMP 00000000772b01f0 .text C:\windows\system32\svchost.exe[3128] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007714f180 5 bytes JMP 00000000772b0430 .text C:\windows\system32\svchost.exe[3128] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007714f190 5 bytes JMP 00000000772b0450 .text C:\windows\system32\svchost.exe[3128] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007714f1a0 5 bytes JMP 00000000772b0210 .text C:\windows\system32\svchost.exe[3128] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007714f280 5 bytes JMP 00000000772b0270 .text C:\windows\system32\svchost.exe[1416] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007714da60 5 bytes JMP 00000000772b0480 .text C:\windows\system32\svchost.exe[1416] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007714dab0 5 bytes JMP 00000000772b0470 .text C:\windows\system32\svchost.exe[1416] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007714dc10 5 bytes JMP 00000000772b0360 .text C:\windows\system32\svchost.exe[1416] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007714dc60 5 bytes JMP 00000000772b0490 .text C:\windows\system32\svchost.exe[1416] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007714dc70 5 bytes JMP 00000000772b03d0 .text C:\windows\system32\svchost.exe[1416] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007714dd20 5 bytes JMP 00000000772b0310 .text C:\windows\system32\svchost.exe[1416] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007714dd50 5 bytes JMP 00000000772b03a0 .text C:\windows\system32\svchost.exe[1416] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007714dd70 5 bytes JMP 00000000772b0380 .text C:\windows\system32\svchost.exe[1416] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007714ddb0 5 bytes JMP 00000000772b02d0 .text C:\windows\system32\svchost.exe[1416] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007714de30 1 byte JMP 00000000772b02c0 .text C:\windows\system32\svchost.exe[1416] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 000000007714de32 3 bytes {JMP 0x162490} .text C:\windows\system32\svchost.exe[1416] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007714de50 5 bytes JMP 00000000772b0300 .text C:\windows\system32\svchost.exe[1416] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007714de90 5 bytes JMP 00000000772b03b0 .text C:\windows\system32\svchost.exe[1416] C:\windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007714ded0 5 bytes JMP 00000000772b0440 .text C:\windows\system32\svchost.exe[1416] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007714dee0 5 bytes JMP 00000000772b03e0 .text C:\windows\system32\svchost.exe[1416] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007714e040 5 bytes JMP 00000000772b0220 .text C:\windows\system32\svchost.exe[1416] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007714e200 5 bytes JMP 00000000772b04a0 .text C:\windows\system32\svchost.exe[1416] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007714e230 5 bytes JMP 00000000772b0390 .text C:\windows\system32\svchost.exe[1416] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007714e310 5 bytes JMP 00000000772b02e0 .text C:\windows\system32\svchost.exe[1416] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007714e320 5 bytes JMP 00000000772b0340 .text C:\windows\system32\svchost.exe[1416] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007714e380 5 bytes JMP 00000000772b0280 .text C:\windows\system32\svchost.exe[1416] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007714e410 1 byte JMP 00000000772b02a0 .text C:\windows\system32\svchost.exe[1416] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 000000007714e412 3 bytes {JMP 0x161e90} .text C:\windows\system32\svchost.exe[1416] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007714e430 1 byte JMP 00000000772b03c0 .text C:\windows\system32\svchost.exe[1416] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 000000007714e432 3 bytes {JMP 0x161f90} .text C:\windows\system32\svchost.exe[1416] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007714e440 5 bytes JMP 00000000772b0320 .text C:\windows\system32\svchost.exe[1416] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007714e4b0 5 bytes JMP 00000000772b0410 .text