GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2016-11-04 18:11:41 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 ST1000LM rev.2AR1 931,51GB Running: gmer.exe; Driver: C:\Users\User\AppData\Local\Temp\aftcaaob.sys ---- Kernel code sections - GMER 2.1 ---- .text C:\windows\System32\win32k.sys!EngSetLastError + 608 fffff960000b5600 8 bytes [7C, 85, A5, 05, 80, F8, FF, ...] .text C:\windows\System32\win32k.sys!W32pServiceTable fffff960000e4d00 7 bytes [C0, 83, F3, FF, C1, 94, F0] .text C:\windows\System32\win32k.sys!W32pServiceTable + 8 fffff960000e4d08 3 bytes [C0, 06, 02] ---- User code sections - GMER 2.1 ---- .text C:\windows\system32\csrss.exe[684] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000773cdc60 5 bytes JMP 0000000149cb0480 .text C:\windows\system32\csrss.exe[684] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000773cdcb0 5 bytes JMP 0000000149cb0470 .text C:\windows\system32\csrss.exe[684] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000773cde10 5 bytes JMP 0000000149cb0360 .text C:\windows\system32\csrss.exe[684] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000773cde60 5 bytes JMP 0000000149cb0490 .text C:\windows\system32\csrss.exe[684] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000773cde70 5 bytes JMP 0000000149cb03d0 .text C:\windows\system32\csrss.exe[684] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000773cdf20 5 bytes JMP 0000000149cb0310 .text C:\windows\system32\csrss.exe[684] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000773cdf50 5 bytes JMP 0000000149cb03a0 .text C:\windows\system32\csrss.exe[684] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000773cdf70 5 bytes JMP 0000000149cb0380 .text C:\windows\system32\csrss.exe[684] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000773cdfb0 5 bytes JMP 0000000149cb02d0 .text C:\windows\system32\csrss.exe[684] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000773ce030 1 byte JMP 0000000149cb02c0 .text C:\windows\system32\csrss.exe[684] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 00000000773ce032 3 bytes {JMP 0xffffffffd28e2290} .text C:\windows\system32\csrss.exe[684] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000773ce050 5 bytes JMP 0000000149cb0300 .text C:\windows\system32\csrss.exe[684] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000773ce090 5 bytes JMP 0000000149cb03b0 .text C:\windows\system32\csrss.exe[684] C:\windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000773ce0d0 5 bytes JMP 0000000149cb0440 .text C:\windows\system32\csrss.exe[684] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000773ce0e0 5 bytes JMP 0000000149cb03e0 .text C:\windows\system32\csrss.exe[684] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000773ce240 5 bytes JMP 0000000149cb0220 .text C:\windows\system32\csrss.exe[684] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000773ce400 5 bytes JMP 0000000149cb04a0 .text C:\windows\system32\csrss.exe[684] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000773ce430 5 bytes JMP 0000000149cb0390 .text C:\windows\system32\csrss.exe[684] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000773ce510 5 bytes JMP 0000000149cb02e0 .text C:\windows\system32\csrss.exe[684] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000773ce520 5 bytes JMP 0000000149cb0340 .text C:\windows\system32\csrss.exe[684] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000773ce580 5 bytes JMP 0000000149cb0280 .text C:\windows\system32\csrss.exe[684] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000773ce610 1 byte JMP 0000000149cb02a0 .text C:\windows\system32\csrss.exe[684] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 00000000773ce612 3 bytes {JMP 0xffffffffd28e1c90} .text C:\windows\system32\csrss.exe[684] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000773ce630 1 byte JMP 0000000149cb03c0 .text C:\windows\system32\csrss.exe[684] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 00000000773ce632 3 bytes {JMP 0xffffffffd28e1d90} .text C:\windows\system32\csrss.exe[684] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000773ce640 5 bytes JMP 0000000149cb0320 .text C:\windows\system32\csrss.exe[684] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000773ce6b0 5 bytes JMP 0000000149cb0410 .text C:\windows\system32\csrss.exe[684] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000773ce6e0 5 bytes JMP 0000000149cb0230 .text C:\windows\system32\csrss.exe[684] C:\windows\SYSTEM32\ntdll.dll!NtGetContextThread 00000000773ce880 5 bytes JMP 0000000149cb03f0 .text C:\windows\system32\csrss.exe[684] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000773ce9a0 5 bytes JMP 0000000149cb01d0 .text C:\windows\system32\csrss.exe[684] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000773cea60 5 bytes JMP 0000000149cb0240 .text C:\windows\system32\csrss.exe[684] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000773cea90 5 bytes JMP 0000000149cb04b0 .text C:\windows\system32\csrss.exe[684] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000773ceaa0 5 bytes JMP 0000000149cb04c0 .text C:\windows\system32\csrss.exe[684] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000773cead0 5 bytes JMP 0000000149cb02f0 .text C:\windows\system32\csrss.exe[684] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000773ceae0 5 bytes JMP 0000000149cb0350 .text C:\windows\system32\csrss.exe[684] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000773ceb40 5 bytes JMP 0000000149cb0290 .text C:\windows\system32\csrss.exe[684] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000773ceb90 5 bytes JMP 0000000149cb02b0 .text C:\windows\system32\csrss.exe[684] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000773cebc0 5 bytes JMP 0000000149cb0370 .text C:\windows\system32\csrss.exe[684] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000773cebd0 5 bytes JMP 0000000149cb0330 .text C:\windows\system32\csrss.exe[684] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000773ceec0 5 bytes JMP 0000000149cb0460 .text C:\windows\system32\csrss.exe[684] C:\windows\SYSTEM32\ntdll.dll!NtResumeProcess 00000000773cf020 5 bytes JMP 0000000149cb0420 .text C:\windows\system32\csrss.exe[684] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000773cf0c0 1 byte JMP 0000000149cb0250 .text C:\windows\system32\csrss.exe[684] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 00000000773cf0c2 3 bytes {JMP 0xffffffffd28e1190} .text C:\windows\system32\csrss.exe[684] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000773cf0d0 1 byte JMP 0000000149cb0260 .text C:\windows\system32\csrss.exe[684] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 00000000773cf0d2 3 bytes {JMP 0xffffffffd28e1190} .text C:\windows\system32\csrss.exe[684] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000773cf0e0 5 bytes JMP 0000000149cb0400 .text C:\windows\system32\csrss.exe[684] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000773cf2a0 5 bytes JMP 0000000149cb01e0 .text C:\windows\system32\csrss.exe[684] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000773cf2b0 5 bytes JMP 0000000149cb0200 .text C:\windows\system32\csrss.exe[684] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000773cf320 5 bytes JMP 0000000149cb01f0 .text C:\windows\system32\csrss.exe[684] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000773cf380 5 bytes JMP 0000000149cb0430 .text C:\windows\system32\csrss.exe[684] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000773cf390 5 bytes JMP 0000000149cb0450 .text C:\windows\system32\csrss.exe[684] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000773cf3a0 5 bytes JMP 0000000149cb0210 .text C:\windows\system32\csrss.exe[684] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000773cf480 5 bytes JMP 0000000149cb0270 .text C:\windows\system32\csrss.exe[900] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000773cdc60 5 bytes JMP 0000000149cb0480 .text C:\windows\system32\csrss.exe[900] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000773cdcb0 5 bytes JMP 0000000149cb0470 .text C:\windows\system32\csrss.exe[900] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000773cde10 5 bytes JMP 0000000149cb0360 .text C:\windows\system32\csrss.exe[900] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000773cde60 5 bytes JMP 0000000149cb0490 .text C:\windows\system32\csrss.exe[900] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000773cde70 5 bytes JMP 0000000149cb03d0 .text C:\windows\system32\csrss.exe[900] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000773cdf20 5 bytes JMP 0000000149cb0310 .text C:\windows\system32\csrss.exe[900] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000773cdf50 5 bytes JMP 0000000149cb03a0 .text C:\windows\system32\csrss.exe[900] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000773cdf70 5 bytes JMP 0000000149cb0380 .text C:\windows\system32\csrss.exe[900] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000773cdfb0 5 bytes JMP 0000000149cb02d0 .text C:\windows\system32\csrss.exe[900] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000773ce030 1 byte JMP 0000000149cb02c0 .text C:\windows\system32\csrss.exe[900] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 00000000773ce032 3 bytes {JMP 0xffffffffd28e2290} .text C:\windows\system32\csrss.exe[900] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000773ce050 5 bytes JMP 0000000149cb0300 .text C:\windows\system32\csrss.exe[900] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000773ce090 5 bytes JMP 0000000149cb03b0 .text C:\windows\system32\csrss.exe[900] C:\windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000773ce0d0 5 bytes JMP 0000000149cb0440 .text C:\windows\system32\csrss.exe[900] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000773ce0e0 5 bytes JMP 0000000149cb03e0 .text C:\windows\system32\csrss.exe[900] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000773ce240 5 bytes JMP 0000000149cb0220 .text C:\windows\system32\csrss.exe[900] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000773ce400 5 bytes JMP 0000000149cb04a0 .text C:\windows\system32\csrss.exe[900] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000773ce430 5 bytes JMP 0000000149cb0390 .text C:\windows\system32\csrss.exe[900] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000773ce510 5 bytes JMP 0000000149cb02e0 .text C:\windows\system32\csrss.exe[900] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000773ce520 5 bytes JMP 0000000149cb0340 .text C:\windows\system32\csrss.exe[900] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000773ce580 5 bytes JMP 0000000149cb0280 .text C:\windows\system32\csrss.exe[900] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000773ce610 1 byte JMP 0000000149cb02a0 .text C:\windows\system32\csrss.exe[900] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 00000000773ce612 3 bytes {JMP 0xffffffffd28e1c90} .text C:\windows\system32\csrss.exe[900] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000773ce630 1 byte JMP 0000000149cb03c0 .text C:\windows\system32\csrss.exe[900] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 00000000773ce632 3 bytes {JMP 0xffffffffd28e1d90} .text C:\windows\system32\csrss.exe[900] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000773ce640 5 bytes JMP 0000000149cb0320 .text C:\windows\system32\csrss.exe[900] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000773ce6b0 5 bytes JMP 0000000149cb0410 .text C:\windows\system32\csrss.exe[900] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000773ce6e0 5 bytes JMP 0000000149cb0230 .text C:\windows\system32\csrss.exe[900] C:\windows\SYSTEM32\ntdll.dll!NtGetContextThread 00000000773ce880 5 bytes JMP 0000000149cb03f0 .text C:\windows\system32\csrss.exe[900] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000773ce9a0 5 bytes JMP 0000000149cb01d0 .text C:\windows\system32\csrss.exe[900] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000773cea60 5 bytes JMP 0000000149cb0240 .text C:\windows\system32\csrss.exe[900] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000773cea90 5 bytes JMP 0000000149cb04b0 .text C:\windows\system32\csrss.exe[900] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000773ceaa0 5 bytes JMP 0000000149cb04c0 .text C:\windows\system32\csrss.exe[900] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000773cead0 5 bytes JMP 0000000149cb02f0 .text C:\windows\system32\csrss.exe[900] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000773ceae0 5 bytes JMP 0000000149cb0350 .text C:\windows\system32\csrss.exe[900] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000773ceb40 5 bytes JMP 0000000149cb0290 .text C:\windows\system32\csrss.exe[900] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000773ceb90 5 bytes JMP 0000000149cb02b0 .text C:\windows\system32\csrss.exe[900] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000773cebc0 5 bytes JMP 0000000149cb0370 .text C:\windows\system32\csrss.exe[900] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000773cebd0 5 bytes JMP 0000000149cb0330 .text C:\windows\system32\csrss.exe[900] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000773ceec0 5 bytes JMP 0000000149cb0460 .text C:\windows\system32\csrss.exe[900] C:\windows\SYSTEM32\ntdll.dll!NtResumeProcess 00000000773cf020 5 bytes JMP 0000000149cb0420 .text C:\windows\system32\csrss.exe[900] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000773cf0c0 1 byte JMP 0000000149cb0250 .text C:\windows\system32\csrss.exe[900] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 00000000773cf0c2 3 bytes {JMP 0xffffffffd28e1190} .text C:\windows\system32\csrss.exe[900] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000773cf0d0 1 byte JMP 0000000149cb0260 .text C:\windows\system32\csrss.exe[900] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 00000000773cf0d2 3 bytes {JMP 0xffffffffd28e1190} .text C:\windows\system32\csrss.exe[900] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000773cf0e0 5 bytes JMP 0000000149cb0400 .text C:\windows\system32\csrss.exe[900] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000773cf2a0 5 bytes JMP 0000000149cb01e0 .text C:\windows\system32\csrss.exe[900] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000773cf2b0 5 bytes JMP 0000000149cb0200 .text C:\windows\system32\csrss.exe[900] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000773cf320 5 bytes JMP 0000000149cb01f0 .text C:\windows\system32\csrss.exe[900] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000773cf380 5 bytes JMP 0000000149cb0430 .text C:\windows\system32\csrss.exe[900] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000773cf390 5 bytes JMP 0000000149cb0450 .text C:\windows\system32\csrss.exe[900] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000773cf3a0 5 bytes JMP 0000000149cb0210 .text C:\windows\system32\csrss.exe[900] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000773cf480 5 bytes JMP 0000000149cb0270 .text C:\windows\system32\lsass.exe[1012] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000773cdc60 5 bytes JMP 0000000077530480 .text C:\windows\system32\lsass.exe[1012] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000773cdcb0 5 bytes JMP 0000000077530470 .text C:\windows\system32\lsass.exe[1012] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000773cde10 5 bytes JMP 0000000077530360 .text C:\windows\system32\lsass.exe[1012] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000773cde60 5 bytes JMP 0000000077530490 .text C:\windows\system32\lsass.exe[1012] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000773cde70 5 bytes JMP 00000000775303d0 .text C:\windows\system32\lsass.exe[1012] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000773cdf20 5 bytes JMP 0000000077530310 .text C:\windows\system32\lsass.exe[1012] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000773cdf50 5 bytes JMP 00000000775303a0 .text C:\windows\system32\lsass.exe[1012] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000773cdf70 5 bytes JMP 0000000077530380 .text C:\windows\system32\lsass.exe[1012] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000773cdfb0 5 bytes JMP 00000000775302d0 .text C:\windows\system32\lsass.exe[1012] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000773ce030 1 byte JMP 00000000775302c0 .text C:\windows\system32\lsass.exe[1012] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 00000000773ce032 3 bytes {JMP 0x162290} .text C:\windows\system32\lsass.exe[1012] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000773ce050 5 bytes JMP 0000000077530300 .text C:\windows\system32\lsass.exe[1012] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000773ce090 5 bytes JMP 00000000775303b0 .text C:\windows\system32\lsass.exe[1012] C:\windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000773ce0d0 5 bytes JMP 0000000077530440 .text C:\windows\system32\lsass.exe[1012] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000773ce0e0 5 bytes JMP 00000000775303e0 .text C:\windows\system32\lsass.exe[1012] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000773ce240 5 bytes JMP 0000000077530220 .text C:\windows\system32\lsass.exe[1012] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000773ce400 5 bytes JMP 00000000775304a0 .text C:\windows\system32\lsass.exe[1012] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000773ce430 5 bytes JMP 0000000077530390 .text C:\windows\system32\lsass.exe[1012] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000773ce510 5 bytes JMP 00000000775302e0 .text C:\windows\system32\lsass.exe[1012] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000773ce520 5 bytes JMP 0000000077530340 .text C:\windows\system32\lsass.exe[1012] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000773ce580 5 bytes JMP 0000000077530280 .text C:\windows\system32\lsass.exe[1012] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000773ce610 1 byte JMP 00000000775302a0 .text C:\windows\system32\lsass.exe[1012] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 00000000773ce612 3 bytes {JMP 0x161c90} .text C:\windows\system32\lsass.exe[1012] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000773ce630 1 byte JMP 00000000775303c0 .text C:\windows\system32\lsass.exe[1012] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 00000000773ce632 3 bytes {JMP 0x161d90} .text C:\windows\system32\lsass.exe[1012] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000773ce640 5 bytes JMP 0000000077530320 .text C:\windows\system32\lsass.exe[1012] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000773ce6b0 5 bytes JMP 0000000077530410 .text