GMER 2.2.19882 - http://www.gmer.net Rootkit scan 2017-01-30 14:15:59 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 WDC_WD50 rev.03.0 465,76GB Running: tmc84lwb.exe; Driver: C:\Users\Rafal\AppData\Local\Temp\kglorpow.sys ---- User code sections - GMER 2.2 ---- .text C:\windows\system32\csrss.exe[544] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007719bbe0 5 bytes JMP 0000000049e70480 .text C:\windows\system32\csrss.exe[544] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007719bc30 5 bytes JMP 0000000049e70470 .text C:\windows\system32\csrss.exe[544] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007719bd90 5 bytes JMP 0000000049e70360 .text C:\windows\system32\csrss.exe[544] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007719bde0 5 bytes JMP 0000000049e70490 .text C:\windows\system32\csrss.exe[544] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007719bdf0 5 bytes JMP 0000000049e703d0 .text C:\windows\system32\csrss.exe[544] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007719bea0 5 bytes JMP 0000000049e70310 .text C:\windows\system32\csrss.exe[544] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007719bed0 5 bytes JMP 0000000049e703a0 .text C:\windows\system32\csrss.exe[544] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007719bef0 1 byte JMP 0000000049e70380 .text C:\windows\system32\csrss.exe[544] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 000000007719bef2 3 bytes {JMP 0xffffffffd2cd4490} .text C:\windows\system32\csrss.exe[544] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007719bf30 5 bytes JMP 0000000049e702d0 .text C:\windows\system32\csrss.exe[544] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007719bfb0 5 bytes JMP 0000000049e702c0 .text C:\windows\system32\csrss.exe[544] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007719bfd0 5 bytes JMP 0000000049e70300 .text C:\windows\system32\csrss.exe[544] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007719c010 5 bytes JMP 0000000049e703b0 .text C:\windows\system32\csrss.exe[544] C:\windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007719c050 5 bytes JMP 0000000049e70440 .text C:\windows\system32\csrss.exe[544] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007719c060 5 bytes JMP 0000000049e703e0 .text C:\windows\system32\csrss.exe[544] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007719c1c0 5 bytes JMP 0000000049e70220 .text C:\windows\system32\csrss.exe[544] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007719c380 5 bytes JMP 0000000049e704a0 .text C:\windows\system32\csrss.exe[544] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007719c3b0 5 bytes JMP 0000000049e70390 .text C:\windows\system32\csrss.exe[544] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007719c490 5 bytes JMP 0000000049e702e0 .text C:\windows\system32\csrss.exe[544] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007719c4a0 5 bytes JMP 0000000049e70340 .text C:\windows\system32\csrss.exe[544] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007719c500 5 bytes JMP 0000000049e70280 .text C:\windows\system32\csrss.exe[544] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007719c590 5 bytes JMP 0000000049e702a0 .text C:\windows\system32\csrss.exe[544] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007719c5b0 5 bytes JMP 0000000049e703c0 .text C:\windows\system32\csrss.exe[544] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007719c5c0 5 bytes JMP 0000000049e70320 .text C:\windows\system32\csrss.exe[544] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007719c630 5 bytes JMP 0000000049e70410 .text C:\windows\system32\csrss.exe[544] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007719c660 5 bytes JMP 0000000049e70230 .text C:\windows\system32\csrss.exe[544] C:\windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007719c800 5 bytes JMP 0000000049e703f0 .text C:\windows\system32\csrss.exe[544] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007719c920 5 bytes JMP 0000000049e701d0 .text C:\windows\system32\csrss.exe[544] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007719c9e0 5 bytes JMP 0000000049e70240 .text C:\windows\system32\csrss.exe[544] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007719ca10 5 bytes JMP 0000000049e704b0 .text C:\windows\system32\csrss.exe[544] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007719ca20 5 bytes JMP 0000000049e704c0 .text C:\windows\system32\csrss.exe[544] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007719ca50 5 bytes JMP 0000000049e702f0 .text C:\windows\system32\csrss.exe[544] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007719ca60 5 bytes JMP 0000000049e70350 .text C:\windows\system32\csrss.exe[544] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007719cac0 5 bytes JMP 0000000049e70290 .text C:\windows\system32\csrss.exe[544] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007719cb10 5 bytes JMP 0000000049e702b0 .text C:\windows\system32\csrss.exe[544] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007719cb40 5 bytes JMP 0000000049e70370 .text C:\windows\system32\csrss.exe[544] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007719cb50 5 bytes JMP 0000000049e70330 .text C:\windows\system32\csrss.exe[544] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007719ce40 5 bytes JMP 0000000049e70460 .text C:\windows\system32\csrss.exe[544] C:\windows\SYSTEM32\ntdll.dll!NtResumeProcess 000000007719cfa0 5 bytes JMP 0000000049e70420 .text C:\windows\system32\csrss.exe[544] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007719d040 5 bytes JMP 0000000049e70250 .text C:\windows\system32\csrss.exe[544] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007719d050 5 bytes JMP 0000000049e70260 .text C:\windows\system32\csrss.exe[544] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007719d060 5 bytes JMP 0000000049e70400 .text C:\windows\system32\csrss.exe[544] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007719d220 5 bytes JMP 0000000049e701e0 .text C:\windows\system32\csrss.exe[544] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007719d230 5 bytes JMP 0000000049e70200 .text C:\windows\system32\csrss.exe[544] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007719d2a0 5 bytes JMP 0000000049e701f0 .text C:\windows\system32\csrss.exe[544] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007719d300 5 bytes JMP 0000000049e70430 .text C:\windows\system32\csrss.exe[544] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007719d310 5 bytes JMP 0000000049e70450 .text C:\windows\system32\csrss.exe[544] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007719d320 5 bytes JMP 0000000049e70210 .text C:\windows\system32\csrss.exe[544] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007719d400 5 bytes JMP 0000000049e70270 .text C:\windows\system32\csrss.exe[632] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007719bbe0 5 bytes JMP 0000000049e70480 .text C:\windows\system32\csrss.exe[632] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007719bc30 5 bytes JMP 0000000049e70470 .text C:\windows\system32\csrss.exe[632] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007719bd90 5 bytes JMP 0000000049e70360 .text C:\windows\system32\csrss.exe[632] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007719bde0 5 bytes JMP 0000000049e70490 .text C:\windows\system32\csrss.exe[632] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007719bdf0 5 bytes JMP 0000000049e703d0 .text C:\windows\system32\csrss.exe[632] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007719bea0 5 bytes JMP 0000000049e70310 .text C:\windows\system32\csrss.exe[632] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007719bed0 5 bytes JMP 0000000049e703a0 .text C:\windows\system32\csrss.exe[632] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007719bef0 1 byte JMP 0000000049e70380 .text C:\windows\system32\csrss.exe[632] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 000000007719bef2 3 bytes {JMP 0xffffffffd2cd4490} .text C:\windows\system32\csrss.exe[632] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007719bf30 5 bytes JMP 0000000049e702d0 .text C:\windows\system32\csrss.exe[632] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007719bfb0 5 bytes JMP 0000000049e702c0 .text C:\windows\system32\csrss.exe[632] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007719bfd0 5 bytes JMP 0000000049e70300 .text C:\windows\system32\csrss.exe[632] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007719c010 5 bytes JMP 0000000049e703b0 .text C:\windows\system32\csrss.exe[632] C:\windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007719c050 5 bytes JMP 0000000049e70440 .text C:\windows\system32\csrss.exe[632] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007719c060 5 bytes JMP 0000000049e703e0 .text C:\windows\system32\csrss.exe[632] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007719c1c0 5 bytes JMP 0000000049e70220 .text C:\windows\system32\csrss.exe[632] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007719c380 5 bytes JMP 0000000049e704a0 .text C:\windows\system32\csrss.exe[632] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007719c3b0 5 bytes JMP 0000000049e70390 .text C:\windows\system32\csrss.exe[632] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007719c490 5 bytes JMP 0000000049e702e0 .text C:\windows\system32\csrss.exe[632] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007719c4a0 5 bytes JMP 0000000049e70340 .text C:\windows\system32\csrss.exe[632] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007719c500 5 bytes JMP 0000000049e70280 .text C:\windows\system32\csrss.exe[632] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007719c590 5 bytes JMP 0000000049e702a0 .text C:\windows\system32\csrss.exe[632] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007719c5b0 5 bytes JMP 0000000049e703c0 .text C:\windows\system32\csrss.exe[632] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007719c5c0 5 bytes JMP 0000000049e70320 .text C:\windows\system32\csrss.exe[632] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007719c630 5 bytes JMP 0000000049e70410 .text C:\windows\system32\csrss.exe[632] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007719c660 5 bytes JMP 0000000049e70230 .text C:\windows\system32\csrss.exe[632] C:\windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007719c800 5 bytes JMP 0000000049e703f0 .text C:\windows\system32\csrss.exe[632] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007719c920 5 bytes JMP 0000000049e701d0 .text C:\windows\system32\csrss.exe[632] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007719c9e0 5 bytes JMP 0000000049e70240 .text C:\windows\system32\csrss.exe[632] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007719ca10 5 bytes JMP 0000000049e704b0 .text C:\windows\system32\csrss.exe[632] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007719ca20 5 bytes JMP 0000000049e704c0 .text C:\windows\system32\csrss.exe[632] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007719ca50 5 bytes JMP 0000000049e702f0 .text C:\windows\system32\csrss.exe[632] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007719ca60 5 bytes JMP 0000000049e70350 .text C:\windows\system32\csrss.exe[632] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007719cac0 5 bytes JMP 0000000049e70290 .text C:\windows\system32\csrss.exe[632] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007719cb10 5 bytes JMP 0000000049e702b0 .text C:\windows\system32\csrss.exe[632] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007719cb40 5 bytes JMP 0000000049e70370 .text C:\windows\system32\csrss.exe[632] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007719cb50 5 bytes JMP 0000000049e70330 .text C:\windows\system32\csrss.exe[632] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007719ce40 5 bytes JMP 0000000049e70460 .text C:\windows\system32\csrss.exe[632] C:\windows\SYSTEM32\ntdll.dll!NtResumeProcess 000000007719cfa0 5 bytes JMP 0000000049e70420 .text C:\windows\system32\csrss.exe[632] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007719d040 5 bytes JMP 0000000049e70250 .text C:\windows\system32\csrss.exe[632] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007719d050 5 bytes JMP 0000000049e70260 .text C:\windows\system32\csrss.exe[632] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007719d060 5 bytes JMP 0000000049e70400 .text C:\windows\system32\csrss.exe[632] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007719d220 5 bytes JMP 0000000049e701e0 .text C:\windows\system32\csrss.exe[632] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007719d230 5 bytes JMP 0000000049e70200 .text C:\windows\system32\csrss.exe[632] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007719d2a0 5 bytes JMP 0000000049e701f0 .text C:\windows\system32\csrss.exe[632] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007719d300 5 bytes JMP 0000000049e70430 .text C:\windows\system32\csrss.exe[632] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007719d310 5 bytes JMP 0000000049e70450 .text C:\windows\system32\csrss.exe[632] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007719d320 5 bytes JMP 0000000049e70210 .text C:\windows\system32\csrss.exe[632] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007719d400 5 bytes JMP 0000000049e70270 .text C:\windows\system32\lsass.exe[708] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007719bbe0 5 bytes JMP 0000000000070480 .text C:\windows\system32\lsass.exe[708] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007719bc30 5 bytes JMP 0000000000070470 .text C:\windows\system32\lsass.exe[708] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007719bd90 5 bytes JMP 0000000000070360 .text C:\windows\system32\lsass.exe[708] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007719bde0 5 bytes JMP 0000000000070490 .text C:\windows\system32\lsass.exe[708] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007719bdf0 5 bytes JMP 00000000000703d0 .text C:\windows\system32\lsass.exe[708] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007719bea0 5 bytes JMP 0000000000070310 .text C:\windows\system32\lsass.exe[708] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007719bed0 5 bytes JMP 00000000000703a0 .text C:\windows\system32\lsass.exe[708] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007719bef0 1 byte JMP 0000000000070380 .text C:\windows\system32\lsass.exe[708] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 000000007719bef2 3 bytes {JMP 0xffffffff88ed4490} .text C:\windows\system32\lsass.exe[708] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007719bf30 5 bytes JMP 00000000000702d0 .text C:\windows\system32\lsass.exe[708] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007719bfb0 5 bytes JMP 00000000000702c0 .text C:\windows\system32\lsass.exe[708] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007719bfd0 5 bytes JMP 0000000000070300 .text C:\windows\system32\lsass.exe[708] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007719c010 5 bytes JMP 00000000000703b0 .text C:\windows\system32\lsass.exe[708] C:\windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007719c050 5 bytes JMP 0000000000070440 .text C:\windows\system32\lsass.exe[708] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007719c060 5 bytes JMP 00000000000703e0 .text C:\windows\system32\lsass.exe[708] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007719c1c0 5 bytes JMP 0000000000070220 .text C:\windows\system32\lsass.exe[708] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007719c380 5 bytes JMP 00000000000704a0 .text C:\windows\system32\lsass.exe[708] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007719c3b0 5 bytes JMP 0000000000070390 .text C:\windows\system32\lsass.exe[708] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007719c490 5 bytes JMP 00000000000702e0 .text C:\windows\system32\lsass.exe[708] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007719c4a0 5 bytes JMP 0000000000070340 .text C:\windows\system32\lsass.exe[708] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007719c500 5 bytes JMP 0000000000070280 .text C:\windows\system32\lsass.exe[708] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007719c590 5 bytes JMP 00000000000702a0 .text C:\windows\system32\lsass.exe[708] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007719c5b0 5 bytes JMP 00000000000703c0 .text C:\windows\system32\lsass.exe[708] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007719c5c0 5 bytes JMP 0000000000070320 .text C:\windows\system32\lsass.exe[708] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007719c630 5 bytes JMP 0000000000070410 .text C:\windows\system32\lsass.exe[708] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007719c660 5 bytes JMP 0000000000070230 .text C:\windows\system32\lsass.exe[708] C:\windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007719c800 5 bytes JMP 00000000000703f0 .text C:\windows\system32\lsass.exe[708] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007719c920 5 bytes JMP 00000000000701d0 .text C:\windows\system32\lsass.exe[708] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007719c9e0 5 bytes JMP 0000000000070240 .text C:\windows\system32\lsass.exe[708] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007719ca10 5 bytes JMP 00000000000704b0 .text C:\windows\system32\lsass.exe[708] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007719ca20 5 bytes JMP 00000000000704c0 .text C:\windows\system32\lsass.exe[708] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007719ca50 5 bytes JMP 00000000000702f0 .text C:\windows\system32\lsass.exe[708] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007719ca60 5 bytes JMP 0000000000070350 .text C:\windows\system32\lsass.exe[708] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007719cac0 5 bytes JMP 0000000000070290 .text C:\windows\system32\lsass.exe[708] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007719cb10 5 bytes JMP 00000000000702b0 .text C:\windows\system32\lsass.exe[708] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007719cb40 5 bytes JMP 0000000000070370 .text C:\windows\system32\lsass.exe[708] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007719cb50 5 bytes JMP 0000000000070330 .text C:\windows\system32\lsass.exe[708] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007719ce40 5 bytes JMP 0000000000070460 .text C:\windows\system32\lsass.exe[708] C:\windows\SYSTEM32\ntdll.dll!NtResumeProcess 000000007719cfa0 5 bytes JMP 0000000000070420 .text C:\windows\system32\lsass.exe[708] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007719d040 5 bytes JMP 0000000000070250 .text C:\windows\system32\lsass.exe[708] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007719d050 5 bytes JMP 0000000000070260 .text C:\windows\system32\lsass.exe[708] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007719d060 5 bytes JMP 0000000000070400 .text C:\windows\system32\lsass.exe[708] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007719d220 5 bytes JMP 00000000000701e0 .text C:\windows\system32\lsass.exe[708] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007719d230 5 bytes JMP 0000000000070200 .text C:\windows\system32\lsass.exe[708] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007719d2a0 5 bytes JMP 00000000000701f0 .text C:\windows\system32\lsass.exe[708] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007719d300 5 bytes JMP 0000000000070430 .text C:\windows\system32\lsass.exe[708] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007719d310 5 bytes JMP 0000000000070450 .text C:\windows\system32\lsass.exe[708] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007719d320 5 bytes JMP 0000000000070210 .text C:\windows\system32\lsass.exe[708] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007719d400 5 bytes JMP 0000000000070270 .text C:\windows\system32\lsm.exe[716] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007719bbe0 5 bytes JMP 0000000077300480 .text C:\windows\system32\lsm.exe[716] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007719bc30 5 bytes JMP 0000000077300470 .text C:\windows\system32\lsm.exe[716] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007719bd90 5 bytes JMP 0000000077300360 .text C:\windows\system32\lsm.exe[716] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007719bde0 5 bytes JMP 0000000077300490 .text C:\windows\system32\lsm.exe[716] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007719bdf0 