C:\windows\system32\svchost.exe[1416] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007714e4e0 5 bytes JMP 00000000772b0230 .text C:\windows\system32\svchost.exe[1416] C:\windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007714e680 5 bytes JMP 00000000772b03f0 .text C:\windows\system32\svchost.exe[1416] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007714e7a0 5 bytes JMP 00000000772b01d0 .text C:\windows\system32\svchost.exe[1416] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007714e860 5 bytes JMP 00000000772b0240 .text C:\windows\system32\svchost.exe[1416] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007714e890 5 bytes JMP 00000000772b04b0 .text C:\windows\system32\svchost.exe[1416] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007714e8a0 5 bytes JMP 00000000772b04c0 .text C:\windows\system32\svchost.exe[1416] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007714e8d0 5 bytes JMP 00000000772b02f0 .text C:\windows\system32\svchost.exe[1416] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007714e8e0 5 bytes JMP 00000000772b0350 .text C:\windows\system32\svchost.exe[1416] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007714e940 5 bytes JMP 00000000772b0290 .text C:\windows\system32\svchost.exe[1416] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007714e990 5 bytes JMP 00000000772b02b0 .text C:\windows\system32\svchost.exe[1416] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007714e9c0 5 bytes JMP 00000000772b0370 .text C:\windows\system32\svchost.exe[1416] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007714e9d0 5 bytes JMP 00000000772b0330 .text C:\windows\system32\svchost.exe[1416] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007714ecc0 5 bytes JMP 00000000772b0460 .text C:\windows\system32\svchost.exe[1416] C:\windows\SYSTEM32\ntdll.dll!NtResumeProcess 000000007714ee20 5 bytes JMP 00000000772b0420 .text C:\windows\system32\svchost.exe[1416] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007714eec0 1 byte JMP 00000000772b0250 .text C:\windows\system32\svchost.exe[1416] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 000000007714eec2 3 bytes {JMP 0x161390} .text C:\windows\system32\svchost.exe[1416] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007714eed0 1 byte JMP 00000000772b0260 .text C:\windows\system32\svchost.exe[1416] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 000000007714eed2 3 bytes {JMP 0x161390} .text C:\windows\system32\svchost.exe[1416] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007714eee0 5 bytes JMP 00000000772b0400 .text C:\windows\system32\svchost.exe[1416] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007714f0a0 5 bytes JMP 00000000772b01e0 .text C:\windows\system32\svchost.exe[1416] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007714f0b0 5 bytes JMP 00000000772b0200 .text C:\windows\system32\svchost.exe[1416] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007714f120 5 bytes JMP 00000000772b01f0 .text C:\windows\system32\svchost.exe[1416] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007714f180 5 bytes JMP 00000000772b0430 .text C:\windows\system32\svchost.exe[1416] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007714f190 5 bytes JMP 00000000772b0450 .text C:\windows\system32\svchost.exe[1416] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007714f1a0 5 bytes JMP 00000000772b0210 .text C:\windows\system32\svchost.exe[1416] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007714f280 5 bytes JMP 00000000772b0270 .text C:\windows\System32\svchost.exe[4228] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007714da60 5 bytes JMP 00000000772b0480 .text C:\windows\System32\svchost.exe[4228] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007714dab0 5 bytes JMP 00000000772b0470 .text C:\windows\System32\svchost.exe[4228] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007714dc10 5 bytes JMP 00000000772b0360 .text C:\windows\System32\svchost.exe[4228] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007714dc60 5 bytes JMP 00000000772b0490 .text C:\windows\System32\svchost.exe[4228] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007714dc70 5 bytes JMP 00000000772b03d0 .text C:\windows\System32\svchost.exe[4228] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007714dd20 5 