C:\windows\system32\lsass.exe[1012] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000773ce6e0 5 bytes JMP 0000000077530230 .text C:\windows\system32\lsass.exe[1012] C:\windows\SYSTEM32\ntdll.dll!NtGetContextThread 00000000773ce880 5 bytes JMP 00000000775303f0 .text C:\windows\system32\lsass.exe[1012] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000773ce9a0 5 bytes JMP 00000000775301d0 .text C:\windows\system32\lsass.exe[1012] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000773cea60 5 bytes JMP 0000000077530240 .text C:\windows\system32\lsass.exe[1012] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000773cea90 5 bytes JMP 00000000775304b0 .text C:\windows\system32\lsass.exe[1012] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000773ceaa0 5 bytes JMP 00000000775304c0 .text C:\windows\system32\lsass.exe[1012] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000773cead0 5 bytes JMP 00000000775302f0 .text C:\windows\system32\lsass.exe[1012] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000773ceae0 5 bytes JMP 0000000077530350 .text C:\windows\system32\lsass.exe[1012] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000773ceb40 5 bytes JMP 0000000077530290 .text C:\windows\system32\lsass.exe[1012] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000773ceb90 5 bytes JMP 00000000775302b0 .text C:\windows\system32\lsass.exe[1012] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000773cebc0 5 bytes JMP 0000000077530370 .text C:\windows\system32\lsass.exe[1012] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000773cebd0 5 bytes JMP 0000000077530330 .text C:\windows\system32\lsass.exe[1012] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000773ceec0 5 bytes JMP 0000000077530460 .text C:\windows\system32\lsass.exe[1012] C:\windows\SYSTEM32\ntdll.dll!NtResumeProcess 00000000773cf020 5 bytes JMP 0000000077530420 .text C:\windows\system32\lsass.exe[1012] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000773cf0c0 1 byte JMP 0000000077530250 .text C:\windows\system32\lsass.exe[1012] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 00000000773cf0c2 3 bytes {JMP 0x161190} .text C:\windows\system32\lsass.exe[1012] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000773cf0d0 1 byte JMP 0000000077530260 .text C:\windows\system32\lsass.exe[1012] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 00000000773cf0d2 3 bytes {JMP 0x161190} .text C:\windows\system32\lsass.exe[1012] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000773cf0e0 5 bytes JMP 0000000077530400 .text C:\windows\system32\lsass.exe[1012] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000773cf2a0 5 bytes JMP 00000000775301e0 .text C:\windows\system32\lsass.exe[1012] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000773cf2b0 5 bytes JMP 0000000077530200 .text C:\windows\system32\lsass.exe[1012] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000773cf320 5 bytes JMP 00000000775301f0 .text C:\windows\system32\lsass.exe[1012] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000773cf380 5 bytes JMP 0000000077530430 .text C:\windows\system32\lsass.exe[1012] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000773cf390 5 bytes JMP 0000000077530450 .text C:\windows\system32\lsass.exe[1012] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000773cf3a0 5 bytes JMP 0000000077530210 .text C:\windows\system32\lsass.exe[1012] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000773cf480 5 bytes JMP 0000000077530270 .text C:\windows\system32\lsm.exe[1020] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000773cdc60 5 bytes JMP 0000000077530480 .text C:\windows\system32\lsm.exe[1020] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000773cdcb0 5 bytes JMP 0000000077530470 .text C:\windows\system32\lsm.exe[1020] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000773cde10 5 bytes JMP 0000000077530360 .text C:\windows\system32\lsm.exe[1020] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000773cde60 5 bytes JMP 0000000077530490 .text C:\windows\system32\lsm.exe[1020] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000773cde70 5 bytes JMP 00000000775303d0 .text C:\windows\system32\lsm.exe[1020] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000773cdf20 5 bytes JMP 0000000077530310 .text C:\windows\system32\lsm.exe[1020] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000773cdf50 5 bytes JMP 00000000775303a0 .text C:\windows\system32\lsm.exe[1020] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000773cdf70 5 bytes JMP 0000000077530380 .text C:\windows\system32\lsm.exe[1020] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000773cdfb0 5 bytes JMP 00000000775302d0 .text C:\windows\system32\lsm.exe[1020] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000773ce030 1 byte JMP 00000000775302c0 .text C:\windows\system32\lsm.exe[1020] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 00000000773ce032 3 bytes {JMP 0x162290} .text C:\windows\system32\lsm.exe[1020] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000773ce050 5 bytes JMP 0000000077530300 .text C:\windows\system32\lsm.exe[1020] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000773ce090 5 bytes JMP 00000000775303b0 .text C:\windows\system32\lsm.exe[1020] C:\windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000773ce0d0 5 bytes JMP 0000000077530440 .text C:\windows\system32\lsm.exe[1020] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000773ce0e0 5 bytes JMP 00000000775303e0 .text C:\windows\system32\lsm.exe[1020] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000773ce240 5 bytes JMP 0000000077530220 .text C:\windows\system32\lsm.exe[1020] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000773ce400 5 bytes JMP 00000000775304a0 .text C:\windows\system32\lsm.exe[1020] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000773ce430 5 bytes JMP 0000000077530390 .text C:\windows\system32\lsm.exe[1020] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000773ce510 5 bytes JMP 00000000775302e0 .text C:\windows\system32\lsm.exe[1020] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000773ce520 5 bytes JMP 0000000077530340 .text C:\windows\system32\lsm.exe[1020] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000773ce580 5 bytes JMP 0000000077530280 .text C:\windows\system32\lsm.exe[1020] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000773ce610 1 byte JMP 00000000775302a0 .text C:\windows\system32\lsm.exe[1020] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 00000000773ce612 3 bytes {JMP 0x161c90} .text C:\windows\system32\lsm.exe[1020] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000773ce630 1 byte JMP 00000000775303c0 .text C:\windows\system32\lsm.exe[1020] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 00000000773ce632 3 bytes {JMP 0x161d90} .text C:\windows\system32\lsm.exe[1020] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000773ce640 5 bytes JMP 0000000077530320 .text C:\windows\system32\lsm.exe[1020] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000773ce6b0 5 bytes JMP 0000000077530410 .text C:\windows\system32\lsm.exe[1020] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000773ce6e0 5 bytes JMP 0000000077530230 .text C:\windows\system32\lsm.exe[1020] C:\windows\SYSTEM32\ntdll.dll!NtGetContextThread 00000000773ce880 5 bytes JMP 00000000775303f0 .text C:\windows\system32\lsm.exe[1020] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000773ce9a0 5 bytes JMP 00000000775301d0 .text C:\windows\system32\lsm.exe[1020] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000773cea60 5 bytes JMP 0000000077530240 .text C:\windows\system32\lsm.exe[1020] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000773cea90 5 bytes JMP 00000000775304b0 .text C:\windows\system32\lsm.exe[1020] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000773ceaa0 5 bytes JMP 00000000775304c0 .text C:\windows\system32\lsm.exe[1020] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000773cead0 5 bytes JMP 00000000775302f0 .text C:\windows\system32\lsm.exe[1020] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000773ceae0 5 bytes JMP 0000000077530350 .text C:\windows\system32\lsm.exe[1020] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000773ceb40 5 bytes JMP 0000000077530290 .text C:\windows\system32\lsm.exe[1020] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000773ceb90 5 bytes JMP 00000000775302b0 .text C:\windows\system32\lsm.exe[1020] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000773cebc0 5 bytes JMP 0000000077530370 .text C:\windows\system32\lsm.exe[1020] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000773cebd0 5 bytes JMP 0000000077530330 .text C:\windows\system32\lsm.exe[1020] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000773ceec0 5 bytes JMP 0000000077530460 .text C:\windows\system32\lsm.exe[1020] C:\windows\SYSTEM32\ntdll.dll!NtResumeProcess 00000000773cf020 5 bytes JMP 0000000077530420 .text C:\windows\system32\lsm.exe[1020] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000773cf0c0 1 byte JMP 0000000077530250 .text C:\windows\system32\lsm.exe[1020] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 00000000773cf0c2 3 bytes {JMP 0x161190} .text C:\windows\system32\lsm.exe[1020] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000773cf0d0 1 byte JMP 0000000077530260 .text C:\windows\system32\lsm.exe[1020] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 00000000773cf0d2 3 bytes {JMP 0x161190} .text C:\windows\system32\lsm.exe[1020] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000773cf0e0 5 bytes JMP 0000000077530400 .text C:\windows\system32\lsm.exe[1020] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000773cf2a0 5 bytes JMP 00000000775301e0 .text C:\windows\system32\lsm.exe[1020] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000773cf2b0 5 bytes JMP 0000000077530200 .text C:\windows\system32\lsm.exe[1020] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000773cf320 5 bytes JMP 00000000775301f0 .text C:\windows\system32\lsm.exe[1020] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000773cf380 5 bytes JMP 0000000077530430 .text C:\windows\system32\lsm.exe[1020] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000773cf390 5 bytes JMP 0000000077530450 .text C:\windows\system32\lsm.exe[1020] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000773cf3a0 5 bytes JMP 0000000077530210 .text C:\windows\system32\lsm.exe[1020] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000773cf480 5 bytes JMP 0000000077530270 .text C:\windows\system32\svchost.exe[532] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000773cdc60 5 bytes JMP 0000000077530480 .text C:\windows\system32\svchost.exe[532] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000773cdcb0 5 bytes JMP 0000000077530470 .text C:\windows\system32\svchost.exe[532] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000773cde10 5 bytes JMP 0000000077530360 .text C:\windows\system32\svchost.exe[532] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000773cde60 5 bytes JMP 0000000077530490 .text C:\windows\system32\svchost.exe[532] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000773cde70 5 bytes JMP 00000000775303d0 .text C:\windows\system32\svchost.exe[532] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000773cdf20 5 bytes JMP 0000000077530310 .text C:\windows\system32\svchost.exe[532] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000773cdf50 5 bytes JMP 00000000775303a0 .text C:\windows\system32\svchost.exe[532] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000773cdf70 5 bytes JMP 0000000077530380 .text C:\windows\system32\svchost.exe[532] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000773cdfb0 5 bytes JMP 00000000775302d0 .text C:\windows\system32\svchost.exe[532] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000773ce030 1 byte JMP 00000000775302c0 .text C:\windows\system32\svchost.exe[532] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 00000000773ce032 3 bytes {JMP 0x162290} .text C:\windows\system32\svchost.exe[532] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000773ce050 5 bytes JMP 0000000077530300 .text C:\windows\system32\svchost.exe[532] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000773ce090 5 bytes JMP 00000000775303b0 .text C:\windows\system32\svchost.exe[532] C:\windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000773ce0d0 5 bytes JMP 0000000077530440 .text C:\windows\system32\svchost.exe[532] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000773ce0e0 5 bytes JMP 00000000775303e0 .text C:\windows\system32\svchost.exe[532] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000773ce240 5 bytes JMP 0000000077530220 .text C:\windows\system32\svchost.exe[532] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000773ce400 5 bytes JMP 00000000775304a0 .text C:\windows\system32\svchost.exe[532] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000773ce430 5 bytes JMP 0000000077530390 .text C:\windows\system32\svchost.exe[532] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000773ce510 5 bytes JMP 00000000775302e0 .text C:\windows\system32\svchost.exe[532] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000773ce520 5 bytes JMP 0000000077530340 .text C:\windows\system32\svchost.exe[532] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000773ce580 5 bytes JMP 0000000077530280 .text C:\windows\system32\svchost.exe[532] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000773ce610 1 byte JMP 00000000775302a0 .text C:\windows\system32\svchost.exe[532] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 00000000773ce612 3 bytes {JMP 0x161c90} .text C:\windows\system32\svchost.exe[532] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000773ce630 1 byte JMP 00000000775303c0 .text C:\windows\system32\svchost.exe[532] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 00000000773ce632 3 bytes {JMP 0x161d90} .text C:\windows\system32\svchost.exe[532] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000773ce640 5 bytes JMP 0000000077530320 .text C:\windows\system32\svchost.exe[532] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000773ce6b0 5 bytes JMP 0000000077530410 .text C:\windows\system32\svchost.exe[532] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000773ce6e0 5 bytes JMP 0000000077530230 .text C:\windows\system32\svchost.exe[532] C:\windows\SYSTEM32\ntdll.dll!NtGetContextThread 00000000773ce880 5 bytes JMP 00000000775303f0 .text C:\windows\system32\svchost.exe[532] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000773ce9a0 5 bytes JMP 00000000775301d0 .text C:\windows\system32\svchost.exe[532] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000773cea60 5 bytes JMP 0000000077530240 .text C:\windows\system32\svchost.exe[532] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000773cea90 5 bytes JMP 00000000775304b0 .text C:\windows\system32\svchost.exe[532] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000773ceaa0 5 bytes JMP 00000000775304c0 .text C:\windows\system32\svchost.exe[532] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000773cead0 5 bytes JMP 00000000775302f0 .text C:\windows\system32\svchost.exe[532] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000773ceae0 5 bytes JMP 0000000077530350 .text C:\windows\system32\svchost.exe[532] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000773ceb40 5 bytes JMP 0000000077530290 .text C:\windows\system32\svchost.exe[532] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000773ceb90 5 bytes JMP 00000000775302b0 .text C:\windows\system32\svchost.exe[532] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000773cebc0 5 bytes JMP 0000000077530370 .text C:\windows\system32\svchost.exe[532] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000773cebd0 5 bytes JMP 0000000077530330 .text C:\windows\system32\svchost.exe[532] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000773ceec0 5 bytes JMP 0000000077530460 .text C:\windows\system32\svchost.exe[532] C:\windows\SYSTEM32\ntdll.dll!NtResumeProcess 00000000773cf020 5 bytes JMP 0000000077530420 .text C:\windows\system32\svchost.exe[532] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000773cf0c0 1 byte JMP 0000000077530250 .text C:\windows\system32\svchost.exe[532] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 00000000773cf0c2 3 bytes {JMP 0x161190} .text C:\windows\system32\svchost.exe[532] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000773cf0d0 1 byte JMP 0000000077530260 .text C:\windows\system32\svchost.exe[532] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 00000000773cf0d2 3 bytes {JMP 0x161190} .text C:\windows\system32\svchost.exe[532] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000773cf0e0 5 bytes JMP 0000000077530400 .text C:\windows\system32\svchost.exe[532] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000773cf2a0 5 bytes JMP 00000000775301e0 .text C:\windows\system32\svchost.exe[532] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000773cf2b0 5 bytes JMP 0000000077530200 .text C:\windows\system32\svchost.exe[532] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000773cf320 5 bytes JMP 00000000775301f0 .text C:\windows\system32\svchost.exe[532] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000773cf380 5 bytes JMP 0000000077530430 .text C:\windows\system32\svchost.exe[532] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000773cf390 5 bytes JMP 0000000077530450 .text C:\windows\system32\svchost.exe[532] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000773cf3a0 5 bytes JMP 0000000077530210 .text C:\windows\system32\svchost.exe[532] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000773cf480 5 bytes JMP 0000000077530270 .text C:\windows\system32\svchost.exe[836] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000773cdc60 5 bytes JMP 0000000077530480 .text C:\windows\system32\svchost.exe[836] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000773cdcb0 5 bytes JMP 0000000077530470 .text C:\windows\system32\svchost.exe[836] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000773cde10 5 bytes JMP 0000000077530360 .text C:\windows\system32\svchost.exe[836] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000773cde60 5 bytes JMP 0000000077530490 .text C:\windows\system32\svchost.exe[836] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000773cde70 5 bytes JMP 00000000775303d0 .text C:\windows\system32\svchost.exe[836] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000773cdf20 5 bytes JMP 0000000077530310 .text