5 bytes JMP 00000000773003d0 .text C:\windows\system32\lsm.exe[716] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007719bea0 5 bytes JMP 0000000077300310 .text C:\windows\system32\lsm.exe[716] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007719bed0 5 bytes JMP 00000000773003a0 .text C:\windows\system32\lsm.exe[716] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007719bef0 1 byte JMP 0000000077300380 .text C:\windows\system32\lsm.exe[716] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 000000007719bef2 3 bytes {JMP 0x164490} .text C:\windows\system32\lsm.exe[716] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007719bf30 5 bytes JMP 00000000773002d0 .text C:\windows\system32\lsm.exe[716] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007719bfb0 5 bytes JMP 00000000773002c0 .text C:\windows\system32\lsm.exe[716] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007719bfd0 5 bytes JMP 0000000077300300 .text C:\windows\system32\lsm.exe[716] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007719c010 5 bytes JMP 00000000773003b0 .text C:\windows\system32\lsm.exe[716] C:\windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007719c050 5 bytes JMP 0000000077300440 .text C:\windows\system32\lsm.exe[716] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007719c060 5 bytes JMP 00000000773003e0 .text C:\windows\system32\lsm.exe[716] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007719c1c0 5 bytes JMP 0000000077300220 .text C:\windows\system32\lsm.exe[716] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007719c380 5 bytes JMP 00000000773004a0 .text C:\windows\system32\lsm.exe[716] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007719c3b0 5 bytes JMP 0000000077300390 .text C:\windows\system32\lsm.exe[716] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007719c490 5 bytes JMP 00000000773002e0 .text C:\windows\system32\lsm.exe[716] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007719c4a0 5 bytes JMP 0000000077300340 .text C:\windows\system32\lsm.exe[716] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007719c500 5 bytes JMP 0000000077300280 .text C:\windows\system32\lsm.exe[716] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007719c590 5 bytes JMP 00000000773002a0 .text C:\windows\system32\lsm.exe[716] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007719c5b0 5 bytes JMP 00000000773003c0 .text C:\windows\system32\lsm.exe[716] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007719c5c0 5 bytes JMP 0000000077300320 .text C:\windows\system32\lsm.exe[716] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007719c630 5 bytes JMP 0000000077300410 .text C:\windows\system32\lsm.exe[716] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007719c660 5 bytes JMP 0000000077300230 .text C:\windows\system32\lsm.exe[716] C:\windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007719c800 5 bytes JMP 00000000773003f0 .text C:\windows\system32\lsm.exe[716] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007719c920 5 bytes JMP 00000000773001d0 .text C:\windows\system32\lsm.exe[716] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007719c9e0 5 bytes JMP 0000000077300240 .text C:\windows\system32\lsm.exe[716] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007719ca10 5 bytes JMP 00000000773004b0 .text C:\windows\system32\lsm.exe[716] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007719ca20 5 bytes JMP 00000000773004c0 .text C:\windows\system32\lsm.exe[716] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007719ca50 5 bytes JMP 00000000773002f0 .text C:\windows\system32\lsm.exe[716] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007719ca60 5 bytes JMP 0000000077300350 .text C:\windows\system32\lsm.exe[716] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007719cac0 5 bytes JMP 0000000077300290 .text C:\windows\system32\lsm.exe[716] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007719cb10 5 bytes JMP 00000000773002b0 .text C:\windows\system32\lsm.exe[716] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007719cb40 5 bytes JMP 0000000077300370 .text C:\windows\system32\lsm.exe[716] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007719cb50 5 bytes JMP 0000000077300330 .text C:\windows\system32\lsm.exe[716] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007719ce40 5 bytes JMP 0000000077300460 .text C:\windows\system32\lsm.exe[716] C:\windows\SYSTEM32\ntdll.dll!NtResumeProcess 000000007719cfa0 5 bytes JMP 0000000077300420 .text C:\windows\system32\lsm.exe[716] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007719d040 5 bytes JMP 0000000077300250 .text C:\windows\system32\lsm.exe[716] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007719d050 5 bytes JMP 0000000077300260 .text C:\windows\system32\lsm.exe[716] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007719d060 5 bytes JMP 0000000077300400 .text C:\windows\system32\lsm.exe[716] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007719d220 5 bytes JMP 00000000773001e0 .text C:\windows\system32\lsm.exe[716] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007719d230 5 bytes JMP 0000000077300200 .text C:\windows\system32\lsm.exe[716] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007719d2a0 5 bytes JMP 00000000773001f0 .text C:\windows\system32\lsm.exe[716] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007719d300 5 bytes JMP 0000000077300430 .text C:\windows\system32\lsm.exe[716] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007719d310 5 bytes JMP 0000000077300450 .text C:\windows\system32\lsm.exe[716] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007719d320 5 bytes JMP 0000000077300210 .text C:\windows\system32\lsm.exe[716] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007719d400 5 bytes JMP 0000000077300270 .text C:\windows\system32\svchost.exe[832] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007719bbe0 5 bytes JMP 0000000077300480 .text C:\windows\system32\svchost.exe[832] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007719bc30 5 bytes JMP 0000000077300470 .text C:\windows\system32\svchost.exe[832] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007719bd90 5 bytes JMP 0000000077300360 .text C:\windows\system32\svchost.exe[832] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007719bde0 5 bytes JMP 0000000077300490 .text C:\windows\system32\svchost.exe[832] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007719bdf0 5 bytes JMP 00000000773003d0 .text C:\windows\system32\svchost.exe[832] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007719bea0 5 bytes JMP 0000000077300310 .text C:\windows\system32\svchost.exe[832] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007719bed0 5 bytes JMP 00000000773003a0 .text C:\windows\system32\svchost.exe[832] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007719bef0 1 byte JMP 0000000077300380 .text C:\windows\system32\svchost.exe[832] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 000000007719bef2 3 bytes {JMP 0x164490} .text C:\windows\system32\svchost.exe[832] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007719bf30 5 bytes JMP 00000000773002d0 .text C:\windows\system32\svchost.exe[832] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007719bfb0 5 bytes JMP 00000000773002c0 .text C:\windows\system32\svchost.exe[832] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007719bfd0 5 bytes JMP 0000000077300300 .text C:\windows\system32\svchost.exe[832] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007719c010 5 bytes JMP 00000000773003b0 .text C:\windows\system32\svchost.exe[832] C:\windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007719c050 5 bytes JMP 0000000077300440 .text C:\windows\system32\svchost.exe[832] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007719c060 5 bytes JMP 00000000773003e0 .text C:\windows\system32\svchost.exe[832] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007719c1c0 5 bytes JMP 0000000077300220 .text C:\windows\system32\svchost.exe[832] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007719c380 5 bytes JMP 00000000773004a0 .text C:\windows\system32\svchost.exe[832] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007719c3b0 5 bytes JMP 0000000077300390 .text C:\windows\system32\svchost.exe[832] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007719c490 5 bytes JMP 00000000773002e0 .text C:\windows\system32\svchost.exe[832] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007719c4a0 5 bytes JMP 0000000077300340 .text C:\windows\system32\svchost.exe[832] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007719c500 5 bytes JMP 0000000077300280 .text C:\windows\system32\svchost.exe[832] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007719c590 5 bytes JMP 00000000773002a0 .text C:\windows\system32\svchost.exe[832] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007719c5b0 5 bytes JMP 00000000773003c0 .text C:\windows\system32\svchost.exe[832] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007719c5c0 5 bytes JMP 0000000077300320 .text C:\windows\system32\svchost.exe[832] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007719c630 5 bytes JMP 0000000077300410 .text C:\windows\system32\svchost.exe[832] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007719c660 5 bytes JMP 0000000077300230 .text C:\windows\system32\svchost.exe[832] C:\windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007719c800 5 bytes JMP 00000000773003f0 .text C:\windows\system32\svchost.exe[832] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007719c920 5 bytes JMP 00000000773001d0 .text C:\windows\system32\svchost.exe[832] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007719c9e0 5 bytes JMP 0000000077300240 .text C:\windows\system32\svchost.exe[832] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007719ca10 5 bytes JMP 00000000773004b0 .text C:\windows\system32\svchost.exe[832] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007719ca20 5 bytes JMP 00000000773004c0 .text C:\windows\system32\svchost.exe[832] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007719ca50 5 bytes JMP 00000000773002f0 .text C:\windows\system32\svchost.exe[832] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007719ca60 5 bytes JMP 0000000077300350 .text C:\windows\system32\svchost.exe[832] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007719cac0 5 bytes JMP 0000000077300290 .text C:\windows\system32\svchost.exe[832] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007719cb10 5 bytes JMP 00000000773002b0 .text C:\windows\system32\svchost.exe[832] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007719cb40 5 bytes JMP 0000000077300370 .text C:\windows\system32\svchost.exe[832] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007719cb50 5 bytes JMP 0000000077300330 .text C:\windows\system32\svchost.exe[832] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007719ce40 5 bytes JMP 0000000077300460 .text C:\windows\system32\svchost.exe[832] C:\windows\SYSTEM32\ntdll.dll!NtResumeProcess 000000007719cfa0 5 bytes JMP 0000000077300420 .text C:\windows\system32\svchost.exe[832] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007719d040 5 bytes JMP 0000000077300250 .text C:\windows\system32\svchost.exe[832] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007719d050 5 bytes JMP 0000000077300260 .text C:\windows\system32\svchost.exe[832] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007719d060 5 bytes JMP 0000000077300400 .text C:\windows\system32\svchost.exe[832] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007719d220 5 bytes JMP 00000000773001e0 .text C:\windows\system32\svchost.exe[832] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007719d230 5 bytes JMP 0000000077300200 .text C:\windows\system32\svchost.exe[832] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007719d2a0 5 bytes JMP 00000000773001f0 .text C:\windows\system32\svchost.exe[832] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007719d300 5 bytes JMP 0000000077300430 .text C:\windows\system32\svchost.exe[832] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007719d310 5 bytes JMP 0000000077300450 .text C:\windows\system32\svchost.exe[832] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007719d320 5 bytes JMP 0000000077300210 .text C:\windows\system32\svchost.exe[832] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007719d400 5 bytes JMP 0000000077300270 .text C:\windows\system32\svchost.exe[924] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007719bbe0 5 bytes JMP 0000000077300480 .text C:\windows\system32\svchost.exe[924] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007719bc30 5 bytes JMP 0000000077300470 .text C:\windows\system32\svchost.exe[924] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007719bd90 5 bytes JMP 0000000077300360 .text C:\windows\system32\svchost.exe[924] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007719bde0 5 bytes JMP 0000000077300490 .text C:\windows\system32\svchost.exe[924] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007719bdf0 5 bytes JMP 00000000773003d0 .text C:\windows\system32\svchost.exe[924] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007719bea0 5 bytes JMP 0000000077300310 .text C:\windows\system32\svchost.exe[924] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007719bed0 5 bytes JMP 00000000773003a0 .text C:\windows\system32\svchost.exe[924] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007719bef0 1 byte JMP 0000000077300380 .text C:\windows\system32\svchost.exe[924] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 000000007719bef2 3 bytes {JMP 0x164490} .text C:\windows\system32\svchost.exe[924] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007719bf30 5 bytes JMP 00000000773002d0 .text C:\windows\system32\svchost.exe[924] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007719bfb0 5 bytes JMP 00000000773002c0 .text C:\windows\system32\svchost.exe[924] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007719bfd0 5 bytes JMP 0000000077300300 .text C:\windows\system32\svchost.exe[924] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007719c010 5 bytes JMP 00000000773003b0 .text C:\windows\system32\svchost.exe[924] C:\windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007719c050 5 bytes JMP 0000000077300440 .text C:\windows\system32\svchost.exe[924] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007719c060 5 bytes JMP 00000000773003e0 .text C:\windows\system32\svchost.exe[924] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007719c1c0 5 bytes JMP 0000000077300220 .text C:\windows\system32\svchost.exe[924] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007719c380 5 bytes JMP 00000000773004a0 .text C:\windows\system32\svchost.exe[924] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007719c3b0 5 bytes JMP 0000000077300390 .text C:\windows\system32\svchost.exe[924] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007719c490 5 bytes JMP 00000000773002e0 .text C:\windows\system32\svchost.exe[924] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007719c4a0 5 bytes JMP 0000000077300340 .text C:\windows\system32\svchost.exe[924] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007719c500 5 bytes JMP 0000000077300280 .text C:\windows\system32\svchost.exe[924] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007719c590 5 bytes JMP 00000000773002a0 .text C:\windows\system32\svchost.exe[924] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007719c5b0 5 bytes JMP 00000000773003c0 .text C:\windows\system32\svchost.exe[924] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007719c5c0 5 bytes JMP 0000000077300320 .text C:\windows\system32\svchost.exe[924] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007719c630 5 bytes JMP 0000000077300410 .text C:\windows\system32\svchost.exe[924] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007719c660 5 bytes JMP 0000000077300230 .text C:\windows\system32\svchost.exe[924] C:\windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007719c800 5 bytes JMP 00000000773003f0 .text C:\windows\system32\svchost.exe[924] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007719c920 5 bytes JMP 00000000773001d0 .text C:\windows\system32\svchost.exe[924] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007719c9e0 5 bytes JMP 0000000077300240 .text C:\windows\system32\svchost.exe[924] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007719ca10 5 bytes JMP 00000000773004b0 .text C:\windows\system32\svchost.exe[924] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007719ca20 5 bytes JMP 00000000773004c0 .text C:\windows\system32\svchost.exe[924] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007719ca50 5 bytes JMP 00000000773002f0 .text C:\windows\system32\svchost.exe[924] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007719ca60 5 bytes JMP 0000000077300350 .text C:\windows\system32\svchost.exe[924] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007719cac0 5 bytes JMP 0000000077300290 .text C:\windows\system32\svchost.exe[924] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007719cb10 5 bytes JMP 00000000773002b0 .text C:\windows\system32\svchost.exe[924] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007719cb40 5 bytes JMP 0000000077300370 .text C:\windows\system32\svchost.exe[924] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007719cb50 5 bytes JMP 0000000077300330 .text C:\windows\system32\svchost.exe[924] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007719ce40 5 bytes JMP 0000000077300460 .text C:\windows\system32\svchost.exe[924] C:\windows\SYSTEM32\ntdll.dll!NtResumeProcess 000000007719cfa0 5 bytes JMP 0000000077300420 .text C:\windows\system32\svchost.exe[924] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007719d040 5 bytes JMP 0000000077300250 .text C:\windows\system32\svchost.exe[924] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007719d050 5 bytes JMP 0000000077300260 .text C:\windows\system32\svchost.exe[924] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007719d060 5 bytes JMP 0000000077300400 .text C:\windows\system32\svchost.exe[924] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007719d220 5 bytes JMP 00000000773001e0 .text C:\windows\system32\svchost.exe[924] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007719d230 5 bytes JMP 0000000077300200 .text C:\windows\system32\svchost.exe[924] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007719d2a0 5 bytes JMP 00000000773001f0 .text C:\windows\system32\svchost.exe[924] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007719d300 5 bytes JMP 0000000077300430 .text C:\windows\system32\svchost.exe[924] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007719d310 5 bytes JMP 0000000077300450 .text C:\windows\system32\svchost.exe[924] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007719d320 5 bytes JMP 0000000077300210 .text C:\windows\system32\svchost.exe[924] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007719d400 5 bytes JMP 0000000077300270 .text C:\windows\System32\svchost.exe[1008] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007719bbe0 5 bytes JMP 0000000077300480 .text C:\windows\System32\svchost.exe[1008] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007719bc30 5 bytes JMP 0000000077300470 .text C:\windows\System32\svchost.exe[1008] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007719bd90 5 bytes JMP 0000000077300360 .text C:\windows\System32\svchost.exe[1008] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007719bde0 5 bytes JMP 0000000077300490 .text C:\windows\System32\svchost.exe[1008] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007719bdf0 5 bytes JMP 00000000773003d0 .text C:\windows\System32\svchost.exe[1008] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007719bea0 5 bytes JMP 0000000077300310 .text C:\windows\System32\svchost.exe[1008] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007719bed0 5 bytes JMP 00000000773003a0 .text C:\windows\System32\svchost.exe[1008] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007719bef0 1 byte JMP 0000000077300380 .text C:\windows\System32\svchost.exe[1008] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 000000007719bef2 3 bytes {JMP 0x164490} .text C:\windows\System32\svchost.exe[1008] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007719bf30 5 bytes JMP 00000000773002d0 .text C:\windows\System32\svchost.exe[1008] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007719bfb0 