GMER 2.2.19882 - http://www.gmer.net Rootkit scan 2016-06-24 22:11:55 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\00000070 WDC_WD75 rev.01.0 698,64GB Running: fsibxr39.exe; Driver: C:\Users\Pc\AppData\Local\Temp\uglcraoc.sys ---- Kernel code sections - GMER 2.2 ---- .text C:\Windows\system32\DRIVERS\USBPORT.SYS!DllUnload fffff880042a0c34 12 bytes {MOV RAX, 0xfffffa80050fb2a0; JMP RAX} ---- User code sections - GMER 2.2 ---- .text C:\Windows\system32\services.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076d113c0 5 bytes JMP 0000000000070460 .text C:\Windows\system32\services.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076d11410 5 bytes JMP 0000000000070450 .text C:\Windows\system32\services.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076d11570 5 bytes JMP 0000000000070370 .text C:\Windows\system32\services.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076d115c0 5 bytes JMP 0000000000070470 .text C:\Windows\system32\services.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d115d0 5 bytes JMP 00000000000703e0 .text C:\Windows\system32\services.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076d11680 5 bytes JMP 0000000000070320 .text C:\Windows\system32\services.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d116b0 5 bytes JMP 00000000000703b0 .text C:\Windows\system32\services.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076d116d0 5 bytes JMP 0000000000070390 .text C:\Windows\system32\services.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076d11710 5 bytes JMP 00000000000702e0 .text C:\Windows\system32\services.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076d11790 5 bytes JMP 00000000000702d0 .text C:\Windows\system32\services.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076d117b0 5 bytes JMP 0000000000070310 .text C:\Windows\system32\services.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076d117f0 5 bytes JMP 00000000000703c0 .text C:\Windows\system32\services.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076d11840 5 bytes JMP 00000000000703f0 .text C:\Windows\system32\services.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076d119a0 1 byte JMP 0000000000070230 .text C:\Windows\system32\services.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076d119a2 3 bytes {JMP 0xffffffff8935e890} .text C:\Windows\system32\services.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d11b60 5 bytes JMP 0000000000070480 .text C:\Windows\system32\services.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076d11b90 5 bytes JMP 00000000000703a0 .text C:\Windows\system32\services.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076d11c70 5 bytes JMP 00000000000702f0 .text C:\Windows\system32\services.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076d11c80 5 bytes JMP 0000000000070350 .text C:\Windows\system32\services.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076d11ce0 5 bytes JMP 0000000000070290 .text C:\Windows\system32\services.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076d11d70 5 bytes JMP 00000000000702b0 .text C:\Windows\system32\services.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076d11d90 5 bytes JMP 00000000000703d0 .text C:\Windows\system32\services.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076d11da0 1 byte JMP 0000000000070330 .text C:\Windows\system32\services.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076d11da2 3 bytes {JMP 0xffffffff8935e590} .text C:\Windows\system32\services.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076d11e10 5 bytes JMP 0000000000070410 .text C:\Windows\system32\services.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076d11e40 5 bytes JMP 0000000000070240 .text C:\Windows\system32\services.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076d12100 5 bytes JMP 00000000000701e0 .text C:\Windows\system32\services.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076d121c0 1 byte JMP 0000000000070250 .text C:\Windows\system32\services.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076d121c2 3 bytes {JMP 0xffffffff8935e090} .text C:\Windows\system32\services.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076d121f0 5 bytes JMP 0000000000070490 .text C:\Windows\system32\services.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076d12200 5 bytes JMP 00000000000704a0 .text C:\Windows\system32\services.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076d12230 5 bytes JMP 0000000000070300 .text C:\Windows\system32\services.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076d12240 5 bytes JMP 0000000000070360 .text C:\Windows\system32\services.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076d122a0 5 bytes JMP 00000000000702a0 .text C:\Windows\system32\services.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076d122f0 5 bytes JMP 00000000000702c0 .text C:\Windows\system32\services.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076d12320 5 bytes JMP 0000000000070380 .text C:\Windows\system32\services.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076d12330 5 bytes JMP 0000000000070340 .text C:\Windows\system32\services.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076d12620 5 bytes JMP 0000000000070440 .text C:\Windows\system32\services.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076d12820 5 bytes JMP 0000000000070260 .text C:\Windows\system32\services.