GMER 2.2.19882 - http://www.gmer.net Rootkit scan 2017-01-24 13:24:17 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 Hitachi_HDS721010CLA330 rev.JP4OA3MA 931,51GB Running: yivntzdb.exe; Driver: C:\Users\Pyko\AppData\Local\Temp\aftcyaod.sys ---- User code sections - GMER 2.2 ---- .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007789da60 5 bytes JMP 0000000049940480 .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007789dab0 5 bytes JMP 0000000049940470 .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007789dc10 5 bytes JMP 0000000049940360 .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007789dc60 5 bytes JMP 0000000049940490 .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007789dc70 5 bytes JMP 00000000499403d0 .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007789dd20 5 bytes JMP 0000000049940310 .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007789dd50 5 bytes JMP 00000000499403a0 .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007789dd70 5 bytes JMP 0000000049940380 .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007789ddb0 5 bytes JMP 00000000499402d0 .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007789de30 1 byte JMP 00000000499402c0 .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 000000007789de32 3 bytes {JMP 0xffffffffd20a2490} .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007789de50 5 bytes JMP 0000000049940300 .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007789de90 5 bytes JMP 00000000499403b0 .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007789ded0 5 bytes JMP 0000000049940440 .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007789dee0 5 bytes JMP 00000000499403e0 .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007789e040 5 bytes JMP 0000000049940220 .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007789e200 5 bytes JMP 00000000499404a0 .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007789e230 5 bytes JMP 0000000049940390 .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007789e310 5 bytes JMP 00000000499402e0 .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007789e320 5 bytes JMP 0000000049940340 .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007789e380 5 bytes JMP 0000000049940280 .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007789e410 1 byte JMP 00000000499402a0 .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 000000007789e412 3 bytes {JMP 0xffffffffd20a1e90} .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007789e430 1 byte JMP 00000000499403c0 .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 000000007789e432 3 bytes {JMP 0xffffffffd20a1f90} .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007789e440 5 bytes JMP 0000000049940320 .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007789e4b0 5 bytes JMP 0000000049940410 .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007789e4e0 5 bytes JMP 0000000049940230 .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007789e680 5 bytes JMP 00000000499403f0 .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007789e7a0 5 bytes JMP 00000000499401d0 .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007789e860 5 bytes JMP 0000000049940240 .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007789e890 5 bytes JMP 00000000499404b0 .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007789e8a0 5 bytes JMP 00000000499404c0 .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007789e8d0 5 bytes JMP 00000000499402f0 .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007789e8e0 5 bytes JMP 0000000049940350 .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007789e940 5 bytes JMP 0000000049940290 .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007789e990 5 bytes JMP 00000000499402b0 .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007789e9c0 5 bytes JMP 0000000049940370 .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007789e9d0 5 bytes JMP 0000000049940330 .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007789ecc0 5 bytes JMP 0000000049940460 .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 000000007789ee20 5 bytes JMP 0000000049940420 .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007789eec0 1 byte JMP 0000000049940250 .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 000000007789eec2 3 bytes {JMP 0xffffffffd20a1390} .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007789eed0 1 byte JMP 0000000049940260 .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 000000007789eed2 3 bytes {JMP 0xffffffffd20a1390} .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007789eee0 5 bytes JMP 0000000049940400 .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007789f0a0 5 bytes JMP 00000000499401e0 .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007789f0b0 5 bytes JMP 0000000049940200 .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007789f120 5 bytes JMP 00000000499401f0 .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007789f180 5 bytes JMP 0000000049940430 .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007789f190 5 bytes JMP 0000000049940450 .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007789f1a0 5 bytes JMP 0000000049940210 .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007789f280 5 bytes JMP 0000000049940270 .text C:\Windows\system32\csrss.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007789da60 5 bytes JMP 0000000049940480 .text C:\Windows\system32\csrss.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007789dab0 5 bytes JMP 0000000049940470 .text C:\Windows\system32\csrss.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007789dc10 5 bytes JMP 0000000049940360 .text C:\Windows\system32\csrss.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007789dc60 5 bytes JMP 0000000049940490 .text C:\Windows\system32\csrss.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007789dc70 5 bytes JMP 00000000499403d0 .text C:\Windows\system32\csrss.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007789dd20 5 bytes JMP 0000000049940310 .text C:\Windows\system32\csrss.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007789dd50 5 bytes JMP 00000000499403a0 .text C:\Windows\system32\csrss.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007789dd70 5 bytes JMP 0000000049940380 .text C:\Windows\system32\csrss.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007789ddb0 5 bytes JMP 00000000499402d0 .text C:\Windows\system32\csrss.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007789de30 1 byte JMP 00000000499402c0 .text C:\Windows\system32\csrss.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 000000007789de32 3 bytes {JMP 0xffffffffd20a2490} .text C:\Windows\system32\csrss.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007789de50 5 bytes JMP 0000000049940300 .text C:\Windows\system32\csrss.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007789de90 5 bytes JMP 00000000499403b0 .text C:\Windows\system32\csrss.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007789ded0 5 bytes JMP 0000000049940440 .text C:\Windows\system32\csrss.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007789dee0 5 bytes JMP 00000000499403e0 .text C:\Windows\system32\csrss.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007789e040 5 bytes JMP 0000000049940220 .text C:\Windows\system32\csrss.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007789e200 5 bytes JMP 00000000499404a0 .text C:\Windows\system32\csrss.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007789e230 5 bytes JMP 0000000049940390 .text C:\Windows\system32\csrss.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007789e310 5 bytes JMP 00000000499402e0 .text C:\Windows\system32\csrss.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007789e320 5 bytes JMP 0000000049940340 .text C:\Windows\system32\csrss.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007789e380 5 bytes JMP 0000000049940280 .text C:\Windows\system32\csrss.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007789e410 1 byte JMP 00000000499402a0 .text C:\Windows\system32\csrss.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 000000007789e412 3 bytes {JMP 0xffffffffd20a1e90} .text C:\Windows\system32\csrss.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007789e430 1 byte JMP 00000000499403c0 .text C:\Windows\system32\csrss.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 000000007789e432 3 bytes {JMP 0xffffffffd20a1f90} .text C:\Windows\system32\csrss.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007789e440 5 bytes JMP 0000000049940320 .text C:\Windows\system32\csrss.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007789e4b0 5 bytes JMP 0000000049940410 .text C:\Windows\system32\csrss.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007789e4e0 5 bytes JMP 0000000049940230 .text C:\Windows\system32\csrss.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007789e680 5 bytes JMP 00000000499403f0 .text C:\Windows\system32\csrss.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007789e7a0 5 bytes JMP 00000000499401d0 .text C:\Windows\system32\csrss.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007789e860 5 bytes JMP 0000000049940240 .text C:\Windows\system32\csrss.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007789e890 5 bytes JMP 00000000499404b0 .text C:\Windows\system32\csrss.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007789e8a0 5 bytes JMP 00000000499404c0 .text C:\Windows\system32\csrss.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007789e8d0 5 bytes JMP 00000000499402f0 .text C:\Windows\system32\csrss.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007789e8e0 5 bytes JMP 0000000049940350 .text C:\Windows\system32\csrss.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007789e940 5 bytes JMP 0000000049940290 .text C:\Windows\system32\csrss.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007789e990 5 bytes JMP 00000000499402b0 .text C:\Windows\system32\csrss.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007789e9c0 5 bytes JMP 0000000049940370 .text C:\Windows\system32\csrss.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007789e9d0 5 bytes JMP 0000000049940330 .text C:\Windows\system32\csrss.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007789ecc0 5 bytes JMP 0000000049940460 .text C:\Windows\system32\csrss.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 000000007789ee20 5 bytes JMP 0000000049940420 .text C:\Windows\system32\csrss.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007789eec0 1 byte JMP 0000000049940250 .text C:\Windows\system32\csrss.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 000000007789eec2 3 bytes {JMP 0xffffffffd20a1390} .text C:\Windows\system32\csrss.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007789eed0 1 byte JMP 0000000049940260 .text C:\Windows\system32\csrss.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 000000007789eed2 3 bytes {JMP 0xffffffffd20a1390} .text C:\Windows\system32\csrss.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007789eee0 5 bytes JMP 0000000049940400 .text C:\Windows\system32\csrss.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007789f0a0 5 bytes JMP 00000000499401e0 .text C:\Windows\system32\csrss.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007789f0b0 5 bytes JMP 0000000049940200 .text C:\Windows\system32\csrss.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007789f120 5 bytes JMP 00000000499401f0 .text C:\Windows\system32\csrss.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007789f180 5 bytes JMP 0000000049940430 .text C:\Windows\system32\csrss.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007789f190 5 bytes JMP 0000000049940450 .text C:\Windows\system32\csrss.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007789f1a0 5 bytes JMP 0000000049940210 .text C:\Windows\system32\csrss.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007789f280 5 bytes JMP 0000000049940270 .text C:\Windows\system32\lsass.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007789da60 5 bytes JMP 0000000077a00480 .text C:\Windows\system32\lsass.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007789dab0 5 bytes JMP 0000000077a00470 .text C:\Windows\system32\lsass.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007789dc10 5 bytes JMP 0000000077a00360 .text C:\Windows\system32\lsass.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007789dc60 5 bytes JMP 0000000077a00490 .text C:\Windows\system32\lsass.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007789dc70 5 bytes JMP 0000000077a003d0 .text C:\Windows\system32\lsass.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007789dd20 5 bytes JMP 0000000077a00310 .text C:\Windows\system32\lsass.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007789dd50 5 bytes JMP 0000000077a003a0 .text C:\Windows\system32\lsass.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007789dd70 5 bytes JMP 0000000077a00380 .text C:\Windows\system32\lsass.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007789ddb0 5 bytes JMP 0000000077a002d0 .text C:\Windows\system32\lsass.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007789de30 1 byte JMP 0000000077a002c0 .text C:\Windows\system32\lsass.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 000000007789de32 3 bytes {JMP 0x162490} .text C:\Windows\system32\lsass.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007789de50 5 bytes JMP 0000000077a00300 .text C:\Windows\system32\lsass.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007789de90 5 bytes JMP 0000000077a003b0 .text C:\Windows\system32\lsass.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007789ded0 5 bytes JMP 0000000077a00440 .text C:\Windows\system32\lsass.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007789dee0 5 bytes JMP 0000000077a003e0 .text C:\Windows\system32\lsass.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007789e040 5 bytes JMP 0000000077a00220 .text C:\Windows\system32\lsass.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007789e200 5 bytes JMP 0000000077a004a0 .text C:\Windows\system32\lsass.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007789e230 5 bytes JMP 0000000077a00390 .text C:\Windows\system32\lsass.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007789e310 5 bytes JMP 0000000077a002e0 .text C:\Windows\system32\lsass.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007789e320 5 bytes JMP 0000000077a00340 .text C:\Windows\system32\lsass.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007789e380 5 bytes JMP 0000000077a00280 .text C:\Windows\system32\lsass.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007789e410 1 byte JMP 0000000077a002a0 .text C:\Windows\system32\lsass.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 000000007789e412 3 bytes {JMP 0x161e90} .text C:\Windows\system32\lsass.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007789e430 1 byte JMP 0000000077a003c0 .text C:\Windows\system32\lsass.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 000000007789e432 3 bytes {JMP 0x161f90} .text C:\Windows\system32\lsass.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007789e440 5 bytes JMP 0000000077a00320 .text C:\Windows\system32\lsass.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007789e4b0 5 bytes JMP 0000000077a00410 .text C:\Windows\system32\lsass.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007789e4e0 5 bytes JMP 0000000077a00230 .text C:\Windows\system32\lsass.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007789e680 5 bytes JMP 0000000077a003f0 .text C:\Windows\system32\lsass.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007789e7a0 5 bytes JMP 0000000077a001d0 .text C:\Windows\system32\lsass.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007789e860 5 bytes JMP 0000000077a00240 .text C:\Windows\system32\lsass.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007789e890 5 bytes JMP 0000000077a004b0 .text C:\Windows\system32\lsass.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007789e8a0 5 bytes JMP 0000000077a004c0 .text C:\Windows\system32\lsass.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007789e8d0 5 bytes JMP 0000000077a002f0 .text C:\Windows\system32\lsass.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007789e8e0 5 bytes JMP 0000000077a00350 .text C:\Windows\system32\lsass.