5 bytes JMP 00000000773002c0 .text C:\windows\System32\svchost.exe[1008] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007719bfd0 5 bytes JMP 0000000077300300 .text C:\windows\System32\svchost.exe[1008] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007719c010 5 bytes JMP 00000000773003b0 .text C:\windows\System32\svchost.exe[1008] C:\windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007719c050 5 bytes JMP 0000000077300440 .text C:\windows\System32\svchost.exe[1008] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007719c060 5 bytes JMP 00000000773003e0 .text C:\windows\System32\svchost.exe[1008] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007719c1c0 5 bytes JMP 0000000077300220 .text C:\windows\System32\svchost.exe[1008] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007719c380 5 bytes JMP 00000000773004a0 .text C:\windows\System32\svchost.exe[1008] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007719c3b0 5 bytes JMP 0000000077300390 .text C:\windows\System32\svchost.exe[1008] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007719c490 5 bytes JMP 00000000773002e0 .text C:\windows\System32\svchost.exe[1008] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007719c4a0 5 bytes JMP 0000000077300340 .text C:\windows\System32\svchost.exe[1008] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007719c500 5 bytes JMP 0000000077300280 .text C:\windows\System32\svchost.exe[1008] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007719c590 5 bytes JMP 00000000773002a0 .text C:\windows\System32\svchost.exe[1008] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007719c5b0 5 bytes JMP 00000000773003c0 .text C:\windows\System32\svchost.exe[1008] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007719c5c0 5 bytes JMP 0000000077300320 .text C:\windows\System32\svchost.exe[1008] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007719c630 5 bytes JMP 0000000077300410 .text C:\windows\System32\svchost.exe[1008] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007719c660 5 bytes JMP 0000000077300230 .text C:\windows\System32\svchost.exe[1008] C:\windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007719c800 5 bytes JMP 00000000773003f0 .text C:\windows\System32\svchost.exe[1008] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007719c920 5 bytes JMP 00000000773001d0 .text C:\windows\System32\svchost.exe[1008] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007719c9e0 5 bytes JMP 0000000077300240 .text C:\windows\System32\svchost.exe[1008] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007719ca10 5 bytes JMP 00000000773004b0 .text C:\windows\System32\svchost.exe[1008] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007719ca20 5 bytes JMP 00000000773004c0 .text C:\windows\System32\svchost.exe[1008] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007719ca50 5 bytes JMP 00000000773002f0 .text C:\windows\System32\svchost.exe[1008] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007719ca60 5 bytes JMP 0000000077300350 .text C:\windows\System32\svchost.exe[1008] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007719cac0 5 bytes JMP 0000000077300290 .text C:\windows\System32\svchost.exe[1008] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007719cb10 5 bytes JMP 00000000773002b0 .text C:\windows\System32\svchost.exe[1008] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007719cb40 5 bytes JMP 0000000077300370 .text C:\windows\System32\svchost.exe[1008] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007719cb50 5 bytes JMP 0000000077300330 .text C:\windows\System32\svchost.exe[1008] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007719ce40 5 bytes JMP 0000000077300460 .text C:\windows\System32\svchost.exe[1008] C:\windows\SYSTEM32\ntdll.dll!NtResumeProcess 000000007719cfa0 5 bytes JMP 0000000077300420 .text C:\windows\System32\svchost.exe[1008] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007719d040 5 bytes JMP 0000000077300250 .text C:\windows\System32\svchost.exe[1008] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007719d050 5 bytes JMP 0000000077300260 .text C:\windows\System32\svchost.exe[1008] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007719d060 5 bytes JMP 0000000077300400 .text C:\windows\System32\svchost.exe[1008] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007719d220 5 bytes JMP 00000000773001e0 .text C:\windows\System32\svchost.exe[1008] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007719d230 5 bytes JMP 0000000077300200 .text C:\windows\System32\svchost.exe[1008] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007719d2a0 5 bytes JMP 00000000773001f0 .text C:\windows\System32\svchost.exe[1008] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007719d300 5 bytes JMP 0000000077300430 .text C:\windows\System32\svchost.exe[1008] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007719d310 5 bytes JMP 0000000077300450 .text C:\windows\System32\svchost.exe[1008] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007719d320 5 bytes JMP 0000000077300210 .text C:\windows\System32\svchost.exe[1008] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007719d400 5 bytes JMP 0000000077300270 .text C:\windows\System32\svchost.exe[428] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007719bbe0 5 bytes JMP 0000000077300480 .text C:\windows\System32\svchost.exe[428] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007719bc30 5 bytes JMP 0000000077300470 .text C:\windows\System32\svchost.exe[428] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007719bd90 5 bytes JMP 0000000077300360 .text C:\windows\System32\svchost.exe[428] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007719bde0 5 bytes JMP 0000000077300490 .text C:\windows\System32\svchost.exe[428] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007719bdf0 5 bytes JMP 00000000773003d0 .text C:\windows\System32\svchost.exe[428] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007719bea0 5 bytes JMP 0000000077300310 .text C:\windows\System32\svchost.exe[428] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007719bed0 5 bytes JMP 00000000773003a0 .text C:\windows\System32\svchost.exe[428] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007719bef0 1 byte JMP 0000000077300380 .text C:\windows\System32\svchost.exe[428] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 000000007719bef2 3 bytes {JMP 0x164490} .text C:\windows\System32\svchost.exe[428] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007719bf30 5 bytes JMP 00000000773002d0 .text C:\windows\System32\svchost.exe[428] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007719bfb0 5 bytes JMP 00000000773002c0 .text C:\windows\System32\svchost.exe[428] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007719bfd0 5 bytes JMP 0000000077300300 .text C:\windows\System32\svchost.exe[428] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007719c010 5 bytes JMP 00000000773003b0 .text C:\windows\System32\svchost.exe[428] C:\windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007719c050 5 bytes JMP 0000000077300440 .text C:\windows\System32\svchost.exe[428] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007719c060 5 bytes JMP 00000000773003e0 .text C:\windows\System32\svchost.exe[428] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007719c1c0 5 bytes JMP 0000000077300220 .text C:\windows\System32\svchost.exe[428] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007719c380 5 bytes JMP 00000000773004a0 .text C:\windows\System32\svchost.exe[428] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007719c3b0 5 bytes JMP 0000000077300390 .text C:\windows\System32\svchost.exe[428] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007719c490 5 bytes JMP 00000000773002e0 .text C:\windows\System32\svchost.exe[428] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007719c4a0 5 bytes JMP 0000000077300340 .text C:\windows\System32\svchost.exe[428] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007719c500 5 bytes JMP 0000000077300280 .text C:\windows\System32\svchost.exe[428] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007719c590 5 bytes JMP 00000000773002a0 .text C:\windows\System32\svchost.exe[428] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007719c5b0 5 bytes JMP 00000000773003c0 .text C:\windows\System32\svchost.exe[428] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007719c5c0 5 bytes JMP 0000000077300320 .text C:\windows\System32\svchost.exe[428] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007719c630 5 bytes JMP 0000000077300410 .text C:\windows\System32\svchost.exe[428] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007719c660 5 bytes JMP 0000000077300230 .text C:\windows\System32\svchost.exe[428] C:\windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007719c800 5 bytes JMP 00000000773003f0 .text C:\windows\System32\svchost.exe[428] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007719c920 5 bytes JMP 00000000773001d0 .text C:\windows\System32\svchost.exe[428] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007719c9e0 5 bytes JMP 0000000077300240 .text C:\windows\System32\svchost.exe[428] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007719ca10 5 bytes JMP 00000000773004b0 .text C:\windows\System32\svchost.exe[428] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007719ca20 5 bytes JMP 00000000773004c0 .text C:\windows\System32\svchost.exe[428] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007719ca50 5 bytes JMP 00000000773002f0 .text C:\windows\System32\svchost.exe[428] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007719ca60 5 bytes JMP 0000000077300350 .text C:\windows\System32\svchost.exe[428] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007719cac0 5 bytes JMP 0000000077300290 .text C:\windows\System32\svchost.exe[428] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007719cb10 5 bytes JMP 00000000773002b0 .text C:\windows\System32\svchost.exe[428] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007719cb40 5 bytes JMP 0000000077300370 .text C:\windows\System32\svchost.exe[428] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007719cb50 5 bytes JMP 0000000077300330 .text C:\windows\System32\svchost.exe[428] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007719ce40 5 bytes JMP 0000000077300460 .text C:\windows\System32\svchost.exe[428] C:\windows\SYSTEM32\ntdll.dll!NtResumeProcess 000000007719cfa0 5 bytes JMP 0000000077300420 .text C:\windows\System32\svchost.exe[428] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007719d040 5 bytes JMP 0000000077300250 .text C:\windows\System32\svchost.exe[428] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007719d050 5 bytes JMP 0000000077300260 .text C:\windows\System32\svchost.exe[428] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007719d060 5 bytes JMP 0000000077300400 .text C:\windows\System32\svchost.exe[428] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007719d220 5 bytes JMP 00000000773001e0 .text C:\windows\System32\svchost.exe[428] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007719d230 5 bytes JMP 0000000077300200 .text C:\windows\System32\svchost.exe[428] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007719d2a0 5 bytes JMP 00000000773001f0 .text C:\windows\System32\svchost.exe[428] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007719d300 5 bytes JMP 0000000077300430 .text C:\windows\System32\svchost.exe[428] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007719d310 5 bytes JMP 0000000077300450 .text C:\windows\System32\svchost.exe[428] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007719d320 5 bytes JMP 0000000077300210 .text C:\windows\System32\svchost.exe[428] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007719d400 5 bytes JMP 0000000077300270 .text C:\windows\system32\svchost.exe[564] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007719bbe0 5 bytes JMP 0000000077300480 .text C:\windows\system32\svchost.exe[564] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007719bc30 5 bytes JMP 0000000077300470 .text C:\windows\system32\svchost.exe[564] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007719bd90 5 bytes JMP 0000000077300360 .text C:\windows\system32\svchost.exe[564] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007719bde0 5 bytes JMP 0000000077300490 .text C:\windows\system32\svchost.exe[564] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007719bdf0 5 bytes JMP 00000000773003d0 .text C:\windows\system32\svchost.exe[564] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007719bea0 5 bytes JMP 0000000077300310 .text C:\windows\system32\svchost.exe[564] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007719bed0 5 bytes JMP 00000000773003a0 .text C:\windows\system32\svchost.exe[564] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007719bef0 1 byte JMP 0000000077300380 .text C:\windows\system32\svchost.exe[564] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 000000007719bef2 3 bytes {JMP 0x164490} .text C:\windows\system32\svchost.exe[564] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007719bf30 5 bytes JMP 00000000773002d0 .text C:\windows\system32\svchost.exe[564] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007719bfb0 5 bytes JMP 00000000773002c0 .text C:\windows\system32\svchost.exe[564] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007719bfd0 5 bytes JMP 0000000077300300 .text C:\windows\system32\svchost.exe[564] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007719c010 5 bytes JMP 00000000773003b0 .text C:\windows\system32\svchost.exe[564] C:\windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007719c050 5 bytes JMP 0000000077300440 .text C:\windows\system32\svchost.exe[564] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007719c060 5 bytes JMP 00000000773003e0 .text C:\windows\system32\svchost.exe[564] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007719c1c0 5 bytes JMP 0000000077300220 .text C:\windows\system32\svchost.exe[564] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007719c380 5 bytes JMP 00000000773004a0 .text C:\windows\system32\svchost.exe[564] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007719c3b0 5 bytes JMP 0000000077300390 .text C:\windows\system32\svchost.exe[564] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007719c490 5 bytes JMP 00000000773002e0 .text C:\windows\system32\svchost.exe[564] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007719c4a0 5 bytes JMP 0000000077300340 .text C:\windows\system32\svchost.exe[564] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007719c500 5 bytes JMP 0000000077300280 .text C:\windows\system32\svchost.exe[564] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007719c590 5 bytes JMP 00000000773002a0 .text C:\windows\system32\svchost.exe[564] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007719c5b0 5 bytes JMP 00000000773003c0 .text C:\windows\system32\svchost.exe[564] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007719c5c0 5 bytes JMP 0000000077300320 .text C:\windows\system32\svchost.exe[564] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007719c630 5 bytes JMP 0000000077300410 .text C:\windows\system32\svchost.exe[564] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007719c660 5 bytes JMP 0000000077300230 .text C:\windows\system32\svchost.exe[564] C:\windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007719c800 5 bytes JMP 00000000773003f0 .text C:\windows\system32\svchost.exe[564] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007719c920 5 bytes JMP 00000000773001d0 .text C:\windows\system32\svchost.exe[564] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007719c9e0 5 bytes JMP 0000000077300240 .text C:\windows\system32\svchost.exe[564] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007719ca10 5 bytes JMP 00000000773004b0 .text C:\windows\system32\svchost.exe[564] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007719ca20 5 bytes JMP 00000000773004c0 .text C:\windows\system32\svchost.exe[564] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007719ca50 5 bytes JMP 00000000773002f0 .text C:\windows\system32\svchost.exe[564] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007719ca60 5 bytes JMP 0000000077300350 .text C:\windows\system32\svchost.exe[564] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007719cac0 5 bytes JMP 0000000077300290 .text C:\windows\system32\svchost.exe[564] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007719cb10 5 bytes JMP 00000000773002b0 .text C:\windows\system32\svchost.exe[564] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007719cb40 5 bytes JMP 0000000077300370 .text C:\windows\system32\svchost.exe[564] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007719cb50 5 bytes JMP 0000000077300330 .text C:\windows\system32\svchost.exe[564] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007719ce40 5 bytes JMP 0000000077300460 .text C:\windows\system32\svchost.exe[564] C:\windows\SYSTEM32\ntdll.dll!NtResumeProcess 000000007719cfa0 5 bytes JMP 0000000077300420 .text C:\windows\system32\svchost.exe[564] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007719d040 5 bytes JMP 0000000077300250 .text C:\windows\system32\svchost.exe[564] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007719d050 5 bytes JMP 0000000077300260 .text C:\windows\system32\svchost.exe[564] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007719d060 5 bytes JMP 0000000077300400 .text C:\windows\system32\svchost.exe[564] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007719d220 5 bytes JMP 00000000773001e0 .text C:\windows\system32\svchost.exe[564] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007719d230 5 bytes JMP 0000000077300200 .text C:\windows\system32\svchost.exe[564] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007719d2a0 5 bytes JMP 00000000773001f0 .text C:\windows\system32\svchost.exe[564] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007719d300 5 bytes JMP 0000000077300430 .text C:\windows\system32\svchost.exe[564] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007719d310 5 bytes JMP 0000000077300450 .text C:\windows\system32\svchost.exe[564] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007719d320 5 bytes JMP 0000000077300210 .text C:\windows\system32\svchost.exe[564] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007719d400 5 bytes JMP 0000000077300270 .text C:\windows\system32\svchost.exe[420] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007719bbe0 5 bytes JMP 0000000077300480 .text C:\windows\system32\svchost.exe[420] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007719bc30 5 bytes JMP 0000000077300470 .text C:\windows\system32\svchost.exe[420] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007719bd90 5 bytes JMP 0000000077300360 .text C:\windows\system32\svchost.exe[420] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007719bde0 5 bytes JMP 0000000077300490 .text C:\windows\system32\svchost.exe[420] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007719bdf0 5 bytes JMP 00000000773003d0 .text C:\windows\system32\svchost.exe[420] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007719bea0 5 bytes JMP 0000000077300310 .text C:\windows\system32\svchost.exe[420] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007719bed0 5 bytes JMP 00000000773003a0 .text C:\windows\system32\svchost.exe[420] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007719bef0 1 byte JMP 0000000077300380 .text C:\windows\system32\svchost.exe[420] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 000000007719bef2 3 bytes {JMP 0x164490} .text C:\windows\system32\svchost.exe[420] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007719bf30 5 bytes JMP 00000000773002d0 .text C:\windows\system32\svchost.exe[420] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007719bfb0 5 bytes JMP 00000000773002c0 .text C:\windows\system32\svchost.exe[420] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007719bfd0 5 bytes JMP 0000000077300300 .text C:\windows\system32\svchost.exe[420] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007719c010 5 bytes JMP 00000000773003b0 .text C:\windows\system32\svchost.exe[420] C:\windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007719c050 5 bytes JMP 0000000077300440 .text C:\windows\system32\svchost.exe[420] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007719c060 