C:\windows\system32\svchost.exe[836] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000773cdf50 5 bytes JMP 00000000775303a0 .text C:\windows\system32\svchost.exe[836] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000773cdf70 5 bytes JMP 0000000077530380 .text C:\windows\system32\svchost.exe[836] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000773cdfb0 5 bytes JMP 00000000775302d0 .text C:\windows\system32\svchost.exe[836] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000773ce030 1 byte JMP 00000000775302c0 .text C:\windows\system32\svchost.exe[836] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 00000000773ce032 3 bytes {JMP 0x162290} .text C:\windows\system32\svchost.exe[836] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000773ce050 5 bytes JMP 0000000077530300 .text C:\windows\system32\svchost.exe[836] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000773ce090 5 bytes JMP 00000000775303b0 .text C:\windows\system32\svchost.exe[836] C:\windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000773ce0d0 5 bytes JMP 0000000077530440 .text C:\windows\system32\svchost.exe[836] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000773ce0e0 5 bytes JMP 00000000775303e0 .text C:\windows\system32\svchost.exe[836] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000773ce240 5 bytes JMP 0000000077530220 .text C:\windows\system32\svchost.exe[836] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000773ce400 5 bytes JMP 00000000775304a0 .text C:\windows\system32\svchost.exe[836] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000773ce430 5 bytes JMP 0000000077530390 .text C:\windows\system32\svchost.exe[836] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000773ce510 5 bytes JMP 00000000775302e0 .text C:\windows\system32\svchost.exe[836] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000773ce520 5 bytes JMP 0000000077530340 .text C:\windows\system32\svchost.exe[836] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000773ce580 5 bytes JMP 0000000077530280 .text C:\windows\system32\svchost.exe[836] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000773ce610 1 byte JMP 00000000775302a0 .text C:\windows\system32\svchost.exe[836] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 00000000773ce612 3 bytes {JMP 0x161c90} .text C:\windows\system32\svchost.exe[836] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000773ce630 1 byte JMP 00000000775303c0 .text C:\windows\system32\svchost.exe[836] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 00000000773ce632 3 bytes {JMP 0x161d90} .text C:\windows\system32\svchost.exe[836] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000773ce640 5 bytes JMP 0000000077530320 .text C:\windows\system32\svchost.exe[836] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000773ce6b0 5 bytes JMP 0000000077530410 .text C:\windows\system32\svchost.exe[836] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000773ce6e0 5 bytes JMP 0000000077530230 .text C:\windows\system32\svchost.exe[836] C:\windows\SYSTEM32\ntdll.dll!NtGetContextThread 00000000773ce880 5 bytes JMP 00000000775303f0 .text C:\windows\system32\svchost.exe[836] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000773ce9a0 5 bytes JMP 00000000775301d0 .text C:\windows\system32\svchost.exe[836] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000773cea60 5 bytes JMP 0000000077530240 .text C:\windows\system32\svchost.exe[836] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000773cea90 5 bytes JMP 00000000775304b0 .text C:\windows\system32\svchost.exe[836] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000773ceaa0 5 bytes JMP 00000000775304c0 .text C:\windows\system32\svchost.exe[836] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000773cead0 5 bytes JMP 00000000775302f0 .text C:\windows\system32\svchost.exe[836] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000773ceae0 5 bytes JMP 0000000077530350 .text C:\windows\system32\svchost.exe[836] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000773ceb40 5 bytes JMP 0000000077530290 .text C:\windows\system32\svchost.exe[836] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000773ceb90 5 bytes JMP 00000000775302b0 .text C:\windows\system32\svchost.exe[836] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000773cebc0 5 bytes JMP 0000000077530370 .text C:\windows\system32\svchost.exe[836] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000773cebd0 5 bytes JMP 0000000077530330 .text C:\windows\system32\svchost.exe[836] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000773ceec0 5 bytes JMP 0000000077530460 .text C:\windows\system32\svchost.exe[836] C:\windows\SYSTEM32\ntdll.dll!NtResumeProcess 00000000773cf020 5 bytes JMP 0000000077530420 .text C:\windows\system32\svchost.exe[836] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000773cf0c0 1 byte JMP 0000000077530250 .text C:\windows\system32\svchost.exe[836] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 00000000773cf0c2 3 bytes {JMP 0x161190} .text C:\windows\system32\svchost.exe[836] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000773cf0d0 1 byte JMP 0000000077530260 .text C:\windows\system32\svchost.exe[836] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 00000000773cf0d2 3 bytes {JMP 0x161190} .text C:\windows\system32\svchost.exe[836] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000773cf0e0 5 bytes JMP 0000000077530400 .text C:\windows\system32\svchost.exe[836] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000773cf2a0 5 bytes JMP 00000000775301e0 .text C:\windows\system32\svchost.exe[836] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000773cf2b0 5 bytes JMP 0000000077530200 .text C:\windows\system32\svchost.exe[836] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000773cf320 5 bytes JMP 00000000775301f0 .text C:\windows\system32\svchost.exe[836] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000773cf380 5 bytes JMP 0000000077530430 .text C:\windows\system32\svchost.exe[836] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000773cf390 5 bytes JMP 0000000077530450 .text C:\windows\system32\svchost.exe[836] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000773cf3a0 5 bytes JMP 0000000077530210 .text C:\windows\system32\svchost.exe[836] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000773cf480 5 bytes JMP 0000000077530270 .text C:\windows\System32\svchost.exe[1072] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000773cdc60 5 bytes JMP 0000000100070480 .text C:\windows\System32\svchost.exe[1072] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000773cdcb0 5 bytes JMP 0000000100070470 .text C:\windows\System32\svchost.exe[1072] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000773cde10 5 bytes JMP 0000000100070360 .text C:\windows\System32\svchost.exe[1072] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000773cde60 5 bytes JMP 0000000100070490 .text C:\windows\System32\svchost.exe[1072] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000773cde70 5 bytes JMP 00000001000703d0 .text C:\windows\System32\svchost.exe[1072] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000773cdf20 5 bytes JMP 0000000100070310 .text C:\windows\System32\svchost.exe[1072] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000773cdf50 5 bytes JMP 00000001000703a0 .text C:\windows\System32\svchost.exe[1072] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000773cdf70 5 bytes JMP 0000000100070380 .text C:\windows\System32\svchost.exe[1072] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000773cdfb0 5 bytes JMP 00000001000702d0 .text C:\windows\System32\svchost.exe[1072] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000773ce030 1 byte JMP 00000001000702c0 .text C:\windows\System32\svchost.exe[1072] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 00000000773ce032 3 bytes {JMP 0xffffffff88ca2290} .text C:\windows\System32\svchost.exe[1072] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000773ce050 5 bytes JMP 0000000100070300 .text C:\windows\System32\svchost.exe[1072] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000773ce090 5 bytes JMP 00000001000703b0 .text C:\windows\System32\svchost.exe[1072] C:\windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000773ce0d0 5 bytes JMP 0000000100070440 .text C:\windows\System32\svchost.exe[1072] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000773ce0e0 5 bytes JMP 00000001000703e0 .text C:\windows\System32\svchost.exe[1072] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000773ce240 5 bytes JMP 0000000100070220 .text C:\windows\System32\svchost.exe[1072] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000773ce400 5 bytes JMP 00000001000704a0 .text C:\windows\System32\svchost.exe[1072] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000773ce430 5 bytes JMP 0000000100070390 .text C:\windows\System32\svchost.exe[1072] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000773ce510 5 bytes JMP 00000001000702e0 .text C:\windows\System32\svchost.exe[1072] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000773ce520 5 bytes JMP 0000000100070340 .text C:\windows\System32\svchost.exe[1072] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000773ce580 5 bytes JMP 0000000100070280 .text C:\windows\System32\svchost.exe[1072] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000773ce610 1 byte JMP 00000001000702a0 .text C:\windows\System32\svchost.exe[1072] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 00000000773ce612 3 bytes {JMP 0xffffffff88ca1c90} .text C:\windows\System32\svchost.exe[1072] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000773ce630 1 byte JMP 00000001000703c0 .text C:\windows\System32\svchost.exe[1072] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 00000000773ce632 3 bytes {JMP 0xffffffff88ca1d90} .text C:\windows\System32\svchost.exe[1072] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000773ce640 5 bytes JMP 0000000100070320 .text C:\windows\System32\svchost.exe[1072] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000773ce6b0 5 bytes JMP 0000000100070410 .text C:\windows\System32\svchost.exe[1072] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000773ce6e0 5 bytes JMP 0000000100070230 .text C:\windows\System32\svchost.exe[1072] C:\windows\SYSTEM32\ntdll.dll!NtGetContextThread 00000000773ce880 5 bytes JMP 00000001000703f0 .text C:\windows\System32\svchost.exe[1072] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000773ce9a0 5 bytes JMP 00000001000701d0 .text C:\windows\System32\svchost.exe[1072] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000773cea60 5 bytes JMP 0000000100070240 .text C:\windows\System32\svchost.exe[1072] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000773cea90 5 bytes JMP 00000001000704b0 .text C:\windows\System32\svchost.exe[1072] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000773ceaa0 5 bytes JMP 00000001000704c0 .text C:\windows\System32\svchost.exe[1072] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000773cead0 5 bytes JMP 00000001000702f0 .text C:\windows\System32\svchost.exe[1072] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000773ceae0 5 bytes JMP 0000000100070350 .text C:\windows\System32\svchost.exe[1072] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000773ceb40 5 bytes JMP 0000000100070290 .text C:\windows\System32\svchost.exe[1072] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000773ceb90 5 bytes JMP 00000001000702b0 .text C:\windows\System32\svchost.exe[1072] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000773cebc0 5 bytes JMP 0000000100070370 .text C:\windows\System32\svchost.exe[1072] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000773cebd0 5 bytes JMP 0000000100070330 .text C:\windows\System32\svchost.exe[1072] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000773ceec0 5 bytes JMP 0000000100070460 .text C:\windows\System32\svchost.exe[1072] C:\windows\SYSTEM32\ntdll.dll!NtResumeProcess 00000000773cf020 5 bytes JMP 0000000100070420 .text C:\windows\System32\svchost.exe[1072] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000773cf0c0 1 byte JMP 0000000100070250 .text C:\windows\System32\svchost.exe[1072] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 00000000773cf0c2 3 bytes {JMP 0xffffffff88ca1190} .text C:\windows\System32\svchost.exe[1072] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000773cf0d0 1 byte JMP 0000000100070260 .text C:\windows\System32\svchost.exe[1072] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 00000000773cf0d2 3 bytes {JMP 0xffffffff88ca1190} .text C:\windows\System32\svchost.exe[1072] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000773cf0e0 5 bytes JMP 0000000100070400 .text C:\windows\System32\svchost.exe[1072] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000773cf2a0 5 bytes JMP 00000001000701e0 .text C:\windows\System32\svchost.exe[1072] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000773cf2b0 5 bytes JMP 0000000100070200 .text C:\windows\System32\svchost.exe[1072] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000773cf320 5 bytes JMP 00000001000701f0 .text C:\windows\System32\svchost.exe[1072] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000773cf380 5 bytes JMP 0000000100070430 .text C:\windows\System32\svchost.exe[1072] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000773cf390 5 bytes JMP 0000000100070450 .text C:\windows\System32\svchost.exe[1072] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000773cf3a0 5 bytes JMP 0000000100070210 .text C:\windows\System32\svchost.exe[1072] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000773cf480 5 bytes JMP 0000000100070270 .text C:\windows\System32\svchost.exe[1108] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000773cdc60 5 bytes JMP 0000000100070480 .text C:\windows\System32\svchost.exe[1108] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000773cdcb0 5 bytes JMP 0000000100070470 .text C:\windows\System32\svchost.exe[1108] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000773cde10 5 bytes JMP 0000000100070360 .text C:\windows\System32\svchost.exe[1108] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000773cde60 5 bytes JMP 0000000100070490 .text C:\windows\System32\svchost.exe[1108] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000773cde70 5 bytes JMP 00000001000703d0 .text C:\windows\System32\svchost.exe[1108] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000773cdf20 5 bytes JMP 0000000100070310 .text C:\windows\System32\svchost.exe[1108] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000773cdf50 5 bytes JMP 00000001000703a0 .text C:\windows\System32\svchost.exe[1108] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000773cdf70 5 bytes JMP 0000000100070380 .text C:\windows\System32\svchost.exe[1108] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000773cdfb0 5 bytes JMP 00000001000702d0 .text C:\windows\System32\svchost.exe[1108] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000773ce030 1 byte JMP 00000001000702c0 .text C:\windows\System32\svchost.exe[1108] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 00000000773ce032 3 bytes {JMP 0xffffffff88ca2290} .text C:\windows\System32\svchost.exe[1108] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000773ce050 5 bytes JMP 0000000100070300 .text C:\windows\System32\svchost.exe[1108] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000773ce090 5 bytes JMP 00000001000703b0 .text C:\windows\System32\svchost.exe[1108] C:\windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000773ce0d0 5 bytes JMP 0000000100070440 .text C:\windows\System32\svchost.exe[1108] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000773ce0e0 5 bytes JMP 00000001000703e0 .text C:\windows\System32\svchost.exe[1108] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000773ce240 5 bytes JMP 0000000100070220 .text C:\windows\System32\svchost.exe[1108] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000773ce400 5 bytes JMP 00000001000704a0 .text C:\windows\System32\svchost.exe[1108] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000773ce430 5 bytes JMP 0000000100070390 .text C:\windows\System32\svchost.exe[1108] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000773ce510 5 bytes JMP 00000001000702e0 .text C:\windows\System32\svchost.exe[1108] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000773ce520 5 bytes JMP 0000000100070340 .text C:\windows\System32\svchost.exe[1108] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000773ce580 5 bytes JMP 0000000100070280 .text C:\windows\System32\svchost.exe[1108] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000773ce610 1 byte JMP 00000001000702a0 .text C:\windows\System32\svchost.exe[1108] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 00000000773ce612 3 bytes {JMP 0xffffffff88ca1c90} .text C:\windows\System32\svchost.exe[1108] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000773ce630 1 byte JMP 00000001000703c0 .text C:\windows\System32\svchost.exe[1108] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 00000000773ce632 3 bytes {JMP 0xffffffff88ca1d90} .text C:\windows\System32\svchost.exe[1108] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000773ce640 5 bytes JMP 0000000100070320 .text C:\windows\System32\svchost.exe[1108] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000773ce6b0 5 bytes JMP 0000000100070410 .text C:\windows\System32\svchost.exe[1108] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000773ce6e0 5 bytes JMP 0000000100070230 .text C:\windows\System32\svchost.exe[1108] C:\windows\SYSTEM32\ntdll.dll!NtGetContextThread 00000000773ce880 5 bytes JMP 00000001000703f0 .text C:\windows\System32\svchost.exe[1108] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000773ce9a0 5 bytes JMP 00000001000701d0 .text C:\windows\System32\svchost.exe[1108] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000773cea60 5 bytes JMP 0000000100070240 .text C:\windows\System32\svchost.exe[1108] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000773cea90 5 bytes JMP 00000001000704b0 .text C:\windows\System32\svchost.exe[1108] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000773ceaa0 5 bytes JMP 00000001000704c0 .text C:\windows\System32\svchost.exe[1108] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000773cead0 5 bytes JMP 00000001000702f0 .text C:\windows\System32\svchost.exe[1108] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000773ceae0 5 bytes JMP 0000000100070350 .text C:\windows\System32\svchost.exe[1108] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000773ceb40 