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076d12830 5 bytes JMP 0000000000070270 .text C:\Windows\system32\services.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076d12840 5 bytes JMP 0000000000070400 .text C:\Windows\system32\services.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076d12a00 5 bytes JMP 00000000000701f0 .text C:\Windows\system32\services.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076d12a10 5 bytes JMP 0000000000070210 .text C:\Windows\system32\services.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076d12a80 5 bytes JMP 0000000000070200 .text C:\Windows\system32\services.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076d12ae0 5 bytes JMP 0000000000070420 .text C:\Windows\system32\services.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076d12af0 5 bytes JMP 0000000000070430 .text C:\Windows\system32\services.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076d12b00 5 bytes JMP 0000000000070220 .text C:\Windows\system32\services.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076d12be0 5 bytes JMP 0000000000070280 .text C:\Windows\system32\lsass.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076d113c0 5 bytes JMP 0000000076e70460 .text C:\Windows\system32\lsass.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076d11410 5 bytes JMP 0000000076e70450 .text C:\Windows\system32\lsass.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076d11570 5 bytes JMP 0000000076e70370 .text C:\Windows\system32\lsass.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076d115c0 5 bytes JMP 0000000076e70470 .text C:\Windows\system32\lsass.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d115d0 5 bytes JMP 0000000076e703e0 .text C:\Windows\system32\lsass.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076d11680 5 bytes JMP 0000000076e70320 .text C:\Windows\system32\lsass.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d116b0 5 bytes JMP 0000000076e703b0 .text C:\Windows\system32\lsass.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076d116d0 5 bytes JMP 0000000076e70390 .text C:\Windows\system32\lsass.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076d11710 5 bytes JMP 0000000076e702e0 .text C:\Windows\system32\lsass.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076d11790 5 bytes JMP 0000000076e702d0 .text C:\Windows\system32\lsass.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076d117b0 5 bytes JMP 0000000076e70310 .text C:\Windows\system32\lsass.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076d117f0 5 bytes JMP 0000000076e703c0 .text C:\Windows\system32\lsass.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076d11840 5 bytes JMP 0000000076e703f0 .text C:\Windows\system32\lsass.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076d119a0 1 byte JMP 0000000076e70230 .text C:\Windows\system32\lsass.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076d119a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\lsass.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d11b60 5 bytes JMP 0000000076e70480 .text C:\Windows\system32\lsass.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076d11b90 5 bytes JMP 0000000076e703a0 .text C:\Windows\system32\lsass.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076d11c70 5 bytes JMP 0000000076e702f0 .text C:\Windows\system32\lsass.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076d11c80 5 bytes JMP 0000000076e70350 .text C:\Windows\system32\lsass.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076d11ce0 5 bytes JMP 0000000076e70290 .text C:\Windows\system32\lsass.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076d11d70 5 bytes JMP 0000000076e702b0 .text C:\Windows\system32\lsass.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076d11d90 5 bytes JMP 0000000076e703d0 .text C:\Windows\system32\lsass.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076d11da0 1 byte JMP 0000000076e70330 .text C:\Windows\system32\lsass.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076d11da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\lsass.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076d11e10 5 bytes JMP 0000000076e70410 .text C:\Windows\system32\lsass.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076d11e40 5 bytes JMP 0000000076e70240 .text C:\Windows\system32\lsass.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076d12100 5 bytes JMP 0000000076e701e0 .text C:\Windows\system32\lsass.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076d121c0 1 byte JMP 0000000076e70250 .text C:\Windows\system32\lsass.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076d121c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\lsass.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076d121f0 5 bytes JMP 0000000076e70490 .text C:\Windows\system32\lsass.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076d12200 5 bytes JMP 0000000076e704a0 .text C:\Windows\system32\lsass.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076d12230 5 bytes JMP 0000000076e70300 .text C:\Windows\system32\lsass.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076d12240 5 bytes JMP 0000000076e70360 .text C:\Windows\system32\lsass.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076d122a0 5 bytes JMP 0000000076e702a0 .text C:\Windows\system32\lsass.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076d122f0 5 bytes JMP 0000000076e702c0 .text C:\Windows\system32\lsass.