5 bytes JMP 00000000773003e0 .text C:\windows\system32\svchost.exe[420] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007719c1c0 5 bytes JMP 0000000077300220 .text C:\windows\system32\svchost.exe[420] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007719c380 5 bytes JMP 00000000773004a0 .text C:\windows\system32\svchost.exe[420] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007719c3b0 5 bytes JMP 0000000077300390 .text C:\windows\system32\svchost.exe[420] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007719c490 5 bytes JMP 00000000773002e0 .text C:\windows\system32\svchost.exe[420] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007719c4a0 5 bytes JMP 0000000077300340 .text C:\windows\system32\svchost.exe[420] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007719c500 5 bytes JMP 0000000077300280 .text C:\windows\system32\svchost.exe[420] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007719c590 5 bytes JMP 00000000773002a0 .text C:\windows\system32\svchost.exe[420] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007719c5b0 5 bytes JMP 00000000773003c0 .text C:\windows\system32\svchost.exe[420] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007719c5c0 5 bytes JMP 0000000077300320 .text C:\windows\system32\svchost.exe[420] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007719c630 5 bytes JMP 0000000077300410 .text C:\windows\system32\svchost.exe[420] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007719c660 5 bytes JMP 0000000077300230 .text C:\windows\system32\svchost.exe[420] C:\windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007719c800 5 bytes JMP 00000000773003f0 .text C:\windows\system32\svchost.exe[420] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007719c920 5 bytes JMP 00000000773001d0 .text C:\windows\system32\svchost.exe[420] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007719c9e0 5 bytes JMP 0000000077300240 .text C:\windows\system32\svchost.exe[420] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007719ca10 5 bytes JMP 00000000773004b0 .text C:\windows\system32\svchost.exe[420] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007719ca20 5 bytes JMP 00000000773004c0 .text C:\windows\system32\svchost.exe[420] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007719ca50 5 bytes JMP 00000000773002f0 .text C:\windows\system32\svchost.exe[420] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007719ca60 5 bytes JMP 0000000077300350 .text C:\windows\system32\svchost.exe[420] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007719cac0 5 bytes JMP 0000000077300290 .text C:\windows\system32\svchost.exe[420] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007719cb10 5 bytes JMP 00000000773002b0 .text C:\windows\system32\svchost.exe[420] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007719cb40 5 bytes JMP 0000000077300370 .text C:\windows\system32\svchost.exe[420] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007719cb50 5 bytes JMP 0000000077300330 .text C:\windows\system32\svchost.exe[420] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007719ce40 5 bytes JMP 0000000077300460 .text C:\windows\system32\svchost.exe[420] C:\windows\SYSTEM32\ntdll.dll!NtResumeProcess 000000007719cfa0 5 bytes JMP 0000000077300420 .text C:\windows\system32\svchost.exe[420] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007719d040 5 bytes JMP 0000000077300250 .text C:\windows\system32\svchost.exe[420] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007719d050 5 bytes JMP 0000000077300260 .text C:\windows\system32\svchost.exe[420] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007719d060 5 bytes JMP 0000000077300400 .text C:\windows\system32\svchost.exe[420] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007719d220 5 bytes JMP 00000000773001e0 .text C:\windows\system32\svchost.exe[420] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007719d230 5 bytes JMP 0000000077300200 .text C:\windows\system32\svchost.exe[420] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007719d2a0 5 bytes JMP 00000000773001f0 .text C:\windows\system32\svchost.exe[420] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007719d300 5 bytes JMP 0000000077300430 .text C:\windows\system32\svchost.exe[420] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007719d310 5 bytes JMP 0000000077300450 .text C:\windows\system32\svchost.exe[420] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007719d320 5 bytes JMP 0000000077300210 .text C:\windows\system32\svchost.exe[420] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007719d400 5 bytes JMP 0000000077300270 .text C:\windows\system32\svchost.exe[1264] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007719bbe0 5 bytes JMP 0000000077300480 .text C:\windows\system32\svchost.exe[1264] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007719bc30 5 bytes JMP 0000000077300470 .text C:\windows\system32\svchost.exe[1264] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007719bd90 5 bytes JMP 0000000077300360 .text C:\windows\system32\svchost.exe[1264] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007719bde0 5 bytes JMP 0000000077300490 .text C:\windows\system32\svchost.exe[1264] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007719bdf0 5 bytes JMP 00000000773003d0 .text C:\windows\system32\svchost.exe[1264] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007719bea0 5 bytes JMP 0000000077300310 .text C:\windows\system32\svchost.exe[1264] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007719bed0 5 bytes JMP 00000000773003a0 .text C:\windows\system32\svchost.exe[1264] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007719bef0 1 byte JMP 0000000077300380 .text C:\windows\system32\svchost.exe[1264] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 000000007719bef2 3 bytes {JMP 0x164490} .text C:\windows\system32\svchost.exe[1264] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007719bf30 5 bytes JMP 00000000773002d0 .text C:\windows\system32\svchost.exe[1264] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007719bfb0 5 bytes JMP 00000000773002c0 .text C:\windows\system32\svchost.exe[1264] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007719bfd0 5 bytes JMP 0000000077300300 .text C:\windows\system32\svchost.exe[1264] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007719c010 5 bytes JMP 00000000773003b0 .text C:\windows\system32\svchost.exe[1264] C:\windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007719c050 5 bytes JMP 0000000077300440 .text C:\windows\system32\svchost.exe[1264] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007719c060 5 bytes JMP 00000000773003e0 .text C:\windows\system32\svchost.exe[1264] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007719c1c0 5 bytes JMP 0000000077300220 .text C:\windows\system32\svchost.exe[1264] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007719c380 5 bytes JMP 00000000773004a0 .text C:\windows\system32\svchost.exe[1264] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007719c3b0 5 bytes JMP 0000000077300390 .text C:\windows\system32\svchost.exe[1264] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007719c490 5 bytes JMP 00000000773002e0 .text C:\windows\system32\svchost.exe[1264] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007719c4a0 5 bytes JMP 0000000077300340 .text C:\windows\system32\svchost.exe[1264] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007719c500 5 bytes JMP 0000000077300280 .text C:\windows\system32\svchost.exe[1264] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007719c590 5 bytes JMP 00000000773002a0 .text C:\windows\system32\svchost.exe[1264] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007719c5b0 5 bytes JMP 00000000773003c0 .text C:\windows\system32\svchost.exe[1264] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007719c5c0 5 bytes JMP 0000000077300320 .text C:\windows\system32\svchost.exe[1264] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007719c630 5 bytes JMP 0000000077300410 .text C:\windows\system32\svchost.exe[1264] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007719c660 5 bytes JMP 0000000077300230 .text C:\windows\system32\svchost.exe[1264] C:\windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007719c800 5 bytes JMP 00000000773003f0 .text C:\windows\system32\svchost.exe[1264] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007719c920 5 bytes JMP 00000000773001d0 .text C:\windows\system32\svchost.exe[1264] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007719c9e0 5 bytes JMP 0000000077300240 .text C:\windows\system32\svchost.exe[1264] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007719ca10 5 bytes JMP 00000000773004b0 .text C:\windows\system32\svchost.exe[1264] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007719ca20 5 bytes JMP 00000000773004c0 .text C:\windows\system32\svchost.exe[1264] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007719ca50 5 bytes JMP 00000000773002f0 .text C:\windows\system32\svchost.exe[1264] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007719ca60 5 bytes JMP 0000000077300350 .text C:\windows\system32\svchost.exe[1264] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007719cac0 5 bytes JMP 0000000077300290 .text C:\windows\system32\svchost.exe[1264] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007719cb10 5 bytes JMP 00000000773002b0 .text C:\windows\system32\svchost.exe[1264] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007719cb40 5 bytes JMP 0000000077300370 .text C:\windows\system32\svchost.exe[1264] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007719cb50 5 bytes JMP 0000000077300330 .text C:\windows\system32\svchost.exe[1264] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007719ce40 5 bytes JMP 0000000077300460 .text C:\windows\system32\svchost.exe[1264] C:\windows\SYSTEM32\ntdll.dll!NtResumeProcess 000000007719cfa0 5 bytes JMP 0000000077300420 .text C:\windows\system32\svchost.exe[1264] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007719d040 5 bytes JMP 0000000077300250 .text C:\windows\system32\svchost.exe[1264] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007719d050 5 bytes JMP 0000000077300260 .text C:\windows\system32\svchost.exe[1264] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007719d060 5 bytes JMP 0000000077300400 .text C:\windows\system32\svchost.exe[1264] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007719d220 5 bytes JMP 00000000773001e0 .text C:\windows\system32\svchost.exe[1264] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007719d230 5 bytes JMP 0000000077300200 .text C:\windows\system32\svchost.exe[1264] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007719d2a0 5 bytes JMP 00000000773001f0 .text C:\windows\system32\svchost.exe[1264] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007719d300 5 bytes JMP 0000000077300430 .text C:\windows\system32\svchost.exe[1264] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007719d310 5 bytes JMP 0000000077300450 .text C:\windows\system32\svchost.exe[1264] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007719d320 5 bytes JMP 0000000077300210 .text C:\windows\system32\svchost.exe[1264] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007719d400 5 bytes JMP 0000000077300270 .text C:\windows\system32\svchost.exe[1636] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007719bbe0 5 bytes JMP 0000000077300480 .text C:\windows\system32\svchost.exe[1636] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007719bc30 5 bytes JMP 0000000077300470 .text C:\windows\system32\svchost.exe[1636] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007719bd90 5 bytes JMP 0000000077300360 .text C:\windows\system32\svchost.exe[1636] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007719bde0 5 bytes JMP 0000000077300490 .text C:\windows\system32\svchost.exe[1636] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007719bdf0 5 bytes JMP 00000000773003d0 .text C:\windows\system32\svchost.exe[1636] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007719bea0 5 bytes JMP 0000000077300310 .text C:\windows\system32\svchost.exe[1636] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007719bed0 5 bytes JMP 00000000773003a0 .text C:\windows\system32\svchost.exe[1636] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007719bef0 1 byte JMP 0000000077300380 .text C:\windows\system32\svchost.exe[1636] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 000000007719bef2 3 bytes {JMP 0x164490} .text C:\windows\system32\svchost.exe[1636] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007719bf30 5 bytes JMP 00000000773002d0 .text C:\windows\system32\svchost.exe[1636] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007719bfb0 5 bytes JMP 00000000773002c0 .text C:\windows\system32\svchost.exe[1636] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007719bfd0 5 bytes JMP 0000000077300300 .text C:\windows\system32\svchost.exe[1636] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007719c010 5 bytes JMP 00000000773003b0 .text C:\windows\system32\svchost.exe[1636] C:\windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007719c050 5 bytes JMP 0000000077300440 .text C:\windows\system32\svchost.exe[1636] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007719c060 5 bytes JMP 00000000773003e0 .text C:\windows\system32\svchost.exe[1636] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007719c1c0 5 bytes JMP 0000000077300220 .text C:\windows\system32\svchost.exe[1636] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007719c380 5 bytes JMP 00000000773004a0 .text C:\windows\system32\svchost.exe[1636] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007719c3b0 5 bytes JMP 0000000077300390 .text C:\windows\system32\svchost.exe[1636] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007719c490 5 bytes JMP 00000000773002e0 .text C:\windows\system32\svchost.exe[1636] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007719c4a0 5 bytes JMP 0000000077300340 .text C:\windows\system32\svchost.exe[1636] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007719c500 5 bytes JMP 0000000077300280 .text C:\windows\system32\svchost.exe[1636] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007719c590 5 bytes JMP 00000000773002a0 .text C:\windows\system32\svchost.exe[1636] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007719c5b0 5 bytes JMP 00000000773003c0 .text C:\windows\system32\svchost.exe[1636] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007719c5c0 5 bytes JMP 0000000077300320 .text C:\windows\system32\svchost.exe[1636] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007719c630 5 bytes JMP 0000000077300410 .text C:\windows\system32\svchost.exe[1636] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007719c660 5 bytes JMP 0000000077300230 .text C:\windows\system32\svchost.exe[1636] C:\windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007719c800 5 bytes JMP 00000000773003f0 .text C:\windows\system32\svchost.exe[1636] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007719c920 5 bytes JMP 00000000773001d0 .text C:\windows\system32\svchost.exe[1636] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007719c9e0 5 bytes JMP 0000000077300240 .text C:\windows\system32\svchost.exe[1636] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007719ca10 5 bytes JMP 00000000773004b0 .text C:\windows\system32\svchost.exe[1636] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007719ca20 5 bytes JMP 00000000773004c0 .text C:\windows\system32\svchost.exe[1636] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007719ca50 5 bytes JMP 00000000773002f0 .text C:\windows\system32\svchost.exe[1636] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007719ca60 5 bytes JMP 0000000077300350 .text C:\windows\system32\svchost.exe[1636] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007719cac0 5 bytes JMP 0000000077300290 .text C:\windows\system32\svchost.exe[1636] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007719cb10 5 bytes JMP 00000000773002b0 .text C:\windows\system32\svchost.exe[1636] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007719cb40 5 bytes JMP 0000000077300370 .text C:\windows\system32\svchost.exe[1636] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007719cb50 5 bytes JMP 0000000077300330 .text C:\windows\system32\svchost.exe[1636] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007719ce40 5 bytes JMP 0000000077300460 .text C:\windows\system32\svchost.exe[1636] C:\windows\SYSTEM32\ntdll.dll!NtResumeProcess 000000007719cfa0 5 bytes JMP 0000000077300420 .text C:\windows\system32\svchost.exe[1636] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007719d040 5 bytes JMP 0000000077300250 .text C:\windows\system32\svchost.exe[1636] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007719d050 5 bytes JMP 0000000077300260 .text C:\windows\system32\svchost.exe[1636] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007719d060 5 bytes JMP 0000000077300400 .text C:\windows\system32\svchost.exe[1636] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007719d220 5 bytes JMP 00000000773001e0 .text C:\windows\system32\svchost.exe[1636] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007719d230 5 bytes JMP 0000000077300200 .text C:\windows\system32\svchost.exe[1636] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007719d2a0 5 bytes JMP 00000000773001f0 .text C:\windows\system32\svchost.exe[1636] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007719d300 5 bytes JMP 0000000077300430 .text C:\windows\system32\svchost.exe[1636] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007719d310 5 bytes JMP 0000000077300450 .text C:\windows\system32\svchost.exe[1636] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007719d320 5 bytes JMP 0000000077300210 .text C:\windows\system32\svchost.exe[1636] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007719d400 5 bytes JMP 0000000077300270 .text C:\windows\System32\svchost.exe[1436] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007719bbe0 5 bytes JMP 0000000077300480 .text C:\windows\System32\svchost.exe[1436] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007719bc30 5 bytes JMP 0000000077300470 .text C:\windows\System32\svchost.exe[1436] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007719bd90 5 bytes JMP 0000000077300360 .text C:\windows\System32\svchost.exe[1436] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007719bde0 5 bytes JMP 0000000077300490 .text C:\windows\System32\svchost.exe[1436] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007719bdf0 5 bytes JMP 00000000773003d0 .text C:\windows\System32\svchost.exe[1436] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007719bea0 5 bytes JMP 0000000077300310 .text C:\windows\System32\svchost.exe[1436] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007719bed0 5 bytes JMP 00000000773003a0 .text C:\windows\System32\svchost.exe[1436] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007719bef0 1 byte JMP 0000000077300380 .text C:\windows\System32\svchost.exe[1436] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 000000007719bef2 3 bytes {JMP 0x164490} .text C:\windows\System32\svchost.exe[1436] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007719bf30 5 bytes JMP 00000000773002d0 .text C:\windows\System32\svchost.exe[1436] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007719bfb0 5 bytes JMP 00000000773002c0 .text C:\windows\System32\svchost.exe[1436] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007719bfd0 5 bytes JMP 0000000077300300 .text C:\windows\System32\svchost.exe[1436] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007719c010 5 bytes JMP 00000000773003b0 .text C:\windows\System32\svchost.exe[1436] C:\windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007719c050 5 bytes JMP 0000000077300440 .text C:\windows\System32\svchost.exe[1436] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007719c060 5 bytes JMP 00000000773003e0 .text C:\windows\System32\svchost.exe[1436] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007719c1c0 5 bytes JMP 0000000077300220 .text C:\windows\System32\svchost.exe[1436] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007719c380 5 bytes JMP 00000000773004a0 .text C:\windows\System32\svchost.exe[1436] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007719c3b0 5 bytes JMP 0000000077300390 .text