5 bytes JMP 0000000100070290 .text C:\windows\System32\svchost.exe[1108] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000773ceb90 5 bytes JMP 00000001000702b0 .text C:\windows\System32\svchost.exe[1108] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000773cebc0 5 bytes JMP 0000000100070370 .text C:\windows\System32\svchost.exe[1108] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000773cebd0 5 bytes JMP 0000000100070330 .text C:\windows\System32\svchost.exe[1108] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000773ceec0 5 bytes JMP 0000000100070460 .text C:\windows\System32\svchost.exe[1108] C:\windows\SYSTEM32\ntdll.dll!NtResumeProcess 00000000773cf020 5 bytes JMP 0000000100070420 .text C:\windows\System32\svchost.exe[1108] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000773cf0c0 1 byte JMP 0000000100070250 .text C:\windows\System32\svchost.exe[1108] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 00000000773cf0c2 3 bytes {JMP 0xffffffff88ca1190} .text C:\windows\System32\svchost.exe[1108] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000773cf0d0 1 byte JMP 0000000100070260 .text C:\windows\System32\svchost.exe[1108] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 00000000773cf0d2 3 bytes {JMP 0xffffffff88ca1190} .text C:\windows\System32\svchost.exe[1108] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000773cf0e0 5 bytes JMP 0000000100070400 .text C:\windows\System32\svchost.exe[1108] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000773cf2a0 5 bytes JMP 00000001000701e0 .text C:\windows\System32\svchost.exe[1108] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000773cf2b0 5 bytes JMP 0000000100070200 .text C:\windows\System32\svchost.exe[1108] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000773cf320 5 bytes JMP 00000001000701f0 .text C:\windows\System32\svchost.exe[1108] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000773cf380 5 bytes JMP 0000000100070430 .text C:\windows\System32\svchost.exe[1108] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000773cf390 5 bytes JMP 0000000100070450 .text C:\windows\System32\svchost.exe[1108] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000773cf3a0 5 bytes JMP 0000000100070210 .text C:\windows\System32\svchost.exe[1108] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000773cf480 5 bytes JMP 0000000100070270 .text C:\windows\system32\svchost.exe[1132] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000773cdc60 5 bytes JMP 0000000077530480 .text C:\windows\system32\svchost.exe[1132] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000773cdcb0 5 bytes JMP 0000000077530470 .text C:\windows\system32\svchost.exe[1132] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000773cde10 5 bytes JMP 0000000077530360 .text C:\windows\system32\svchost.exe[1132] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000773cde60 5 bytes JMP 0000000077530490 .text C:\windows\system32\svchost.exe[1132] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000773cde70 5 bytes JMP 00000000775303d0 .text C:\windows\system32\svchost.exe[1132] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000773cdf20 5 bytes JMP 0000000077530310 .text C:\windows\system32\svchost.exe[1132] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000773cdf50 5 bytes JMP 00000000775303a0 .text C:\windows\system32\svchost.exe[1132] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000773cdf70 5 bytes JMP 0000000077530380 .text C:\windows\system32\svchost.exe[1132] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000773cdfb0 5 bytes JMP 00000000775302d0 .text C:\windows\system32\svchost.exe[1132] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000773ce030 1 byte JMP 00000000775302c0 .text C:\windows\system32\svchost.exe[1132] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 00000000773ce032 3 bytes {JMP 0x162290} .text C:\windows\system32\svchost.exe[1132] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000773ce050 5 bytes JMP 0000000077530300 .text C:\windows\system32\svchost.exe[1132] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000773ce090 5 bytes JMP 00000000775303b0 .text C:\windows\system32\svchost.exe[1132] C:\windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000773ce0d0 5 bytes JMP 0000000077530440 .text C:\windows\system32\svchost.exe[1132] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000773ce0e0 5 bytes JMP 00000000775303e0 .text C:\windows\system32\svchost.exe[1132] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000773ce240 5 bytes JMP 0000000077530220 .text C:\windows\system32\svchost.exe[1132] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000773ce400 5 bytes JMP 00000000775304a0 .text C:\windows\system32\svchost.exe[1132] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000773ce430 5 bytes JMP 0000000077530390 .text C:\windows\system32\svchost.exe[1132] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000773ce510 5 bytes JMP 00000000775302e0 .text C:\windows\system32\svchost.exe[1132] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000773ce520 5 bytes JMP 0000000077530340 .text C:\windows\system32\svchost.exe[1132] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000773ce580 5 bytes JMP 0000000077530280 .text C:\windows\system32\svchost.exe[1132] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000773ce610 1 byte JMP 00000000775302a0 .text C:\windows\system32\svchost.exe[1132] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 00000000773ce612 3 bytes {JMP 0x161c90} .text C:\windows\system32\svchost.exe[1132] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000773ce630 1 byte JMP 00000000775303c0 .text C:\windows\system32\svchost.exe[1132] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 00000000773ce632 3 bytes {JMP 0x161d90} .text C:\windows\system32\svchost.exe[1132] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000773ce640 5 bytes JMP 0000000077530320 .text C:\windows\system32\svchost.exe[1132] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000773ce6b0 5 bytes JMP 0000000077530410 .text C:\windows\system32\svchost.exe[1132] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000773ce6e0 5 bytes JMP 0000000077530230 .text C:\windows\system32\svchost.exe[1132] C:\windows\SYSTEM32\ntdll.dll!NtGetContextThread 00000000773ce880 5 bytes JMP 00000000775303f0 .text C:\windows\system32\svchost.exe[1132] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000773ce9a0 5 bytes JMP 00000000775301d0 .text C:\windows\system32\svchost.exe[1132] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000773cea60 5 bytes JMP 0000000077530240 .text C:\windows\system32\svchost.exe[1132] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000773cea90 5 bytes JMP 00000000775304b0 .text C:\windows\system32\svchost.exe[1132] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000773ceaa0 5 bytes JMP 00000000775304c0 .text C:\windows\system32\svchost.exe[1132] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000773cead0 5 bytes JMP 00000000775302f0 .text C:\windows\system32\svchost.exe[1132] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000773ceae0 5 bytes JMP 0000000077530350 .text C:\windows\system32\svchost.exe[1132] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000773ceb40 5 bytes JMP 0000000077530290 .text C:\windows\system32\svchost.exe[1132] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000773ceb90 5 bytes JMP 00000000775302b0 .text C:\windows\system32\svchost.exe[1132] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000773cebc0 5 bytes JMP 0000000077530370 .text C:\windows\system32\svchost.exe[1132] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000773cebd0 5 bytes JMP 0000000077530330 .text C:\windows\system32\svchost.exe[1132] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000773ceec0 5 bytes JMP 0000000077530460 .text C:\windows\system32\svchost.exe[1132] C:\windows\SYSTEM32\ntdll.dll!NtResumeProcess 00000000773cf020 5 bytes JMP 0000000077530420 .text C:\windows\system32\svchost.exe[1132] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000773cf0c0 1 byte JMP 0000000077530250 .text C:\windows\system32\svchost.exe[1132] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 00000000773cf0c2 3 bytes {JMP 0x161190} .text C:\windows\system32\svchost.exe[1132] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000773cf0d0 1 byte JMP 0000000077530260 .text C:\windows\system32\svchost.exe[1132] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 00000000773cf0d2 3 bytes {JMP 0x161190} .text C:\windows\system32\svchost.exe[1132] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000773cf0e0 5 bytes JMP 0000000077530400 .text C:\windows\system32\svchost.exe[1132] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000773cf2a0 5 bytes JMP 00000000775301e0 .text C:\windows\system32\svchost.exe[1132] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000773cf2b0 5 bytes JMP 0000000077530200 .text C:\windows\system32\svchost.exe[1132] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000773cf320 5 bytes JMP 00000000775301f0 .text C:\windows\system32\svchost.exe[1132] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000773cf380 5 bytes JMP 0000000077530430 .text C:\windows\system32\svchost.exe[1132] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000773cf390 5 bytes JMP 0000000077530450 .text C:\windows\system32\svchost.exe[1132] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000773cf3a0 5 bytes JMP 0000000077530210 .text C:\windows\system32\svchost.exe[1132] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000773cf480 5 bytes JMP 0000000077530270 .text C:\windows\system32\svchost.exe[1156] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000773cdc60 5 bytes JMP 0000000077530480 .text C:\windows\system32\svchost.exe[1156] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000773cdcb0 5 bytes JMP 0000000077530470 .text C:\windows\system32\svchost.exe[1156] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000773cde10 5 bytes JMP 0000000077530360 .text C:\windows\system32\svchost.exe[1156] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000773cde60 5 bytes JMP 0000000077530490 .text C:\windows\system32\svchost.exe[1156] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000773cde70 5 bytes JMP 00000000775303d0 .text C:\windows\system32\svchost.exe[1156] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000773cdf20 5 bytes JMP 0000000077530310 .text C:\windows\system32\svchost.exe[1156] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000773cdf50 5 bytes JMP 00000000775303a0 .text C:\windows\system32\svchost.exe[1156] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000773cdf70 5 bytes JMP 0000000077530380 .text C:\windows\system32\svchost.exe[1156] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000773cdfb0 5 bytes JMP 00000000775302d0 .text C:\windows\system32\svchost.exe[1156] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000773ce030 1 byte JMP 00000000775302c0 .text C:\windows\system32\svchost.exe[1156] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 00000000773ce032 3 bytes {JMP 0x162290} .text C:\windows\system32\svchost.exe[1156] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000773ce050 5 bytes JMP 0000000077530300 .text C:\windows\system32\svchost.exe[1156] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000773ce090 5 bytes JMP 00000000775303b0 .text C:\windows\system32\svchost.exe[1156] C:\windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000773ce0d0 5 bytes JMP 0000000077530440 .text C:\windows\system32\svchost.exe[1156] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000773ce0e0 5 bytes JMP 00000000775303e0 .text C:\windows\system32\svchost.exe[1156] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000773ce240 5 bytes JMP 0000000077530220 .text C:\windows\system32\svchost.exe[1156] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000773ce400 5 bytes JMP 00000000775304a0 .text C:\windows\system32\svchost.exe[1156] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000773ce430 5 bytes JMP 0000000077530390 .text C:\windows\system32\svchost.exe[1156] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000773ce510 5 bytes JMP 00000000775302e0 .text C:\windows\system32\svchost.exe[1156] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000773ce520 5 bytes JMP 0000000077530340 .text C:\windows\system32\svchost.exe[1156] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000773ce580 5 bytes JMP 0000000077530280 .text C:\windows\system32\svchost.exe[1156] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000773ce610 1 byte JMP 00000000775302a0 .text C:\windows\system32\svchost.exe[1156] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 00000000773ce612 3 bytes {JMP 0x161c90} .text C:\windows\system32\svchost.exe[1156] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000773ce630 1 byte JMP 00000000775303c0 .text C:\windows\system32\svchost.exe[1156] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 00000000773ce632 3 bytes {JMP 0x161d90} .text C:\windows\system32\svchost.exe[1156] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000773ce640 5 bytes JMP 0000000077530320 .text C:\windows\system32\svchost.exe[1156] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000773ce6b0 5 bytes JMP 0000000077530410 .text C:\windows\system32\svchost.exe[1156] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000773ce6e0 5 bytes JMP 0000000077530230 .text C:\windows\system32\svchost.exe[1156] C:\windows\SYSTEM32\ntdll.dll!NtGetContextThread 00000000773ce880 5 bytes JMP 00000000775303f0 .text C:\windows\system32\svchost.exe[1156] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000773ce9a0 5 bytes JMP 00000000775301d0 .text C:\windows\system32\svchost.exe[1156] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000773cea60 5 bytes JMP 0000000077530240 .text C:\windows\system32\svchost.exe[1156] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000773cea90 5 bytes JMP 00000000775304b0 .text C:\windows\system32\svchost.exe[1156] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000773ceaa0 5 bytes JMP 00000000775304c0 .text C:\windows\system32\svchost.exe[1156] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000773cead0 5 bytes JMP 00000000775302f0 .text C:\windows\system32\svchost.exe[1156] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000773ceae0 5 bytes JMP 0000000077530350 .text C:\windows\system32\svchost.exe[1156] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000773ceb40 5 bytes JMP 0000000077530290 .text C:\windows\system32\svchost.exe[1156] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000773ceb90 5 bytes JMP 00000000775302b0 .text C:\windows\system32\svchost.exe[1156] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000773cebc0 5 bytes JMP 0000000077530370 .text C:\windows\system32\svchost.exe[1156] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000773cebd0 5 bytes JMP 0000000077530330 .text C:\windows\system32\svchost.exe[1156] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000773ceec0 5 bytes JMP 0000000077530460 .text C:\windows\system32\svchost.exe[1156] C:\windows\SYSTEM32\ntdll.dll!NtResumeProcess 00000000773cf020 5 bytes JMP 0000000077530420 .text C:\windows\system32\svchost.exe[1156] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000773cf0c0 1 byte JMP 0000000077530250 .text C:\windows\system32\svchost.exe[1156] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 00000000773cf0c2 3 bytes {JMP 0x161190} .text C:\windows\system32\svchost.exe[1156] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000773cf0d0 1 byte JMP 0000000077530260 .text C:\windows\system32\svchost.exe[1156] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 00000000773cf0d2 3 bytes {JMP 0x161190} .text C:\windows\system32\svchost.exe[1156] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000773cf0e0 5 bytes JMP 0000000077530400 .text C:\windows\system32\svchost.exe[1156] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000773cf2a0 5 bytes JMP 00000000775301e0 .text C:\windows\system32\svchost.exe[1156] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000773cf2b0 5 bytes JMP 0000000077530200 .text C:\windows\system32\svchost.exe[1156] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000773cf320 5 bytes JMP 00000000775301f0 .text C:\windows\system32\svchost.exe[1156] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000773cf380 5 bytes JMP 0000000077530430 .text C:\windows\system32\svchost.exe[1156] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000773cf390 5 bytes JMP 0000000077530450 .text C:\windows\system32\svchost.exe[1156] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000773cf3a0 5 bytes JMP 0000000077530210 .text C:\windows\system32\svchost.exe[1156] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000773cf480 5 bytes JMP 0000000077530270 .text C:\windows\system32\svchost.exe[1360] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000773cdc60 5 bytes JMP 0000000077530480 .text C:\windows\system32\svchost.exe[1360] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000773cdcb0 5 bytes JMP 0000000077530470 .text C:\windows\system32\svchost.exe[1360] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000773cde10 5 bytes JMP 0000000077530360 .text C:\windows\system32\svchost.exe[1360] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000773cde60 5 bytes JMP 0000000077530490 .text C:\windows\system32\svchost.exe[1360] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000773cde70 5 bytes JMP 00000000775303d0 .text C:\windows\system32\svchost.exe[1360] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000773cdf20 5 bytes JMP 0000000077530310 .text C:\windows\system32\svchost.exe[1360] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000773cdf50 5 bytes JMP 00000000775303a0 .text C:\windows\system32\svchost.exe[1360] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000773cdf70 5 bytes JMP 0000000077530380 .text C:\windows\system32\svchost.exe[1360] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000773cdfb0 5 bytes JMP 00000000775302d0 .text C:\windows\system32\svchost.exe[1360] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000773ce030 1 byte JMP 00000000775302c0 .text C:\windows\system32\svchost.exe[1360] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 00000000773ce032 3 bytes {JMP 0x162290} .text C:\windows\system32\svchost.exe[1360] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000773ce050 5 bytes JMP 0000000077530300 .text