bytes JMP 00000000772b0310 .text C:\windows\System32\svchost.exe[4228] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007714dd50 5 bytes JMP 00000000772b03a0 .text C:\windows\System32\svchost.exe[4228] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007714dd70 5 bytes JMP 00000000772b0380 .text C:\windows\System32\svchost.exe[4228] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007714ddb0 5 bytes JMP 00000000772b02d0 .text C:\windows\System32\svchost.exe[4228] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007714de30 1 byte JMP 00000000772b02c0 .text C:\windows\System32\svchost.exe[4228] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 000000007714de32 3 bytes {JMP 0x162490} .text C:\windows\System32\svchost.exe[4228] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007714de50 5 bytes JMP 00000000772b0300 .text C:\windows\System32\svchost.exe[4228] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007714de90 5 bytes JMP 00000000772b03b0 .text C:\windows\System32\svchost.exe[4228] C:\windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007714ded0 5 bytes JMP 00000000772b0440 .text C:\windows\System32\svchost.exe[4228] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007714dee0 5 bytes JMP 00000000772b03e0 .text C:\windows\System32\svchost.exe[4228] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007714e040 5 bytes JMP 00000000772b0220 .text C:\windows\System32\svchost.exe[4228] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007714e200 5 bytes JMP 00000000772b04a0 .text C:\windows\System32\svchost.exe[4228] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007714e230 5 bytes JMP 00000000772b0390 .text C:\windows\System32\svchost.exe[4228] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007714e310 5 bytes JMP 00000000772b02e0 .text C:\windows\System32\svchost.exe[4228] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007714e320 5 bytes JMP 00000000772b0340 .text C:\windows\System32\svchost.exe[4228] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007714e380 5 bytes JMP 00000000772b0280 .text C:\windows\System32\svchost.exe[4228] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007714e410 1 byte JMP 00000000772b02a0 .text C:\windows\System32\svchost.exe[4228] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 000000007714e412 3 bytes {JMP 0x161e90} .text C:\windows\System32\svchost.exe[4228] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007714e430 1 byte JMP 00000000772b03c0 .text C:\windows\System32\svchost.exe[4228] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 000000007714e432 3 bytes {JMP 0x161f90} .text C:\windows\System32\svchost.exe[4228] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007714e440 5 bytes JMP 00000000772b0320 .text C:\windows\System32\svchost.exe[4228] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007714e4b0 5 bytes JMP 00000000772b0410 .text C:\windows\System32\svchost.exe[4228] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007714e4e0 5 bytes JMP 00000000772b0230 .text C:\windows\System32\svchost.exe[4228] C:\windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007714e680 5 bytes JMP 00000000772b03f0 .text C:\windows\System32\svchost.exe[4228] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007714e7a0 5 bytes JMP 00000000772b01d0 .text C:\windows\System32\svchost.exe[4228] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007714e860 5 bytes JMP 00000000772b0240 .text C:\windows\System32\svchost.exe[4228] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007714e890 5 bytes JMP 00000000772b04b0 .text C:\windows\System32\svchost.exe[4228] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007714e8a0 5 bytes JMP 00000000772b04c0 .text C:\windows\System32\svchost.exe[4228] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007714e8d0 5 bytes JMP 00000000772b02f0 .text C:\windows\System32\svchost.exe[4228] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007714e8e0 5 bytes JMP 00000000772b0350 .text C:\windows\System32\svchost.exe[4228] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007714e940 5 bytes JMP 00000000772b0290 .text C:\windows\System32\svchost.exe[4228] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007714e990 5 bytes JMP 00000000772b02b0 .text