C:\windows\System32\svchost.exe[1436] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007719c490 5 bytes JMP 00000000773002e0 .text C:\windows\System32\svchost.exe[1436] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007719c4a0 5 bytes JMP 0000000077300340 .text C:\windows\System32\svchost.exe[1436] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007719c500 5 bytes JMP 0000000077300280 .text C:\windows\System32\svchost.exe[1436] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007719c590 5 bytes JMP 00000000773002a0 .text C:\windows\System32\svchost.exe[1436] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007719c5b0 5 bytes JMP 00000000773003c0 .text C:\windows\System32\svchost.exe[1436] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007719c5c0 5 bytes JMP 0000000077300320 .text C:\windows\System32\svchost.exe[1436] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007719c630 5 bytes JMP 0000000077300410 .text C:\windows\System32\svchost.exe[1436] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007719c660 5 bytes JMP 0000000077300230 .text C:\windows\System32\svchost.exe[1436] C:\windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007719c800 5 bytes JMP 00000000773003f0 .text C:\windows\System32\svchost.exe[1436] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007719c920 5 bytes JMP 00000000773001d0 .text C:\windows\System32\svchost.exe[1436] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007719c9e0 5 bytes JMP 0000000077300240 .text C:\windows\System32\svchost.exe[1436] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007719ca10 5 bytes JMP 00000000773004b0 .text C:\windows\System32\svchost.exe[1436] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007719ca20 5 bytes JMP 00000000773004c0 .text C:\windows\System32\svchost.exe[1436] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007719ca50 5 bytes JMP 00000000773002f0 .text C:\windows\System32\svchost.exe[1436] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007719ca60 5 bytes JMP 0000000077300350 .text C:\windows\System32\svchost.exe[1436] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007719cac0 5 bytes JMP 0000000077300290 .text C:\windows\System32\svchost.exe[1436] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007719cb10 5 bytes JMP 00000000773002b0 .text C:\windows\System32\svchost.exe[1436] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007719cb40 5 bytes JMP 0000000077300370 .text C:\windows\System32\svchost.exe[1436] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007719cb50 5 bytes JMP 0000000077300330 .text C:\windows\System32\svchost.exe[1436] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007719ce40 5 bytes JMP 0000000077300460 .text C:\windows\System32\svchost.exe[1436] C:\windows\SYSTEM32\ntdll.dll!NtResumeProcess 000000007719cfa0 5 bytes JMP 0000000077300420 .text C:\windows\System32\svchost.exe[1436] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007719d040 5 bytes JMP 0000000077300250 .text C:\windows\System32\svchost.exe[1436] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007719d050 5 bytes JMP 0000000077300260 .text C:\windows\System32\svchost.exe[1436] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007719d060 5 bytes JMP 0000000077300400 .text C:\windows\System32\svchost.exe[1436] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007719d220 5 bytes JMP 00000000773001e0 .text C:\windows\System32\svchost.exe[1436] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007719d230 5 bytes JMP 0000000077300200 .text C:\windows\System32\svchost.exe[1436] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007719d2a0 5 bytes JMP 00000000773001f0 .text C:\windows\System32\svchost.exe[1436] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007719d300 5 bytes JMP 0000000077300430 .text C:\windows\System32\svchost.exe[1436] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007719d310 5 bytes JMP 0000000077300450 .text C:\windows\System32\svchost.exe[1436] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007719d320 5 bytes JMP 0000000077300210 .text C:\windows\System32\svchost.exe[1436] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007719d400 5 bytes JMP 0000000077300270 .text C:\windows\system32\svchost.exe[1476] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007719bbe0 5 bytes JMP 0000000077300480 .text C:\windows\system32\svchost.exe[1476] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007719bc30 5 bytes JMP 0000000077300470 .text C:\windows\system32\svchost.exe[1476] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007719bd90 5 bytes JMP 0000000077300360 .text C:\windows\system32\svchost.exe[1476] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007719bde0 5 bytes JMP 0000000077300490 .text C:\windows\system32\svchost.exe[1476] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007719bdf0 5 bytes JMP 00000000773003d0 .text C:\windows\system32\svchost.exe[1476] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007719bea0 5 bytes JMP 0000000077300310 .text C:\windows\system32\svchost.exe[1476] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007719bed0 5 bytes JMP 00000000773003a0 .text C:\windows\system32\svchost.exe[1476] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007719bef0 1 byte JMP 0000000077300380 .text C:\windows\system32\svchost.exe[1476] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 000000007719bef2 3 bytes {JMP 0x164490} .text C:\windows\system32\svchost.exe[1476] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007719bf30 5 bytes JMP 00000000773002d0 .text C:\windows\system32\svchost.exe[1476] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007719bfb0 5 bytes JMP 00000000773002c0 .text C:\windows\system32\svchost.exe[1476] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007719bfd0 5 bytes JMP 0000000077300300 .text C:\windows\system32\svchost.exe[1476] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007719c010 5 bytes JMP 00000000773003b0 .text C:\windows\system32\svchost.exe[1476] C:\windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007719c050 5 bytes JMP 0000000077300440 .text C:\windows\system32\svchost.exe[1476] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007719c060 5 bytes JMP 00000000773003e0 .text C:\windows\system32\svchost.exe[1476] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007719c1c0 5 bytes JMP 0000000077300220 .text C:\windows\system32\svchost.exe[1476] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007719c380 5 bytes JMP 00000000773004a0 .text C:\windows\system32\svchost.exe[1476] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007719c3b0 5 bytes JMP 0000000077300390 .text C:\windows\system32\svchost.exe[1476] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007719c490 5 bytes JMP 00000000773002e0 .text C:\windows\system32\svchost.exe[1476] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007719c4a0 5 bytes JMP 0000000077300340 .text C:\windows\system32\svchost.exe[1476] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007719c500 5 bytes JMP 0000000077300280 .text C:\windows\system32\svchost.exe[1476] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007719c590 5 bytes JMP 00000000773002a0 .text C:\windows\system32\svchost.exe[1476] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007719c5b0 5 bytes JMP 00000000773003c0 .text C:\windows\system32\svchost.exe[1476] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007719c5c0 5 bytes JMP 0000000077300320 .text C:\windows\system32\svchost.exe[1476] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007719c630 5 bytes JMP 0000000077300410 .text C:\windows\system32\svchost.exe[1476] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007719c660 5 bytes JMP 0000000077300230 .text C:\windows\system32\svchost.exe[1476] C:\windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007719c800 5 bytes JMP 00000000773003f0 .text C:\windows\system32\svchost.exe[1476] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007719c920 5 bytes JMP 00000000773001d0 .text C:\windows\system32\svchost.exe[1476] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007719c9e0 5 bytes JMP 0000000077300240 .text C:\windows\system32\svchost.exe[1476] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007719ca10 5 bytes JMP 00000000773004b0 .text C:\windows\system32\svchost.exe[1476] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007719ca20 5 bytes JMP 00000000773004c0 .text C:\windows\system32\svchost.exe[1476] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007719ca50 5 bytes JMP 00000000773002f0 .text C:\windows\system32\svchost.exe[1476] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007719ca60 5 bytes JMP 0000000077300350 .text C:\windows\system32\svchost.exe[1476] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007719cac0 5 bytes JMP 0000000077300290 .text C:\windows\system32\svchost.exe[1476] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007719cb10 5 bytes JMP 00000000773002b0 .text C:\windows\system32\svchost.exe[1476] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007719cb40 5 bytes JMP 0000000077300370 .text C:\windows\system32\svchost.exe[1476] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007719cb50 5 bytes JMP 0000000077300330 .text C:\windows\system32\svchost.exe[1476] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007719ce40 5 bytes JMP 0000000077300460 .text C:\windows\system32\svchost.exe[1476] C:\windows\SYSTEM32\ntdll.dll!NtResumeProcess 000000007719cfa0 5 bytes JMP 0000000077300420 .text C:\windows\system32\svchost.exe[1476] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007719d040 5 bytes JMP 0000000077300250 .text C:\windows\system32\svchost.exe[1476] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007719d050 5 bytes JMP 0000000077300260 .text C:\windows\system32\svchost.exe[1476] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007719d060 5 bytes JMP 0000000077300400 .text C:\windows\system32\svchost.exe[1476] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007719d220 5 bytes JMP 00000000773001e0 .text C:\windows\system32\svchost.exe[1476] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007719d230 5 bytes JMP 0000000077300200 .text C:\windows\system32\svchost.exe[1476] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007719d2a0 5 bytes JMP 00000000773001f0 .text C:\windows\system32\svchost.exe[1476] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007719d300 5 bytes JMP 0000000077300430 .text C:\windows\system32\svchost.exe[1476] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007719d310 5 bytes JMP 0000000077300450 .text C:\windows\system32\svchost.exe[1476] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007719d320 5 bytes JMP 0000000077300210 .text C:\windows\system32\svchost.exe[1476] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007719d400 5 bytes JMP 0000000077300270 .text C:\windows\SysWOW64\PnkBstrA.exe[2128] C:\windows\SysWOW64\WSOCK32.dll!recv + 82 0000000072f217fa 2 bytes CALL 76e311a9 C:\windows\syswow64\kernel32.dll .text C:\windows\SysWOW64\PnkBstrA.exe[2128] C:\windows\SysWOW64\WSOCK32.dll!recvfrom + 88 0000000072f21860 2 bytes CALL 76e311a9 C:\windows\syswow64\kernel32.dll .text C:\windows\SysWOW64\PnkBstrA.exe[2128] C:\windows\SysWOW64\WSOCK32.dll!setsockopt + 98 0000000072f21942 2 bytes JMP 76816da1 C:\windows\syswow64\WS2_32.dll .text C:\windows\SysWOW64\PnkBstrA.exe[2128] C:\windows\SysWOW64\WSOCK32.dll!setsockopt + 109 0000000072f2194d 2 bytes JMP 7681e8de C:\windows\syswow64\WS2_32.dll .text C:\Program Files (x86)\Dell DataSafe Local Backup\sftservice.EXE[2152] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000074fa1401 2 bytes JMP 76e5b263 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Dell DataSafe Local Backup\sftservice.EXE[2152] C:\windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000074fa1419 2 bytes JMP 76e5b38e C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Dell DataSafe Local Backup\sftservice.EXE[2152] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000074fa1431 2 bytes JMP 76ed90f1 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Dell DataSafe Local Backup\sftservice.EXE[2152] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000074fa144a 2 bytes CALL 76e348ad C:\windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\Dell DataSafe Local Backup\sftservice.EXE[2152] C:\windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000074fa14dd 2 bytes JMP 76ed89ea C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Dell DataSafe Local Backup\sftservice.EXE[2152] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000074fa14f5 2 bytes JMP 76ed8bc0 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Dell DataSafe Local Backup\sftservice.EXE[2152] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000074fa150d 2 bytes JMP 76ed88e0 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Dell DataSafe Local Backup\sftservice.EXE[2152] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000074fa1525 2 bytes JMP 76ed8caa C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Dell DataSafe Local Backup\sftservice.EXE[2152] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000074fa153d 2 bytes JMP 76e4fce8 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Dell DataSafe Local Backup\sftservice.EXE[2152] C:\windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000074fa1555 2 bytes JMP 76e56937 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Dell DataSafe Local Backup\sftservice.EXE[2152] C:\windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000074fa156d 2 bytes JMP 76ed91a9 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Dell DataSafe Local Backup\sftservice.EXE[2152] C:\windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000074fa1585 2 bytes JMP 76ed8d0a C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Dell DataSafe Local Backup\sftservice.EXE[2152] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000074fa159d 2 bytes JMP 76ed88a4 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Dell DataSafe Local Backup\sftservice.EXE[2152] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000074fa15b5 2 bytes JMP 76e4fd81 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Dell DataSafe Local Backup\sftservice.EXE[2152] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000074fa15cd 2 bytes JMP 76e5b324 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Dell DataSafe Local Backup\sftservice.EXE[2152] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000074fa16b2 2 bytes JMP 76ed906c C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Dell DataSafe Local Backup\sftservice.EXE[2152] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000074fa16bd 2 bytes JMP 76ed8839 C:\windows\syswow64\kernel32.dll .text C:\windows\system32\svchost.exe[3064] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007719bbe0 5 bytes JMP 0000000077300480 .text C:\windows\system32\svchost.exe[3064] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007719bc30 5 bytes JMP 0000000077300470 .text C:\windows\system32\svchost.exe[3064] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007719bd90 5 bytes JMP 0000000077300360 .text C:\windows\system32\svchost.exe[3064] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007719bde0 5 bytes JMP 0000000077300490 .text C:\windows\system32\svchost.exe[3064] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007719bdf0 5 bytes JMP 00000000773003d0 .text C:\windows\system32\svchost.exe[3064] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007719bea0 5 bytes JMP 0000000077300310 .text C:\windows\system32\svchost.exe[3064] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007719bed0 5 bytes JMP 00000000773003a0 .text C:\windows\system32\svchost.exe[3064] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007719bef0 1 byte JMP 0000000077300380 .text C:\windows\system32\svchost.exe[3064] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 000000007719bef2 3 bytes {JMP 0x164490} .text C:\windows\system32\svchost.exe[3064] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007719bf30 5 bytes JMP 00000000773002d0 .text C:\windows\system32\svchost.exe[3064] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007719bfb0 5 bytes JMP 00000000773002c0 .text C:\windows\system32\svchost.exe[3064] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007719bfd0 5 bytes JMP 0000000077300300 .text C:\windows\system32\svchost.exe[3064] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007719c010 5 bytes JMP 00000000773003b0 .text C:\windows\system32\svchost.exe[3064] C:\windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007719c050 5 bytes JMP 0000000077300440 .text C:\windows\system32\svchost.exe[3064] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007719c060 5 bytes JMP 00000000773003e0 .text C:\windows\system32\svchost.exe[3064] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007719c1c0 5 bytes JMP 0000000077300220 .text C:\windows\system32\svchost.exe[3064] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007719c380 5 bytes JMP 00000000773004a0 .text C:\windows\system32\svchost.exe[3064] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007719c3b0 5 bytes JMP 0000000077300390 .text C:\windows\system32\svchost.exe[3064] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007719c490 5 bytes JMP 00000000773002e0 .text C:\windows\system32\svchost.exe[3064] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007719c4a0 5 bytes JMP 0000000077300340 .text C:\windows\system32\svchost.exe[3064] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007719c500 5 bytes JMP 0000000077300280 .text C:\windows\system32\svchost.exe[3064] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007719c590 5 bytes JMP 00000000773002a0 .text C:\windows\system32\svchost.exe[3064] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007719c5b0 5 bytes JMP 00000000773003c0 .text C:\windows\system32\svchost.exe[3064] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007719c5c0 5 bytes JMP 0000000077300320 .text C:\windows\system32\svchost.exe[3064] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007719c630 5 bytes JMP 0000000077300410 .text C:\windows\system32\svchost.exe[3064] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007719c660 5 bytes JMP 0000000077300230 .text C:\windows\system32\svchost.exe[3064] C:\windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007719c800 5 bytes JMP 00000000773003f0 .text C:\windows\system32\svchost.exe[3064] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007719c920 5 bytes JMP 00000000773001d0 .text C:\windows\system32\svchost.exe[3064] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007719c9e0 5 bytes JMP 0000000077300240 .text C:\windows\system32\svchost.exe[3064] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007719ca10 5 bytes JMP 00000000773004b0 .text C:\windows\system32\svchost.exe[3064] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007719ca20 5 bytes JMP 00000000773004c0 .text C:\windows\system32\svchost.exe[3064] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007719ca50 5 bytes JMP 00000000773002f0 .text C:\windows\system32\svchost.exe[3064] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007719ca60 5 bytes JMP 0000000077300350 .text C:\windows\system32\svchost.exe[3064] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007719cac0 5 bytes JMP 0000000077300290 .text C:\windows\system32\svchost.exe[3064] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007719cb10 5 bytes JMP 00000000773002b0 .text C:\windows\system32\svchost.exe[3064] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007719cb40 5 bytes JMP 0000000077300370 .text C:\windows\system32\svchost.exe[3064] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007719cb50 5 bytes JMP 0000000077300330 .text C:\windows\system32\svchost.exe[3064] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007719ce40 5 bytes JMP 0000000077300460 .text C:\windows\system32\svchost.exe[3064] C:\windows\SYSTEM32\ntdll.dll!NtResumeProcess 000000007719cfa0 5 bytes JMP 0000000077300420 .text C:\windows\system32\svchost.exe[3064] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007719d040 5 bytes JMP 0000000077300250 .text C:\windows\system32\svchost.exe[3064] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007719d050 5 bytes JMP 0000000077300260 .text C:\windows\system32\svchost.exe[3064] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007719d060 5 bytes JMP 0000000077300400 .text