C:\windows\system32\svchost.exe[1360] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000773ce090 5 bytes JMP 00000000775303b0 .text C:\windows\system32\svchost.exe[1360] C:\windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000773ce0d0 5 bytes JMP 0000000077530440 .text C:\windows\system32\svchost.exe[1360] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000773ce0e0 5 bytes JMP 00000000775303e0 .text C:\windows\system32\svchost.exe[1360] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000773ce240 5 bytes JMP 0000000077530220 .text C:\windows\system32\svchost.exe[1360] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000773ce400 5 bytes JMP 00000000775304a0 .text C:\windows\system32\svchost.exe[1360] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000773ce430 5 bytes JMP 0000000077530390 .text C:\windows\system32\svchost.exe[1360] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000773ce510 5 bytes JMP 00000000775302e0 .text C:\windows\system32\svchost.exe[1360] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000773ce520 5 bytes JMP 0000000077530340 .text C:\windows\system32\svchost.exe[1360] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000773ce580 5 bytes JMP 0000000077530280 .text C:\windows\system32\svchost.exe[1360] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000773ce610 1 byte JMP 00000000775302a0 .text C:\windows\system32\svchost.exe[1360] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 00000000773ce612 3 bytes {JMP 0x161c90} .text C:\windows\system32\svchost.exe[1360] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000773ce630 1 byte JMP 00000000775303c0 .text C:\windows\system32\svchost.exe[1360] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 00000000773ce632 3 bytes {JMP 0x161d90} .text C:\windows\system32\svchost.exe[1360] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000773ce640 5 bytes JMP 0000000077530320 .text C:\windows\system32\svchost.exe[1360] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000773ce6b0 5 bytes JMP 0000000077530410 .text C:\windows\system32\svchost.exe[1360] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000773ce6e0 5 bytes JMP 0000000077530230 .text C:\windows\system32\svchost.exe[1360] C:\windows\SYSTEM32\ntdll.dll!NtGetContextThread 00000000773ce880 5 bytes JMP 00000000775303f0 .text C:\windows\system32\svchost.exe[1360] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000773ce9a0 5 bytes JMP 00000000775301d0 .text C:\windows\system32\svchost.exe[1360] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000773cea60 5 bytes JMP 0000000077530240 .text C:\windows\system32\svchost.exe[1360] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000773cea90 5 bytes JMP 00000000775304b0 .text C:\windows\system32\svchost.exe[1360] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000773ceaa0 5 bytes JMP 00000000775304c0 .text C:\windows\system32\svchost.exe[1360] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000773cead0 5 bytes JMP 00000000775302f0 .text C:\windows\system32\svchost.exe[1360] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000773ceae0 5 bytes JMP 0000000077530350 .text C:\windows\system32\svchost.exe[1360] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000773ceb40 5 bytes JMP 0000000077530290 .text C:\windows\system32\svchost.exe[1360] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000773ceb90 5 bytes JMP 00000000775302b0 .text C:\windows\system32\svchost.exe[1360] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000773cebc0 5 bytes JMP 0000000077530370 .text C:\windows\system32\svchost.exe[1360] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000773cebd0 5 bytes JMP 0000000077530330 .text C:\windows\system32\svchost.exe[1360] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000773ceec0 5 bytes JMP 0000000077530460 .text C:\windows\system32\svchost.exe[1360] C:\windows\SYSTEM32\ntdll.dll!NtResumeProcess 00000000773cf020 5 bytes JMP 0000000077530420 .text C:\windows\system32\svchost.exe[1360] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000773cf0c0 1 byte JMP 0000000077530250 .text C:\windows\system32\svchost.exe[1360] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 00000000773cf0c2 3 bytes {JMP 0x161190} .text C:\windows\system32\svchost.exe[1360] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000773cf0d0 1 byte JMP 0000000077530260 .text C:\windows\system32\svchost.exe[1360] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 00000000773cf0d2 3 bytes {JMP 0x161190} .text C:\windows\system32\svchost.exe[1360] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000773cf0e0 5 bytes JMP 0000000077530400 .text C:\windows\system32\svchost.exe[1360] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000773cf2a0 5 bytes JMP 00000000775301e0 .text C:\windows\system32\svchost.exe[1360] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000773cf2b0 5 bytes JMP 0000000077530200 .text C:\windows\system32\svchost.exe[1360] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000773cf320 5 bytes JMP 00000000775301f0 .text C:\windows\system32\svchost.exe[1360] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000773cf380 5 bytes JMP 0000000077530430 .text C:\windows\system32\svchost.exe[1360] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000773cf390 5 bytes JMP 0000000077530450 .text C:\windows\system32\svchost.exe[1360] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000773cf3a0 5 bytes JMP 0000000077530210 .text C:\windows\system32\svchost.exe[1360] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000773cf480 5 bytes JMP 0000000077530270 .text C:\windows\system32\svchost.exe[1480] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000773cdc60 5 bytes JMP 0000000077530480 .text C:\windows\system32\svchost.exe[1480] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000773cdcb0 5 bytes JMP 0000000077530470 .text C:\windows\system32\svchost.exe[1480] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000773cde10 5 bytes JMP 0000000077530360 .text C:\windows\system32\svchost.exe[1480] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000773cde60 5 bytes JMP 0000000077530490 .text C:\windows\system32\svchost.exe[1480] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000773cde70 5 bytes JMP 00000000775303d0 .text C:\windows\system32\svchost.exe[1480] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000773cdf20 5 bytes JMP 0000000077530310 .text C:\windows\system32\svchost.exe[1480] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000773cdf50 5 bytes JMP 00000000775303a0 .text C:\windows\system32\svchost.exe[1480] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000773cdf70 5 bytes JMP 0000000077530380 .text C:\windows\system32\svchost.exe[1480] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000773cdfb0 5 bytes JMP 00000000775302d0 .text C:\windows\system32\svchost.exe[1480] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000773ce030 1 byte JMP 00000000775302c0 .text C:\windows\system32\svchost.exe[1480] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 00000000773ce032 3 bytes {JMP 0x162290} .text C:\windows\system32\svchost.exe[1480] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000773ce050 5 bytes JMP 0000000077530300 .text C:\windows\system32\svchost.exe[1480] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000773ce090 5 bytes JMP 00000000775303b0 .text C:\windows\system32\svchost.exe[1480] C:\windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000773ce0d0 5 bytes JMP 0000000077530440 .text C:\windows\system32\svchost.exe[1480] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000773ce0e0 5 bytes JMP 00000000775303e0 .text C:\windows\system32\svchost.exe[1480] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000773ce240 5 bytes JMP 0000000077530220 .text C:\windows\system32\svchost.exe[1480] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000773ce400 5 bytes JMP 00000000775304a0 .text C:\windows\system32\svchost.exe[1480] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000773ce430 5 bytes JMP 0000000077530390 .text C:\windows\system32\svchost.exe[1480] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000773ce510 5 bytes JMP 00000000775302e0 .text C:\windows\system32\svchost.exe[1480] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000773ce520 5 bytes JMP 0000000077530340 .text C:\windows\system32\svchost.exe[1480] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000773ce580 5 bytes JMP 0000000077530280 .text C:\windows\system32\svchost.exe[1480] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000773ce610 1 byte JMP 00000000775302a0 .text C:\windows\system32\svchost.exe[1480] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 00000000773ce612 3 bytes {JMP 0x161c90} .text C:\windows\system32\svchost.exe[1480] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000773ce630 1 byte JMP 00000000775303c0 .text C:\windows\system32\svchost.exe[1480] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 00000000773ce632 3 bytes {JMP 0x161d90} .text C:\windows\system32\svchost.exe[1480] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000773ce640 5 bytes JMP 0000000077530320 .text C:\windows\system32\svchost.exe[1480] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000773ce6b0 5 bytes JMP 0000000077530410 .text C:\windows\system32\svchost.exe[1480] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000773ce6e0 5 bytes JMP 0000000077530230 .text C:\windows\system32\svchost.exe[1480] C:\windows\SYSTEM32\ntdll.dll!NtGetContextThread 00000000773ce880 5 bytes JMP 00000000775303f0 .text C:\windows\system32\svchost.exe[1480] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000773ce9a0 5 bytes JMP 00000000775301d0 .text C:\windows\system32\svchost.exe[1480] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000773cea60 5 bytes JMP 0000000077530240 .text C:\windows\system32\svchost.exe[1480] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000773cea90 5 bytes JMP 00000000775304b0 .text C:\windows\system32\svchost.exe[1480] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000773ceaa0 5 bytes JMP 00000000775304c0 .text C:\windows\system32\svchost.exe[1480] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000773cead0 5 bytes JMP 00000000775302f0 .text C:\windows\system32\svchost.exe[1480] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000773ceae0 5 bytes JMP 0000000077530350 .text C:\windows\system32\svchost.exe[1480] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000773ceb40 5 bytes JMP 0000000077530290 .text C:\windows\system32\svchost.exe[1480] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000773ceb90 5 bytes JMP 00000000775302b0 .text C:\windows\system32\svchost.exe[1480] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000773cebc0 5 bytes JMP 0000000077530370 .text C:\windows\system32\svchost.exe[1480] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000773cebd0 5 bytes JMP 0000000077530330 .text C:\windows\system32\svchost.exe[1480] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000773ceec0 5 bytes JMP 0000000077530460 .text C:\windows\system32\svchost.exe[1480] C:\windows\SYSTEM32\ntdll.dll!NtResumeProcess 00000000773cf020 5 bytes JMP 0000000077530420 .text C:\windows\system32\svchost.exe[1480] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000773cf0c0 1 byte JMP 0000000077530250 .text C:\windows\system32\svchost.exe[1480] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 00000000773cf0c2 3 bytes {JMP 0x161190} .text C:\windows\system32\svchost.exe[1480] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000773cf0d0 1 byte JMP 0000000077530260 .text C:\windows\system32\svchost.exe[1480] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 00000000773cf0d2 3 bytes {JMP 0x161190} .text C:\windows\system32\svchost.exe[1480] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000773cf0e0 5 bytes JMP 0000000077530400 .text C:\windows\system32\svchost.exe[1480] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000773cf2a0 5 bytes JMP 00000000775301e0 .text C:\windows\system32\svchost.exe[1480] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000773cf2b0 5 bytes JMP 0000000077530200 .text C:\windows\system32\svchost.exe[1480] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000773cf320 5 bytes JMP 00000000775301f0 .text C:\windows\system32\svchost.exe[1480] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000773cf380 5 bytes JMP 0000000077530430 .text C:\windows\system32\svchost.exe[1480] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000773cf390 5 bytes JMP 0000000077530450 .text C:\windows\system32\svchost.exe[1480] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000773cf3a0 5 bytes JMP 0000000077530210 .text C:\windows\system32\svchost.exe[1480] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000773cf480 5 bytes JMP 0000000077530270 .text C:\windows\Explorer.EXE[1520] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000773cdc60 5 bytes JMP 0000000077530480 .text C:\windows\Explorer.EXE[1520] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000773cdcb0 5 bytes JMP 0000000077530470 .text C:\windows\Explorer.EXE[1520] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000773cde10 5 bytes JMP 0000000077530360 .text C:\windows\Explorer.EXE[1520] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000773cde60 5 bytes JMP 0000000077530490 .text C:\windows\Explorer.EXE[1520] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000773cde70 5 bytes JMP 00000000775303d0 .text C:\windows\Explorer.EXE[1520] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000773cdf20 5 bytes JMP 0000000077530310 .text C:\windows\Explorer.EXE[1520] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000773cdf50 5 bytes JMP 00000000775303a0 .text C:\windows\Explorer.EXE[1520] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000773cdf70 5 bytes JMP 0000000077530380 .text C:\windows\Explorer.EXE[1520] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000773cdfb0 5 bytes JMP 00000000775302d0 .text C:\windows\Explorer.EXE[1520] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000773ce030 1 byte JMP 00000000775302c0 .text C:\windows\Explorer.EXE[1520] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 00000000773ce032 3 bytes {JMP 0x162290} .text C:\windows\Explorer.EXE[1520] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000773ce050 5 bytes JMP 0000000077530300 .text C:\windows\Explorer.EXE[1520] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000773ce090 5 bytes JMP 00000000775303b0 .text C:\windows\Explorer.EXE[1520] C:\windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000773ce0d0 5 bytes JMP 0000000077530440 .text C:\windows\Explorer.EXE[1520] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000773ce0e0 5 bytes JMP 00000000775303e0 .text C:\windows\Explorer.EXE[1520] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000773ce240 5 bytes JMP 0000000077530220 .text C:\windows\Explorer.EXE[1520] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000773ce400 5 bytes JMP 00000000775304a0 .text C:\windows\Explorer.EXE[1520] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000773ce430 5 bytes JMP 0000000077530390 .text C:\windows\Explorer.EXE[1520] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000773ce510 5 bytes JMP 00000000775302e0 .text C:\windows\Explorer.EXE[1520] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000773ce520 5 bytes JMP 0000000077530340 .text C:\windows\Explorer.EXE[1520] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000773ce580 5 bytes JMP 0000000077530280 .text C:\windows\Explorer.EXE[1520] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000773ce610 1 byte JMP 00000000775302a0 .text C:\windows\Explorer.EXE[1520] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 00000000773ce612 3 bytes {JMP 0x161c90} .text C:\windows\Explorer.EXE[1520] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000773ce630 1 byte JMP 00000000775303c0 .text C:\windows\Explorer.EXE[1520] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 00000000773ce632 3 bytes {JMP 0x161d90} .text C:\windows\Explorer.EXE[1520] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000773ce640 5 bytes JMP 0000000077530320 .text C:\windows\Explorer.EXE[1520] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000773ce6b0 5 bytes JMP 0000000077530410 .text C:\windows\Explorer.EXE[1520] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000773ce6e0 5 bytes JMP 0000000077530230 .text C:\windows\Explorer.EXE[1520] C:\windows\SYSTEM32\ntdll.dll!NtGetContextThread 00000000773ce880 5 bytes JMP 00000000775303f0 .text C:\windows\Explorer.EXE[1520] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000773ce9a0 5 bytes JMP 00000000775301d0 .text C:\windows\Explorer.EXE[1520] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000773cea60 5 bytes JMP 0000000077530240 .text C:\windows\Explorer.EXE[1520] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000773cea90 5 bytes JMP 00000000775304b0 .text C:\windows\Explorer.EXE[1520] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000773ceaa0 5 bytes JMP 00000000775304c0 .text C:\windows\Explorer.EXE[1520] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000773cead0 5 bytes JMP 00000000775302f0 .text C:\windows\Explorer.EXE[1520] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000773ceae0 5 bytes JMP 0000000077530350 .text C:\windows\Explorer.EXE[1520] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000773ceb40 5 bytes JMP 0000000077530290 .text C:\windows\Explorer.EXE[1520] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000773ceb90 5 bytes JMP 00000000775302b0 .text C:\windows\Explorer.EXE[1520] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000773cebc0 5 bytes JMP 0000000077530370 .text C:\windows\Explorer.EXE[1520] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000773cebd0 5 bytes JMP 0000000077530330 .text C:\windows\Explorer.EXE[1520] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000773ceec0 5 bytes JMP 0000000077530460 .text C:\windows\Explorer.EXE[1520] C:\windows\SYSTEM32\ntdll.dll!NtResumeProcess 00000000773cf020 5 bytes JMP 0000000077530420 .text C:\windows\Explorer.EXE[1520] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000773cf0c0 1 byte JMP 0000000077530250 .text C:\windows\Explorer.EXE[1520] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 00000000773cf0c2 3 bytes {JMP 0x161190} .text C:\windows\Explorer.EXE[1520] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000773cf0d0 1 byte JMP 0000000077530260 .text C:\windows\Explorer.EXE[1520] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 