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076d12320 5 bytes JMP 0000000076e70380 .text C:\Windows\system32\lsass.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076d12330 5 bytes JMP 0000000076e70340 .text C:\Windows\system32\lsass.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076d12620 5 bytes JMP 0000000076e70440 .text C:\Windows\system32\lsass.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076d12820 5 bytes JMP 0000000076e70260 .text C:\Windows\system32\lsass.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076d12830 5 bytes JMP 0000000076e70270 .text C:\Windows\system32\lsass.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076d12840 5 bytes JMP 0000000076e70400 .text C:\Windows\system32\lsass.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076d12a00 5 bytes JMP 0000000076e701f0 .text C:\Windows\system32\lsass.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076d12a10 5 bytes JMP 0000000076e70210 .text C:\Windows\system32\lsass.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076d12a80 5 bytes JMP 0000000076e70200 .text C:\Windows\system32\lsass.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076d12ae0 5 bytes JMP 0000000076e70420 .text C:\Windows\system32\lsass.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076d12af0 5 bytes JMP 0000000076e70430 .text C:\Windows\system32\lsass.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076d12b00 5 bytes JMP 0000000076e70220 .text C:\Windows\system32\lsass.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076d12be0 5 bytes JMP 0000000076e70280 .text C:\Windows\system32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076d113c0 5 bytes JMP 0000000076e70460 .text C:\Windows\system32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076d11410 5 bytes JMP 0000000076e70450 .text C:\Windows\system32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076d11570 5 bytes JMP 0000000076e70370 .text C:\Windows\system32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076d115c0 5 bytes JMP 0000000076e70470 .text C:\Windows\system32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d115d0 5 bytes JMP 0000000076e703e0 .text C:\Windows\system32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076d11680 5 bytes JMP 0000000076e70320 .text C:\Windows\system32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d116b0 5 bytes JMP 0000000076e703b0 .text C:\Windows\system32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076d116d0 5 bytes JMP 0000000076e70390 .text C:\Windows\system32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076d11710 5 bytes JMP 0000000076e702e0 .text C:\Windows\system32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076d11790 5 bytes JMP 0000000076e702d0 .text C:\Windows\system32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076d117b0 5 bytes JMP 0000000076e70310 .text C:\Windows\system32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076d117f0 5 bytes JMP 0000000076e703c0 .text C:\Windows\system32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076d11840 5 bytes JMP 0000000076e703f0 .text C:\Windows\system32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076d119a0 1 byte JMP 0000000076e70230 .text C:\Windows\system32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076d119a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d11b60 5 bytes JMP 0000000076e70480 .text C:\Windows\system32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076d11b90 5 bytes JMP 0000000076e703a0 .text C:\Windows\system32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076d11c70 5 bytes JMP 0000000076e702f0 .text C:\Windows\system32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076d11c80 5 bytes JMP 0000000076e70350 .text C:\Windows\system32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076d11ce0 5 bytes JMP 0000000076e70290 .text C:\Windows\system32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076d11d70 5 bytes JMP 0000000076e702b0 .text C:\Windows\system32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076d11d90 5 bytes JMP 0000000076e703d0 .text C:\Windows\system32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076d11da0 1 byte JMP 0000000076e70330 .text C:\Windows\system32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076d11da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076d11e10 5 bytes JMP 0000000076e70410 .text C:\Windows\system32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076d11e40 5 bytes JMP 0000000076e70240 .text C:\Windows\system32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076d12100 5 bytes JMP 0000000076e701e0 .text C:\Windows\system32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076d121c0 1 byte JMP 0000000076e70250 .text C:\Windows\system32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076d121c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076d121f0 5 bytes JMP 0000000076e70490 .text C:\Windows\system32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076d12200 5 bytes JMP 0000000076e704a0 .text C:\Windows\system32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076d12230 5 bytes JMP 0000000076e70300 .text C:\Windows\system32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076d12240 5 bytes JMP 0000000076e70360 .text C:\Windows\system32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076d122a0 5 bytes JMP 0000000076e702a0 .text