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007789e940 5 bytes JMP 0000000077a00290 .text C:\Windows\system32\lsass.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007789e990 5 bytes JMP 0000000077a002b0 .text C:\Windows\system32\lsass.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007789e9c0 5 bytes JMP 0000000077a00370 .text C:\Windows\system32\lsass.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007789e9d0 5 bytes JMP 0000000077a00330 .text C:\Windows\system32\lsass.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007789ecc0 5 bytes JMP 0000000077a00460 .text C:\Windows\system32\lsass.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 000000007789ee20 5 bytes JMP 0000000077a00420 .text C:\Windows\system32\lsass.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007789eec0 1 byte JMP 0000000077a00250 .text C:\Windows\system32\lsass.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 000000007789eec2 3 bytes {JMP 0x161390} .text C:\Windows\system32\lsass.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007789eed0 1 byte JMP 0000000077a00260 .text C:\Windows\system32\lsass.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 000000007789eed2 3 bytes {JMP 0x161390} .text C:\Windows\system32\lsass.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007789eee0 5 bytes JMP 0000000077a00400 .text C:\Windows\system32\lsass.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007789f0a0 5 bytes JMP 0000000077a001e0 .text C:\Windows\system32\lsass.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007789f0b0 5 bytes JMP 0000000077a00200 .text C:\Windows\system32\lsass.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007789f120 5 bytes JMP 0000000077a001f0 .text C:\Windows\system32\lsass.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007789f180 5 bytes JMP 0000000077a00430 .text C:\Windows\system32\lsass.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007789f190 5 bytes JMP 0000000077a00450 .text C:\Windows\system32\lsass.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007789f1a0 5 bytes JMP 0000000077a00210 .text C:\Windows\system32\lsass.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007789f280 5 bytes JMP 0000000077a00270 .text C:\Windows\system32\lsm.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007789da60 5 bytes JMP 0000000077a00480 .text C:\Windows\system32\lsm.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007789dab0 5 bytes JMP 0000000077a00470 .text C:\Windows\system32\lsm.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007789dc10 5 bytes JMP 0000000077a00360 .text C:\Windows\system32\lsm.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007789dc60 5 bytes JMP 0000000077a00490 .text C:\Windows\system32\lsm.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007789dc70 5 bytes JMP 0000000077a003d0 .text C:\Windows\system32\lsm.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007789dd20 5 bytes JMP 0000000077a00310 .text C:\Windows\system32\lsm.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007789dd50 5 bytes JMP 0000000077a003a0 .text C:\Windows\system32\lsm.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007789dd70 5 bytes JMP 0000000077a00380 .text C:\Windows\system32\lsm.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007789ddb0 5 bytes JMP 0000000077a002d0 .text C:\Windows\system32\lsm.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007789de30 1 byte JMP 0000000077a002c0 .text C:\Windows\system32\lsm.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 000000007789de32 3 bytes {JMP 0x162490} .text C:\Windows\system32\lsm.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007789de50 5 bytes JMP 0000000077a00300 .text C:\Windows\system32\lsm.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007789de90 5 bytes JMP 0000000077a003b0 .text C:\Windows\system32\lsm.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007789ded0 5 bytes JMP 0000000077a00440 .text C:\Windows\system32\lsm.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007789dee0 5 bytes JMP 0000000077a003e0 .text C:\Windows\system32\lsm.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007789e040 5 bytes JMP 0000000077a00220 .text C:\Windows\system32\lsm.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007789e200 5 bytes JMP 0000000077a004a0 .text C:\Windows\system32\lsm.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007789e230 5 bytes JMP 0000000077a00390 .text C:\Windows\system32\lsm.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007789e310 5 bytes JMP 0000000077a002e0 .text C:\Windows\system32\lsm.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007789e320 5 bytes JMP 0000000077a00340 .text C:\Windows\system32\lsm.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007789e380 5 bytes JMP 0000000077a00280 .text C:\Windows\system32\lsm.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007789e410 1 byte JMP 0000000077a002a0 .text C:\Windows\system32\lsm.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 000000007789e412 3 bytes {JMP 0x161e90} .text C:\Windows\system32\lsm.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007789e430 1 byte JMP 0000000077a003c0 .text C:\Windows\system32\lsm.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 000000007789e432 3 bytes {JMP 0x161f90} .text C:\Windows\system32\lsm.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007789e440 5 bytes JMP 0000000077a00320 .text C:\Windows\system32\lsm.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007789e4b0 5 bytes JMP 0000000077a00410 .text C:\Windows\system32\lsm.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007789e4e0 5 bytes JMP 0000000077a00230 .text C:\Windows\system32\lsm.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007789e680 5 bytes JMP 0000000077a003f0 .text C:\Windows\system32\lsm.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007789e7a0 5 bytes JMP 0000000077a001d0 .text C:\Windows\system32\lsm.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007789e860 5 bytes JMP 0000000077a00240 .text C:\Windows\system32\lsm.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007789e890 5 bytes JMP 0000000077a004b0 .text C:\Windows\system32\lsm.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007789e8a0 5 bytes JMP 0000000077a004c0 .text C:\Windows\system32\lsm.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007789e8d0 5 bytes JMP 0000000077a002f0 .text C:\Windows\system32\lsm.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007789e8e0 5 bytes JMP 0000000077a00350 .text C:\Windows\system32\lsm.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007789e940 5 bytes JMP 0000000077a00290 .text C:\Windows\system32\lsm.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007789e990 5 bytes JMP 0000000077a002b0 .text C:\Windows\system32\lsm.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007789e9c0 5 bytes JMP 0000000077a00370 .text C:\Windows\system32\lsm.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007789e9d0 5 bytes JMP 0000000077a00330 .text C:\Windows\system32\lsm.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007789ecc0 5 bytes JMP 0000000077a00460 .text C:\Windows\system32\lsm.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 000000007789ee20 5 bytes JMP 0000000077a00420 .text C:\Windows\system32\lsm.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007789eec0 1 byte JMP 0000000077a00250 .text C:\Windows\system32\lsm.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 000000007789eec2 3 bytes {JMP 0x161390} .text C:\Windows\system32\lsm.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007789eed0 1 byte JMP 0000000077a00260 .text C:\Windows\system32\lsm.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 000000007789eed2 3 bytes {JMP 0x161390} .text C:\Windows\system32\lsm.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007789eee0 5 bytes JMP 0000000077a00400 .text C:\Windows\system32\lsm.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007789f0a0 5 bytes JMP 0000000077a001e0 .text C:\Windows\system32\lsm.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007789f0b0 5 bytes JMP 0000000077a00200 .text C:\Windows\system32\lsm.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007789f120 5 bytes JMP 0000000077a001f0 .text C:\Windows\system32\lsm.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007789f180 5 bytes JMP 0000000077a00430 .text C:\Windows\system32\lsm.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007789f190 5 bytes JMP 0000000077a00450 .text C:\Windows\system32\lsm.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007789f1a0 5 bytes JMP 0000000077a00210 .text C:\Windows\system32\lsm.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007789f280 5 bytes JMP 0000000077a00270 .text C:\Windows\system32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007789da60 5 bytes JMP 0000000077a00480 .text C:\Windows\system32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007789dab0 5 bytes JMP 0000000077a00470 .text C:\Windows\system32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007789dc10 5 bytes JMP 0000000077a00360 .text C:\Windows\system32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007789dc60 5 bytes JMP 0000000077a00490 .text C:\Windows\system32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007789dc70 5 bytes JMP 0000000077a003d0 .text C:\Windows\system32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007789dd20 5 bytes JMP 0000000077a00310 .text C:\Windows\system32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007789dd50 5 bytes JMP 0000000077a003a0 .text C:\Windows\system32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007789dd70 5 bytes JMP 0000000077a00380 .text C:\Windows\system32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007789ddb0 5 bytes JMP 0000000077a002d0 .text C:\Windows\system32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007789de30 1 byte JMP 0000000077a002c0 .text C:\Windows\system32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 000000007789de32 3 bytes {JMP 0x162490} .text C:\Windows\system32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007789de50 5 bytes JMP 0000000077a00300 .text C:\Windows\system32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007789de90 5 bytes JMP 0000000077a003b0 .text C:\Windows\system32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007789ded0 5 bytes JMP 0000000077a00440 .text C:\Windows\system32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007789dee0 5 bytes JMP 0000000077a003e0 .text C:\Windows\system32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007789e040 5 bytes JMP 0000000077a00220 .text C:\Windows\system32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007789e200 5 bytes JMP 0000000077a004a0 .text C:\Windows\system32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007789e230 5 bytes JMP 0000000077a00390 .text C:\Windows\system32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007789e310 5 bytes JMP 0000000077a002e0 .text C:\Windows\system32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007789e320 5 bytes JMP 0000000077a00340 .text C:\Windows\system32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007789e380 5 bytes JMP 0000000077a00280 .text C:\Windows\system32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007789e410 1 byte JMP 0000000077a002a0 .text C:\Windows\system32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 000000007789e412 3 bytes {JMP 0x161e90} .text C:\Windows\system32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007789e430 1 byte JMP 0000000077a003c0 .text C:\Windows\system32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 000000007789e432 3 bytes {JMP 0x161f90} .text C:\Windows\system32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007789e440 5 bytes JMP 0000000077a00320 .text C:\Windows\system32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007789e4b0 5 bytes JMP 0000000077a00410 .text C:\Windows\system32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007789e4e0 5 bytes JMP 0000000077a00230 .text C:\Windows\system32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007789e680 5 bytes JMP 0000000077a003f0 .text C:\Windows\system32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007789e7a0 5 bytes JMP 0000000077a001d0 .text C:\Windows\system32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007789e860 5 bytes JMP 0000000077a00240 .text C:\Windows\system32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007789e890 5 bytes JMP 0000000077a004b0 .text C:\Windows\system32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007789e8a0 5 bytes JMP 0000000077a004c0 .text C:\Windows\system32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007789e8d0 5 bytes JMP 0000000077a002f0 .text C:\Windows\system32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007789e8e0 5 bytes JMP 0000000077a00350 .text C:\Windows\system32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007789e940 5 bytes JMP 0000000077a00290 .text C:\Windows\system32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007789e990 5 bytes JMP 0000000077a002b0 .text C:\Windows\system32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007789e9c0 5 bytes JMP 0000000077a00370 .text C:\Windows\system32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007789e9d0 5 bytes JMP 0000000077a00330 .text C:\Windows\system32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007789ecc0 5 bytes JMP 0000000077a00460 .text C:\Windows\system32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 000000007789ee20 5 bytes JMP 0000000077a00420 .text C:\Windows\system32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007789eec0 1 byte JMP 0000000077a00250 .text C:\Windows\system32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 000000007789eec2 3 bytes {JMP 0x161390} .text C:\Windows\system32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007789eed0 1 byte JMP 0000000077a00260 .text C:\Windows\system32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 000000007789eed2 3 bytes {JMP 0x161390} .text C:\Windows\system32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007789eee0 5 bytes JMP 0000000077a00400 .text C:\Windows\system32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007789f0a0 5 bytes JMP 0000000077a001e0 .text C:\Windows\system32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007789f0b0 5 bytes JMP 0000000077a00200 .text C:\Windows\system32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007789f120 5 bytes JMP 0000000077a001f0 .text C:\Windows\system32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007789f180 5 bytes JMP 0000000077a00430 .text C:\Windows\system32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007789f190 5 bytes JMP 0000000077a00450 .text C:\Windows\system32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007789f1a0 5 bytes JMP 0000000077a00210 .text C:\Windows\system32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007789f280 5 bytes JMP 0000000077a00270 .text C:\Windows\system32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007789da60 5 bytes JMP 0000000077a00480 .text C:\Windows\system32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007789dab0 5 bytes JMP 0000000077a00470 .text C:\Windows\system32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007789dc10 5 bytes JMP 0000000077a00360 .text C:\Windows\system32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007789dc60 5 bytes JMP 0000000077a00490 .text C:\Windows\system32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007789dc70 5 bytes JMP 0000000077a003d0 .text C:\Windows\system32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007789dd20 5 bytes JMP 0000000077a00310 .text C:\Windows\system32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007789dd50 5 bytes JMP 0000000077a003a0 .text C:\Windows\system32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007789dd70 5 bytes JMP 0000000077a00380 .text C:\Windows\system32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007789ddb0 5 bytes JMP 0000000077a002d0 .text C:\Windows\system32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007789de30 1 byte JMP 0000000077a002c0 .text C:\Windows\system32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 000000007789de32 3 bytes {JMP 0x162490} .text