C:\windows\System32\svchost.exe[4228] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007714e9c0 5 bytes JMP 00000000772b0370 .text C:\windows\System32\svchost.exe[4228] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007714e9d0 5 bytes JMP 00000000772b0330 .text C:\windows\System32\svchost.exe[4228] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007714ecc0 5 bytes JMP 00000000772b0460 .text C:\windows\System32\svchost.exe[4228] C:\windows\SYSTEM32\ntdll.dll!NtResumeProcess 000000007714ee20 5 bytes JMP 00000000772b0420 .text C:\windows\System32\svchost.exe[4228] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007714eec0 1 byte JMP 00000000772b0250 .text C:\windows\System32\svchost.exe[4228] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 000000007714eec2 3 bytes {JMP 0x161390} .text C:\windows\System32\svchost.exe[4228] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007714eed0 1 byte JMP 00000000772b0260 .text C:\windows\System32\svchost.exe[4228] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 000000007714eed2 3 bytes {JMP 0x161390} .text C:\windows\System32\svchost.exe[4228] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007714eee0 5 bytes JMP 00000000772b0400 .text C:\windows\System32\svchost.exe[4228] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007714f0a0 5 bytes JMP 00000000772b01e0 .text C:\windows\System32\svchost.exe[4228] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007714f0b0 5 bytes JMP 00000000772b0200 .text C:\windows\System32\svchost.exe[4228] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007714f120 5 bytes JMP 00000000772b01f0 .text C:\windows\System32\svchost.exe[4228] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007714f180 5 bytes JMP 00000000772b0430 .text C:\windows\System32\svchost.exe[4228] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007714f190 5 bytes JMP 00000000772b0450 .text C:\windows\System32\svchost.exe[4228] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007714f1a0 5 bytes JMP 00000000772b0210 .text C:\windows\System32\svchost.exe[4228] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007714f280 5 bytes JMP 00000000772b0270 .text C:\Users\Marcin\AppData\Local\Autodesk\.AdskAppManager\R1\AdAppMgr.exe[4724] C:\windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter 00000000754d8769 5 bytes [33, C0, C2, 04, 00] .text C:\Users\Marcin\AppData\Local\Autodesk\.AdskAppManager\R1\AdAppMgr.exe[4724] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000074b11401 2 bytes JMP 754fb20b C:\windows\syswow64\kernel32.dll .text C:\Users\Marcin\AppData\Local\Autodesk\.AdskAppManager\R1\AdAppMgr.exe[4724] C:\windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000074b11419 2 bytes JMP 754fb336 C:\windows\syswow64\kernel32.dll .text C:\Users\Marcin\AppData\Local\Autodesk\.AdskAppManager\R1\AdAppMgr.exe[4724] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000074b11431 2 bytes JMP 75578f39 C:\windows\syswow64\kernel32.dll .text C:\Users\Marcin\AppData\Local\Autodesk\.AdskAppManager\R1\AdAppMgr.exe[4724] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000074b1144a 2 bytes CALL 754d4885 C:\windows\syswow64\kernel32.dll .text ... * 9 .text C:\Users\Marcin\AppData\Local\Autodesk\.AdskAppManager\R1\AdAppMgr.exe[4724] C:\windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000074b114dd 2 bytes JMP 75578832 C:\windows\syswow64\kernel32.dll .text C:\Users\Marcin\AppData\Local\Autodesk\.AdskAppManager\R1\AdAppMgr.exe[4724] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000074b114f5 2 bytes JMP 75578a08 C:\windows\syswow64\kernel32.dll .text C:\Users\Marcin\AppData\Local\Autodesk\.AdskAppManager\R1\AdAppMgr.exe[4724] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000074b1150d 2 bytes JMP 75578728 C:\windows\syswow64\kernel32.dll .text C:\Users\Marcin\AppData\Local\Autodesk\.AdskAppManager\R1\AdAppMgr.exe[4724] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000074b11525 2 bytes JMP 75578af2 C:\windows\syswow64\kernel32.dll .text C:\Users\Marcin\AppData\Local\Autodesk\.AdskAppManager\R1\AdAppMgr.exe[4724] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000074b1153d 2 bytes JMP 754efc98 C:\windows\syswow64\kernel32.dll .text C:\Users\Marcin\AppData\Local\Autodesk\.AdskAppManager\R1\AdAppMgr.exe[4724] C:\windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000074b11555 