C:\Windows\system32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076d122f0 5 bytes JMP 0000000076e702c0 .text C:\Windows\system32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076d12320 5 bytes JMP 0000000076e70380 .text C:\Windows\system32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076d12330 5 bytes JMP 0000000076e70340 .text C:\Windows\system32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076d12620 5 bytes JMP 0000000076e70440 .text C:\Windows\system32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076d12820 5 bytes JMP 0000000076e70260 .text C:\Windows\system32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076d12830 5 bytes JMP 0000000076e70270 .text C:\Windows\system32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076d12840 5 bytes JMP 0000000076e70400 .text C:\Windows\system32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076d12a00 5 bytes JMP 0000000076e701f0 .text C:\Windows\system32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076d12a10 5 bytes JMP 0000000076e70210 .text C:\Windows\system32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076d12a80 5 bytes JMP 0000000076e70200 .text C:\Windows\system32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076d12ae0 5 bytes JMP 0000000076e70420 .text C:\Windows\system32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076d12af0 5 bytes JMP 0000000076e70430 .text C:\Windows\system32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076d12b00 5 bytes JMP 0000000076e70220 .text C:\Windows\system32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076d12be0 5 bytes JMP 0000000076e70280 .text C:\Windows\System32\svchost.exe[380] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076d113c0 5 bytes JMP 0000000076e70460 .text C:\Windows\System32\svchost.exe[380] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076d11410 5 bytes JMP 0000000076e70450 .text C:\Windows\System32\svchost.exe[380] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076d11570 5 bytes JMP 0000000076e70370 .text C:\Windows\System32\svchost.exe[380] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076d115c0 5 bytes JMP 0000000076e70470 .text C:\Windows\System32\svchost.exe[380] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d115d0 5 bytes JMP 0000000076e703e0 .text C:\Windows\System32\svchost.exe[380] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076d11680 5 bytes JMP 0000000076e70320 .text C:\Windows\System32\svchost.exe[380] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d116b0 5 bytes JMP 0000000076e703b0 .text C:\Windows\System32\svchost.exe[380] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076d116d0 5 bytes JMP 0000000076e70390 .text C:\Windows\System32\svchost.exe[380] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076d11710 5 bytes JMP 0000000076e702e0 .text C:\Windows\System32\svchost.exe[380] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076d11790 5 bytes JMP 0000000076e702d0 .text C:\Windows\System32\svchost.exe[380] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076d117b0 5 bytes JMP 0000000076e70310 .text C:\Windows\System32\svchost.exe[380] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076d117f0 5 bytes JMP 0000000076e703c0 .text C:\Windows\System32\svchost.exe[380] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076d11840 5 bytes JMP 0000000076e703f0 .text C:\Windows\System32\svchost.exe[380] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076d119a0 1 byte JMP 0000000076e70230 .text C:\Windows\System32\svchost.exe[380] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076d119a2 3 bytes {JMP 0x15e890} .text C:\Windows\System32\svchost.exe[380] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d11b60 5 bytes JMP 0000000076e70480 .text C:\Windows\System32\svchost.exe[380] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076d11b90 5 bytes JMP 0000000076e703a0 .text C:\Windows\System32\svchost.exe[380] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076d11c70 5 bytes JMP 0000000076e702f0 .text C:\Windows\System32\svchost.exe[380] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076d11c80 5 bytes JMP 0000000076e70350 .text C:\Windows\System32\svchost.exe[380] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076d11ce0 5 bytes JMP 0000000076e70290 .text C:\Windows\System32\svchost.exe[380] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076d11d70 5 bytes JMP 0000000076e702b0 .text C:\Windows\System32\svchost.exe[380] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076d11d90 5 bytes JMP 0000000076e703d0 .text C:\Windows\System32\svchost.exe[380] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076d11da0 1 byte JMP 0000000076e70330 .text C:\Windows\System32\svchost.exe[380] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076d11da2 3 bytes {JMP 0x15e590} .text C:\Windows\System32\svchost.exe[380] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076d11e10 5 bytes JMP 0000000076e70410 .text C:\Windows\System32\svchost.exe[380] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076d11e40 5 bytes JMP 0000000076e70240 .text C:\Windows\System32\svchost.exe[380] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076d12100 5 bytes JMP 0000000076e701e0 .text C:\Windows\System32\svchost.exe[380] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076d121c0 1 byte JMP 0000000076e70250 .text C:\Windows\System32\svchost.exe[380] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076d121c2 