00000000773cf0d2 3 bytes {JMP 0x161190} .text C:\windows\Explorer.EXE[1520] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000773cf0e0 5 bytes JMP 0000000077530400 .text C:\windows\Explorer.EXE[1520] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000773cf2a0 5 bytes JMP 00000000775301e0 .text C:\windows\Explorer.EXE[1520] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000773cf2b0 5 bytes JMP 0000000077530200 .text C:\windows\Explorer.EXE[1520] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000773cf320 5 bytes JMP 00000000775301f0 .text C:\windows\Explorer.EXE[1520] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000773cf380 5 bytes JMP 0000000077530430 .text C:\windows\Explorer.EXE[1520] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000773cf390 5 bytes JMP 0000000077530450 .text C:\windows\Explorer.EXE[1520] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000773cf3a0 5 bytes JMP 0000000077530210 .text C:\windows\Explorer.EXE[1520] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000773cf480 5 bytes JMP 0000000077530270 .text C:\Program Files (x86)\Common Files\Autodesk Shared\AppManager\R1\AdAppMgrSvc.exe[1960] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 00000000764e1401 2 bytes JMP 768db21b C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Autodesk Shared\AppManager\R1\AdAppMgrSvc.exe[1960] C:\windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 00000000764e1419 2 bytes JMP 768db346 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Autodesk Shared\AppManager\R1\AdAppMgrSvc.exe[1960] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 00000000764e1431 2 bytes JMP 76958f29 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Autodesk Shared\AppManager\R1\AdAppMgrSvc.exe[1960] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 00000000764e144a 2 bytes CALL 768b489d C:\windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\Common Files\Autodesk Shared\AppManager\R1\AdAppMgrSvc.exe[1960] C:\windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000764e14dd 2 bytes JMP 76958822 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Autodesk Shared\AppManager\R1\AdAppMgrSvc.exe[1960] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000764e14f5 2 bytes JMP 769589f8 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Autodesk Shared\AppManager\R1\AdAppMgrSvc.exe[1960] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 00000000764e150d 2 bytes JMP 76958718 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Autodesk Shared\AppManager\R1\AdAppMgrSvc.exe[1960] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 00000000764e1525 2 bytes JMP 76958ae2 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Autodesk Shared\AppManager\R1\AdAppMgrSvc.exe[1960] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 00000000764e153d 2 bytes JMP 768cfca8 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Autodesk Shared\AppManager\R1\AdAppMgrSvc.exe[1960] C:\windows\syswow64\PSAPI.DLL!EnumProcesses + 17 00000000764e1555 2 bytes JMP 768d68ef C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Autodesk Shared\AppManager\R1\AdAppMgrSvc.exe[1960] C:\windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 00000000764e156d 2 bytes JMP 76958fe3 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Autodesk Shared\AppManager\R1\AdAppMgrSvc.exe[1960] C:\windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 00000000764e1585 2 bytes JMP 76958b42 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Autodesk Shared\AppManager\R1\AdAppMgrSvc.exe[1960] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 00000000764e159d 2 bytes JMP 769586dc C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Autodesk Shared\AppManager\R1\AdAppMgrSvc.exe[1960] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000764e15b5 2 bytes JMP 768cfd41 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Autodesk Shared\AppManager\R1\AdAppMgrSvc.exe[1960] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000764e15cd 2 bytes JMP 768db2dc C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Autodesk Shared\AppManager\R1\AdAppMgrSvc.exe[1960] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000764e16b2 2 bytes JMP 76958ea4 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Autodesk Shared\AppManager\R1\AdAppMgrSvc.exe[1960] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000764e16bd 2 bytes JMP 76958671 C:\windows\syswow64\kernel32.dll .text C:\Program Files\AVAST Software\Avast\avastui.exe[3052] C:\windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter 00000000768b8781 8 bytes [31, C0, C2, 04, 00, 90, 90, ...] .text C:\windows\System32\svchost.exe[3652] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000773cdc60 5 bytes JMP 0000000077530480 .text C:\windows\System32\svchost.exe[3652] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000773cdcb0 5 bytes JMP 0000000077530470 .text C:\windows\System32\svchost.exe[3652] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000773cde10 5 bytes JMP 0000000077530360 .text C:\windows\System32\svchost.exe[3652] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000773cde60 5 bytes JMP 0000000077530490 .text C:\windows\System32\svchost.exe[3652] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000773cde70 5 bytes JMP 00000000775303d0 .text C:\windows\System32\svchost.exe[3652] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000773cdf20 5 bytes JMP 0000000077530310 .text C:\windows\System32\svchost.exe[3652] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000773cdf50 5 bytes JMP 00000000775303a0 .text C:\windows\System32\svchost.exe[3652] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000773cdf70 5 bytes JMP 0000000077530380 .text C:\windows\System32\svchost.exe[3652] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000773cdfb0 5 bytes JMP 00000000775302d0 .text C:\windows\System32\svchost.exe[3652] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000773ce030 1 byte JMP 00000000775302c0 .text C:\windows\System32\svchost.exe[3652] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 00000000773ce032 3 bytes {JMP 0x162290} .text C:\windows\System32\svchost.exe[3652] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000773ce050 5 bytes JMP 0000000077530300 .text C:\windows\System32\svchost.exe[3652] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000773ce090 5 bytes JMP 00000000775303b0 .text C:\windows\System32\svchost.exe[3652] C:\windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000773ce0d0 5 bytes JMP 0000000077530440 .text C:\windows\System32\svchost.exe[3652] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000773ce0e0 5 bytes JMP 00000000775303e0 .text C:\windows\System32\svchost.exe[3652] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000773ce240 5 bytes JMP 0000000077530220 .text C:\windows\System32\svchost.exe[3652] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000773ce400 5 bytes JMP 00000000775304a0 .text C:\windows\System32\svchost.exe[3652] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000773ce430 5 bytes JMP 0000000077530390 .text C:\windows\System32\svchost.exe[3652] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000773ce510 5 bytes JMP 00000000775302e0 .text C:\windows\System32\svchost.exe[3652] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000773ce520 5 bytes JMP 0000000077530340 .text C:\windows\System32\svchost.exe[3652] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000773ce580 5 bytes JMP 0000000077530280 .text C:\windows\System32\svchost.exe[3652] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000773ce610 1 byte JMP 00000000775302a0 .text C:\windows\System32\svchost.exe[3652] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 00000000773ce612 3 bytes {JMP 0x161c90} .text C:\windows\System32\svchost.exe[3652] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000773ce630 1 byte JMP 00000000775303c0 .text C:\windows\System32\svchost.exe[3652] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 00000000773ce632 3 bytes {JMP 0x161d90} .text C:\windows\System32\svchost.exe[3652] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000773ce640 5 bytes JMP 0000000077530320 .text C:\windows\System32\svchost.exe[3652] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000773ce6b0 5 bytes JMP 0000000077530410 .text C:\windows\System32\svchost.exe[3652] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000773ce6e0 5 bytes JMP 0000000077530230 .text C:\windows\System32\svchost.exe[3652] C:\windows\SYSTEM32\ntdll.dll!NtGetContextThread 00000000773ce880 5 bytes JMP 00000000775303f0 .text C:\windows\System32\svchost.exe[3652] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000773ce9a0 5 bytes JMP 00000000775301d0 .text C:\windows\System32\svchost.exe[3652] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000773cea60 5 bytes JMP 0000000077530240 .text C:\windows\System32\svchost.exe[3652] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000773cea90 5 bytes JMP 00000000775304b0 .text C:\windows\System32\svchost.exe[3652] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000773ceaa0 5 bytes JMP 00000000775304c0 .text C:\windows\System32\svchost.exe[3652] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000773cead0 5 bytes JMP 00000000775302f0 .text C:\windows\System32\svchost.exe[3652] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000773ceae0 5 bytes JMP 0000000077530350 .text C:\windows\System32\svchost.exe[3652] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000773ceb40 5 bytes JMP 0000000077530290 .text C:\windows\System32\svchost.exe[3652] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000773ceb90 5 bytes JMP 00000000775302b0 .text C:\windows\System32\svchost.exe[3652] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000773cebc0 5 bytes JMP 0000000077530370 .text C:\windows\System32\svchost.exe[3652] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000773cebd0 5 bytes JMP 0000000077530330 .text C:\windows\System32\svchost.exe[3652] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000773ceec0 5 bytes JMP 0000000077530460 .text C:\windows\System32\svchost.exe[3652] C:\windows\SYSTEM32\ntdll.dll!NtResumeProcess 00000000773cf020 5 bytes JMP 0000000077530420 .text C:\windows\System32\svchost.exe[3652] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000773cf0c0 1 byte JMP 0000000077530250 .text C:\windows\System32\svchost.exe[3652] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 00000000773cf0c2 3 bytes {JMP 0x161190} .text C:\windows\System32\svchost.exe[3652] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000773cf0d0 1 byte JMP 0000000077530260 .text C:\windows\System32\svchost.exe[3652] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 00000000773cf0d2 3 bytes {JMP 0x161190} .text C:\windows\System32\svchost.exe[3652] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000773cf0e0 5 bytes JMP 0000000077530400 .text C:\windows\System32\svchost.exe[3652] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000773cf2a0 5 bytes JMP 00000000775301e0 .text C:\windows\System32\svchost.exe[3652] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000773cf2b0 5 bytes JMP 0000000077530200 .text C:\windows\System32\svchost.exe[3652] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000773cf320 5 bytes JMP 00000000775301f0 .text C:\windows\System32\svchost.exe[3652] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000773cf380 5 bytes JMP 0000000077530430 .text C:\windows\System32\svchost.exe[3652] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000773cf390 5 bytes JMP 0000000077530450 .text C:\windows\System32\svchost.exe[3652] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000773cf3a0 5 bytes JMP 0000000077530210 .text C:\windows\System32\svchost.exe[3652] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000773cf480 5 bytes JMP 0000000077530270 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[3876] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 00000000764e1401 2 bytes JMP 768db21b C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[3876] C:\windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 00000000764e1419 2 bytes JMP 768db346 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[3876] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 00000000764e1431 2 bytes JMP 76958f29 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[3876] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 00000000764e144a 2 bytes CALL 768b489d C:\windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[3876] C:\windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000764e14dd 2 bytes JMP 76958822 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[3876] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000764e14f5 2 bytes JMP 769589f8 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[3876] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 00000000764e150d 2 bytes JMP 76958718 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[3876] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 00000000764e1525 2 bytes JMP 76958ae2 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[3876] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 00000000764e153d 2 bytes JMP 768cfca8 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[3876] C:\windows\syswow64\PSAPI.DLL!EnumProcesses + 17 00000000764e1555 2 bytes JMP 768d68ef C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[3876] C:\windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 00000000764e156d 2 bytes JMP 76958fe3 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[3876] C:\windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 00000000764e1585 2 bytes JMP 76958b42 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[3876] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 00000000764e159d 2 bytes JMP 769586dc C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[3876] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000764e15b5 2 bytes JMP 768cfd41 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[3876] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000764e15cd 2 bytes JMP 768db2dc C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[3876] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000764e16b2 2 bytes JMP 76958ea4 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[3876] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000764e16bd 2 bytes JMP 76958671 C:\windows\syswow64\kernel32.dll .text C:\windows\system32\svchost.exe[4772] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000773cdc60 5 bytes JMP 0000000077530480 .text C:\windows\system32\svchost.exe[4772] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000773cdcb0 5 bytes JMP 0000000077530470 .text C:\windows\system32\svchost.exe[4772] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000773cde10 5 bytes JMP 0000000077530360 .text C:\windows\system32\svchost.exe[4772] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000773cde60 5 bytes JMP 0000000077530490 .text C:\windows\system32\svchost.exe[4772] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000773cde70 5 bytes JMP 00000000775303d0 .text C:\windows\system32\svchost.exe[4772] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000773cdf20 5 bytes JMP 0000000077530310 .text C:\windows\system32\svchost.exe[4772] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000773cdf50 5 bytes JMP 00000000775303a0 .text C:\windows\system32\svchost.exe[4772] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000773cdf70 5 bytes JMP 0000000077530380 .text C:\windows\system32\svchost.exe[4772] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000773cdfb0 5 bytes JMP 00000000775302d0 .text C:\windows\system32\svchost.exe[4772] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000773ce030 1 byte JMP 00000000775302c0 .text C:\windows\system32\svchost.exe[4772] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 00000000773ce032 3 bytes {JMP 0x162290} .text C:\windows\system32\svchost.exe[4772] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000773ce050 5 bytes JMP 0000000077530300 .text C:\windows\system32\svchost.exe[4772] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000773ce090 5 bytes JMP 00000000775303b0 .text C:\windows\system32\svchost.exe[4772] C:\windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000773ce0d0 5 bytes JMP 0000000077530440 .text C:\windows\system32\svchost.exe[4772] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000773ce0e0 5 bytes JMP 00000000775303e0 .text C:\windows\system32\svchost.exe[4772] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000773ce240 5 bytes JMP 0000000077530220 .text C:\windows\system32\svchost.exe[4772] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000773ce400 5 bytes JMP 00000000775304a0 .text C:\windows\system32\svchost.exe[4772] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000773ce430 5 bytes JMP 0000000077530390 .text C:\windows\system32\svchost.exe[4772] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000773ce510 5 bytes JMP 00000000775302e0 .text C:\windows\system32\svchost.exe[4772] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000773ce520 5 bytes JMP 0000000077530340 .text C:\windows\system32\svchost.exe[4772] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000773ce580 5 bytes JMP 0000000077530280 .text C:\windows\system32\svchost.exe[4772] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000773ce610 1 byte JMP 00000000775302a0 .text C:\windows\system32\svchost.exe[4772] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 00000000773ce612 3 bytes {JMP 0x161c90} .text C:\windows\system32\svchost.exe[4772] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000773ce630 1 byte JMP 00000000775303c0 .text C:\windows\system32\svchost.exe[4772] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 00000000773ce632 3 bytes {JMP 0x161d90} .text C:\windows\system32\svchost.exe[4772] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000773ce640 5 bytes JMP 0000000077530320 .text C:\windows\system32\svchost.exe[4772] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000773ce6b0 5 bytes JMP 0000000077530410 .text C:\windows\system32\svchost.exe[4772] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000773ce6e0 5 bytes JMP 0000000077530230 .text C:\windows\system32\svchost.exe[4772] C:\windows\SYSTEM32\ntdll.dll!NtGetContextThread 00000000773ce880 5 bytes JMP 00000000775303f0 .text C:\windows\system32\svchost.exe[4772] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000773ce9a0 