2 bytes JMP 754f68df C:\windows\syswow64\kernel32.dll .text C:\Users\Marcin\AppData\Local\Autodesk\.AdskAppManager\R1\AdAppMgr.exe[4724] C:\windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000074b1156d 2 bytes JMP 75578ff1 C:\windows\syswow64\kernel32.dll .text C:\Users\Marcin\AppData\Local\Autodesk\.AdskAppManager\R1\AdAppMgr.exe[4724] C:\windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000074b11585 2 bytes JMP 75578b52 C:\windows\syswow64\kernel32.dll .text C:\Users\Marcin\AppData\Local\Autodesk\.AdskAppManager\R1\AdAppMgr.exe[4724] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000074b1159d 2 bytes JMP 755786ec C:\windows\syswow64\kernel32.dll .text C:\Users\Marcin\AppData\Local\Autodesk\.AdskAppManager\R1\AdAppMgr.exe[4724] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000074b115b5 2 bytes JMP 754efd31 C:\windows\syswow64\kernel32.dll .text C:\Users\Marcin\AppData\Local\Autodesk\.AdskAppManager\R1\AdAppMgr.exe[4724] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000074b115cd 2 bytes JMP 754fb2cc C:\windows\syswow64\kernel32.dll .text C:\Users\Marcin\AppData\Local\Autodesk\.AdskAppManager\R1\AdAppMgr.exe[4724] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000074b116b2 2 bytes JMP 75578eb4 C:\windows\syswow64\kernel32.dll .text C:\Users\Marcin\AppData\Local\Autodesk\.AdskAppManager\R1\AdAppMgr.exe[4724] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000074b116bd 2 bytes JMP 75578681 C:\windows\syswow64\kernel32.dll .text C:\windows\system32\wbem\wmiprvse.exe[3324] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007714da60 5 bytes JMP 00000000772b0480 .text C:\windows\system32\wbem\wmiprvse.exe[3324] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007714dab0 5 bytes JMP 00000000772b0470 .text C:\windows\system32\wbem\wmiprvse.exe[3324] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007714dc10 5 bytes JMP 00000000772b0360 .text C:\windows\system32\wbem\wmiprvse.exe[3324] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007714dc60 5 bytes JMP 00000000772b0490 .text C:\windows\system32\wbem\wmiprvse.exe[3324] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007714dc70 5 bytes JMP 00000000772b03d0 .text C:\windows\system32\wbem\wmiprvse.exe[3324] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007714dd20 5 bytes JMP 00000000772b0310 .text C:\windows\system32\wbem\wmiprvse.exe[3324] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007714dd50 5 bytes JMP 00000000772b03a0 .text C:\windows\system32\wbem\wmiprvse.exe[3324] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007714dd70 5 bytes JMP 00000000772b0380 .text C:\windows\system32\wbem\wmiprvse.exe[3324] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007714ddb0 5 bytes JMP 00000000772b02d0 .text C:\windows\system32\wbem\wmiprvse.exe[3324] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007714de30 1 byte JMP 00000000772b02c0 .text C:\windows\system32\wbem\wmiprvse.exe[3324] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 000000007714de32 3 bytes {JMP 0x162490} .text C:\windows\system32\wbem\wmiprvse.exe[3324] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007714de50 5 bytes JMP 00000000772b0300 .text C:\windows\system32\wbem\wmiprvse.exe[3324] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007714de90 5 bytes JMP 00000000772b03b0 .text C:\windows\system32\wbem\wmiprvse.exe[3324] C:\windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007714ded0 5 bytes JMP 00000000772b0440 .text C:\windows\system32\wbem\wmiprvse.exe[3324] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007714dee0 5 bytes JMP 00000000772b03e0 .text C:\windows\system32\wbem\wmiprvse.exe[3324] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007714e040 5 bytes JMP 00000000772b0220 .text C:\windows\system32\wbem\wmiprvse.exe[3324] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007714e200 5 bytes JMP 00000000772b04a0 .text C:\windows\system32\wbem\wmiprvse.exe[3324] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007714e230 5 bytes JMP 00000000772b0390 .text C:\windows\system32\wbem\wmiprvse.exe[3324] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007714e310 5 bytes JMP 00000000772b02e0 .text