C:\windows\system32\svchost.exe[3064] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007719d220 5 bytes JMP 00000000773001e0 .text C:\windows\system32\svchost.exe[3064] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007719d230 5 bytes JMP 0000000077300200 .text C:\windows\system32\svchost.exe[3064] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007719d2a0 5 bytes JMP 00000000773001f0 .text C:\windows\system32\svchost.exe[3064] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007719d300 5 bytes JMP 0000000077300430 .text C:\windows\system32\svchost.exe[3064] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007719d310 5 bytes JMP 0000000077300450 .text C:\windows\system32\svchost.exe[3064] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007719d320 5 bytes JMP 0000000077300210 .text C:\windows\system32\svchost.exe[3064] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007719d400 5 bytes JMP 0000000077300270 .text C:\windows\system32\svchost.exe[3380] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007719bbe0 5 bytes JMP 0000000000070480 .text C:\windows\system32\svchost.exe[3380] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007719bc30 5 bytes JMP 0000000000070470 .text C:\windows\system32\svchost.exe[3380] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007719bd90 5 bytes JMP 0000000000070360 .text C:\windows\system32\svchost.exe[3380] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007719bde0 5 bytes JMP 0000000000070490 .text C:\windows\system32\svchost.exe[3380] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007719bdf0 5 bytes JMP 00000000000703d0 .text C:\windows\system32\svchost.exe[3380] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007719bea0 5 bytes JMP 0000000000070310 .text C:\windows\system32\svchost.exe[3380] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007719bed0 5 bytes JMP 00000000000703a0 .text C:\windows\system32\svchost.exe[3380] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007719bef0 1 byte JMP 0000000000070380 .text C:\windows\system32\svchost.exe[3380] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 000000007719bef2 3 bytes {JMP 0xffffffff88ed4490} .text C:\windows\system32\svchost.exe[3380] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007719bf30 5 bytes JMP 00000000000702d0 .text C:\windows\system32\svchost.exe[3380] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007719bfb0 5 bytes JMP 00000000000702c0 .text C:\windows\system32\svchost.exe[3380] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007719bfd0 5 bytes JMP 0000000000070300 .text C:\windows\system32\svchost.exe[3380] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007719c010 5 bytes JMP 00000000000703b0 .text C:\windows\system32\svchost.exe[3380] C:\windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007719c050 5 bytes JMP 0000000000070440 .text C:\windows\system32\svchost.exe[3380] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007719c060 5 bytes JMP 00000000000703e0 .text C:\windows\system32\svchost.exe[3380] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007719c1c0 5 bytes JMP 0000000000070220 .text C:\windows\system32\svchost.exe[3380] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007719c380 5 bytes JMP 00000000000704a0 .text C:\windows\system32\svchost.exe[3380] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007719c3b0 5 bytes JMP 0000000000070390 .text C:\windows\system32\svchost.exe[3380] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007719c490 5 bytes JMP 00000000000702e0 .text C:\windows\system32\svchost.exe[3380] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007719c4a0 5 bytes JMP 0000000000070340 .text C:\windows\system32\svchost.exe[3380] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007719c500 5 bytes JMP 0000000000070280 .text C:\windows\system32\svchost.exe[3380] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007719c590 5 bytes JMP 00000000000702a0 .text C:\windows\system32\svchost.exe[3380] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007719c5b0 5 bytes JMP 00000000000703c0 .text C:\windows\system32\svchost.exe[3380] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007719c5c0 5 bytes JMP 0000000000070320 .text C:\windows\system32\svchost.exe[3380] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007719c630 5 bytes JMP 0000000000070410 .text C:\windows\system32\svchost.exe[3380] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007719c660 5 bytes JMP 0000000000070230 .text C:\windows\system32\svchost.exe[3380] C:\windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007719c800 5 bytes JMP 00000000000703f0 .text C:\windows\system32\svchost.exe[3380] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007719c920 5 bytes JMP 00000000000701d0 .text C:\windows\system32\svchost.exe[3380] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007719c9e0 5 bytes JMP 0000000000070240 .text C:\windows\system32\svchost.exe[3380] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007719ca10 5 bytes JMP 00000000000704b0 .text C:\windows\system32\svchost.exe[3380] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007719ca20 5 bytes JMP 00000000000704c0 .text C:\windows\system32\svchost.exe[3380] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007719ca50 5 bytes JMP 00000000000702f0 .text C:\windows\system32\svchost.exe[3380] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007719ca60 5 bytes JMP 0000000000070350 .text C:\windows\system32\svchost.exe[3380] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007719cac0 5 bytes JMP 0000000000070290 .text C:\windows\system32\svchost.exe[3380] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007719cb10 5 bytes JMP 00000000000702b0 .text C:\windows\system32\svchost.exe[3380] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007719cb40 5 bytes JMP 0000000000070370 .text C:\windows\system32\svchost.exe[3380] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007719cb50 5 bytes JMP 0000000000070330 .text C:\windows\system32\svchost.exe[3380] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007719ce40 5 bytes JMP 0000000000070460 .text C:\windows\system32\svchost.exe[3380] C:\windows\SYSTEM32\ntdll.dll!NtResumeProcess 000000007719cfa0 5 bytes JMP 0000000000070420 .text C:\windows\system32\svchost.exe[3380] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007719d040 5 bytes JMP 0000000000070250 .text C:\windows\system32\svchost.exe[3380] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007719d050 5 bytes JMP 0000000000070260 .text C:\windows\system32\svchost.exe[3380] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007719d060 5 bytes JMP 0000000000070400 .text C:\windows\system32\svchost.exe[3380] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007719d220 5 bytes JMP 00000000000701e0 .text C:\windows\system32\svchost.exe[3380] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007719d230 5 bytes JMP 0000000000070200 .text C:\windows\system32\svchost.exe[3380] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007719d2a0 5 bytes JMP 00000000000701f0 .text C:\windows\system32\svchost.exe[3380] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007719d300 5 bytes JMP 0000000000070430 .text C:\windows\system32\svchost.exe[3380] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007719d310 5 bytes JMP 0000000000070450 .text C:\windows\system32\svchost.exe[3380] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007719d320 5 bytes JMP 0000000000070210 .text C:\windows\system32\svchost.exe[3380] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007719d400 5 bytes JMP 0000000000070270 .text C:\windows\system32\taskhost.exe[1900] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007719bbe0 5 bytes JMP 0000000077300480 .text C:\windows\system32\taskhost.exe[1900] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007719bc30 5 bytes JMP 0000000077300470 .text C:\windows\system32\taskhost.exe[1900] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007719bd90 5 bytes JMP 0000000077300360 .text C:\windows\system32\taskhost.exe[1900] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007719bde0 5 bytes JMP 0000000077300490 .text C:\windows\system32\taskhost.exe[1900] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007719bdf0 5 bytes JMP 00000000773003d0 .text C:\windows\system32\taskhost.exe[1900] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007719bea0 5 bytes JMP 0000000077300310 .text C:\windows\system32\taskhost.exe[1900] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007719bed0 5 bytes JMP 00000000773003a0 .text C:\windows\system32\taskhost.exe[1900] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007719bef0 1 byte JMP 0000000077300380 .text C:\windows\system32\taskhost.exe[1900] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 000000007719bef2 3 bytes {JMP 0x164490} .text C:\windows\system32\taskhost.exe[1900] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007719bf30 5 bytes JMP 00000000773002d0 .text C:\windows\system32\taskhost.exe[1900] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007719bfb0 5 bytes JMP 00000000773002c0 .text C:\windows\system32\taskhost.exe[1900] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007719bfd0 5 bytes JMP 0000000077300300 .text C:\windows\system32\taskhost.exe[1900] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007719c010 5 bytes JMP 00000000773003b0 .text C:\windows\system32\taskhost.exe[1900] C:\windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007719c050 5 bytes JMP 0000000077300440 .text C:\windows\system32\taskhost.exe[1900] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007719c060 5 bytes JMP 00000000773003e0 .text C:\windows\system32\taskhost.exe[1900] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007719c1c0 5 bytes JMP 0000000077300220 .text C:\windows\system32\taskhost.exe[1900] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007719c380 5 bytes JMP 00000000773004a0 .text C:\windows\system32\taskhost.exe[1900] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007719c3b0 5 bytes JMP 0000000077300390 .text C:\windows\system32\taskhost.exe[1900] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007719c490 5 bytes JMP 00000000773002e0 .text C:\windows\system32\taskhost.exe[1900] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007719c4a0 5 bytes JMP 0000000077300340 .text C:\windows\system32\taskhost.exe[1900] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007719c500 5 bytes JMP 0000000077300280 .text C:\windows\system32\taskhost.exe[1900] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007719c590 5 bytes JMP 00000000773002a0 .text C:\windows\system32\taskhost.exe[1900] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007719c5b0 5 bytes JMP 00000000773003c0 .text C:\windows\system32\taskhost.exe[1900] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007719c5c0 5 bytes JMP 0000000077300320 .text C:\windows\system32\taskhost.exe[1900] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007719c630 5 bytes JMP 0000000077300410 .text C:\windows\system32\taskhost.exe[1900] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007719c660 5 bytes JMP 0000000077300230 .text C:\windows\system32\taskhost.exe[1900] C:\windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007719c800 5 bytes JMP 00000000773003f0 .text C:\windows\system32\taskhost.exe[1900] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007719c920 5 bytes JMP 00000000773001d0 .text C:\windows\system32\taskhost.exe[1900] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007719c9e0 5 bytes JMP 0000000077300240 .text C:\windows\system32\taskhost.exe[1900] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007719ca10 5 bytes JMP 00000000773004b0 .text C:\windows\system32\taskhost.exe[1900] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007719ca20 5 bytes JMP 00000000773004c0 .text C:\windows\system32\taskhost.exe[1900] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007719ca50 5 bytes JMP 00000000773002f0 .text C:\windows\system32\taskhost.exe[1900] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007719ca60 5 bytes JMP 0000000077300350 .text C:\windows\system32\taskhost.exe[1900] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007719cac0 5 bytes JMP 0000000077300290 .text C:\windows\system32\taskhost.exe[1900] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007719cb10 5 bytes JMP 00000000773002b0 .text C:\windows\system32\taskhost.exe[1900] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007719cb40 5 bytes JMP 0000000077300370 .text C:\windows\system32\taskhost.exe[1900] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007719cb50 5 bytes JMP 0000000077300330 .text C:\windows\system32\taskhost.exe[1900] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007719ce40 5 bytes JMP 0000000077300460 .text C:\windows\system32\taskhost.exe[1900] C:\windows\SYSTEM32\ntdll.dll!NtResumeProcess 000000007719cfa0 5 bytes JMP 0000000077300420 .text C:\windows\system32\taskhost.exe[1900] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007719d040 5 bytes JMP 0000000077300250 .text C:\windows\system32\taskhost.exe[1900] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007719d050 5 bytes JMP 0000000077300260 .text C:\windows\system32\taskhost.exe[1900] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007719d060 5 bytes JMP 0000000077300400 .text C:\windows\system32\taskhost.exe[1900] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007719d220 5 bytes JMP 00000000773001e0 .text C:\windows\system32\taskhost.exe[1900] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007719d230 5 bytes JMP 0000000077300200 .text C:\windows\system32\taskhost.exe[1900] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007719d2a0 5 bytes JMP 00000000773001f0 .text C:\windows\system32\taskhost.exe[1900] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007719d300 5 bytes JMP 0000000077300430 .text C:\windows\system32\taskhost.exe[1900] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007719d310 5 bytes JMP 0000000077300450 .text C:\windows\system32\taskhost.exe[1900] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007719d320 5 bytes JMP 0000000077300210 .text C:\windows\system32\taskhost.exe[1900] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007719d400 5 bytes JMP 0000000077300270 .text C:\windows\Explorer.EXE[3944] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007719bbe0 5 bytes JMP 0000000077300480 .text C:\windows\Explorer.EXE[3944] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007719bc30 5 bytes JMP 0000000077300470 .text C:\windows\Explorer.EXE[3944] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007719bd90 5 bytes JMP 0000000077300360 .text C:\windows\Explorer.EXE[3944] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007719bde0 5 bytes JMP 0000000077300490 .text C:\windows\Explorer.EXE[3944] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007719bdf0 5 bytes JMP 00000000773003d0 .text C:\windows\Explorer.EXE[3944] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007719bea0 5 bytes JMP 0000000077300310 .text C:\windows\Explorer.EXE[3944] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007719bed0 5 bytes JMP 00000000773003a0 .text C:\windows\Explorer.EXE[3944] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007719bef0 1 byte JMP 0000000077300380 .text C:\windows\Explorer.EXE[3944] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 000000007719bef2 3 bytes {JMP 0x164490} .text C:\windows\Explorer.EXE[3944] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007719bf30 5 bytes JMP 00000000773002d0 .text C:\windows\Explorer.EXE[3944] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007719bfb0 5 bytes JMP 00000000773002c0 .text C:\windows\Explorer.EXE[3944] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007719bfd0 5 bytes JMP 0000000077300300 .text C:\windows\Explorer.EXE[3944] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007719c010 5 bytes JMP 00000000773003b0 .text C:\windows\Explorer.EXE[3944] C:\windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007719c050 5 bytes JMP 0000000077300440 .text C:\windows\Explorer.EXE[3944] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007719c060 5 bytes JMP 00000000773003e0 .text C:\windows\Explorer.EXE[3944] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007719c1c0 5 bytes JMP 0000000077300220 .text C:\windows\Explorer.EXE[3944] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007719c380 5 bytes JMP 00000000773004a0 .text C:\windows\Explorer.EXE[3944] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007719c3b0 5 bytes JMP 0000000077300390 .text C:\windows\Explorer.EXE[3944] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007719c490 5 bytes JMP 00000000773002e0 .text C:\windows\Explorer.EXE[3944] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007719c4a0 5 bytes JMP 0000000077300340 .text C:\windows\Explorer.EXE[3944] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007719c500 5 bytes JMP 0000000077300280 .text C:\windows\Explorer.EXE[3944] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007719c590 5 bytes JMP 00000000773002a0 .text C:\windows\Explorer.EXE[3944] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007719c5b0 5 bytes JMP 00000000773003c0 .text C:\windows\Explorer.EXE[3944] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007719c5c0 5 bytes JMP 0000000077300320 .text C:\windows\Explorer.EXE[3944] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007719c630 5 bytes JMP 0000000077300410 .text C:\windows\Explorer.EXE[3944] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007719c660 5 bytes JMP 0000000077300230 .text C:\windows\Explorer.EXE[3944] C:\windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007719c800 5 bytes JMP 00000000773003f0 .text C:\windows\Explorer.EXE[3944] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007719c920 5 bytes JMP 00000000773001d0 .text C:\windows\Explorer.EXE[3944] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007719c9e0 5 bytes JMP 0000000077300240 .text C:\windows\Explorer.EXE[3944] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007719ca10 5 bytes JMP 00000000773004b0 .text C:\windows\Explorer.EXE[3944] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007719ca20 5 bytes JMP 00000000773004c0 .text C:\windows\Explorer.EXE[3944] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007719ca50 5 bytes JMP 00000000773002f0 .text C:\windows\Explorer.EXE[3944] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007719ca60 5 bytes JMP 0000000077300350 .text C:\windows\Explorer.EXE[3944] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007719cac0 5 bytes JMP 0000000077300290 .text C:\windows\Explorer.EXE[3944] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007719cb10 5 bytes JMP 00000000773002b0 .text C:\windows\Explorer.EXE[3944] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007719cb40 5 bytes JMP 0000000077300370 .text C:\windows\Explorer.EXE[3944] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007719cb50 5 bytes JMP 0000000077300330 .text C:\windows\Explorer.EXE[3944] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007719ce40 5 bytes JMP 0000000077300460 .text C:\windows\Explorer.EXE[3944] C:\windows\SYSTEM32\ntdll.dll!NtResumeProcess 000000007719cfa0 5 bytes JMP 0000000077300420 .text C:\windows\Explorer.EXE[3944] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007719d040 5 bytes JMP 0000000077300250 .text C:\windows\Explorer.EXE[3944] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007719d050 5 bytes JMP 0000000077300260 .text C:\windows\Explorer.EXE[3944] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007719d060 5 bytes JMP 0000000077300400 .text C:\windows\Explorer.EXE[3944] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007719d220 5 bytes JMP 00000000773001e0 .text C:\windows\Explorer.EXE[3944] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007719d230 5 bytes JMP 0000000077300200 .text C:\windows\Explorer.EXE[3944] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007719d2a0 5 bytes JMP 00000000773001f0 .text C:\windows\Explorer.EXE[3944] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007719d300 5 bytes JMP 0000000077300430 .text C:\windows\Explorer.EXE[3944] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007719d310 5 bytes JMP 0000000077300450 .text C:\windows\Explorer.EXE[3944] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007719d320 5 bytes JMP 0000000077300210 .text