5 bytes JMP 00000000775301d0 .text C:\windows\system32\svchost.exe[4772] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000773cea60 5 bytes JMP 0000000077530240 .text C:\windows\system32\svchost.exe[4772] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000773cea90 5 bytes JMP 00000000775304b0 .text C:\windows\system32\svchost.exe[4772] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000773ceaa0 5 bytes JMP 00000000775304c0 .text C:\windows\system32\svchost.exe[4772] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000773cead0 5 bytes JMP 00000000775302f0 .text C:\windows\system32\svchost.exe[4772] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000773ceae0 5 bytes JMP 0000000077530350 .text C:\windows\system32\svchost.exe[4772] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000773ceb40 5 bytes JMP 0000000077530290 .text C:\windows\system32\svchost.exe[4772] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000773ceb90 5 bytes JMP 00000000775302b0 .text C:\windows\system32\svchost.exe[4772] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000773cebc0 5 bytes JMP 0000000077530370 .text C:\windows\system32\svchost.exe[4772] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000773cebd0 5 bytes JMP 0000000077530330 .text C:\windows\system32\svchost.exe[4772] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000773ceec0 5 bytes JMP 0000000077530460 .text C:\windows\system32\svchost.exe[4772] C:\windows\SYSTEM32\ntdll.dll!NtResumeProcess 00000000773cf020 5 bytes JMP 0000000077530420 .text C:\windows\system32\svchost.exe[4772] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000773cf0c0 1 byte JMP 0000000077530250 .text C:\windows\system32\svchost.exe[4772] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 00000000773cf0c2 3 bytes {JMP 0x161190} .text C:\windows\system32\svchost.exe[4772] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000773cf0d0 1 byte JMP 0000000077530260 .text C:\windows\system32\svchost.exe[4772] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 00000000773cf0d2 3 bytes {JMP 0x161190} .text C:\windows\system32\svchost.exe[4772] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000773cf0e0 5 bytes JMP 0000000077530400 .text C:\windows\system32\svchost.exe[4772] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000773cf2a0 5 bytes JMP 00000000775301e0 .text C:\windows\system32\svchost.exe[4772] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000773cf2b0 5 bytes JMP 0000000077530200 .text C:\windows\system32\svchost.exe[4772] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000773cf320 5 bytes JMP 00000000775301f0 .text C:\windows\system32\svchost.exe[4772] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000773cf380 5 bytes JMP 0000000077530430 .text C:\windows\system32\svchost.exe[4772] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000773cf390 5 bytes JMP 0000000077530450 .text C:\windows\system32\svchost.exe[4772] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000773cf3a0 5 bytes JMP 0000000077530210 .text C:\windows\system32\svchost.exe[4772] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000773cf480 5 bytes JMP 0000000077530270 .text C:\windows\system32\svchost.exe[4920] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000773cdc60 5 bytes JMP 0000000077530480 .text C:\windows\system32\svchost.exe[4920] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000773cdcb0 5 bytes JMP 0000000077530470 .text C:\windows\system32\svchost.exe[4920] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000773cde10 5 bytes JMP 0000000077530360 .text C:\windows\system32\svchost.exe[4920] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000773cde60 5 bytes JMP 0000000077530490 .text C:\windows\system32\svchost.exe[4920] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000773cde70 5 bytes JMP 00000000775303d0 .text C:\windows\system32\svchost.exe[4920] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000773cdf20 5 bytes JMP 0000000077530310 .text C:\windows\system32\svchost.exe[4920] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000773cdf50 5 bytes JMP 00000000775303a0 .text C:\windows\system32\svchost.exe[4920] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000773cdf70 5 bytes JMP 0000000077530380 .text C:\windows\system32\svchost.exe[4920] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000773cdfb0 5 bytes JMP 00000000775302d0 .text C:\windows\system32\svchost.exe[4920] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000773ce030 1 byte JMP 00000000775302c0 .text C:\windows\system32\svchost.exe[4920] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 00000000773ce032 3 bytes {JMP 0x162290} .text C:\windows\system32\svchost.exe[4920] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000773ce050 5 bytes JMP 0000000077530300 .text C:\windows\system32\svchost.exe[4920] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000773ce090 5 bytes JMP 00000000775303b0 .text C:\windows\system32\svchost.exe[4920] C:\windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000773ce0d0 5 bytes JMP 0000000077530440 .text C:\windows\system32\svchost.exe[4920] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000773ce0e0 5 bytes JMP 00000000775303e0 .text C:\windows\system32\svchost.exe[4920] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000773ce240 5 bytes JMP 0000000077530220 .text C:\windows\system32\svchost.exe[4920] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000773ce400 5 bytes JMP 00000000775304a0 .text C:\windows\system32\svchost.exe[4920] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000773ce430 5 bytes JMP 0000000077530390 .text C:\windows\system32\svchost.exe[4920] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000773ce510 5 bytes JMP 00000000775302e0 .text C:\windows\system32\svchost.exe[4920] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000773ce520 5 bytes JMP 0000000077530340 .text C:\windows\system32\svchost.exe[4920] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000773ce580 5 bytes JMP 0000000077530280 .text C:\windows\system32\svchost.exe[4920] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000773ce610 1 byte JMP 00000000775302a0 .text C:\windows\system32\svchost.exe[4920] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 00000000773ce612 3 bytes {JMP 0x161c90} .text C:\windows\system32\svchost.exe[4920] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000773ce630 1 byte JMP 00000000775303c0 .text C:\windows\system32\svchost.exe[4920] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 00000000773ce632 3 bytes {JMP 0x161d90} .text C:\windows\system32\svchost.exe[4920] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000773ce640 5 bytes JMP 0000000077530320 .text C:\windows\system32\svchost.exe[4920] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000773ce6b0 5 bytes JMP 0000000077530410 .text C:\windows\system32\svchost.exe[4920] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000773ce6e0 5 bytes JMP 0000000077530230 .text C:\windows\system32\svchost.exe[4920] C:\windows\SYSTEM32\ntdll.dll!NtGetContextThread 00000000773ce880 5 bytes JMP 00000000775303f0 .text C:\windows\system32\svchost.exe[4920] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000773ce9a0 5 bytes JMP 00000000775301d0 .text C:\windows\system32\svchost.exe[4920] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000773cea60 5 bytes JMP 0000000077530240 .text C:\windows\system32\svchost.exe[4920] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000773cea90 5 bytes JMP 00000000775304b0 .text C:\windows\system32\svchost.exe[4920] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000773ceaa0 5 bytes JMP 00000000775304c0 .text C:\windows\system32\svchost.exe[4920] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000773cead0 5 bytes JMP 00000000775302f0 .text C:\windows\system32\svchost.exe[4920] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000773ceae0 5 bytes JMP 0000000077530350 .text C:\windows\system32\svchost.exe[4920] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000773ceb40 5 bytes JMP 0000000077530290 .text C:\windows\system32\svchost.exe[4920] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000773ceb90 5 bytes JMP 00000000775302b0 .text C:\windows\system32\svchost.exe[4920] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000773cebc0 5 bytes JMP 0000000077530370 .text C:\windows\system32\svchost.exe[4920] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000773cebd0 5 bytes JMP 0000000077530330 .text C:\windows\system32\svchost.exe[4920] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000773ceec0 5 bytes JMP 0000000077530460 .text C:\windows\system32\svchost.exe[4920] C:\windows\SYSTEM32\ntdll.dll!NtResumeProcess 00000000773cf020 5 bytes JMP 0000000077530420 .text C:\windows\system32\svchost.exe[4920] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000773cf0c0 1 byte JMP 0000000077530250 .text C:\windows\system32\svchost.exe[4920] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 00000000773cf0c2 3 bytes {JMP 0x161190} .text C:\windows\system32\svchost.exe[4920] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000773cf0d0 1 byte JMP 0000000077530260 .text C:\windows\system32\svchost.exe[4920] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 00000000773cf0d2 3 bytes {JMP 0x161190} .text C:\windows\system32\svchost.exe[4920] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000773cf0e0 5 bytes JMP 0000000077530400 .text C:\windows\system32\svchost.exe[4920] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000773cf2a0 5 bytes JMP 00000000775301e0 .text C:\windows\system32\svchost.exe[4920] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000773cf2b0 5 bytes JMP 0000000077530200 .text C:\windows\system32\svchost.exe[4920] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000773cf320 5 bytes JMP 00000000775301f0 .text C:\windows\system32\svchost.exe[4920] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000773cf380 5 bytes JMP 0000000077530430 .text C:\windows\system32\svchost.exe[4920] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000773cf390 5 bytes JMP 0000000077530450 .text C:\windows\system32\svchost.exe[4920] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000773cf3a0 5 bytes JMP 0000000077530210 .text C:\windows\system32\svchost.exe[4920] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000773cf480 5 bytes JMP 0000000077530270 .text C:\windows\system32\svchost.exe[3608] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000773cdc60 5 bytes JMP 0000000077530480 .text C:\windows\system32\svchost.exe[3608] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000773cdcb0 5 bytes JMP 0000000077530470 .text C:\windows\system32\svchost.exe[3608] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000773cde10 5 bytes JMP 0000000077530360 .text C:\windows\system32\svchost.exe[3608] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000773cde60 5 bytes JMP 0000000077530490 .text C:\windows\system32\svchost.exe[3608] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000773cde70 5 bytes JMP 00000000775303d0 .text C:\windows\system32\svchost.exe[3608] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000773cdf20 5 bytes JMP 0000000077530310 .text C:\windows\system32\svchost.exe[3608] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000773cdf50 5 bytes JMP 00000000775303a0 .text C:\windows\system32\svchost.exe[3608] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000773cdf70 5 bytes JMP 0000000077530380 .text C:\windows\system32\svchost.exe[3608] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000773cdfb0 5 bytes JMP 00000000775302d0 .text C:\windows\system32\svchost.exe[3608] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000773ce030 1 byte JMP 00000000775302c0 .text C:\windows\system32\svchost.exe[3608] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 00000000773ce032 3 bytes {JMP 0x162290} .text C:\windows\system32\svchost.exe[3608] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000773ce050 5 bytes JMP 0000000077530300 .text C:\windows\system32\svchost.exe[3608] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000773ce090 5 bytes JMP 00000000775303b0 .text C:\windows\system32\svchost.exe[3608] C:\windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000773ce0d0 5 bytes JMP 0000000077530440 .text C:\windows\system32\svchost.exe[3608] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000773ce0e0 5 bytes JMP 00000000775303e0 .text C:\windows\system32\svchost.exe[3608] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000773ce240 5 bytes JMP 0000000077530220 .text C:\windows\system32\svchost.exe[3608] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000773ce400 5 bytes JMP 00000000775304a0 .text C:\windows\system32\svchost.exe[3608] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000773ce430 5 bytes JMP 0000000077530390 .text C:\windows\system32\svchost.exe[3608] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000773ce510 5 bytes JMP 00000000775302e0 .text C:\windows\system32\svchost.exe[3608] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000773ce520 5 bytes JMP 0000000077530340 .text C:\windows\system32\svchost.exe[3608] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000773ce580 5 bytes JMP 0000000077530280 .text C:\windows\system32\svchost.exe[3608] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000773ce610 1 byte JMP 00000000775302a0 .text C:\windows\system32\svchost.exe[3608] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 00000000773ce612 3 bytes {JMP 0x161c90} .text C:\windows\system32\svchost.exe[3608] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000773ce630 1 byte JMP 00000000775303c0 .text C:\windows\system32\svchost.exe[3608] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 00000000773ce632 3 bytes {JMP 0x161d90} .text C:\windows\system32\svchost.exe[3608] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000773ce640 5 bytes JMP 0000000077530320 .text C:\windows\system32\svchost.exe[3608] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000773ce6b0 5 bytes JMP 0000000077530410 .text C:\windows\system32\svchost.exe[3608] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000773ce6e0 5 bytes JMP 0000000077530230 .text C:\windows\system32\svchost.exe[3608] C:\windows\SYSTEM32\ntdll.dll!NtGetContextThread 00000000773ce880 5 bytes JMP 00000000775303f0 .text C:\windows\system32\svchost.exe[3608] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000773ce9a0 5 bytes JMP 00000000775301d0 .text C:\windows\system32\svchost.exe[3608] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000773cea60 5 bytes JMP 0000000077530240 .text C:\windows\system32\svchost.exe[3608] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000773cea90 5 bytes JMP 00000000775304b0 .text C:\windows\system32\svchost.exe[3608] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000773ceaa0 5 bytes JMP 00000000775304c0 .text C:\windows\system32\svchost.exe[3608] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000773cead0 5 bytes JMP 00000000775302f0 .text C:\windows\system32\svchost.exe[3608] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000773ceae0 5 bytes JMP 0000000077530350 .text C:\windows\system32\svchost.exe[3608] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000773ceb40 5 bytes JMP 0000000077530290 .text C:\windows\system32\svchost.exe[3608] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000773ceb90 5 bytes JMP 00000000775302b0 .text C:\windows\system32\svchost.exe[3608] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000773cebc0 5 bytes JMP 0000000077530370 .text C:\windows\system32\svchost.exe[3608] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000773cebd0 5 bytes JMP 0000000077530330 .text C:\windows\system32\svchost.exe[3608] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000773ceec0 5 bytes JMP 0000000077530460 .text C:\windows\system32\svchost.exe[3608] C:\windows\SYSTEM32\ntdll.dll!NtResumeProcess 00000000773cf020 5 bytes JMP 0000000077530420 .text C:\windows\system32\svchost.exe[3608] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000773cf0c0 1 byte JMP 0000000077530250 .text C:\windows\system32\svchost.exe[3608] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 00000000773cf0c2 3 bytes {JMP 0x161190} .text C:\windows\system32\svchost.exe[3608] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000773cf0d0 1 byte JMP 0000000077530260 .text C:\windows\system32\svchost.exe[3608] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 00000000773cf0d2 3 bytes {JMP 0x161190} .text C:\windows\system32\svchost.exe[3608] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000773cf0e0 5 bytes JMP 0000000077530400 .text C:\windows\system32\svchost.exe[3608] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000773cf2a0 5 bytes JMP 00000000775301e0 .text C:\windows\system32\svchost.exe[3608] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000773cf2b0 5 bytes JMP 0000000077530200 .text C:\windows\system32\svchost.exe[3608] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000773cf320 5 bytes JMP 00000000775301f0 .text C:\windows\system32\svchost.exe[3608] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000773cf380 5 bytes JMP 0000000077530430 .text C:\windows\system32\svchost.exe[3608] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000773cf390 5 bytes JMP 0000000077530450 .text C:\windows\system32\svchost.exe[3608] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000773cf3a0 5 bytes JMP 0000000077530210 .text C:\windows\system32\svchost.exe[3608] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000773cf480 5 bytes JMP 0000000077530270 .text C:\windows\System32\svchost.exe[2948] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000773cdc60 5 bytes JMP 0000000077530480 .text C:\windows\System32\svchost.exe[2948] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000773cdcb0 5 bytes JMP 0000000077530470 .text C:\windows\System32\svchost.exe[2948] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000773cde10 5 bytes JMP 0000000077530360 .text C:\windows\System32\svchost.exe[2948] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000773cde60 5 bytes JMP 0000000077530490 .text C:\windows\System32\svchost.exe[2948] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000773cde70 5 bytes JMP 00000000775303d0 .text C:\windows\System32\svchost.exe[2948] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000773cdf20 5 bytes JMP 0000000077530310 .text C:\windows\System32\svchost.exe[2948] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000773cdf50 