C:\windows\system32\wbem\wmiprvse.exe[3324] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007714e320 5 bytes JMP 00000000772b0340 .text C:\windows\system32\wbem\wmiprvse.exe[3324] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007714e380 5 bytes JMP 00000000772b0280 .text C:\windows\system32\wbem\wmiprvse.exe[3324] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007714e410 1 byte JMP 00000000772b02a0 .text C:\windows\system32\wbem\wmiprvse.exe[3324] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 000000007714e412 3 bytes {JMP 0x161e90} .text C:\windows\system32\wbem\wmiprvse.exe[3324] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007714e430 1 byte JMP 00000000772b03c0 .text C:\windows\system32\wbem\wmiprvse.exe[3324] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 000000007714e432 3 bytes {JMP 0x161f90} .text C:\windows\system32\wbem\wmiprvse.exe[3324] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007714e440 5 bytes JMP 00000000772b0320 .text C:\windows\system32\wbem\wmiprvse.exe[3324] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007714e4b0 5 bytes JMP 00000000772b0410 .text C:\windows\system32\wbem\wmiprvse.exe[3324] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007714e4e0 5 bytes JMP 00000000772b0230 .text C:\windows\system32\wbem\wmiprvse.exe[3324] C:\windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007714e680 5 bytes JMP 00000000772b03f0 .text C:\windows\system32\wbem\wmiprvse.exe[3324] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007714e7a0 5 bytes JMP 00000000772b01d0 .text C:\windows\system32\wbem\wmiprvse.exe[3324] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007714e860 5 bytes JMP 00000000772b0240 .text C:\windows\system32\wbem\wmiprvse.exe[3324] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007714e890 5 bytes JMP 00000000772b04b0 .text C:\windows\system32\wbem\wmiprvse.exe[3324] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007714e8a0 5 bytes JMP 00000000772b04c0 .text C:\windows\system32\wbem\wmiprvse.exe[3324] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007714e8d0 5 bytes JMP 00000000772b02f0 .text C:\windows\system32\wbem\wmiprvse.exe[3324] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007714e8e0 5 bytes JMP 00000000772b0350 .text C:\windows\system32\wbem\wmiprvse.exe[3324] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007714e940 5 bytes JMP 00000000772b0290 .text C:\windows\system32\wbem\wmiprvse.exe[3324] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007714e990 5 bytes JMP 00000000772b02b0 .text C:\windows\system32\wbem\wmiprvse.exe[3324] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007714e9c0 5 bytes JMP 00000000772b0370 .text C:\windows\system32\wbem\wmiprvse.exe[3324] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007714e9d0 5 bytes JMP 00000000772b0330 .text C:\windows\system32\wbem\wmiprvse.exe[3324] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007714ecc0 5 bytes JMP 00000000772b0460 .text C:\windows\system32\wbem\wmiprvse.exe[3324] C:\windows\SYSTEM32\ntdll.dll!NtResumeProcess 000000007714ee20 5 bytes JMP 00000000772b0420 .text C:\windows\system32\wbem\wmiprvse.exe[3324] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007714eec0 1 byte JMP 00000000772b0250 .text C:\windows\system32\wbem\wmiprvse.exe[3324] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 000000007714eec2 3 bytes {JMP 0x161390} .text C:\windows\system32\wbem\wmiprvse.exe[3324] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007714eed0 1 byte JMP 00000000772b0260 .text C:\windows\system32\wbem\wmiprvse.exe[3324] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 000000007714eed2 3 bytes {JMP 0x161390} .text C:\windows\system32\wbem\wmiprvse.exe[3324] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007714eee0 5 bytes JMP 00000000772b0400 .text C:\windows\system32\wbem\wmiprvse.exe[3324] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007714f0a0 5 bytes JMP 00000000772b01e0 .text C:\windows\system32\wbem\wmiprvse.exe[3324] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007714f0b0 5 bytes JMP 00000000772b0200 .text C:\windows\system32\wbem\wmiprvse.exe[3324] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007714f120 5 bytes JMP 00000000772b01f0 .text C:\windows\system32\wbem\wmiprvse.exe[3324] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007714f180 