C:\Windows\system32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007789de50 5 bytes JMP 0000000077a00300 .text C:\Windows\system32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007789de90 5 bytes JMP 0000000077a003b0 .text C:\Windows\system32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007789ded0 5 bytes JMP 0000000077a00440 .text C:\Windows\system32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007789dee0 5 bytes JMP 0000000077a003e0 .text C:\Windows\system32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007789e040 5 bytes JMP 0000000077a00220 .text C:\Windows\system32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007789e200 5 bytes JMP 0000000077a004a0 .text C:\Windows\system32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007789e230 5 bytes JMP 0000000077a00390 .text C:\Windows\system32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007789e310 5 bytes JMP 0000000077a002e0 .text C:\Windows\system32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007789e320 5 bytes JMP 0000000077a00340 .text C:\Windows\system32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007789e380 5 bytes JMP 0000000077a00280 .text C:\Windows\system32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007789e410 1 byte JMP 0000000077a002a0 .text C:\Windows\system32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 000000007789e412 3 bytes {JMP 0x161e90} .text C:\Windows\system32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007789e430 1 byte JMP 0000000077a003c0 .text C:\Windows\system32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 000000007789e432 3 bytes {JMP 0x161f90} .text C:\Windows\system32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007789e440 5 bytes JMP 0000000077a00320 .text C:\Windows\system32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007789e4b0 5 bytes JMP 0000000077a00410 .text C:\Windows\system32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007789e4e0 5 bytes JMP 0000000077a00230 .text C:\Windows\system32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007789e680 5 bytes JMP 0000000077a003f0 .text C:\Windows\system32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007789e7a0 5 bytes JMP 0000000077a001d0 .text C:\Windows\system32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007789e860 5 bytes JMP 0000000077a00240 .text C:\Windows\system32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007789e890 5 bytes JMP 0000000077a004b0 .text C:\Windows\system32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007789e8a0 5 bytes JMP 0000000077a004c0 .text C:\Windows\system32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007789e8d0 5 bytes JMP 0000000077a002f0 .text C:\Windows\system32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007789e8e0 5 bytes JMP 0000000077a00350 .text C:\Windows\system32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007789e940 5 bytes JMP 0000000077a00290 .text C:\Windows\system32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007789e990 5 bytes JMP 0000000077a002b0 .text C:\Windows\system32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007789e9c0 5 bytes JMP 0000000077a00370 .text C:\Windows\system32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007789e9d0 5 bytes JMP 0000000077a00330 .text C:\Windows\system32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007789ecc0 5 bytes JMP 0000000077a00460 .text C:\Windows\system32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 000000007789ee20 5 bytes JMP 0000000077a00420 .text C:\Windows\system32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007789eec0 1 byte JMP 0000000077a00250 .text C:\Windows\system32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 000000007789eec2 3 bytes {JMP 0x161390} .text C:\Windows\system32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007789eed0 1 byte JMP 0000000077a00260 .text C:\Windows\system32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 000000007789eed2 3 bytes {JMP 0x161390} .text C:\Windows\system32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007789eee0 5 bytes JMP 0000000077a00400 .text C:\Windows\system32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007789f0a0 5 bytes JMP 0000000077a001e0 .text C:\Windows\system32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007789f0b0 5 bytes JMP 0000000077a00200 .text C:\Windows\system32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007789f120 5 bytes JMP 0000000077a001f0 .text C:\Windows\system32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007789f180 5 bytes JMP 0000000077a00430 .text C:\Windows\system32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007789f190 5 bytes JMP 0000000077a00450 .text C:\Windows\system32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007789f1a0 5 bytes JMP 0000000077a00210 .text C:\Windows\system32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007789f280 5 bytes JMP 0000000077a00270 .text C:\Windows\System32\svchost.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007789da60 5 bytes JMP 0000000077a00480 .text C:\Windows\System32\svchost.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007789dab0 5 bytes JMP 0000000077a00470 .text C:\Windows\System32\svchost.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007789dc10 5 bytes JMP 0000000077a00360 .text C:\Windows\System32\svchost.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007789dc60 5 bytes JMP 0000000077a00490 .text C:\Windows\System32\svchost.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007789dc70 5 bytes JMP 0000000077a003d0 .text C:\Windows\System32\svchost.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007789dd20 5 bytes JMP 0000000077a00310 .text C:\Windows\System32\svchost.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007789dd50 5 bytes JMP 0000000077a003a0 .text C:\Windows\System32\svchost.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007789dd70 5 bytes JMP 0000000077a00380 .text C:\Windows\System32\svchost.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007789ddb0 5 bytes JMP 0000000077a002d0 .text C:\Windows\System32\svchost.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007789de30 1 byte JMP 0000000077a002c0 .text C:\Windows\System32\svchost.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 000000007789de32 3 bytes {JMP 0x162490} .text C:\Windows\System32\svchost.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007789de50 5 bytes JMP 0000000077a00300 .text C:\Windows\System32\svchost.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007789de90 5 bytes JMP 0000000077a003b0 .text C:\Windows\System32\svchost.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007789ded0 5 bytes JMP 0000000077a00440 .text C:\Windows\System32\svchost.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007789dee0 5 bytes JMP 0000000077a003e0 .text C:\Windows\System32\svchost.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007789e040 5 bytes JMP 0000000077a00220 .text C:\Windows\System32\svchost.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007789e200 5 bytes JMP 0000000077a004a0 .text C:\Windows\System32\svchost.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007789e230 5 bytes JMP 0000000077a00390 .text C:\Windows\System32\svchost.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007789e310 5 bytes JMP 0000000077a002e0 .text C:\Windows\System32\svchost.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007789e320 5 bytes JMP 0000000077a00340 .text C:\Windows\System32\svchost.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007789e380 5 bytes JMP 0000000077a00280 .text C:\Windows\System32\svchost.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007789e410 1 byte JMP 0000000077a002a0 .text C:\Windows\System32\svchost.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 000000007789e412 3 bytes {JMP 0x161e90} .text C:\Windows\System32\svchost.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007789e430 1 byte JMP 0000000077a003c0 .text C:\Windows\System32\svchost.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 000000007789e432 3 bytes {JMP 0x161f90} .text C:\Windows\System32\svchost.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007789e440 5 bytes JMP 0000000077a00320 .text C:\Windows\System32\svchost.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007789e4b0 5 bytes JMP 0000000077a00410 .text C:\Windows\System32\svchost.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007789e4e0 5 bytes JMP 0000000077a00230 .text C:\Windows\System32\svchost.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007789e680 5 bytes JMP 0000000077a003f0 .text C:\Windows\System32\svchost.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007789e7a0 5 bytes JMP 0000000077a001d0 .text C:\Windows\System32\svchost.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007789e860 5 bytes JMP 0000000077a00240 .text C:\Windows\System32\svchost.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007789e890 5 bytes JMP 0000000077a004b0 .text C:\Windows\System32\svchost.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007789e8a0 5 bytes JMP 0000000077a004c0 .text C:\Windows\System32\svchost.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007789e8d0 5 bytes JMP 0000000077a002f0 .text C:\Windows\System32\svchost.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007789e8e0 5 bytes JMP 0000000077a00350 .text C:\Windows\System32\svchost.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007789e940 5 bytes JMP 0000000077a00290 .text C:\Windows\System32\svchost.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007789e990 5 bytes JMP 0000000077a002b0 .text C:\Windows\System32\svchost.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007789e9c0 5 bytes JMP 0000000077a00370 .text C:\Windows\System32\svchost.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007789e9d0 5 bytes JMP 0000000077a00330 .text C:\Windows\System32\svchost.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007789ecc0 5 bytes JMP 0000000077a00460 .text C:\Windows\System32\svchost.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 000000007789ee20 5 bytes JMP 0000000077a00420 .text C:\Windows\System32\svchost.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007789eec0 1 byte JMP 0000000077a00250 .text C:\Windows\System32\svchost.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 000000007789eec2 3 bytes {JMP 0x161390} .text C:\Windows\System32\svchost.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007789eed0 1 byte JMP 0000000077a00260 .text C:\Windows\System32\svchost.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 000000007789eed2 3 bytes {JMP 0x161390} .text C:\Windows\System32\svchost.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007789eee0 5 bytes JMP 0000000077a00400 .text C:\Windows\System32\svchost.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007789f0a0 5 bytes JMP 0000000077a001e0 .text C:\Windows\System32\svchost.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007789f0b0 5 bytes JMP 0000000077a00200 .text C:\Windows\System32\svchost.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007789f120 5 bytes JMP 0000000077a001f0 .text C:\Windows\System32\svchost.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007789f180 5 bytes JMP 0000000077a00430 .text C:\Windows\System32\svchost.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007789f190 5 bytes JMP 0000000077a00450 .text C:\Windows\System32\svchost.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007789f1a0 5 bytes JMP 0000000077a00210 .text C:\Windows\System32\svchost.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007789f280 5 bytes JMP 0000000077a00270 .text C:\Windows\System32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007789da60 5 bytes JMP 0000000077a00480 .text C:\Windows\System32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007789dab0 5 bytes JMP 0000000077a00470 .text C:\Windows\System32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007789dc10 5 bytes JMP 0000000077a00360 .text C:\Windows\System32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007789dc60 5 bytes JMP 0000000077a00490 .text C:\Windows\System32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007789dc70 5 bytes JMP 0000000077a003d0 .text C:\Windows\System32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007789dd20 5 bytes JMP 0000000077a00310 .text C:\Windows\System32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007789dd50 5 bytes JMP 0000000077a003a0 .text C:\Windows\System32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007789dd70 5 bytes JMP 0000000077a00380 .text C:\Windows\System32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007789ddb0 5 bytes JMP 0000000077a002d0 .text C:\Windows\System32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007789de30 1 byte JMP 0000000077a002c0 .text C:\Windows\System32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 000000007789de32 3 bytes {JMP 0x162490} .text C:\Windows\System32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007789de50 5 bytes JMP 0000000077a00300 .text C:\Windows\System32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007789de90 5 bytes JMP 0000000077a003b0 .text C:\Windows\System32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007789ded0 5 bytes JMP 0000000077a00440 .text C:\Windows\System32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007789dee0 5 bytes JMP 0000000077a003e0 .text C:\Windows\System32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007789e040 5 bytes JMP 0000000077a00220 .text C:\Windows\System32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007789e200 5 bytes JMP 0000000077a004a0 .text C:\Windows\System32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007789e230 5 bytes JMP 0000000077a00390 .text C:\Windows\System32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007789e310 5 bytes JMP 0000000077a002e0 .text C:\Windows\System32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007789e320 5 bytes JMP 0000000077a00340 .text C:\Windows\System32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007789e380 5 bytes JMP 0000000077a00280 .text C:\Windows\System32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007789e410 1 byte JMP 0000000077a002a0 .text C:\Windows\System32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 000000007789e412 3 bytes {JMP 0x161e90} .text C:\Windows\System32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007789e430 1 byte JMP 0000000077a003c0 .text C:\Windows\System32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 000000007789e432 3 bytes {JMP 0x161f90} .text C:\Windows\System32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007789e440 5 bytes JMP 0000000077a00320 .text C:\Windows\System32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007789e4b0 5 bytes JMP 0000000077a00410 .text C:\Windows\System32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007789e4e0 5 bytes JMP 0000000077a00230 .text C:\Windows\System32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007789e680 5 bytes JMP 0000000077a003f0 .text C:\Windows\System32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007789e7a0 5 bytes JMP 0000000077a001d0 .text C:\Windows\System32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007789e860 5 bytes JMP 0000000077a00240 .text C:\Windows\System32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007789e890 5 bytes JMP 0000000077a004b0 .text C:\Windows\System32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007789e8a0 5 bytes JMP 0000000077a004c0 .text C:\Windows\System32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007789e8d0 5 bytes JMP 0000000077a002f0 .text C:\Windows\System32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007789e8e0 5 bytes JMP 0000000077a00350 .text C:\Windows\System32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007789e940 5 bytes JMP 0000000077a00290 .text C:\Windows\System32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007789e990 5 bytes JMP 0000000077a002b0 .text C:\Windows\System32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007789e9c0 5 bytes JMP 0000000077a00370 .text C:\Windows\System32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007789e9d0 5 bytes JMP 0000000077a00330 .text C:\Windows\System32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007789ecc0 