3 bytes {JMP 0x15e090} .text C:\Windows\System32\svchost.exe[380] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076d121f0 5 bytes JMP 0000000076e70490 .text C:\Windows\System32\svchost.exe[380] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076d12200 5 bytes JMP 0000000076e704a0 .text C:\Windows\System32\svchost.exe[380] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076d12230 5 bytes JMP 0000000076e70300 .text C:\Windows\System32\svchost.exe[380] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076d12240 5 bytes JMP 0000000076e70360 .text C:\Windows\System32\svchost.exe[380] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076d122a0 5 bytes JMP 0000000076e702a0 .text C:\Windows\System32\svchost.exe[380] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076d122f0 5 bytes JMP 0000000076e702c0 .text C:\Windows\System32\svchost.exe[380] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076d12320 5 bytes JMP 0000000076e70380 .text C:\Windows\System32\svchost.exe[380] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076d12330 5 bytes JMP 0000000076e70340 .text C:\Windows\System32\svchost.exe[380] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076d12620 5 bytes JMP 0000000076e70440 .text C:\Windows\System32\svchost.exe[380] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076d12820 5 bytes JMP 0000000076e70260 .text C:\Windows\System32\svchost.exe[380] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076d12830 5 bytes JMP 0000000076e70270 .text C:\Windows\System32\svchost.exe[380] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076d12840 5 bytes JMP 0000000076e70400 .text C:\Windows\System32\svchost.exe[380] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076d12a00 5 bytes JMP 0000000076e701f0 .text C:\Windows\System32\svchost.exe[380] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076d12a10 5 bytes JMP 0000000076e70210 .text C:\Windows\System32\svchost.exe[380] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076d12a80 5 bytes JMP 0000000076e70200 .text C:\Windows\System32\svchost.exe[380] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076d12ae0 5 bytes JMP 0000000076e70420 .text C:\Windows\System32\svchost.exe[380] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076d12af0 5 bytes JMP 0000000076e70430 .text C:\Windows\System32\svchost.exe[380] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076d12b00 5 bytes JMP 0000000076e70220 .text C:\Windows\System32\svchost.exe[380] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076d12be0 5 bytes JMP 0000000076e70280 .text C:\Windows\System32\svchost.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076d113c0 5 bytes JMP 0000000076e70460 .text C:\Windows\System32\svchost.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076d11410 5 bytes JMP 0000000076e70450 .text C:\Windows\System32\svchost.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076d11570 5 bytes JMP 0000000076e70370 .text C:\Windows\System32\svchost.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076d115c0 5 bytes JMP 0000000076e70470 .text C:\Windows\System32\svchost.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d115d0 5 bytes JMP 0000000076e703e0 .text C:\Windows\System32\svchost.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076d11680 5 bytes JMP 0000000076e70320 .text C:\Windows\System32\svchost.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d116b0 5 bytes JMP 0000000076e703b0 .text C:\Windows\System32\svchost.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076d116d0 5 bytes JMP 0000000076e70390 .text C:\Windows\System32\svchost.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076d11710 5 bytes JMP 0000000076e702e0 .text C:\Windows\System32\svchost.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076d11790 5 bytes JMP 0000000076e702d0 .text C:\Windows\System32\svchost.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076d117b0 5 bytes JMP 0000000076e70310 .text C:\Windows\System32\svchost.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076d117f0 5 bytes JMP 0000000076e703c0 .text C:\Windows\System32\svchost.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076d11840 5 bytes JMP 0000000076e703f0 .text C:\Windows\System32\svchost.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076d119a0 1 byte JMP 0000000076e70230 .text C:\Windows\System32\svchost.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076d119a2 3 bytes {JMP 0x15e890} .text C:\Windows\System32\svchost.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d11b60 5 bytes JMP 0000000076e70480 .text C:\Windows\System32\svchost.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076d11b90 5 bytes JMP 0000000076e703a0 .text C:\Windows\System32\svchost.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076d11c70 5 bytes JMP 0000000076e702f0 .text C:\Windows\System32\svchost.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076d11c80 5 bytes JMP 0000000076e70350 .text C:\Windows\System32\svchost.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076d11ce0 5 bytes JMP 0000000076e70290 .text C:\Windows\System32\svchost.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076d11d70 5 bytes JMP 0000000076e702b0 .text C:\Windows\System32\svchost.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076d11d90 5 bytes JMP 0000000076e703d0 .text C:\Windows\System32\svchost.