5 bytes JMP 00000000772b0430 .text C:\windows\system32\wbem\wmiprvse.exe[3324] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007714f190 5 bytes JMP 00000000772b0450 .text C:\windows\system32\wbem\wmiprvse.exe[3324] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007714f1a0 5 bytes JMP 00000000772b0210 .text C:\windows\system32\wbem\wmiprvse.exe[3324] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007714f280 5 bytes JMP 00000000772b0270 .text C:\Program Files (x86)\Common Files\Autodesk Shared\AppManager\R1\AdAppMgrSvc.exe[3764] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000074b11401 2 bytes JMP 754fb20b C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Autodesk Shared\AppManager\R1\AdAppMgrSvc.exe[3764] C:\windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000074b11419 2 bytes JMP 754fb336 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Autodesk Shared\AppManager\R1\AdAppMgrSvc.exe[3764] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000074b11431 2 bytes JMP 75578f39 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Autodesk Shared\AppManager\R1\AdAppMgrSvc.exe[3764] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000074b1144a 2 bytes CALL 754d4885 C:\windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\Common Files\Autodesk Shared\AppManager\R1\AdAppMgrSvc.exe[3764] C:\windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000074b114dd 2 bytes JMP 75578832 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Autodesk Shared\AppManager\R1\AdAppMgrSvc.exe[3764] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000074b114f5 2 bytes JMP 75578a08 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Autodesk Shared\AppManager\R1\AdAppMgrSvc.exe[3764] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000074b1150d 2 bytes JMP 75578728 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Autodesk Shared\AppManager\R1\AdAppMgrSvc.exe[3764] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000074b11525 2 bytes JMP 75578af2 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Autodesk Shared\AppManager\R1\AdAppMgrSvc.exe[3764] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000074b1153d 2 bytes JMP 754efc98 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Autodesk Shared\AppManager\R1\AdAppMgrSvc.exe[3764] C:\windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000074b11555 2 bytes JMP 754f68df C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Autodesk Shared\AppManager\R1\AdAppMgrSvc.exe[3764] C:\windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000074b1156d 2 bytes JMP 75578ff1 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Autodesk Shared\AppManager\R1\AdAppMgrSvc.exe[3764] C:\windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000074b11585 2 bytes JMP 75578b52 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Autodesk Shared\AppManager\R1\AdAppMgrSvc.exe[3764] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000074b1159d 2 bytes JMP 755786ec C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Autodesk Shared\AppManager\R1\AdAppMgrSvc.exe[3764] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000074b115b5 2 bytes JMP 754efd31 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Autodesk Shared\AppManager\R1\AdAppMgrSvc.exe[3764] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000074b115cd 2 bytes JMP 754fb2cc C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Autodesk Shared\AppManager\R1\AdAppMgrSvc.exe[3764] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000074b116b2 2 bytes JMP 75578eb4 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Autodesk Shared\AppManager\R1\AdAppMgrSvc.exe[3764] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000074b116bd 2 bytes JMP 75578681 C:\windows\syswow64\kernel32.dll .text C:\Users\Marcin\Desktop\GMER\k0cyn52d.exe[3340] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000074b11401 2 bytes JMP 754fb20b C:\windows\syswow64\kernel32.dll .text C:\Users\Marcin\Desktop\GMER\k0cyn52d.exe[3340] C:\windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000074b11419 2 bytes JMP 754fb336 C:\windows\syswow64\kernel32.dll .text C:\Users\Marcin\Desktop\GMER\k0cyn52d.exe[3340] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000074b11431 