5 bytes JMP 0000000077a00460 .text C:\Windows\System32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 000000007789ee20 5 bytes JMP 0000000077a00420 .text C:\Windows\System32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007789eec0 1 byte JMP 0000000077a00250 .text C:\Windows\System32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 000000007789eec2 3 bytes {JMP 0x161390} .text C:\Windows\System32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007789eed0 1 byte JMP 0000000077a00260 .text C:\Windows\System32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 000000007789eed2 3 bytes {JMP 0x161390} .text C:\Windows\System32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007789eee0 5 bytes JMP 0000000077a00400 .text C:\Windows\System32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007789f0a0 5 bytes JMP 0000000077a001e0 .text C:\Windows\System32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007789f0b0 5 bytes JMP 0000000077a00200 .text C:\Windows\System32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007789f120 5 bytes JMP 0000000077a001f0 .text C:\Windows\System32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007789f180 5 bytes JMP 0000000077a00430 .text C:\Windows\System32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007789f190 5 bytes JMP 0000000077a00450 .text C:\Windows\System32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007789f1a0 5 bytes JMP 0000000077a00210 .text C:\Windows\System32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007789f280 5 bytes JMP 0000000077a00270 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007789da60 5 bytes JMP 0000000077a00480 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007789dab0 5 bytes JMP 0000000077a00470 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007789dc10 5 bytes JMP 0000000077a00360 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007789dc60 5 bytes JMP 0000000077a00490 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007789dc70 5 bytes JMP 0000000077a003d0 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007789dd20 5 bytes JMP 0000000077a00310 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007789dd50 5 bytes JMP 0000000077a003a0 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007789dd70 5 bytes JMP 0000000077a00380 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007789ddb0 5 bytes JMP 0000000077a002d0 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007789de30 1 byte JMP 0000000077a002c0 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 000000007789de32 3 bytes {JMP 0x162490} .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007789de50 5 bytes JMP 0000000077a00300 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007789de90 5 bytes JMP 0000000077a003b0 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007789ded0 5 bytes JMP 0000000077a00440 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007789dee0 5 bytes JMP 0000000077a003e0 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007789e040 5 bytes JMP 0000000077a00220 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007789e200 5 bytes JMP 0000000077a004a0 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007789e230 5 bytes JMP 0000000077a00390 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007789e310 5 bytes JMP 0000000077a002e0 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007789e320 5 bytes JMP 0000000077a00340 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007789e380 5 bytes JMP 0000000077a00280 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007789e410 1 byte JMP 0000000077a002a0 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 000000007789e412 3 bytes {JMP 0x161e90} .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007789e430 1 byte JMP 0000000077a003c0 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 000000007789e432 3 bytes {JMP 0x161f90} .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007789e440 5 bytes JMP 0000000077a00320 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007789e4b0 5 bytes JMP 0000000077a00410 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007789e4e0 5 bytes JMP 0000000077a00230 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007789e680 5 bytes JMP 0000000077a003f0 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007789e7a0 5 bytes JMP 0000000077a001d0 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007789e860 5 bytes JMP 0000000077a00240 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007789e890 5 bytes JMP 0000000077a004b0 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007789e8a0 5 bytes JMP 0000000077a004c0 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007789e8d0 5 bytes JMP 0000000077a002f0 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007789e8e0 5 bytes JMP 0000000077a00350 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007789e940 5 bytes JMP 0000000077a00290 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007789e990 5 bytes JMP 0000000077a002b0 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007789e9c0 5 bytes JMP 0000000077a00370 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007789e9d0 5 bytes JMP 0000000077a00330 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007789ecc0 5 bytes JMP 0000000077a00460 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 000000007789ee20 5 bytes JMP 0000000077a00420 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007789eec0 1 byte JMP 0000000077a00250 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 000000007789eec2 3 bytes {JMP 0x161390} .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007789eed0 1 byte JMP 0000000077a00260 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 000000007789eed2 3 bytes {JMP 0x161390} .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007789eee0 5 bytes JMP 0000000077a00400 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007789f0a0 5 bytes JMP 0000000077a001e0 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007789f0b0 5 bytes JMP 0000000077a00200 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007789f120 5 bytes JMP 0000000077a001f0 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007789f180 5 bytes JMP 0000000077a00430 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007789f190 5 bytes JMP 0000000077a00450 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007789f1a0 5 bytes JMP 0000000077a00210 .text C:\Windows\system32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007789f280 5 bytes JMP 0000000077a00270 .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007789da60 5 bytes JMP 0000000077a00480 .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007789dab0 5 bytes JMP 0000000077a00470 .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007789dc10 5 bytes JMP 0000000077a00360 .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007789dc60 5 bytes JMP 0000000077a00490 .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007789dc70 5 bytes JMP 0000000077a003d0 .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007789dd20 5 bytes JMP 0000000077a00310 .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007789dd50 5 bytes JMP 0000000077a003a0 .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007789dd70 5 bytes JMP 0000000077a00380 .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007789ddb0 5 bytes JMP 0000000077a002d0 .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007789de30 1 byte JMP 0000000077a002c0 .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 000000007789de32 3 bytes {JMP 0x162490} .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007789de50 5 bytes JMP 0000000077a00300 .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007789de90 5 bytes JMP 0000000077a003b0 .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007789ded0 5 bytes JMP 0000000077a00440 .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007789dee0 5 bytes JMP 0000000077a003e0 .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007789e040 5 bytes JMP 0000000077a00220 .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007789e200 5 bytes JMP 0000000077a004a0 .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007789e230 5 bytes JMP 0000000077a00390 .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007789e310 5 bytes JMP 0000000077a002e0 .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007789e320 5 bytes JMP 0000000077a00340 .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007789e380 5 bytes JMP 0000000077a00280 .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007789e410 1 byte JMP 0000000077a002a0 .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 000000007789e412 3 bytes {JMP 0x161e90} .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007789e430 1 byte JMP 0000000077a003c0 .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 000000007789e432 3 bytes {JMP 0x161f90} .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007789e440 5 bytes JMP 0000000077a00320 .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007789e4b0 5 bytes JMP 0000000077a00410 .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007789e4e0 5 bytes JMP 0000000077a00230 .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007789e680 5 bytes JMP 0000000077a003f0 .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007789e7a0 5 bytes JMP 0000000077a001d0 .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007789e860 5 bytes JMP 0000000077a00240 .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007789e890 5 bytes JMP 0000000077a004b0 .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007789e8a0 5 bytes JMP 0000000077a004c0 .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007789e8d0 5 bytes JMP 0000000077a002f0 .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007789e8e0 5 bytes JMP 0000000077a00350 .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007789e940 5 bytes JMP 0000000077a00290 .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007789e990 5 bytes JMP 0000000077a002b0 .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007789e9c0 5 bytes JMP 0000000077a00370 .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007789e9d0 5 bytes JMP 0000000077a00330 .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007789ecc0 5 bytes JMP 0000000077a00460 .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 000000007789ee20 5 bytes JMP 0000000077a00420 .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007789eec0 1 byte JMP 0000000077a00250 .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 000000007789eec2 3 bytes {JMP 0x161390} .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007789eed0 1 byte JMP 0000000077a00260 .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 000000007789eed2 3 bytes {JMP 0x161390} .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007789eee0 5 bytes JMP 0000000077a00400 .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007789f0a0 5 bytes JMP 0000000077a001e0 .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007789f0b0 5 bytes JMP 0000000077a00200 .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007789f120 5 bytes JMP 0000000077a001f0 .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007789f180 5 bytes JMP 0000000077a00430 .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007789f190 5 bytes JMP 0000000077a00450 .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007789f1a0 5 bytes JMP 0000000077a00210 .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007789f280 5 bytes JMP 0000000077a00270 .text C:\Windows\system32\svchost.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007789da60 5 bytes JMP 0000000077a00480 .text C:\Windows\system32\svchost.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007789dab0 5 bytes JMP 0000000077a00470 .text C:\Windows\system32\svchost.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007789dc10 5 bytes JMP 0000000077a00360 .text C:\Windows\system32\svchost.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007789dc60 5 bytes JMP 0000000077a00490 .text C:\Windows\system32\svchost.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007789dc70 5 bytes JMP 0000000077a003d0 .text C:\Windows\system32\svchost.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007789dd20 5 bytes JMP 0000000077a00310 .text C:\Windows\system32\svchost.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007789dd50 5 bytes JMP 0000000077a003a0 .text C:\Windows\system32\svchost.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007789dd70 5 bytes JMP 0000000077a00380 .text C:\Windows\system32\svchost.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007789ddb0 5 bytes JMP 0000000077a002d0 .text C:\Windows\system32\svchost.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007789de30 1 byte JMP 0000000077a002c0 .text C:\Windows\system32\svchost.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 000000007789de32 3 bytes {JMP 0x162490} .text C:\Windows\system32\svchost.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007789de50 5 bytes JMP 0000000077a00300 .text C:\Windows\system32\svchost.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007789de90 5 bytes JMP 0000000077a003b0 .text C:\Windows\system32\svchost.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007789ded0 5 bytes JMP 0000000077a00440 .text C:\Windows\system32\svchost.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007789dee0 5 bytes JMP 0000000077a003e0 .text C:\Windows\system32\svchost.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007789e040 5 bytes JMP 0000000077a00220 .text C:\Windows\system32\svchost.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007789e200 5 bytes JMP 0000000077a004a0 .text C:\Windows\system32\svchost.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007789e230 5 bytes JMP 0000000077a00390 .text C:\Windows\system32\svchost.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007789e310 5 bytes JMP 0000000077a002e0 .text C:\Windows\system32\svchost.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007789e320 5 bytes JMP 0000000077a00340 .text C:\Windows\system32\svchost.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007789e380 5 bytes JMP 0000000077a00280 .text C:\Windows\system32\svchost.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007789e410 1 byte JMP 0000000077a002a0 .text C:\Windows\system32\svchost.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 000000007789e412 3 bytes {JMP 0x161e90} .text C:\Windows\system32\svchost.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007789e430 1 byte JMP 0000000077a003c0 .text C:\Windows\system32\svchost.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 000000007789e432 3 bytes {JMP 0x161f90} .text C:\Windows\system32\svchost.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007789e440 5 bytes JMP 0000000077a00320 .text C:\Windows\system32\svchost.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007789e4b0 5 bytes JMP 0000000077a00410 .text C:\Windows\system32\svchost.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007789e4e0 5 bytes JMP 0000000077a00230 .text C:\Windows\system32\svchost.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007789e680 5 bytes JMP 0000000077a003f0 .text C:\Windows\system32\svchost.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007789e7a0 5 bytes JMP 0000000077a001d0 .text C:\Windows\system32\svchost.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007789e860 5 bytes JMP 0000000077a00240 .text C:\Windows\system32\svchost.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007789e890 5 bytes JMP 0000000077a004b0 .text C:\Windows\system32\svchost.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007789e8a0 5 bytes JMP 0000000077a004c0 .text C:\Windows\system32\svchost.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007789e8d0 5 bytes JMP 0000000077a002f0 .text C:\Windows\system32\svchost.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007789e8e0 5 bytes JMP 0000000077a00350 .text C:\Windows\system32\svchost.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007789e940 5 bytes JMP 0000000077a00290 .text C:\Windows\system32\svchost.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007789e990 5 bytes JMP 0000000077a002b0 .text C:\Windows\system32\svchost.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007789e9c0 5 bytes JMP 0000000077a00370 .text C:\Windows\system32\svchost.