C:\windows\Explorer.EXE[3944] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007719d400 5 bytes JMP 0000000077300270 .text C:\windows\system32\Dwm.exe[3460] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007719bbe0 5 bytes JMP 0000000077300480 .text C:\windows\system32\Dwm.exe[3460] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007719bc30 5 bytes JMP 0000000077300470 .text C:\windows\system32\Dwm.exe[3460] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007719bd90 5 bytes JMP 0000000077300360 .text C:\windows\system32\Dwm.exe[3460] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007719bde0 5 bytes JMP 0000000077300490 .text C:\windows\system32\Dwm.exe[3460] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007719bdf0 5 bytes JMP 00000000773003d0 .text C:\windows\system32\Dwm.exe[3460] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007719bea0 5 bytes JMP 0000000077300310 .text C:\windows\system32\Dwm.exe[3460] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007719bed0 5 bytes JMP 00000000773003a0 .text C:\windows\system32\Dwm.exe[3460] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007719bef0 1 byte JMP 0000000077300380 .text C:\windows\system32\Dwm.exe[3460] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 000000007719bef2 3 bytes {JMP 0x164490} .text C:\windows\system32\Dwm.exe[3460] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007719bf30 5 bytes JMP 00000000773002d0 .text C:\windows\system32\Dwm.exe[3460] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007719bfb0 5 bytes JMP 00000000773002c0 .text C:\windows\system32\Dwm.exe[3460] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007719bfd0 5 bytes JMP 0000000077300300 .text C:\windows\system32\Dwm.exe[3460] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007719c010 5 bytes JMP 00000000773003b0 .text C:\windows\system32\Dwm.exe[3460] C:\windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007719c050 5 bytes JMP 0000000077300440 .text C:\windows\system32\Dwm.exe[3460] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007719c060 5 bytes JMP 00000000773003e0 .text C:\windows\system32\Dwm.exe[3460] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007719c1c0 5 bytes JMP 0000000077300220 .text C:\windows\system32\Dwm.exe[3460] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007719c380 5 bytes JMP 00000000773004a0 .text C:\windows\system32\Dwm.exe[3460] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007719c3b0 5 bytes JMP 0000000077300390 .text C:\windows\system32\Dwm.exe[3460] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007719c490 5 bytes JMP 00000000773002e0 .text C:\windows\system32\Dwm.exe[3460] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007719c4a0 5 bytes JMP 0000000077300340 .text C:\windows\system32\Dwm.exe[3460] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007719c500 5 bytes JMP 0000000077300280 .text C:\windows\system32\Dwm.exe[3460] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007719c590 5 bytes JMP 00000000773002a0 .text C:\windows\system32\Dwm.exe[3460] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007719c5b0 5 bytes JMP 00000000773003c0 .text C:\windows\system32\Dwm.exe[3460] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007719c5c0 5 bytes JMP 0000000077300320 .text C:\windows\system32\Dwm.exe[3460] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007719c630 5 bytes JMP 0000000077300410 .text C:\windows\system32\Dwm.exe[3460] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007719c660 5 bytes JMP 0000000077300230 .text C:\windows\system32\Dwm.exe[3460] C:\windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007719c800 5 bytes JMP 00000000773003f0 .text C:\windows\system32\Dwm.exe[3460] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007719c920 5 bytes JMP 00000000773001d0 .text C:\windows\system32\Dwm.exe[3460] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007719c9e0 5 bytes JMP 0000000077300240 .text C:\windows\system32\Dwm.exe[3460] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007719ca10 5 bytes JMP 00000000773004b0 .text C:\windows\system32\Dwm.exe[3460] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007719ca20 5 bytes JMP 00000000773004c0 .text C:\windows\system32\Dwm.exe[3460] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007719ca50 5 bytes JMP 00000000773002f0 .text C:\windows\system32\Dwm.exe[3460] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007719ca60 5 bytes JMP 0000000077300350 .text C:\windows\system32\Dwm.exe[3460] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007719cac0 5 bytes JMP 0000000077300290 .text C:\windows\system32\Dwm.exe[3460] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007719cb10 5 bytes JMP 00000000773002b0 .text C:\windows\system32\Dwm.exe[3460] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007719cb40 5 bytes JMP 0000000077300370 .text C:\windows\system32\Dwm.exe[3460] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007719cb50 5 bytes JMP 0000000077300330 .text C:\windows\system32\Dwm.exe[3460] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007719ce40 5 bytes JMP 0000000077300460 .text C:\windows\system32\Dwm.exe[3460] C:\windows\SYSTEM32\ntdll.dll!NtResumeProcess 000000007719cfa0 5 bytes JMP 0000000077300420 .text C:\windows\system32\Dwm.exe[3460] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007719d040 5 bytes JMP 0000000077300250 .text C:\windows\system32\Dwm.exe[3460] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007719d050 5 bytes JMP 0000000077300260 .text C:\windows\system32\Dwm.exe[3460] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007719d060 5 bytes JMP 0000000077300400 .text C:\windows\system32\Dwm.exe[3460] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007719d220 5 bytes JMP 00000000773001e0 .text C:\windows\system32\Dwm.exe[3460] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007719d230 5 bytes JMP 0000000077300200 .text C:\windows\system32\Dwm.exe[3460] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007719d2a0 5 bytes JMP 00000000773001f0 .text C:\windows\system32\Dwm.exe[3460] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007719d300 5 bytes JMP 0000000077300430 .text C:\windows\system32\Dwm.exe[3460] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007719d310 5 bytes JMP 0000000077300450 .text C:\windows\system32\Dwm.exe[3460] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007719d320 5 bytes JMP 0000000077300210 .text C:\windows\system32\Dwm.exe[3460] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007719d400 5 bytes JMP 0000000077300270 .text C:\Program Files (x86)\Dell DataSafe Local Backup\TOASTER.EXE[2988] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000074fa1401 2 bytes JMP 76e5b263 C:\windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Dell DataSafe Local Backup\TOASTER.EXE[2988] C:\windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000074fa1419 2 bytes JMP 76e5b38e C:\windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Dell DataSafe Local Backup\TOASTER.EXE[2988] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000074fa1431 2 bytes JMP 76ed90f1 C:\windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Dell DataSafe Local Backup\TOASTER.EXE[2988] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000074fa144a 2 bytes CALL 76e348ad C:\windows\syswow64\KERNEL32.dll .text ... * 9 .text C:\Program Files (x86)\Dell DataSafe Local Backup\TOASTER.EXE[2988] C:\windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000074fa14dd 2 bytes JMP 76ed89ea C:\windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Dell DataSafe Local Backup\TOASTER.EXE[2988] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000074fa14f5 2 bytes JMP 76ed8bc0 C:\windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Dell DataSafe Local Backup\TOASTER.EXE[2988] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000074fa150d 2 bytes JMP 76ed88e0 C:\windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Dell DataSafe Local Backup\TOASTER.EXE[2988] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000074fa1525 2 bytes JMP 76ed8caa C:\windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Dell DataSafe Local Backup\TOASTER.EXE[2988] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000074fa153d 2 bytes JMP 76e4fce8 C:\windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Dell DataSafe Local Backup\TOASTER.EXE[2988] C:\windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000074fa1555 2 bytes JMP 76e56937 C:\windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Dell DataSafe Local Backup\TOASTER.EXE[2988] C:\windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000074fa156d 2 bytes JMP 76ed91a9 C:\windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Dell DataSafe Local Backup\TOASTER.EXE[2988] C:\windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000074fa1585 2 bytes JMP 76ed8d0a C:\windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Dell DataSafe Local Backup\TOASTER.EXE[2988] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000074fa159d 2 bytes JMP 76ed88a4 C:\windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Dell DataSafe Local Backup\TOASTER.EXE[2988] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000074fa15b5 2 bytes JMP 76e4fd81 C:\windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Dell DataSafe Local Backup\TOASTER.EXE[2988] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000074fa15cd 2 bytes JMP 76e5b324 C:\windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Dell DataSafe Local Backup\TOASTER.EXE[2988] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000074fa16b2 2 bytes JMP 76ed906c C:\windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Dell DataSafe Local Backup\TOASTER.EXE[2988] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000074fa16bd 2 bytes JMP 76ed8839 C:\windows\syswow64\KERNEL32.dll .text C:\windows\system32\wbem\wmiprvse.exe[2228] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007719bbe0 5 bytes JMP 0000000077300480 .text C:\windows\system32\wbem\wmiprvse.exe[2228] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007719bc30 5 bytes JMP 0000000077300470 .text C:\windows\system32\wbem\wmiprvse.exe[2228] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007719bd90 5 bytes JMP 0000000077300360 .text C:\windows\system32\wbem\wmiprvse.exe[2228] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007719bde0 5 bytes JMP 0000000077300490 .text C:\windows\system32\wbem\wmiprvse.exe[2228] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007719bdf0 5 bytes JMP 00000000773003d0 .text C:\windows\system32\wbem\wmiprvse.exe[2228] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007719bea0 5 bytes JMP 0000000077300310 .text C:\windows\system32\wbem\wmiprvse.exe[2228] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007719bed0 5 bytes JMP 00000000773003a0 .text C:\windows\system32\wbem\wmiprvse.exe[2228] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007719bef0 1 byte JMP 0000000077300380 .text C:\windows\system32\wbem\wmiprvse.exe[2228] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 000000007719bef2 3 bytes {JMP 0x164490} .text C:\windows\system32\wbem\wmiprvse.exe[2228] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007719bf30 5 bytes JMP 00000000773002d0 .text C:\windows\system32\wbem\wmiprvse.exe[2228] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007719bfb0 5 bytes JMP 00000000773002c0 .text C:\windows\system32\wbem\wmiprvse.exe[2228] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007719bfd0 5 bytes JMP 0000000077300300 .text C:\windows\system32\wbem\wmiprvse.exe[2228] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007719c010 5 bytes JMP 00000000773003b0 .text C:\windows\system32\wbem\wmiprvse.exe[2228] C:\windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007719c050 5 bytes JMP 0000000077300440 .text C:\windows\system32\wbem\wmiprvse.exe[2228] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007719c060 5 bytes JMP 00000000773003e0 .text C:\windows\system32\wbem\wmiprvse.exe[2228] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007719c1c0 5 bytes JMP 0000000077300220 .text C:\windows\system32\wbem\wmiprvse.exe[2228] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007719c380 5 bytes JMP 00000000773004a0 .text C:\windows\system32\wbem\wmiprvse.exe[2228] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007719c3b0 5 bytes JMP 0000000077300390 .text C:\windows\system32\wbem\wmiprvse.exe[2228] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007719c490 5 bytes JMP 00000000773002e0 .text C:\windows\system32\wbem\wmiprvse.exe[2228] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007719c4a0 5 bytes JMP 0000000077300340 .text C:\windows\system32\wbem\wmiprvse.exe[2228] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007719c500 5 bytes JMP 0000000077300280 .text C:\windows\system32\wbem\wmiprvse.exe[2228] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007719c590 5 bytes JMP 00000000773002a0 .text C:\windows\system32\wbem\wmiprvse.exe[2228] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007719c5b0 5 bytes JMP 00000000773003c0 .text C:\windows\system32\wbem\wmiprvse.exe[2228] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007719c5c0 5 bytes JMP 0000000077300320 .text C:\windows\system32\wbem\wmiprvse.exe[2228] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007719c630 5 bytes JMP 0000000077300410 .text C:\windows\system32\wbem\wmiprvse.exe[2228] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007719c660 5 bytes JMP 0000000077300230 .text C:\windows\system32\wbem\wmiprvse.exe[2228] C:\windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007719c800 5 bytes JMP 00000000773003f0 .text C:\windows\system32\wbem\wmiprvse.exe[2228] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007719c920 5 bytes JMP 00000000773001d0 .text C:\windows\system32\wbem\wmiprvse.exe[2228] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007719c9e0 5 bytes JMP 0000000077300240 .text C:\windows\system32\wbem\wmiprvse.exe[2228] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007719ca10 5 bytes JMP 00000000773004b0 .text C:\windows\system32\wbem\wmiprvse.exe[2228] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007719ca20 5 bytes JMP 00000000773004c0 .text C:\windows\system32\wbem\wmiprvse.exe[2228] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007719ca50 5 bytes JMP 00000000773002f0 .text C:\windows\system32\wbem\wmiprvse.exe[2228] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007719ca60 5 bytes JMP 0000000077300350 .text C:\windows\system32\wbem\wmiprvse.exe[2228] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007719cac0 5 bytes JMP 0000000077300290 .text C:\windows\system32\wbem\wmiprvse.exe[2228] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007719cb10 5 bytes JMP 00000000773002b0 .text C:\windows\system32\wbem\wmiprvse.exe[2228] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007719cb40 5 bytes JMP 0000000077300370 .text C:\windows\system32\wbem\wmiprvse.exe[2228] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007719cb50 5 bytes JMP 0000000077300330 .text C:\windows\system32\wbem\wmiprvse.exe[2228] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007719ce40 5 bytes JMP 0000000077300460 .text C:\windows\system32\wbem\wmiprvse.exe[2228] C:\windows\SYSTEM32\ntdll.dll!NtResumeProcess 000000007719cfa0 5 bytes JMP 0000000077300420 .text C:\windows\system32\wbem\wmiprvse.exe[2228] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007719d040 5 bytes JMP 0000000077300250 .text C:\windows\system32\wbem\wmiprvse.exe[2228] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007719d050 5 bytes JMP 0000000077300260 .text C:\windows\system32\wbem\wmiprvse.exe[2228] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007719d060 5 bytes JMP 0000000077300400 .text C:\windows\system32\wbem\wmiprvse.exe[2228] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007719d220 5 bytes JMP 00000000773001e0 .text C:\windows\system32\wbem\wmiprvse.exe[2228] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007719d230 5 bytes JMP 0000000077300200 .text C:\windows\system32\wbem\wmiprvse.exe[2228] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007719d2a0 5 bytes JMP 00000000773001f0 .text C:\windows\system32\wbem\wmiprvse.exe[2228] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007719d300 5 bytes JMP 0000000077300430 .text C:\windows\system32\wbem\wmiprvse.exe[2228] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007719d310 5 bytes JMP 0000000077300450 .text C:\windows\system32\wbem\wmiprvse.exe[2228] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007719d320 5 bytes JMP 0000000077300210 .text C:\windows\system32\wbem\wmiprvse.exe[2228] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007719d400 5 bytes JMP 0000000077300270 .text C:\Program Files (x86)\RocketDock\RocketDock.exe[4028] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000074fa1401 2 bytes JMP 76e5b263 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\RocketDock\RocketDock.exe[4028] C:\windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000074fa1419 2 bytes JMP 76e5b38e C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\RocketDock\RocketDock.exe[4028] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000074fa1431 2 bytes JMP 76ed90f1 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\RocketDock\RocketDock.exe[4028] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000074fa144a 2 bytes CALL 76e348ad C:\windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\RocketDock\RocketDock.exe[4028] C:\windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000074fa14dd 2 bytes JMP 76ed89ea C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\RocketDock\RocketDock.exe[4028] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000074fa14f5 2 bytes JMP 76ed8bc0 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\RocketDock\RocketDock.exe[4028] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000074fa150d 2 bytes JMP 76ed88e0 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\RocketDock\RocketDock.exe[4028] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000074fa1525 2 bytes JMP 76ed8caa C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\RocketDock\RocketDock.exe[4028] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000074fa153d 2 bytes JMP 76e4fce8 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\RocketDock\RocketDock.exe[4028] C:\windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000074fa1555 2 bytes JMP 76e56937 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\RocketDock\RocketDock.exe[4028] C:\windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000074fa156d 2 bytes JMP 76ed91a9 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\RocketDock\RocketDock.exe[4028] C:\windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000074fa1585 2 bytes JMP 76ed8d0a C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\RocketDock\RocketDock.exe[4028] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000074fa159d 2 bytes JMP 76ed88a4 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\RocketDock\RocketDock.exe[4028] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000074fa15b5 2 bytes JMP 76e4fd81 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\RocketDock\RocketDock.exe[4028] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000074fa15cd 2 bytes JMP 76e5b324 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\RocketDock\RocketDock.exe[4028] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000074fa16b2 2 bytes JMP 76ed906c C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\RocketDock\RocketDock.exe[4028] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000074fa16bd 2 bytes JMP 76ed8839 C:\windows\syswow64\kernel32.dll .text C:\Users\Rafal\AppData\Local\FluxSoftware\Flux\flux.exe[4184] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000074fa1401 2 bytes JMP 76e5b263 C:\windows\syswow64\kernel32.dll .text C:\Users\Rafal\AppData\Local\FluxSoftware\Flux\flux.exe[4184] C:\windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000074fa1419 2 bytes JMP 76e5b38e C:\windows\syswow64\kernel32.dll .text C:\Users\Rafal\AppData\Local\FluxSoftware\Flux\flux.exe[4184] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000074fa1431 2 bytes JMP 76ed90f1 C:\windows\syswow64\kernel32.dll .text C:\Users\Rafal\AppData\Local\FluxSoftware\Flux\flux.exe[4184] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000074fa144a 