2 bytes JMP 75578f39 C:\windows\syswow64\kernel32.dll .text C:\Users\Marcin\Desktop\GMER\k0cyn52d.exe[3340] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000074b1144a 2 bytes CALL 754d4885 C:\windows\syswow64\kernel32.dll .text ... * 9 .text C:\Users\Marcin\Desktop\GMER\k0cyn52d.exe[3340] C:\windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000074b114dd 2 bytes JMP 75578832 C:\windows\syswow64\kernel32.dll .text C:\Users\Marcin\Desktop\GMER\k0cyn52d.exe[3340] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000074b114f5 2 bytes JMP 75578a08 C:\windows\syswow64\kernel32.dll .text C:\Users\Marcin\Desktop\GMER\k0cyn52d.exe[3340] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000074b1150d 2 bytes JMP 75578728 C:\windows\syswow64\kernel32.dll .text C:\Users\Marcin\Desktop\GMER\k0cyn52d.exe[3340] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000074b11525 2 bytes JMP 75578af2 C:\windows\syswow64\kernel32.dll .text C:\Users\Marcin\Desktop\GMER\k0cyn52d.exe[3340] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000074b1153d 2 bytes JMP 754efc98 C:\windows\syswow64\kernel32.dll .text C:\Users\Marcin\Desktop\GMER\k0cyn52d.exe[3340] C:\windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000074b11555 2 bytes JMP 754f68df C:\windows\syswow64\kernel32.dll .text C:\Users\Marcin\Desktop\GMER\k0cyn52d.exe[3340] C:\windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000074b1156d 2 bytes JMP 75578ff1 C:\windows\syswow64\kernel32.dll .text C:\Users\Marcin\Desktop\GMER\k0cyn52d.exe[3340] C:\windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000074b11585 2 bytes JMP 75578b52 C:\windows\syswow64\kernel32.dll .text C:\Users\Marcin\Desktop\GMER\k0cyn52d.exe[3340] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000074b1159d 2 bytes JMP 755786ec C:\windows\syswow64\kernel32.dll .text C:\Users\Marcin\Desktop\GMER\k0cyn52d.exe[3340] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000074b115b5 2 bytes JMP 754efd31 C:\windows\syswow64\kernel32.dll .text C:\Users\Marcin\Desktop\GMER\k0cyn52d.exe[3340] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000074b115cd 2 bytes JMP 754fb2cc C:\windows\syswow64\kernel32.dll .text C:\Users\Marcin\Desktop\GMER\k0cyn52d.exe[3340] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000074b116b2 2 bytes JMP 75578eb4 C:\windows\syswow64\kernel32.dll .text C:\Users\Marcin\Desktop\GMER\k0cyn52d.exe[3340] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000074b116bd 2 bytes JMP 75578681 C:\windows\syswow64\kernel32.dll ---- Threads - GMER 2.2 ---- Thread C:\Windows\System32\wscript.exe [2740:4840] 000007fefa041ebc Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [2920:2096] 000007fefbad2ae8 Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [2920:3936] 000007fee8d65648 Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [2920:3316] 000007fef0145124 ---- Registry - GMER 2.2 ---- Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\{69FA26E6-F87B-4C10-8981-6E287B29CB32}\Connection@Name isatap.{12737FB4-974E-4D54-B008-6A841A7D1892} Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{2B07FAA1-8217-4E30-B5EC-FD4501E773BB}\Linkage@Bind \Device\{115CB76E-4E22-483F-AA95-B2F0A3B86610}?\Device\{69FA26E6-F87B-4C10-8981-6E287B29CB32}? Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{2B07FAA1-8217-4E30-B5EC-FD4501E773BB}\Linkage@Route "{115CB76E-4E22-483F-AA95-B2F0A3B86610}"?"{69FA26E6-F87B-4C10-8981-6E287B29CB32}"? Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{2B07FAA1-8217-4E30-B5EC-FD4501E773BB}\Linkage@Export \Device\TCPIP6TUNNEL_{115CB76E-4E22-483F-AA95-B2F0A3B86610}?\Device\TCPIP6TUNNEL_{69FA26E6-F87B-4C10-8981-6E287B29CB32}? Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\0c6076fc1a13 Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\7ce9d3c986f8 Reg HKLM\SYSTEM\CurrentControlSet\services\iphlpsvc\Parameters\Isatap\{69FA26E6-F87B-4C10-8981-6E287B29CB32}@InterfaceName isatap.{12737FB4-974E-4D54-B008-6A841A7D1892} Reg HKLM\SYSTEM\CurrentControlSet\services\iphlpsvc\Parameters\Isatap\{69FA26E6-F87B-4C10-8981-6E287B29CB32}@ReusableType 0 Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\0c6076fc1a13 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\7ce9d3c986f8 (not active ControlSet) ---- EOF - GMER 2.2 ----