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007789e9d0 5 bytes JMP 0000000077a00330 .text C:\Windows\system32\svchost.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007789ecc0 5 bytes JMP 0000000077a00460 .text C:\Windows\system32\svchost.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 000000007789ee20 5 bytes JMP 0000000077a00420 .text C:\Windows\system32\svchost.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007789eec0 1 byte JMP 0000000077a00250 .text C:\Windows\system32\svchost.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 000000007789eec2 3 bytes {JMP 0x161390} .text C:\Windows\system32\svchost.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007789eed0 1 byte JMP 0000000077a00260 .text C:\Windows\system32\svchost.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 000000007789eed2 3 bytes {JMP 0x161390} .text C:\Windows\system32\svchost.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007789eee0 5 bytes JMP 0000000077a00400 .text C:\Windows\system32\svchost.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007789f0a0 5 bytes JMP 0000000077a001e0 .text C:\Windows\system32\svchost.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007789f0b0 5 bytes JMP 0000000077a00200 .text C:\Windows\system32\svchost.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007789f120 5 bytes JMP 0000000077a001f0 .text C:\Windows\system32\svchost.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007789f180 5 bytes JMP 0000000077a00430 .text C:\Windows\system32\svchost.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007789f190 5 bytes JMP 0000000077a00450 .text C:\Windows\system32\svchost.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007789f1a0 5 bytes JMP 0000000077a00210 .text C:\Windows\system32\svchost.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007789f280 5 bytes JMP 0000000077a00270 .text C:\Windows\system32\Dwm.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007789da60 5 bytes JMP 0000000077a00480 .text C:\Windows\system32\Dwm.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007789dab0 5 bytes JMP 0000000077a00470 .text C:\Windows\system32\Dwm.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007789dc10 5 bytes JMP 0000000077a00360 .text C:\Windows\system32\Dwm.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007789dc60 5 bytes JMP 0000000077a00490 .text C:\Windows\system32\Dwm.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007789dc70 5 bytes JMP 0000000077a003d0 .text C:\Windows\system32\Dwm.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007789dd20 5 bytes JMP 0000000077a00310 .text C:\Windows\system32\Dwm.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007789dd50 5 bytes JMP 0000000077a003a0 .text C:\Windows\system32\Dwm.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007789dd70 5 bytes JMP 0000000077a00380 .text C:\Windows\system32\Dwm.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007789ddb0 5 bytes JMP 0000000077a002d0 .text C:\Windows\system32\Dwm.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007789de30 1 byte JMP 0000000077a002c0 .text C:\Windows\system32\Dwm.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 000000007789de32 3 bytes {JMP 0x162490} .text C:\Windows\system32\Dwm.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007789de50 5 bytes JMP 0000000077a00300 .text C:\Windows\system32\Dwm.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007789de90 5 bytes JMP 0000000077a003b0 .text C:\Windows\system32\Dwm.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007789ded0 5 bytes JMP 0000000077a00440 .text C:\Windows\system32\Dwm.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007789dee0 5 bytes JMP 0000000077a003e0 .text C:\Windows\system32\Dwm.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007789e040 5 bytes JMP 0000000077a00220 .text C:\Windows\system32\Dwm.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007789e200 5 bytes JMP 0000000077a004a0 .text C:\Windows\system32\Dwm.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007789e230 5 bytes JMP 0000000077a00390 .text C:\Windows\system32\Dwm.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007789e310 5 bytes JMP 0000000077a002e0 .text C:\Windows\system32\Dwm.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007789e320 5 bytes JMP 0000000077a00340 .text C:\Windows\system32\Dwm.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007789e380 5 bytes JMP 0000000077a00280 .text C:\Windows\system32\Dwm.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007789e410 1 byte JMP 0000000077a002a0 .text C:\Windows\system32\Dwm.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 000000007789e412 3 bytes {JMP 0x161e90} .text C:\Windows\system32\Dwm.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007789e430 1 byte JMP 0000000077a003c0 .text C:\Windows\system32\Dwm.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 000000007789e432 3 bytes {JMP 0x161f90} .text C:\Windows\system32\Dwm.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007789e440 5 bytes JMP 0000000077a00320 .text C:\Windows\system32\Dwm.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007789e4b0 5 bytes JMP 0000000077a00410 .text C:\Windows\system32\Dwm.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007789e4e0 5 bytes JMP 0000000077a00230 .text C:\Windows\system32\Dwm.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007789e680 5 bytes JMP 0000000077a003f0 .text C:\Windows\system32\Dwm.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007789e7a0 5 bytes JMP 0000000077a001d0 .text C:\Windows\system32\Dwm.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007789e860 5 bytes JMP 0000000077a00240 .text C:\Windows\system32\Dwm.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007789e890 5 bytes JMP 0000000077a004b0 .text C:\Windows\system32\Dwm.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007789e8a0 5 bytes JMP 0000000077a004c0 .text C:\Windows\system32\Dwm.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007789e8d0 5 bytes JMP 0000000077a002f0 .text C:\Windows\system32\Dwm.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007789e8e0 5 bytes JMP 0000000077a00350 .text C:\Windows\system32\Dwm.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007789e940 5 bytes JMP 0000000077a00290 .text C:\Windows\system32\Dwm.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007789e990 5 bytes JMP 0000000077a002b0 .text C:\Windows\system32\Dwm.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007789e9c0 5 bytes JMP 0000000077a00370 .text C:\Windows\system32\Dwm.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007789e9d0 5 bytes JMP 0000000077a00330 .text C:\Windows\system32\Dwm.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007789ecc0 5 bytes JMP 0000000077a00460 .text C:\Windows\system32\Dwm.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 000000007789ee20 5 bytes JMP 0000000077a00420 .text C:\Windows\system32\Dwm.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007789eec0 1 byte JMP 0000000077a00250 .text C:\Windows\system32\Dwm.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 000000007789eec2 3 bytes {JMP 0x161390} .text C:\Windows\system32\Dwm.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007789eed0 1 byte JMP 0000000077a00260 .text C:\Windows\system32\Dwm.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 000000007789eed2 3 bytes {JMP 0x161390} .text C:\Windows\system32\Dwm.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007789eee0 5 bytes JMP 0000000077a00400 .text C:\Windows\system32\Dwm.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007789f0a0 5 bytes JMP 0000000077a001e0 .text C:\Windows\system32\Dwm.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007789f0b0 5 bytes JMP 0000000077a00200 .text C:\Windows\system32\Dwm.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007789f120 5 bytes JMP 0000000077a001f0 .text C:\Windows\system32\Dwm.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007789f180 5 bytes JMP 0000000077a00430 .text C:\Windows\system32\Dwm.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007789f190 5 bytes JMP 0000000077a00450 .text C:\Windows\system32\Dwm.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007789f1a0 5 bytes JMP 0000000077a00210 .text C:\Windows\system32\Dwm.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007789f280 5 bytes JMP 0000000077a00270 .text C:\Windows\Explorer.EXE[1592] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007789da60 5 bytes JMP 0000000077a00480 .text C:\Windows\Explorer.EXE[1592] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007789dab0 5 bytes JMP 0000000077a00470 .text C:\Windows\Explorer.EXE[1592] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007789dc10 5 bytes JMP 0000000077a00360 .text C:\Windows\Explorer.EXE[1592] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007789dc60 5 bytes JMP 0000000077a00490 .text C:\Windows\Explorer.EXE[1592] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007789dc70 5 bytes JMP 0000000077a003d0 .text C:\Windows\Explorer.EXE[1592] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007789dd20 5 bytes JMP 0000000077a00310 .text C:\Windows\Explorer.EXE[1592] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007789dd50 5 bytes JMP 0000000077a003a0 .text C:\Windows\Explorer.EXE[1592] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007789dd70 5 bytes JMP 0000000077a00380 .text C:\Windows\Explorer.EXE[1592] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007789ddb0 5 bytes JMP 0000000077a002d0 .text C:\Windows\Explorer.EXE[1592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007789de30 1 byte JMP 0000000077a002c0 .text C:\Windows\Explorer.EXE[1592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 000000007789de32 3 bytes {JMP 0x162490} .text C:\Windows\Explorer.EXE[1592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007789de50 5 bytes JMP 0000000077a00300 .text C:\Windows\Explorer.EXE[1592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007789de90 5 bytes JMP 0000000077a003b0 .text C:\Windows\Explorer.EXE[1592] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007789ded0 5 bytes JMP 0000000077a00440 .text C:\Windows\Explorer.EXE[1592] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007789dee0 5 bytes JMP 0000000077a003e0 .text C:\Windows\Explorer.EXE[1592] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007789e040 5 bytes JMP 0000000077a00220 .text C:\Windows\Explorer.EXE[1592] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007789e200 5 bytes JMP 0000000077a004a0 .text C:\Windows\Explorer.EXE[1592] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007789e230 5 bytes JMP 0000000077a00390 .text C:\Windows\Explorer.EXE[1592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007789e310 5 bytes JMP 0000000077a002e0 .text C:\Windows\Explorer.EXE[1592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007789e320 5 bytes JMP 0000000077a00340 .text C:\Windows\Explorer.EXE[1592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007789e380 5 bytes JMP 0000000077a00280 .text C:\Windows\Explorer.EXE[1592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007789e410 1 byte JMP 0000000077a002a0 .text C:\Windows\Explorer.EXE[1592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 000000007789e412 3 bytes {JMP 0x161e90} .text C:\Windows\Explorer.EXE[1592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007789e430 1 byte JMP 0000000077a003c0 .text C:\Windows\Explorer.EXE[1592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 000000007789e432 3 bytes {JMP 0x161f90} .text C:\Windows\Explorer.EXE[1592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007789e440 5 bytes JMP 0000000077a00320 .text C:\Windows\Explorer.EXE[1592] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007789e4b0 5 bytes JMP 0000000077a00410 .text C:\Windows\Explorer.EXE[1592] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007789e4e0 5 bytes JMP 0000000077a00230 .text C:\Windows\Explorer.EXE[1592] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007789e680 5 bytes JMP 0000000077a003f0 .text C:\Windows\Explorer.EXE[1592] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007789e7a0 5 bytes JMP 0000000077a001d0 .text C:\Windows\Explorer.EXE[1592] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007789e860 5 bytes JMP 0000000077a00240 .text C:\Windows\Explorer.EXE[1592] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007789e890 5 bytes JMP 0000000077a004b0 .text C:\Windows\Explorer.EXE[1592] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007789e8a0 5 bytes JMP 0000000077a004c0 .text C:\Windows\Explorer.EXE[1592] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007789e8d0 5 bytes JMP 0000000077a002f0 .text C:\Windows\Explorer.EXE[1592] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007789e8e0 5 bytes JMP 0000000077a00350 .text C:\Windows\Explorer.EXE[1592] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007789e940 5 bytes JMP 0000000077a00290 .text C:\Windows\Explorer.EXE[1592] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007789e990 5 bytes JMP 0000000077a002b0 .text C:\Windows\Explorer.EXE[1592] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007789e9c0 5 bytes JMP 0000000077a00370 .text C:\Windows\Explorer.EXE[1592] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007789e9d0 5 bytes JMP 0000000077a00330 .text C:\Windows\Explorer.EXE[1592] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007789ecc0 5 bytes JMP 0000000077a00460 .text C:\Windows\Explorer.EXE[1592] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 000000007789ee20 5 bytes JMP 0000000077a00420 .text C:\Windows\Explorer.EXE[1592] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007789eec0 1 byte JMP 0000000077a00250 .text C:\Windows\Explorer.EXE[1592] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 000000007789eec2 3 bytes {JMP 0x161390} .text C:\Windows\Explorer.EXE[1592] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007789eed0 1 byte JMP 0000000077a00260 .text C:\Windows\Explorer.EXE[1592] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 000000007789eed2 3 bytes {JMP 0x161390} .text C:\Windows\Explorer.EXE[1592] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007789eee0 5 bytes JMP 0000000077a00400 .text C:\Windows\Explorer.EXE[1592] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007789f0a0 5 bytes JMP 0000000077a001e0 .text C:\Windows\Explorer.EXE[1592] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007789f0b0 5 bytes JMP 0000000077a00200 .text C:\Windows\Explorer.EXE[1592] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007789f120 5 bytes JMP 0000000077a001f0 .text C:\Windows\Explorer.EXE[1592] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007789f180 5 bytes JMP 0000000077a00430 .text C:\Windows\Explorer.EXE[1592] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007789f190 5 bytes JMP 0000000077a00450 .text C:\Windows\Explorer.EXE[1592] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007789f1a0 5 bytes JMP 0000000077a00210 .text C:\Windows\Explorer.EXE[1592] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007789f280 5 bytes JMP 0000000077a00270 .text C:\Windows\system32\taskhost.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007789da60 5 bytes JMP 0000000077a00480 .text C:\Windows\system32\taskhost.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007789dab0 5 bytes JMP 0000000077a00470 .text C:\Windows\system32\taskhost.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007789dc10 5 bytes JMP 0000000077a00360 .text C:\Windows\system32\taskhost.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007789dc60 5 bytes JMP 0000000077a00490 .text C:\Windows\system32\taskhost.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007789dc70 5 bytes JMP 0000000077a003d0 .text C:\Windows\system32\taskhost.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007789dd20 5 bytes JMP 0000000077a00310 .text C:\Windows\system32\taskhost.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007789dd50 5 bytes JMP 0000000077a003a0 .text C:\Windows\system32\taskhost.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007789dd70 5 bytes JMP 0000000077a00380 .text C:\Windows\system32\taskhost.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007789ddb0 5 bytes JMP 0000000077a002d0 .text C:\Windows\system32\taskhost.