5 bytes JMP 00000000775303a0 .text C:\windows\System32\svchost.exe[2948] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000773cdf70 5 bytes JMP 0000000077530380 .text C:\windows\System32\svchost.exe[2948] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000773cdfb0 5 bytes JMP 00000000775302d0 .text C:\windows\System32\svchost.exe[2948] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000773ce030 1 byte JMP 00000000775302c0 .text C:\windows\System32\svchost.exe[2948] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 00000000773ce032 3 bytes {JMP 0x162290} .text C:\windows\System32\svchost.exe[2948] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000773ce050 5 bytes JMP 0000000077530300 .text C:\windows\System32\svchost.exe[2948] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000773ce090 5 bytes JMP 00000000775303b0 .text C:\windows\System32\svchost.exe[2948] C:\windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000773ce0d0 5 bytes JMP 0000000077530440 .text C:\windows\System32\svchost.exe[2948] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000773ce0e0 5 bytes JMP 00000000775303e0 .text C:\windows\System32\svchost.exe[2948] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000773ce240 5 bytes JMP 0000000077530220 .text C:\windows\System32\svchost.exe[2948] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000773ce400 5 bytes JMP 00000000775304a0 .text C:\windows\System32\svchost.exe[2948] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000773ce430 5 bytes JMP 0000000077530390 .text C:\windows\System32\svchost.exe[2948] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000773ce510 5 bytes JMP 00000000775302e0 .text C:\windows\System32\svchost.exe[2948] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000773ce520 5 bytes JMP 0000000077530340 .text C:\windows\System32\svchost.exe[2948] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000773ce580 5 bytes JMP 0000000077530280 .text C:\windows\System32\svchost.exe[2948] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000773ce610 1 byte JMP 00000000775302a0 .text C:\windows\System32\svchost.exe[2948] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 00000000773ce612 3 bytes {JMP 0x161c90} .text C:\windows\System32\svchost.exe[2948] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000773ce630 1 byte JMP 00000000775303c0 .text C:\windows\System32\svchost.exe[2948] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 00000000773ce632 3 bytes {JMP 0x161d90} .text C:\windows\System32\svchost.exe[2948] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000773ce640 5 bytes JMP 0000000077530320 .text C:\windows\System32\svchost.exe[2948] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000773ce6b0 5 bytes JMP 0000000077530410 .text C:\windows\System32\svchost.exe[2948] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000773ce6e0 5 bytes JMP 0000000077530230 .text C:\windows\System32\svchost.exe[2948] C:\windows\SYSTEM32\ntdll.dll!NtGetContextThread 00000000773ce880 5 bytes JMP 00000000775303f0 .text C:\windows\System32\svchost.exe[2948] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000773ce9a0 5 bytes JMP 00000000775301d0 .text C:\windows\System32\svchost.exe[2948] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000773cea60 5 bytes JMP 0000000077530240 .text C:\windows\System32\svchost.exe[2948] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000773cea90 5 bytes JMP 00000000775304b0 .text C:\windows\System32\svchost.exe[2948] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000773ceaa0 5 bytes JMP 00000000775304c0 .text C:\windows\System32\svchost.exe[2948] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000773cead0 5 bytes JMP 00000000775302f0 .text C:\windows\System32\svchost.exe[2948] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000773ceae0 5 bytes JMP 0000000077530350 .text C:\windows\System32\svchost.exe[2948] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000773ceb40 5 bytes JMP 0000000077530290 .text C:\windows\System32\svchost.exe[2948] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000773ceb90 5 bytes JMP 00000000775302b0 .text C:\windows\System32\svchost.exe[2948] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000773cebc0 5 bytes JMP 0000000077530370 .text C:\windows\System32\svchost.exe[2948] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000773cebd0 5 bytes JMP 0000000077530330 .text C:\windows\System32\svchost.exe[2948] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000773ceec0 5 bytes JMP 0000000077530460 .text C:\windows\System32\svchost.exe[2948] C:\windows\SYSTEM32\ntdll.dll!NtResumeProcess 00000000773cf020 5 bytes JMP 0000000077530420 .text C:\windows\System32\svchost.exe[2948] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000773cf0c0 1 byte JMP 0000000077530250 .text C:\windows\System32\svchost.exe[2948] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 00000000773cf0c2 3 bytes {JMP 0x161190} .text C:\windows\System32\svchost.exe[2948] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000773cf0d0 1 byte JMP 0000000077530260 .text C:\windows\System32\svchost.exe[2948] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 00000000773cf0d2 3 bytes {JMP 0x161190} .text C:\windows\System32\svchost.exe[2948] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000773cf0e0 5 bytes JMP 0000000077530400 .text C:\windows\System32\svchost.exe[2948] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000773cf2a0 5 bytes JMP 00000000775301e0 .text C:\windows\System32\svchost.exe[2948] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000773cf2b0 5 bytes JMP 0000000077530200 .text C:\windows\System32\svchost.exe[2948] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000773cf320 5 bytes JMP 00000000775301f0 .text C:\windows\System32\svchost.exe[2948] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000773cf380 5 bytes JMP 0000000077530430 .text C:\windows\System32\svchost.exe[2948] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000773cf390 5 bytes JMP 0000000077530450 .text C:\windows\System32\svchost.exe[2948] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000773cf3a0 5 bytes JMP 0000000077530210 .text C:\windows\System32\svchost.exe[2948] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000773cf480 5 bytes JMP 0000000077530270 .text C:\windows\system32\wbem\wmiprvse.exe[6192] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000773cdc60 5 bytes JMP 0000000077530480 .text C:\windows\system32\wbem\wmiprvse.exe[6192] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000773cdcb0 5 bytes JMP 0000000077530470 .text C:\windows\system32\wbem\wmiprvse.exe[6192] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000773cde10 5 bytes JMP 0000000077530360 .text C:\windows\system32\wbem\wmiprvse.exe[6192] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000773cde60 5 bytes JMP 0000000077530490 .text C:\windows\system32\wbem\wmiprvse.exe[6192] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000773cde70 5 bytes JMP 00000000775303d0 .text C:\windows\system32\wbem\wmiprvse.exe[6192] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000773cdf20 5 bytes JMP 0000000077530310 .text C:\windows\system32\wbem\wmiprvse.exe[6192] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000773cdf50 5 bytes JMP 00000000775303a0 .text C:\windows\system32\wbem\wmiprvse.exe[6192] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000773cdf70 5 bytes JMP 0000000077530380 .text C:\windows\system32\wbem\wmiprvse.exe[6192] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000773cdfb0 5 bytes JMP 00000000775302d0 .text C:\windows\system32\wbem\wmiprvse.exe[6192] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000773ce030 1 byte JMP 00000000775302c0 .text C:\windows\system32\wbem\wmiprvse.exe[6192] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 00000000773ce032 3 bytes {JMP 0x162290} .text C:\windows\system32\wbem\wmiprvse.exe[6192] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000773ce050 5 bytes JMP 0000000077530300 .text C:\windows\system32\wbem\wmiprvse.exe[6192] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000773ce090 5 bytes JMP 00000000775303b0 .text C:\windows\system32\wbem\wmiprvse.exe[6192] C:\windows\SYSTEM32\ntdll.dll!NtResumeThread 00000000773ce0d0 5 bytes JMP 0000000077530440 .text C:\windows\system32\wbem\wmiprvse.exe[6192] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000773ce0e0 5 bytes JMP 00000000775303e0 .text C:\windows\system32\wbem\wmiprvse.exe[6192] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000773ce240 5 bytes JMP 0000000077530220 .text C:\windows\system32\wbem\wmiprvse.exe[6192] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000773ce400 5 bytes JMP 00000000775304a0 .text C:\windows\system32\wbem\wmiprvse.exe[6192] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000773ce430 5 bytes JMP 0000000077530390 .text C:\windows\system32\wbem\wmiprvse.exe[6192] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000773ce510 5 bytes JMP 00000000775302e0 .text C:\windows\system32\wbem\wmiprvse.exe[6192] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000773ce520 5 bytes JMP 0000000077530340 .text C:\windows\system32\wbem\wmiprvse.exe[6192] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000773ce580 5 bytes JMP 0000000077530280 .text C:\windows\system32\wbem\wmiprvse.exe[6192] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000773ce610 1 byte JMP 00000000775302a0 .text C:\windows\system32\wbem\wmiprvse.exe[6192] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 00000000773ce612 3 bytes {JMP 0x161c90} .text C:\windows\system32\wbem\wmiprvse.exe[6192] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000773ce630 1 byte JMP 00000000775303c0 .text C:\windows\system32\wbem\wmiprvse.exe[6192] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 00000000773ce632 3 bytes {JMP 0x161d90} .text C:\windows\system32\wbem\wmiprvse.exe[6192] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000773ce640 5 bytes JMP 0000000077530320 .text C:\windows\system32\wbem\wmiprvse.exe[6192] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000773ce6b0 5 bytes JMP 0000000077530410 .text C:\windows\system32\wbem\wmiprvse.exe[6192] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000773ce6e0 5 bytes JMP 0000000077530230 .text C:\windows\system32\wbem\wmiprvse.exe[6192] C:\windows\SYSTEM32\ntdll.dll!NtGetContextThread 00000000773ce880 5 bytes JMP 00000000775303f0 .text C:\windows\system32\wbem\wmiprvse.exe[6192] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000773ce9a0 5 bytes JMP 00000000775301d0 .text C:\windows\system32\wbem\wmiprvse.exe[6192] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000773cea60 5 bytes JMP 0000000077530240 .text C:\windows\system32\wbem\wmiprvse.exe[6192] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000773cea90 5 bytes JMP 00000000775304b0 .text C:\windows\system32\wbem\wmiprvse.exe[6192] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000773ceaa0 5 bytes JMP 00000000775304c0 .text C:\windows\system32\wbem\wmiprvse.exe[6192] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000773cead0 5 bytes JMP 00000000775302f0 .text C:\windows\system32\wbem\wmiprvse.exe[6192] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000773ceae0 5 bytes JMP 0000000077530350 .text C:\windows\system32\wbem\wmiprvse.exe[6192] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000773ceb40 5 bytes JMP 0000000077530290 .text C:\windows\system32\wbem\wmiprvse.exe[6192] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000773ceb90 5 bytes JMP 00000000775302b0 .text C:\windows\system32\wbem\wmiprvse.exe[6192] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000773cebc0 5 bytes JMP 0000000077530370 .text C:\windows\system32\wbem\wmiprvse.exe[6192] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000773cebd0 5 bytes JMP 0000000077530330 .text C:\windows\system32\wbem\wmiprvse.exe[6192] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000773ceec0 5 bytes JMP 0000000077530460 .text C:\windows\system32\wbem\wmiprvse.exe[6192] C:\windows\SYSTEM32\ntdll.dll!NtResumeProcess 00000000773cf020 5 bytes JMP 0000000077530420 .text C:\windows\system32\wbem\wmiprvse.exe[6192] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000773cf0c0 1 byte JMP 0000000077530250 .text C:\windows\system32\wbem\wmiprvse.exe[6192] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 00000000773cf0c2 3 bytes {JMP 0x161190} .text C:\windows\system32\wbem\wmiprvse.exe[6192] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000773cf0d0 1 byte JMP 0000000077530260 .text C:\windows\system32\wbem\wmiprvse.exe[6192] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 00000000773cf0d2 3 bytes {JMP 0x161190} .text C:\windows\system32\wbem\wmiprvse.exe[6192] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000773cf0e0 5 bytes JMP 0000000077530400 .text C:\windows\system32\wbem\wmiprvse.exe[6192] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000773cf2a0 5 bytes JMP 00000000775301e0 .text C:\windows\system32\wbem\wmiprvse.exe[6192] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000773cf2b0 5 bytes JMP 0000000077530200 .text C:\windows\system32\wbem\wmiprvse.exe[6192] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000773cf320 5 bytes JMP 00000000775301f0 .text C:\windows\system32\wbem\wmiprvse.exe[6192] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000773cf380 5 bytes JMP 0000000077530430 .text C:\windows\system32\wbem\wmiprvse.exe[6192] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000773cf390 5 bytes JMP 0000000077530450 .text C:\windows\system32\wbem\wmiprvse.exe[6192] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000773cf3a0 5 bytes JMP 0000000077530210 .text C:\windows\system32\wbem\wmiprvse.exe[6192] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000773cf480 5 bytes JMP 0000000077530270 ---- Processes - GMER 2.1 ---- Process C:\ProgramData\DatacardService\HWDeviceService64.exe (*** suspicious ***) @ C:\ProgramData\DatacardService\HWDeviceService64.exe [3768](2010-11-16 13:38:16) 000000013fdd0000 Process C:\ProgramData\DatacardService\DCSHelper.exe (*** suspicious ***) @ C:\ProgramData\DatacardService\DCSHelper.exe [3820] (DataCardMonitor MFC Application/Huawei Technologies Co., Ltd.)(2010-11-16 13:37:30) 0000000000400000 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters\Instup_14725740322442280@SetupOperations ?????_??Avivo(TM)????????????????????????????????????????????5??0???? ?????????????????????0????????????????t???????????????? ???????????????????+?0???????????????????y????????????? ?????????????????????0?????????????????????g??? ??????????????????????????????????????????????????P???0?@??????????????????????? ??????? ?????? ????????????????????????????$??????????V??? ????????????????????????????,?D??? ???????????????????? D?????????????????%SystemRoot%\System32\ssdpsrv.dll?????????????????????????????????????P????????????e????@%systemroot%\system32\ssdpsrv.dll,-100???????????????????h?????%SystemRoot%\system32\svchost.exe -k LocalServiceAndNoImpersonation?????HTTP??????P????????????n????????????????????????@%systemroot%\system32\ssdpsrv.dll,-101?????? 4?????????????????NT AUTHORITY\LocalService???????????????????????????????????????????????t??????????????????????? ????????????????????????????e????,???????????????????????????????????????b?????????????????????SeChangeNotifyPrivilege?SeCreateGlobalPrivilege???? Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters\Instup_14725741491202280@SetupOperations ????????????.NTAMD64????????????????$???4????? ??????? ??????????????????????????????????????????????????????? ??????????? ??????????? ??????????????? ?????8??9??HJ???????????w???????w???w???w???????????????9???????w???????w???????????????w???????=?????????????????? ??????????????????? ??????????? ?????????????????v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Private|App=C:\Program Files (x86)\Mozilla Firefox\firefox.exe|Name=Firefox (C:\Program Files (x86)\Mozilla Firefox)|?va??? ?????????????????????,??????????S?????6a???????????????????_?????s?`??chello.pl????????????,??????????????????????????????? ?????????????????????,????????P?,?????????\SystemRoot\system32\drivers\aswKbd.sys?ys??????avast! keyboard filter driver (aswKbd)??????FSFilter Security Enhancer?s????? ?????????????????????,????????????&????????????????????????????????y??sv??aswSP???????1????????????e??????????? ?????????????????????,??????????^?????????????????????????ABBYY FineReader 12?UE??? ?????????????????????,??????????-???? Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters\Instup_14725740322442280@SetupOperations ????????? ????????????????`??????????????????????u0??????????????????????????????????????????????????????????????????????????????????????????????????????????????eh???`???????????????????8?chello.pl? ??????????e??To(?? ??n????????????(???8???????????????0???????????????????????x??????????????????????uH???@?45.32.235.205 103.195.102.7?????H???????????????????????????????????????aswHdsKe??(?255.255.255.0?????p?????????????????????????????????????????????????????5.???m?o?o?z?y?y2.???>8?????????????????????????ri0??????????S?????????tteh???????????????????????????0???(??????????????????????????u??????????????inX?{0c109301-a289-5097-b532-d0b349121286}??:gX?{eec5ad98-8080-425f-922a-dabf3de3f69a}?ll.8?????????????????????????????????????????????????????????????????????????????????????????????????????????????????3?????????????8?3???????????????????????????{eec5ad98-8080-425f-922a-dabf3de3f69a}\0021?ilX?Kingston?f,%microsoftmfg%;Microsoft?VE???E??v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|App=C: Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters\Instup_14725741491202280@SetupOperations ????????? ???????????????????????????? ??????????????????????????????????????????????????????????????????S???????????????????????????????????????????????????????????????????????????????????????? ?????????????????????????????????????a\??? ???????????????????????????? ??? ?????????????????????4????????????????????????????????????o????????????????(??i?k?k?n???k??????0??:?n?n?n??????????????0?? ???????z???????????????????????????????????????????????????????????????5????????????(Po??czenie lokalne 2?????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????RRemote NDIS based Internet Sharing Device????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????? ---- Disk sectors - GMER 2.1 ---- Disk \Device\Harddisk0\DR0 unknown MBR code ---- EOF - GMER 2.1 ----