2 bytes CALL 76e348ad C:\windows\syswow64\kernel32.dll .text ... * 9 .text C:\Users\Rafal\AppData\Local\FluxSoftware\Flux\flux.exe[4184] C:\windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000074fa14dd 2 bytes JMP 76ed89ea C:\windows\syswow64\kernel32.dll .text C:\Users\Rafal\AppData\Local\FluxSoftware\Flux\flux.exe[4184] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000074fa14f5 2 bytes JMP 76ed8bc0 C:\windows\syswow64\kernel32.dll .text C:\Users\Rafal\AppData\Local\FluxSoftware\Flux\flux.exe[4184] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000074fa150d 2 bytes JMP 76ed88e0 C:\windows\syswow64\kernel32.dll .text C:\Users\Rafal\AppData\Local\FluxSoftware\Flux\flux.exe[4184] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000074fa1525 2 bytes JMP 76ed8caa C:\windows\syswow64\kernel32.dll .text C:\Users\Rafal\AppData\Local\FluxSoftware\Flux\flux.exe[4184] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000074fa153d 2 bytes JMP 76e4fce8 C:\windows\syswow64\kernel32.dll .text C:\Users\Rafal\AppData\Local\FluxSoftware\Flux\flux.exe[4184] C:\windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000074fa1555 2 bytes JMP 76e56937 C:\windows\syswow64\kernel32.dll .text C:\Users\Rafal\AppData\Local\FluxSoftware\Flux\flux.exe[4184] C:\windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000074fa156d 2 bytes JMP 76ed91a9 C:\windows\syswow64\kernel32.dll .text C:\Users\Rafal\AppData\Local\FluxSoftware\Flux\flux.exe[4184] C:\windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000074fa1585 2 bytes JMP 76ed8d0a C:\windows\syswow64\kernel32.dll .text C:\Users\Rafal\AppData\Local\FluxSoftware\Flux\flux.exe[4184] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000074fa159d 2 bytes JMP 76ed88a4 C:\windows\syswow64\kernel32.dll .text C:\Users\Rafal\AppData\Local\FluxSoftware\Flux\flux.exe[4184] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000074fa15b5 2 bytes JMP 76e4fd81 C:\windows\syswow64\kernel32.dll .text C:\Users\Rafal\AppData\Local\FluxSoftware\Flux\flux.exe[4184] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000074fa15cd 2 bytes JMP 76e5b324 C:\windows\syswow64\kernel32.dll .text C:\Users\Rafal\AppData\Local\FluxSoftware\Flux\flux.exe[4184] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000074fa16b2 2 bytes JMP 76ed906c C:\windows\syswow64\kernel32.dll .text C:\Users\Rafal\AppData\Local\FluxSoftware\Flux\flux.exe[4184] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000074fa16bd 2 bytes JMP 76ed8839 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4820] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000074fa1401 2 bytes JMP 76e5b263 C:\windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4820] C:\windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000074fa1419 2 bytes JMP 76e5b38e C:\windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4820] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000074fa1431 2 bytes JMP 76ed90f1 C:\windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4820] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000074fa144a 2 bytes CALL 76e348ad C:\windows\syswow64\KERNEL32.dll .text ... * 9 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4820] C:\windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000074fa14dd 2 bytes JMP 76ed89ea C:\windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4820] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000074fa14f5 2 bytes JMP 76ed8bc0 C:\windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4820] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000074fa150d 2 bytes JMP 76ed88e0 C:\windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4820] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000074fa1525 2 bytes JMP 76ed8caa C:\windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4820] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000074fa153d 2 bytes JMP 76e4fce8 C:\windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4820] C:\windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000074fa1555 2 bytes JMP 76e56937 C:\windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4820] C:\windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000074fa156d 2 bytes JMP 76ed91a9 C:\windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4820] C:\windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000074fa1585 2 bytes JMP 76ed8d0a C:\windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4820] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000074fa159d 2 bytes JMP 76ed88a4 C:\windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4820] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000074fa15b5 2 bytes JMP 76e4fd81 C:\windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4820] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000074fa15cd 2 bytes JMP 76e5b324 C:\windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4820] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000074fa16b2 2 bytes JMP 76ed906c C:\windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4820] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000074fa16bd 2 bytes JMP 76ed8839 C:\windows\syswow64\KERNEL32.dll .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4860] C:\windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter 0000000076e38791 8 bytes [31, C0, C2, 04, 00, 90, 90, ...] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4860] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000074fa1401 2 bytes JMP 76e5b263 C:\windows\syswow64\kernel32.dll .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4860] C:\windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000074fa1419 2 bytes JMP 76e5b38e C:\windows\syswow64\kernel32.dll .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4860] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000074fa1431 2 bytes JMP 76ed90f1 C:\windows\syswow64\kernel32.dll .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4860] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000074fa144a 2 bytes CALL 76e348ad C:\windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4860] C:\windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000074fa14dd 2 bytes JMP 76ed89ea C:\windows\syswow64\kernel32.dll .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4860] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000074fa14f5 2 bytes JMP 76ed8bc0 C:\windows\syswow64\kernel32.dll .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4860] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000074fa150d 2 bytes JMP 76ed88e0 C:\windows\syswow64\kernel32.dll .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4860] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000074fa1525 2 bytes JMP 76ed8caa C:\windows\syswow64\kernel32.dll .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4860] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000074fa153d 2 bytes JMP 76e4fce8 C:\windows\syswow64\kernel32.dll .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4860] C:\windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000074fa1555 2 bytes JMP 76e56937 C:\windows\syswow64\kernel32.dll .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4860] C:\windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000074fa156d 2 bytes JMP 76ed91a9 C:\windows\syswow64\kernel32.dll .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4860] C:\windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000074fa1585 2 bytes JMP 76ed8d0a C:\windows\syswow64\kernel32.dll .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4860] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000074fa159d 2 bytes JMP 76ed88a4 C:\windows\syswow64\kernel32.dll .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4860] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000074fa15b5 2 bytes JMP 76e4fd81 C:\windows\syswow64\kernel32.dll .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4860] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000074fa15cd 2 bytes JMP 76e5b324 C:\windows\syswow64\kernel32.dll .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4860] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000074fa16b2 2 bytes JMP 76ed906c C:\windows\syswow64\kernel32.dll .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4860] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000074fa16bd 2 bytes JMP 76ed8839 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5000] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000074fa1401 2 bytes JMP 76e5b263 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5000] C:\windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000074fa1419 2 bytes JMP 76e5b38e C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5000] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000074fa1431 2 bytes JMP 76ed90f1 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5000] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000074fa144a 2 bytes CALL 76e348ad C:\windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5000] C:\windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000074fa14dd 2 bytes JMP 76ed89ea C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5000] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000074fa14f5 2 bytes JMP 76ed8bc0 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5000] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000074fa150d 2 bytes JMP 76ed88e0 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5000] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000074fa1525 2 bytes JMP 76ed8caa C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5000] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000074fa153d 2 bytes JMP 76e4fce8 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5000] C:\windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000074fa1555 2 bytes JMP 76e56937 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5000] C:\windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000074fa156d 2 bytes JMP 76ed91a9 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5000] C:\windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000074fa1585 2 bytes JMP 76ed8d0a C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5000] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000074fa159d 2 bytes JMP 76ed88a4 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5000] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000074fa15b5 2 bytes JMP 76e4fd81 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5000] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000074fa15cd 2 bytes JMP 76e5b324 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5000] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000074fa16b2 2 bytes JMP 76ed906c C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5000] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000074fa16bd 2 bytes JMP 76ed8839 C:\windows\syswow64\kernel32.dll .text C:\windows\System32\svchost.exe[2444] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007719bbe0 5 bytes JMP 0000000077300480 .text C:\windows\System32\svchost.exe[2444] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007719bc30 5 bytes JMP 0000000077300470 .text C:\windows\System32\svchost.exe[2444] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007719bd90 5 bytes JMP 0000000077300360 .text C:\windows\System32\svchost.exe[2444] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007719bde0 5 bytes JMP 0000000077300490 .text C:\windows\System32\svchost.exe[2444] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007719bdf0 5 bytes JMP 00000000773003d0 .text C:\windows\System32\svchost.exe[2444] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007719bea0 5 bytes JMP 0000000077300310 .text C:\windows\System32\svchost.exe[2444] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007719bed0 5 bytes JMP 00000000773003a0 .text C:\windows\System32\svchost.exe[2444] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007719bef0 1 byte JMP 0000000077300380 .text C:\windows\System32\svchost.exe[2444] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 000000007719bef2 3 bytes {JMP 0x164490} .text C:\windows\System32\svchost.exe[2444] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007719bf30 5 bytes JMP 00000000773002d0 .text C:\windows\System32\svchost.exe[2444] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007719bfb0 5 bytes JMP 00000000773002c0 .text C:\windows\System32\svchost.exe[2444] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007719bfd0 5 bytes JMP 0000000077300300 .text C:\windows\System32\svchost.exe[2444] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007719c010 5 bytes JMP 00000000773003b0 .text C:\windows\System32\svchost.exe[2444] C:\windows\SYSTEM32\ntdll.dll!NtResumeThread 000000007719c050 5 bytes JMP 0000000077300440 .text C:\windows\System32\svchost.exe[2444] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007719c060 5 bytes JMP 00000000773003e0 .text C:\windows\System32\svchost.exe[2444] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007719c1c0 5 bytes JMP 0000000077300220 .text C:\windows\System32\svchost.exe[2444] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007719c380 5 bytes JMP 00000000773004a0 .text C:\windows\System32\svchost.exe[2444] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007719c3b0 5 bytes JMP 0000000077300390 .text C:\windows\System32\svchost.exe[2444] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 000000007719c490 5 bytes JMP 00000000773002e0 .text C:\windows\System32\svchost.exe[2444] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007719c4a0 5 bytes JMP 0000000077300340 .text C:\windows\System32\svchost.exe[2444] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007719c500 5 bytes JMP 0000000077300280 .text C:\windows\System32\svchost.exe[2444] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007719c590 5 bytes JMP 00000000773002a0 .text C:\windows\System32\svchost.exe[2444] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 000000007719c5b0 5 bytes JMP 00000000773003c0 .text C:\windows\System32\svchost.exe[2444] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007719c5c0 5 bytes JMP 0000000077300320 .text C:\windows\System32\svchost.exe[2444] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 000000007719c630 5 bytes JMP 0000000077300410 .text C:\windows\System32\svchost.exe[2444] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 000000007719c660 5 bytes JMP 0000000077300230 .text C:\windows\System32\svchost.exe[2444] C:\windows\SYSTEM32\ntdll.dll!NtGetContextThread 000000007719c800 5 bytes JMP 00000000773003f0 .text C:\windows\System32\svchost.exe[2444] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 000000007719c920 5 bytes JMP 00000000773001d0 .text C:\windows\System32\svchost.exe[2444] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 000000007719c9e0 5 bytes JMP 0000000077300240 .text C:\windows\System32\svchost.exe[2444] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 000000007719ca10 5 bytes JMP 00000000773004b0 .text C:\windows\System32\svchost.exe[2444] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 000000007719ca20 5 bytes JMP 00000000773004c0 .text C:\windows\System32\svchost.exe[2444] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 000000007719ca50 5 bytes JMP 00000000773002f0 .text C:\windows\System32\svchost.exe[2444] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007719ca60 5 bytes JMP 0000000077300350 .text C:\windows\System32\svchost.exe[2444] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007719cac0 5 bytes JMP 0000000077300290 .text C:\windows\System32\svchost.exe[2444] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007719cb10 5 bytes JMP 00000000773002b0 .text C:\windows\System32\svchost.exe[2444] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 000000007719cb40 5 bytes JMP 0000000077300370 .text C:\windows\System32\svchost.exe[2444] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007719cb50 5 bytes JMP 0000000077300330 .text C:\windows\System32\svchost.exe[2444] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 000000007719ce40 5 bytes JMP 0000000077300460 .text C:\windows\System32\svchost.exe[2444] C:\windows\SYSTEM32\ntdll.dll!NtResumeProcess 000000007719cfa0 5 bytes JMP 0000000077300420 .text C:\windows\System32\svchost.exe[2444] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 000000007719d040 5 bytes JMP 0000000077300250 .text C:\windows\System32\svchost.exe[2444] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 000000007719d050 5 bytes JMP 0000000077300260 .text C:\windows\System32\svchost.exe[2444] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 000000007719d060 5 bytes JMP 0000000077300400 .text C:\windows\System32\svchost.exe[2444] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 000000007719d220 5 bytes JMP 00000000773001e0 .text C:\windows\System32\svchost.exe[2444] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 000000007719d230 5 bytes JMP 0000000077300200 .text C:\windows\System32\svchost.exe[2444] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 000000007719d2a0 5 bytes JMP 00000000773001f0 .text C:\windows\System32\svchost.exe[2444] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 000000007719d300 5 bytes JMP 0000000077300430 .text C:\windows\System32\svchost.exe[2444] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 000000007719d310 5 bytes JMP 0000000077300450 .text C:\windows\System32\svchost.exe[2444] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 000000007719d320 5 bytes JMP 0000000077300210 .text C:\windows\System32\svchost.exe[2444] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 000000007719d400 5 bytes JMP 0000000077300270 ---- Kernel IAT/EAT - GMER 2.2 ---- IAT C:\windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort] [fffff88001009e94] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUchar] [fffff88001009c38] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUchar] [fffff8800100a614] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUlong] [fffff8800100aa10] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort] [fffff8800100a86c] \SystemRoot\System32\Drivers\sptd.sys [.text] ---- Devices - GMER 2.2 ---- Device \Driver\aqv5x29g \Device\Scsi\aqv5x29g1 fffffa80083bb2c0 Device \Driver\aqv5x29g \Device\Scsi\aqv5x29g1Port1Path0Target0Lun0 fffffa80083bb2c0 Device \FileSystem\Ntfs \Ntfs fffffa80058832c0 Device \FileSystem\fastfat \Fat fffffa800a0f72c0 Device \Driver\NetBT \Device\NetBT_Tcpip_{85FB1751-984B-4AC5-8FD4-46ADE5233549} fffffa8007dff2c0 Device \Driver\usbehci \Device\USBPDO-1 fffffa80081072c0 Device \Driver\cdrom \Device\CdRom0 fffffa80079262c0 Device \Driver\cdrom \Device\CdRom1 fffffa80079262c0 Device \Driver\cdrom \Device\CdRom2 fffffa80079262c0 Device \Driver\usbehci \Device\USBFDO-0 fffffa80081072c0 Device \Driver\dtsoftbus01 \Device\DTSoftBusCtl fffffa8007dd52c0 Device \Driver\dtsoftbus01 \Device\00000081 fffffa8007dd52c0 Device \Driver\usbehci \Device\USBFDO-1 fffffa80081072c0 Device \Driver\NetBT \Device\NetBT_Tcpip_{D75CF597-FC0B-4C28-B228-8903583FD0CA} fffffa8007dff2c0 Device \Driver\NetBT \Device\NetBt_Wins_Export fffffa8007dff2c0 Device \Driver\usbehci \Device\USBPDO-0 fffffa80081072c0 Device \Driver\aqv5x29g \Device\ScsiPort1 fffffa80083bb2c0 Device \Driver\NetBT \Device\NetBT_Tcpip_{A4BE440E-CA92-4BBF-BB9E-BF46B3789B52} fffffa8007dff2c0 ---- Modules - GMER 2.2 ---- Module \SystemRoot\System32\Drivers\aqv5x29g.SYS fffff88010392000-fffff880103e3000 (331776 bytes) ---- Registry - GMER 2.2 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters\Instup_14833556768962280@SetupOperations ????????????????? ?????????????????????0????????????????????????????????????????? ?????????????????????0????????"???????????6.1.7600.16385??????????????????????????????????????? ?????????????????????0????????????????????? ?????????????????????0????????????????????? ?????????????????????,????????L??? ???????????????????????? ?????????????????????0????????????????????????!????????????????????6???e??? ?????????????????????0????????????????????system32\DRIVERS\VBoxNetAdp.sys?????????????? ?????????????????????0??????????????????????*??????????????????????????&??? ?????????????????????0??????????????????????@???????????h?????6-21-2006???? ?????????????????????0????????????????????? ??????????????????????????? ?????????????????????0?????????????????????????????