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007789de30 1 byte JMP 0000000077a002c0 .text C:\Windows\system32\taskhost.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 000000007789de32 3 bytes {JMP 0x162490} .text C:\Windows\system32\taskhost.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007789de50 5 bytes JMP 0000000077a00300 .text C:\Windows\system32\taskhost.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007789de90 5 bytes JMP 0000000077a003b0 .text C:\Windows\system32\taskhost.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007789ded0 5 bytes JMP 0000000077a00440 .text C:\Windows\system32\taskhost.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007789dee0 5 bytes JMP 0000000077a003e0 .text C:\Windows\system32\taskhost.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007789e040 5 bytes JMP 0000000077a00220 .text C:\Windows\system32\taskhost.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007789e200 5 bytes JMP 0000000077a004a0 .text C:\Windows\system32\taskhost.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007789e230 5 bytes JMP 0000000077a00390 .text C:\Windows\system32\taskhost.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007789e310 5 bytes JMP 0000000077a002e0 .text C:\Windows\system32\taskhost.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007789e320 5 bytes JMP 0000000077a00340 .text C:\Windows\system32\taskhost.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007789e380 5 bytes JMP 0000000077a00280 .text C:\Windows\system32\taskhost.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007789e410 1 byte JMP 0000000077a002a0 .text C:\Windows\system32\taskhost.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 000000007789e412 3 bytes {JMP 0x161e90} .text C:\Windows\system32\taskhost.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007789e430 1 byte JMP 0000000077a003c0 .text C:\Windows\system32\taskhost.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 000000007789e432 3 bytes {JMP 0x161f90} .text C:\Windows\system32\taskhost.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007789e440 5 bytes JMP 0000000077a00320 .text C:\Windows\system32\taskhost.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007789e4b0 5 bytes JMP 0000000077a00410 .text C:\Windows\system32\taskhost.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007789e4e0 5 bytes JMP 0000000077a00230 .text C:\Windows\system32\taskhost.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007789e680 5 bytes JMP 0000000077a003f0 .text C:\Windows\system32\taskhost.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007789e7a0 5 bytes JMP 0000000077a001d0 .text C:\Windows\system32\taskhost.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007789e860 5 bytes JMP 0000000077a00240 .text C:\Windows\system32\taskhost.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007789e890 5 bytes JMP 0000000077a004b0 .text C:\Windows\system32\taskhost.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007789e8a0 5 bytes JMP 0000000077a004c0 .text C:\Windows\system32\taskhost.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007789e8d0 5 bytes JMP 0000000077a002f0 .text C:\Windows\system32\taskhost.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007789e8e0 5 bytes JMP 0000000077a00350 .text C:\Windows\system32\taskhost.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007789e940 5 bytes JMP 0000000077a00290 .text C:\Windows\system32\taskhost.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007789e990 5 bytes JMP 0000000077a002b0 .text C:\Windows\system32\taskhost.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007789e9c0 5 bytes JMP 0000000077a00370 .text C:\Windows\system32\taskhost.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007789e9d0 5 bytes JMP 0000000077a00330 .text C:\Windows\system32\taskhost.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007789ecc0 5 bytes JMP 0000000077a00460 .text C:\Windows\system32\taskhost.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 000000007789ee20 5 bytes JMP 0000000077a00420 .text C:\Windows\system32\taskhost.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007789eec0 1 byte JMP 0000000077a00250 .text C:\Windows\system32\taskhost.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 000000007789eec2 3 bytes {JMP 0x161390} .text C:\Windows\system32\taskhost.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007789eed0 1 byte JMP 0000000077a00260 .text C:\Windows\system32\taskhost.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 000000007789eed2 3 bytes {JMP 0x161390} .text C:\Windows\system32\taskhost.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007789eee0 5 bytes JMP 0000000077a00400 .text C:\Windows\system32\taskhost.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007789f0a0 5 bytes JMP 0000000077a001e0 .text C:\Windows\system32\taskhost.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007789f0b0 5 bytes JMP 0000000077a00200 .text C:\Windows\system32\taskhost.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007789f120 5 bytes JMP 0000000077a001f0 .text C:\Windows\system32\taskhost.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007789f180 5 bytes JMP 0000000077a00430 .text C:\Windows\system32\taskhost.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007789f190 5 bytes JMP 0000000077a00450 .text C:\Windows\system32\taskhost.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007789f1a0 5 bytes JMP 0000000077a00210 .text C:\Windows\system32\taskhost.exe[1956] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007789f280 5 bytes JMP 0000000077a00270 .text C:\Windows\system32\svchost.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007789da60 5 bytes JMP 0000000077a00480 .text C:\Windows\system32\svchost.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007789dab0 5 bytes JMP 0000000077a00470 .text C:\Windows\system32\svchost.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007789dc10 5 bytes JMP 0000000077a00360 .text C:\Windows\system32\svchost.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007789dc60 5 bytes JMP 0000000077a00490 .text C:\Windows\system32\svchost.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007789dc70 5 bytes JMP 0000000077a003d0 .text C:\Windows\system32\svchost.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007789dd20 5 bytes JMP 0000000077a00310 .text C:\Windows\system32\svchost.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007789dd50 5 bytes JMP 0000000077a003a0 .text C:\Windows\system32\svchost.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007789dd70 5 bytes JMP 0000000077a00380 .text C:\Windows\system32\svchost.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007789ddb0 5 bytes JMP 0000000077a002d0 .text C:\Windows\system32\svchost.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007789de30 1 byte JMP 0000000077a002c0 .text C:\Windows\system32\svchost.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 000000007789de32 3 bytes {JMP 0x162490} .text C:\Windows\system32\svchost.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007789de50 5 bytes JMP 0000000077a00300 .text C:\Windows\system32\svchost.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007789de90 5 bytes JMP 0000000077a003b0 .text C:\Windows\system32\svchost.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007789ded0 5 bytes JMP 0000000077a00440 .text C:\Windows\system32\svchost.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007789dee0 5 bytes JMP 0000000077a003e0 .text C:\Windows\system32\svchost.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007789e040 5 bytes JMP 0000000077a00220 .text C:\Windows\system32\svchost.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007789e200 5 bytes JMP 0000000077a004a0 .text C:\Windows\system32\svchost.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007789e230 5 bytes JMP 0000000077a00390 .text C:\Windows\system32\svchost.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007789e310 5 bytes JMP 0000000077a002e0 .text C:\Windows\system32\svchost.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007789e320 5 bytes JMP 0000000077a00340 .text C:\Windows\system32\svchost.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007789e380 5 bytes JMP 0000000077a00280 .text C:\Windows\system32\svchost.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007789e410 1 byte JMP 0000000077a002a0 .text C:\Windows\system32\svchost.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 000000007789e412 3 bytes {JMP 0x161e90} .text C:\Windows\system32\svchost.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007789e430 1 byte JMP 0000000077a003c0 .text C:\Windows\system32\svchost.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 000000007789e432 3 bytes {JMP 0x161f90} .text C:\Windows\system32\svchost.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007789e440 5 bytes JMP 0000000077a00320 .text C:\Windows\system32\svchost.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007789e4b0 5 bytes JMP 0000000077a00410 .text C:\Windows\system32\svchost.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007789e4e0 5 bytes JMP 0000000077a00230 .text C:\Windows\system32\svchost.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007789e680 5 bytes JMP 0000000077a003f0 .text C:\Windows\system32\svchost.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007789e7a0 5 bytes JMP 0000000077a001d0 .text C:\Windows\system32\svchost.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007789e860 5 bytes JMP 0000000077a00240 .text C:\Windows\system32\svchost.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007789e890 5 bytes JMP 0000000077a004b0 .text C:\Windows\system32\svchost.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007789e8a0 5 bytes JMP 0000000077a004c0 .text C:\Windows\system32\svchost.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007789e8d0 5 bytes JMP 0000000077a002f0 .text C:\Windows\system32\svchost.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007789e8e0 5 bytes JMP 0000000077a00350 .text C:\Windows\system32\svchost.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007789e940 5 bytes JMP 0000000077a00290 .text C:\Windows\system32\svchost.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007789e990 5 bytes JMP 0000000077a002b0 .text C:\Windows\system32\svchost.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007789e9c0 5 bytes JMP 0000000077a00370 .text C:\Windows\system32\svchost.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007789e9d0 5 bytes JMP 0000000077a00330 .text C:\Windows\system32\svchost.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007789ecc0 5 bytes JMP 0000000077a00460 .text C:\Windows\system32\svchost.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 000000007789ee20 5 bytes JMP 0000000077a00420 .text C:\Windows\system32\svchost.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007789eec0 1 byte JMP 0000000077a00250 .text C:\Windows\system32\svchost.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 000000007789eec2 3 bytes {JMP 0x161390} .text C:\Windows\system32\svchost.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007789eed0 1 byte JMP 0000000077a00260 .text C:\Windows\system32\svchost.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 000000007789eed2 3 bytes {JMP 0x161390} .text C:\Windows\system32\svchost.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007789eee0 5 bytes JMP 0000000077a00400 .text C:\Windows\system32\svchost.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007789f0a0 5 bytes JMP 0000000077a001e0 .text C:\Windows\system32\svchost.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007789f0b0 5 bytes JMP 0000000077a00200 .text C:\Windows\system32\svchost.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007789f120 5 bytes JMP 0000000077a001f0 .text C:\Windows\system32\svchost.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007789f180 5 bytes JMP 0000000077a00430 .text C:\Windows\system32\svchost.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007789f190 5 bytes JMP 0000000077a00450 .text C:\Windows\system32\svchost.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007789f1a0 5 bytes JMP 0000000077a00210 .text C:\Windows\system32\svchost.exe[2028] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007789f280 5 bytes JMP 0000000077a00270 .text C:\Program Files\AVAST Software\Avast\avastui.exe[1472] C:\Windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter 0000000076698769 8 bytes [31, C0, C2, 04, 00, 90, 90, ...] .text C:\Program Files (x86)\Canon\IJPLM\IJPLMSVC.EXE[2888] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000077a01401 2 bytes JMP 766bb20b C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Canon\IJPLM\IJPLMSVC.EXE[2888] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000077a01419 2 bytes JMP 766bb336 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Canon\IJPLM\IJPLMSVC.EXE[2888] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000077a01431 2 bytes JMP 76738f39 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Canon\IJPLM\IJPLMSVC.EXE[2888] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000077a0144a 2 bytes CALL 76694885 C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\Canon\IJPLM\IJPLMSVC.EXE[2888] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000077a014dd 2 bytes JMP 76738832 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Canon\IJPLM\IJPLMSVC.EXE[2888] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000077a014f5 2 bytes JMP 76738a08 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Canon\IJPLM\IJPLMSVC.EXE[2888] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000077a0150d 2 bytes JMP 76738728 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Canon\IJPLM\IJPLMSVC.EXE[2888] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000077a01525 2 bytes JMP 76738af2 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Canon\IJPLM\IJPLMSVC.EXE[2888] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000077a0153d 2 bytes JMP 766afc98 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Canon\IJPLM\IJPLMSVC.EXE[2888] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000077a01555 2 bytes JMP 766b68df C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Canon\IJPLM\IJPLMSVC.EXE[2888] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000077a0156d 2 bytes JMP 76738ff1 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Canon\IJPLM\IJPLMSVC.EXE[2888] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000077a01585 2 bytes JMP 76738b52 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Canon\IJPLM\IJPLMSVC.EXE[2888] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000077a0159d 2 bytes JMP 767386ec C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Canon\IJPLM\IJPLMSVC.EXE[2888] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000077a015b5 2 bytes JMP 766afd31 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Canon\IJPLM\IJPLMSVC.EXE[2888] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000077a015cd 2 bytes JMP 766bb2cc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Canon\IJPLM\IJPLMSVC.EXE[2888] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000077a016b2 2 bytes JMP 76738eb4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Canon\IJPLM\IJPLMSVC.EXE[2888] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000077a016bd 2 bytes JMP 76738681 C:\Windows\syswow64\kernel32.dll .text C:\Windows\system32\svchost.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007789da60 5 bytes JMP 0000000077a00480 .text C:\Windows\system32\svchost.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007789dab0 5 bytes JMP 0000000077a00470 .text C:\Windows\system32\svchost.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007789dc10 5 bytes JMP 0000000077a00360 .text C:\Windows\system32\svchost.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007789dc60 5 bytes JMP 0000000077a00490 .text C:\Windows\system32\svchost.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007789dc70 5 bytes JMP 0000000077a003d0 .text C:\Windows\system32\svchost.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007789dd20 5 bytes JMP 0000000077a00310 .text C:\Windows\system32\svchost.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007789dd50 5 bytes JMP 0000000077a003a0 .text C:\Windows\system32\svchost.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007789dd70 5 bytes JMP 0000000077a00380 .text C:\Windows\system32\svchost.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007789ddb0 5 bytes JMP 0000000077a002d0 .text C:\Windows\system32\svchost.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007789de30 1 byte JMP 0000000077a002c0 .text C:\Windows\system32\svchost.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 000000007789de32 3 bytes {JMP 0x162490} .text C:\Windows\system32\svchost.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007789de50 5 bytes JMP 0000000077a00300 .text C:\Windows\system32\svchost.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007789de90 5 bytes JMP 0000000077a003b0 .text C:\Windows\system32\svchost.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007789ded0 5 bytes JMP 0000000077a00440 .text C:\Windows\system32\svchost.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007789dee0 5 bytes JMP 0000000077a003e0 .text C:\Windows\system32\svchost.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007789e040 5 bytes JMP 0000000077a00220 .text C:\Windows\system32\svchost.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007789e200 5 bytes JMP 0000000077a004a0 .text C:\Windows\system32\svchost.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007789e230 5 bytes JMP 0000000077a00390 .text C:\Windows\system32\svchost.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007789e310 5 bytes JMP 0000000077a002e0 .text C:\Windows\system32\svchost.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007789e320 5 bytes JMP 0000000077a00340 .text C:\Windows\system32\svchost.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007789e380 5 bytes JMP 0000000077a00280 .text C:\Windows\system32\svchost.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007789e410 1 byte JMP 0000000077a002a0 .text C:\Windows\system32\svchost.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 000000007789e412 3 bytes {JMP 0x161e90} .text C:\Windows\system32\svchost.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007789e430 1 byte JMP 0000000077a003c0 .text C:\Windows\system32\svchost.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 000000007789e432 3 bytes {JMP 0x161f90} .text C:\Windows\system32\svchost.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007789e440 5 bytes JMP 0000000077a00320 .text C:\Windows\system32\svchost.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007789e4b0 5 bytes JMP 0000000077a00410 .text C:\Windows\system32\svchost.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007789e4e0 5 bytes JMP 0000000077a00230 .text C:\Windows\system32\svchost.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007789e680 5 bytes JMP 0000000077a003f0 .text C:\Windows\system32\svchost.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007789e7a0 5 bytes JMP 0000000077a001d0 .text C:\Windows\system32\svchost.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007789e860 5 bytes JMP 0000000077a00240 .text C:\Windows\system32\svchost.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007789e890 5 bytes JMP 0000000077a004b0 .text C:\Windows\system32\svchost.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007789e8a0 5 bytes JMP 0000000077a004c0 .text C:\Windows\system32\svchost.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007789e8d0 5 bytes JMP 0000000077a002f0 .text C:\Windows\system32\svchost.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007789e8e0 5 bytes JMP 0000000077a00350 .text C:\Windows\system32\svchost.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007789e940 5 bytes JMP 0000000077a00290 .text C:\Windows\system32\svchost.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007789e990 5 bytes JMP 0000000077a002b0 .text C:\Windows\system32\svchost.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007789e9c0 5 bytes JMP 0000000077a00370 .text C:\Windows\system32\svchost.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007789e9d0 5 bytes JMP 0000000077a00330 .text C:\Windows\system32\svchost.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007789ecc0 5 bytes JMP 0000000077a00460 .text C:\Windows\system32\svchost.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 000000007789ee20 5 bytes JMP 0000000077a00420 .text C:\Windows\system32\svchost.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007789eec0 1 byte JMP 0000000077a00250 .text C:\Windows\system32\svchost.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 000000007789eec2 3 bytes {JMP 0x161390} .text C:\Windows\system32\svchost.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007789eed0 1 byte JMP 0000000077a00260 .text C:\Windows\system32\svchost.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 000000007789eed2 3 bytes {JMP 0x161390} .text C:\Windows\system32\svchost.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007789eee0 5 bytes JMP 0000000077a00400 .text C:\Windows\system32\svchost.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007789f0a0 5 bytes JMP 0000000077a001e0 .text C:\Windows\system32\svchost.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007789f0b0 5 bytes JMP 0000000077a00200 .text C:\Windows\system32\svchost.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007789f120 5 bytes JMP 0000000077a001f0 .text C:\Windows\system32\svchost.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007789f180 5 bytes JMP 0000000077a00430 .text C:\Windows\system32\svchost.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007789f190 5 bytes JMP 0000000077a00450 .text C:\Windows\system32\svchost.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007789f1a0 5 bytes JMP 0000000077a00210 .text C:\Windows\system32\svchost.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007789f280 5 bytes JMP 0000000077a00270 .text C:\Windows\system32\svchost.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007789da60 5 bytes JMP 0000000077a00480 .text C:\Windows\system32\svchost.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007789dab0 5 bytes JMP 0000000077a00470 .text C:\Windows\system32\svchost.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007789dc10 5 bytes JMP 0000000077a00360 .text C:\Windows\system32\svchost.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007789dc60 5 bytes JMP 0000000077a00490 .text C:\Windows\system32\svchost.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007789dc70 5 bytes JMP 0000000077a003d0 .text C:\Windows\system32\svchost.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007789dd20 5 bytes JMP 0000000077a00310 .text C:\Windows\system32\svchost.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007789dd50 5 bytes JMP 0000000077a003a0 .text C:\Windows\system32\svchost.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007789dd70 5 bytes JMP 0000000077a00380 .text C:\Windows\system32\svchost.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007789ddb0 5 bytes JMP 0000000077a002d0 .text C:\Windows\system32\svchost.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007789de30 1 byte JMP 0000000077a002c0 .text C:\Windows\system32\svchost.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 000000007789de32 3 bytes {JMP 0x162490} .text C:\Windows\system32\svchost.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007789de50 5 bytes JMP 0000000077a00300 .text C:\Windows\system32\svchost.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007789de90 5 bytes JMP 0000000077a003b0 .text C:\Windows\system32\svchost.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007789ded0 5 bytes JMP 0000000077a00440 .text C:\Windows\system32\svchost.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007789dee0 5 bytes JMP 0000000077a003e0 .text C:\Windows\system32\svchost.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007789e040 5 bytes JMP 0000000077a00220 .text C:\Windows\system32\svchost.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007789e200 5 bytes JMP 0000000077a004a0 .text C:\Windows\system32\svchost.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007789e230 5 bytes JMP 0000000077a00390 .text C:\Windows\system32\svchost.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007789e310 5 bytes JMP 0000000077a002e0 .text C:\Windows\system32\svchost.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007789e320 5 bytes JMP 0000000077a00340 .text C:\Windows\system32\svchost.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007789e380 5 bytes JMP 0000000077a00280 .text C:\Windows\system32\svchost.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007789e410 1 byte JMP 0000000077a002a0 .text C:\Windows\system32\svchost.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 000000007789e412 3 bytes {JMP 0x161e90} .text C:\Windows\system32\svchost.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007789e430 1 byte JMP 0000000077a003c0 .text C:\Windows\system32\svchost.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 000000007789e432 3 bytes {JMP 0x161f90} .text C:\Windows\system32\svchost.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007789e440 5 bytes JMP 0000000077a00320 .text C:\Windows\system32\svchost.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007789e4b0 5 bytes JMP 0000000077a00410 .text C:\Windows\system32\svchost.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007789e4e0 5 bytes JMP 0000000077a00230 .text C:\Windows\system32\svchost.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007789e680 5 bytes JMP 0000000077a003f0 .text C:\Windows\system32\svchost.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007789e7a0 5 bytes JMP 0000000077a001d0 .text C:\Windows\system32\svchost.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007789e860 5 bytes JMP 0000000077a00240 .text C:\Windows\system32\svchost.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007789e890 5 bytes JMP 0000000077a004b0 .text C:\Windows\system32\svchost.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007789e8a0 5 bytes JMP 0000000077a004c0 .text C:\Windows\system32\svchost.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007789e8d0 5 bytes JMP 0000000077a002f0 .text C:\Windows\system32\svchost.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007789e8e0 5 bytes JMP 0000000077a00350 .text C:\Windows\system32\svchost.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007789e940 5 bytes JMP 0000000077a00290 .text C:\Windows\system32\svchost.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007789e990 5 bytes JMP 0000000077a002b0 .text C:\Windows\system32\svchost.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007789e9c0 5 bytes JMP 0000000077a00370 .text C:\Windows\system32\svchost.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007789e9d0 5 bytes JMP 0000000077a00330 .text C:\Windows\system32\svchost.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007789ecc0 5 bytes JMP 0000000077a00460 .text C:\Windows\system32\svchost.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 000000007789ee20 5 bytes JMP 0000000077a00420 .text C:\Windows\system32\svchost.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007789eec0 1 byte JMP 0000000077a00250 .text C:\Windows\system32\svchost.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 000000007789eec2 3 bytes {JMP 0x161390} .text C:\Windows\system32\svchost.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007789eed0 1 byte JMP 0000000077a00260 .text C:\Windows\system32\svchost.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 000000007789eed2 3 bytes {JMP 0x161390} .text C:\Windows\system32\svchost.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007789eee0 5 bytes JMP 0000000077a00400 .text C:\Windows\system32\svchost.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007789f0a0 5 bytes JMP 0000000077a001e0 .text C:\Windows\system32\svchost.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007789f0b0 5 bytes JMP 0000000077a00200 .text C:\Windows\system32\svchost.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007789f120 5 bytes JMP 0000000077a001f0 .text C:\Windows\system32\svchost.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007789f180 5 bytes JMP 0000000077a00430 .text C:\Windows\system32\svchost.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007789f190 5 bytes JMP 0000000077a00450 .text C:\Windows\system32\svchost.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007789f1a0 5 bytes JMP 0000000077a00210 .text C:\Windows\system32\svchost.exe[1716] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007789f280 5 bytes JMP 0000000077a00270 .text C:\Windows\System32\svchost.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007789da60 5 bytes JMP 0000000077a00480 .text C:\Windows\System32\svchost.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007789dab0 5 bytes JMP 0000000077a00470 .text C:\Windows\System32\svchost.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007789dc10 5 bytes JMP 0000000077a00360 .text C:\Windows\System32\svchost.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007789dc60 5 bytes JMP 0000000077a00490 .text C:\Windows\System32\svchost.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007789dc70 5 bytes JMP 0000000077a003d0 .text C:\Windows\System32\svchost.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007789dd20 5 bytes JMP 0000000077a00310 .text C:\Windows\System32\svchost.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007789dd50 5 bytes JMP 0000000077a003a0 .text C:\Windows\System32\svchost.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007789dd70 5 bytes JMP 0000000077a00380 .text C:\Windows\System32\svchost.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007789ddb0 5 bytes JMP 0000000077a002d0 .text C:\Windows\System32\svchost.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007789de30 1 byte JMP 0000000077a002c0 .text C:\Windows\System32\svchost.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 000000007789de32 3 bytes {JMP 0x162490} .text C:\Windows\System32\svchost.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007789de50 5 bytes JMP 0000000077a00300 .text C:\Windows\System32\svchost.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007789de90 5 bytes JMP 0000000077a003b0 .text C:\Windows\System32\svchost.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007789ded0 5 bytes JMP 0000000077a00440 .text C:\Windows\System32\svchost.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007789dee0 5 bytes JMP 0000000077a003e0 .text C:\Windows\System32\svchost.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007789e040 5 bytes JMP 0000000077a00220 .text C:\Windows\System32\svchost.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007789e200 5 bytes JMP 0000000077a004a0 .text C:\Windows\System32\svchost.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007789e230 5 bytes JMP 0000000077a00390 .text C:\Windows\System32\svchost.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007789e310 5 bytes JMP 0000000077a002e0 .text C:\Windows\System32\svchost.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007789e320 5 bytes JMP 0000000077a00340 .text C:\Windows\System32\svchost.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007789e380 5 bytes JMP 0000000077a00280 .text C:\Windows\System32\svchost.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007789e410 1 byte JMP 0000000077a002a0 .text C:\Windows\System32\svchost.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 000000007789e412 3 bytes {JMP 0x161e90} .text C:\Windows\System32\svchost.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007789e430 1 byte JMP 0000000077a003c0 .text C:\Windows\System32\svchost.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 000000007789e432 3 bytes {JMP 0x161f90} .text C:\Windows\System32\svchost.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007789e440 5 bytes JMP 0000000077a00320 .text C:\Windows\System32\svchost.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007789e4b0 5 bytes JMP 0000000077a00410 .text C:\Windows\System32\svchost.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007789e4e0 5 bytes JMP 0000000077a00230 .text C:\Windows\System32\svchost.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007789e680 5 bytes JMP 0000000077a003f0 .text C:\Windows\System32\svchost.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007789e7a0 5 bytes JMP 0000000077a001d0 .text C:\Windows\System32\svchost.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007789e860 5 bytes JMP 0000000077a00240 .text C:\Windows\System32\svchost.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007789e890 5 bytes JMP 0000000077a004b0 .text C:\Windows\System32\svchost.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007789e8a0 5 bytes JMP 0000000077a004c0 .text C:\Windows\System32\svchost.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007789e8d0 5 bytes JMP 0000000077a002f0 .text C:\Windows\System32\svchost.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007789e8e0 5 bytes JMP 0000000077a00350 .text C:\Windows\System32\svchost.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007789e940 5 bytes JMP 0000000077a00290 .text C:\Windows\System32\svchost.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007789e990 5 bytes JMP 0000000077a002b0 .text C:\Windows\System32\svchost.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007789e9c0 5 bytes JMP 0000000077a00370 .text C:\Windows\System32\svchost.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007789e9d0 5 bytes JMP 0000000077a00330 .text C:\Windows\System32\svchost.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007789ecc0 5 bytes JMP 0000000077a00460 .text C:\Windows\System32\svchost.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 000000007789ee20 5 bytes JMP 0000000077a00420 .text C:\Windows\System32\svchost.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007789eec0 1 byte JMP 0000000077a00250 .text C:\Windows\System32\svchost.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 000000007789eec2 3 bytes {JMP 0x161390} .text C:\Windows\System32\svchost.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007789eed0 1 byte JMP 0000000077a00260 .text C:\Windows\System32\svchost.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 000000007789eed2 3 bytes {JMP 0x161390} .text C:\Windows\System32\svchost.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007789eee0 5 bytes JMP 0000000077a00400 .text C:\Windows\System32\svchost.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007789f0a0 5 bytes JMP 0000000077a001e0 .text C:\Windows\System32\svchost.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007789f0b0 5 bytes JMP 0000000077a00200 .text C:\Windows\System32\svchost.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007789f120 5 bytes JMP 0000000077a001f0 .text C:\Windows\System32\svchost.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007789f180 5 bytes JMP 0000000077a00430 .text C:\Windows\System32\svchost.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007789f190 5 bytes JMP 0000000077a00450 .text C:\Windows\System32\svchost.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007789f1a0 5 bytes JMP 0000000077a00210 .text C:\Windows\System32\svchost.exe[4252] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007789f280 5 bytes JMP 0000000077a00270 .text C:\Windows\SysWOW64\regsvr32.exe[4356] C:\Windows\syswow64\user32.dll!DialogBoxIndirectParamW 000000007544cbf3 5 bytes JMP 000000000020be58 .text C:\Windows\SysWOW64\regsvr32.exe[4356] C:\Windows\syswow64\user32.dll!DialogBoxParamW 000000007544cfca 5 bytes JMP 000000000020be40 .text C:\Windows\SysWOW64\regsvr32.exe[4356] C:\Windows\syswow64\user32.dll!DialogBoxParamA 000000007546cb0c 5 bytes JMP 000000000020be34 .text C:\Windows\SysWOW64\regsvr32.exe[4356] C:\Windows\syswow64\user32.dll!DialogBoxIndirectParamA 000000007546ce64 5 bytes JMP 000000000020be4c .text C:\Windows\SysWOW64\regsvr32.exe[4356] C:\Windows\syswow64\user32.dll!MessageBoxIndirectA 000000007547fbd1 5 bytes JMP 000000000020bc78 .text C:\Windows\SysWOW64\regsvr32.exe[4356] C:\Windows\syswow64\user32.dll!MessageBoxIndirectW 000000007547fc9d 5 bytes JMP 000000000020bd60 .text C:\Windows\SysWOW64\regsvr32.exe[4356] C:\Windows\syswow64\user32.dll!MessageBoxExA 000000007547fcd6 5 bytes JMP 000000000020b8d4 .text C:\Windows\SysWOW64\regsvr32.exe[4356] C:\Windows\syswow64\user32.dll!MessageBoxExW 000000007547fcfa 5 bytes JMP 000000000020b8e0 .text C:\Windows\SysWOW64\regsvr32.exe[4356] C:\Windows\syswow64\user32.dll!MessageBoxA 000000007547fd1e 5 bytes JMP 000000000020b8ec .text C:\Windows\SysWOW64\regsvr32.exe[4356] C:\Windows\syswow64\user32.dll!MessageBoxW 000000007547fd3f 5 bytes JMP 000000000020baa8 .text C:\Windows\SysWOW64\regsvr32.exe[4356] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000077a01401 2 bytes JMP 766bb20b C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\regsvr32.exe[4356] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000077a01419 2 bytes JMP 766bb336 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\regsvr32.exe[4356] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000077a01431 2 bytes JMP 76738f39 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\regsvr32.exe[4356] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000077a0144a 2 bytes CALL 76694885 C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Windows\SysWOW64\regsvr32.exe[4356] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000077a014dd 2 bytes JMP 76738832 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\regsvr32.exe[4356] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000077a014f5 2 bytes JMP 76738a08 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\regsvr32.exe[4356] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000077a0150d 2 bytes JMP 76738728 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\regsvr32.exe[4356] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000077a01525 2 bytes JMP 76738af2 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\regsvr32.exe[4356] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000077a0153d 2 bytes JMP 766afc98 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\regsvr32.exe[4356] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000077a01555 2 bytes JMP 766b68df C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\regsvr32.exe[4356] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000077a0156d 2 bytes JMP 76738ff1 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\regsvr32.exe[4356] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000077a01585 2 bytes JMP 76738b52 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\regsvr32.exe[4356] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000077a0159d 2 bytes JMP 767386ec C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\regsvr32.exe[4356] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000077a015b5 2 bytes JMP 766afd31 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\regsvr32.exe[4356] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000077a015cd 2 bytes JMP 766bb2cc C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\regsvr32.exe[4356] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000077a016b2 2 bytes JMP 76738eb4 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\regsvr32.exe[4356] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000077a016bd 2 bytes JMP 76738681 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\regsvr32.exe[4432] C:\Windows\syswow64\user32.dll!DialogBoxIndirectParamW 000000007544cbf3 5 bytes JMP 000000000022be58 .text C:\Windows\SysWOW64\regsvr32.exe[4432] C:\Windows\syswow64\user32.dll!DialogBoxParamW 000000007544cfca 5 bytes JMP 000000000022be40 .text C:\Windows\SysWOW64\regsvr32.exe[4432] C:\Windows\syswow64\user32.dll!DialogBoxParamA 000000007546cb0c 5 bytes JMP 000000000022be34 .text C:\Windows\SysWOW64\regsvr32.exe[4432] C:\Windows\syswow64\user32.dll!DialogBoxIndirectParamA 000000007546ce64 5 bytes JMP 000000000022be4c .text C:\Windows\SysWOW64\regsvr32.exe[4432] C:\Windows\syswow64\user32.dll!MessageBoxIndirectA 000000007547fbd1 5 bytes JMP 000000000022bc78 .text C:\Windows\SysWOW64\regsvr32.exe[4432] C:\Windows\syswow64\user32.dll!MessageBoxIndirectW 000000007547fc9d 5 bytes JMP 000000000022bd60 .text C:\Windows\SysWOW64\regsvr32.exe[4432] C:\Windows\syswow64\user32.dll!MessageBoxExA 000000007547fcd6 5 bytes JMP 000000000022b8d4 .text C:\Windows\SysWOW64\regsvr32.exe[4432] C:\Windows\syswow64\user32.dll!MessageBoxExW 000000007547fcfa 5 bytes JMP 000000000022b8e0 .text C:\Windows\SysWOW64\regsvr32.exe[4432] C:\Windows\syswow64\user32.dll!MessageBoxA 000000007547fd1e 5 bytes JMP 000000000022b8ec .text C:\Windows\SysWOW64\regsvr32.exe[4432] C:\Windows\syswow64\user32.dll!MessageBoxW 000000007547fd3f 5 bytes JMP 000000000022baa8 .text C:\Windows\SysWOW64\regsvr32.exe[4432] C:\Windows\SysWOW64\wsock32.dll!recv + 82 0000000073ab17fa 2 bytes CALL 766911a9 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\regsvr32.exe[4432] C:\Windows\SysWOW64\wsock32.dll!recvfrom + 88 0000000073ab1860 2 bytes CALL 766911a9 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\regsvr32.exe[4432] C:\Windows\SysWOW64\wsock32.dll!setsockopt + 98 0000000073ab1942 2 bytes JMP 768d7089 C:\Windows\syswow64\WS2_32.dll .text C:\Windows\SysWOW64\regsvr32.exe[4432] C:\Windows\SysWOW64\wsock32.dll!setsockopt + 109 0000000073ab194d 2 bytes JMP 768dcba6 C:\Windows\syswow64\WS2_32.dll .text C:\Windows\SysWOW64\regsvr32.exe[4432] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000077a01401 2 bytes JMP 766bb20b C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\regsvr32.exe[4432] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000077a01419 2 bytes JMP 766bb336 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\regsvr32.exe[4432] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000077a01431 2 bytes JMP 76738f39 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\regsvr32.exe[4432] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000077a0144a 2 bytes CALL 76694885 C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Windows\SysWOW64\regsvr32.exe[4432] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000077a014dd 2 bytes JMP 76738832 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\regsvr32.exe[4432] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000077a014f5 2 bytes JMP 76738a08 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\regsvr32.exe[4432] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000077a0150d 2 bytes JMP 76738728 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\regsvr32.exe[4432] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000077a01525 2 bytes JMP 76738af2 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\regsvr32.exe[4432] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000077a0153d 2 bytes JMP 766afc98 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\regsvr32.exe[4432] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000077a01555 2 bytes JMP 766b68df C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\regsvr32.exe[4432] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000077a0156d 2 bytes JMP 76738ff1 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\regsvr32.exe[4432] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000077a01585 2 bytes JMP 76738b52 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\regsvr32.exe[4432] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000077a0159d 2 bytes JMP 767386ec C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\regsvr32.exe[4432] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000077a015b5 2 bytes JMP 766afd31 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\regsvr32.exe[4432] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000077a015cd 2 bytes JMP 766bb2cc C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\regsvr32.exe[4432] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000077a016b2 2 bytes JMP 76738eb4 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\regsvr32.exe[4432] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000077a016bd 2 bytes JMP 76738681 C:\Windows\syswow64\kernel32.dll ---- Registry - GMER 2.2 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters\Instup_14734364851682280@SetupOperations ?????T???????????$???????????????????????????????????/???;??su???????g??? ??????LegacyDriver?????????????????????l??\\?\USB#VID_09DA&PID_8090#6&182a12da&0&7#{a5dcbf10-6530-11d2-901f-00c04fb951ed}?????{4d36e97d-e325-11ce-bfc1-08002be10318}\0044?????multi(0)disk(0)rdisk(0)partition(2)?????????????????T??????????????????????????????????????????????????????????????????????????????????s???????s????MTP?????@machine.inf,%gendev_mfg%;(Standardowe urz?dzenia systemowe)????????????????????????*pnp0c02????? ?????????????????????0????????????????????? ??????????????????????????????????????????????? ?????????????????????0????????????????????????????????????*pnp0c02????? ?????????????????????0????????????????????? ?????????????????????0????????????????????????????????????????????????????????????????????? ???????~?????????????0????????????????????? ?????????????????????0????????????????????????????machine.inf:GENDEV_SYS.NTamd64:NO_DRV_MBRES:6.1.7601.17514:*pnp0c02?V_??????6.???????????5??pn??????????????????? *???????????? Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters\Instup_14734365725912280@SetupOperations ???t?????z?z?k??????$???4????? ??????? ??????????????? ????????????????????????????????????????? ??????????? ??????????? ???IS\0000?????rspndr???????e??????????????$???4????? ??????? ??????????????? ????????????????????????????????????????? ??????????? ????????????????????????????????~???f?f?f???e?e?e???$???d??????????????????????????ACPI_Inst???machine.inf??????????????e?e?e??????????????????????????????$???4????? ??????? ??????????????? ????????????????????????????????????????? ??????????? ???????????????????????????????$???4????? ??????? ??????????????? ????????????????????????????????????????? ??????????? ???????????????????????????????????? ???????????4??????$???4????? ??????? ??????????????? ????????????????????????????????????????? ??????????? ???????????????????????????????$???4????? ??????? ??????????????? ????????????????????????????????????????? ??????????? ?????????????????????????????"??d???2??10???f?f?~??????$???4????? ??????? ??????????????? ????????????????????????????????????????? ?????????? Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters\Instup_14734364851682280@SetupOperations ?????????????????????????????????????????????????????????????????????? ?????????ln??? ???????|???????~???????????????????????.???????3??????????????{4d36e967-e325-11ce-bfc1-08002be10318}\0000?????RPCSS??ste??s????????s???v???????v??????????????????{4d36e967-e325-11ce-bfc1-08002be10318}?ast??????????????????????????????USB\VID_0BC2&PID_3008&REV_0138?USB\VID_0BC2&PID_3008?????????????????????????????e????X???????????????4??????\??ss??6-21-2006???????????Port_#0005.Hub_#0001?y???????????????????3??????? l??????/?????/?/??????????????????{36fc9e60-c465-11cf-8056-444553540000}\0007??????????????????????&??????????????????????{32892953-1966-5df6-9e73-abd47ac5fc77}?FF\?????????????????????????????????????????????t?????v??????????? ???????u????????????N??????/???????/??generic_hid_device??????8.8.8.8,8.8.4.4??????v???????.??????????????????e???storage\volume???????????????????????????????????????????????????&????????????????????????X?????????????6.1.7601.17514??????????????? ??B???B????????&????????????????????N???? Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters\Instup_14734365725912280@SetupOperations ?????i????????????????????P?avast! StreamFilter Callout Driver????????*??????i?????????n?l????????F???????????x?@oem21.inf,%mfg%;Canon?tio@??b8????????????????????????????????????????????s??????????????????????????????????al U???????????D??ic??umbus.inf_amd64_neutral_694fa3d3c00382f7??0??a?z???z?????????????v??????so??? 4??????f????????h?{745a17a0-74d3-11d0-b6fe-00a0c90f57da}\0032??????????????&??? ???????,???????????,?:????????h??????-8E??Sterownik prze??cznika kontrolera hosta Intel(R) USB 3.0??????????????????????????????X??????????????????????{???????????/???????????????????????!???5????????X?{6bdd1fc6-810f-11d0-bec7-08002be2092f}?uz1??WINUSB.INF???k???????????????????????????s??6-21-2006?????N????????????D???????????????`???????????????????? ??????????? ????????????????f?g?w?z?{?????f?g????????????????????????????????L???????????????????????????????(??y?y?z?z?z?y?????????????????I???????????????????\???\????????P??U???e?x?????m???????z?|?|??????????????? ???????????????????????l???-???????.(??z?{?|?|?|? ---- EOF - GMER 2.2 ----