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076d11da0 1 byte JMP 0000000076e70330 .text C:\Windows\System32\svchost.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076d11da2 3 bytes {JMP 0x15e590} .text C:\Windows\System32\svchost.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076d11e10 5 bytes JMP 0000000076e70410 .text C:\Windows\System32\svchost.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076d11e40 5 bytes JMP 0000000076e70240 .text C:\Windows\System32\svchost.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076d12100 5 bytes JMP 0000000076e701e0 .text C:\Windows\System32\svchost.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076d121c0 1 byte JMP 0000000076e70250 .text C:\Windows\System32\svchost.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076d121c2 3 bytes {JMP 0x15e090} .text C:\Windows\System32\svchost.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076d121f0 5 bytes JMP 0000000076e70490 .text C:\Windows\System32\svchost.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076d12200 5 bytes JMP 0000000076e704a0 .text C:\Windows\System32\svchost.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076d12230 5 bytes JMP 0000000076e70300 .text C:\Windows\System32\svchost.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076d12240 5 bytes JMP 0000000076e70360 .text C:\Windows\System32\svchost.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076d122a0 5 bytes JMP 0000000076e702a0 .text C:\Windows\System32\svchost.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076d122f0 5 bytes JMP 0000000076e702c0 .text C:\Windows\System32\svchost.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076d12320 5 bytes JMP 0000000076e70380 .text C:\Windows\System32\svchost.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076d12330 5 bytes JMP 0000000076e70340 .text C:\Windows\System32\svchost.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076d12620 5 bytes JMP 0000000076e70440 .text C:\Windows\System32\svchost.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076d12820 5 bytes JMP 0000000076e70260 .text C:\Windows\System32\svchost.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076d12830 5 bytes JMP 0000000076e70270 .text C:\Windows\System32\svchost.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076d12840 5 bytes JMP 0000000076e70400 .text C:\Windows\System32\svchost.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076d12a00 5 bytes JMP 0000000076e701f0 .text C:\Windows\System32\svchost.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076d12a10 5 bytes JMP 0000000076e70210 .text C:\Windows\System32\svchost.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076d12a80 5 bytes JMP 0000000076e70200 .text C:\Windows\System32\svchost.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076d12ae0 5 bytes JMP 0000000076e70420 .text C:\Windows\System32\svchost.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076d12af0 5 bytes JMP 0000000076e70430 .text C:\Windows\System32\svchost.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076d12b00 5 bytes JMP 0000000076e70220 .text C:\Windows\System32\svchost.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076d12be0 5 bytes JMP 0000000076e70280 .text C:\Windows\system32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076d113c0 5 bytes JMP 0000000076e70460 .text C:\Windows\system32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076d11410 5 bytes JMP 0000000076e70450 .text C:\Windows\system32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076d11570 5 bytes JMP 0000000076e70370 .text C:\Windows\system32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076d115c0 5 bytes JMP 0000000076e70470 .text C:\Windows\system32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d115d0 5 bytes JMP 0000000076e703e0 .text C:\Windows\system32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076d11680 5 bytes JMP 0000000076e70320 .text C:\Windows\system32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d116b0 5 bytes JMP 0000000076e703b0 .text C:\Windows\system32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076d116d0 5 bytes JMP 0000000076e70390 .text C:\Windows\system32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076d11710 5 bytes JMP 0000000076e702e0 .text C:\Windows\system32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076d11790 5 bytes JMP 0000000076e702d0 .text C:\Windows\system32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076d117b0 5 bytes JMP 0000000076e70310 .text C:\Windows\system32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076d117f0 5 bytes JMP 0000000076e703c0 .text C:\Windows\system32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076d11840 5 bytes JMP 0000000076e703f0 .text C:\Windows\system32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076d119a0 1 byte JMP 0000000076e70230 .text C:\Windows\system32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076d119a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d11b60 5 bytes JMP 0000000076e70480 .text C:\Windows\system32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076d11b90 5 bytes JMP 0000000076e703a0 .text C:\Windows\system32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076d11c70 5 bytes JMP 0000000076e702f0 .text C:\Windows\system32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076d11c80 5 bytes JMP 0000000076e70350 .text C:\Windows\system32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076d11ce0 5 bytes JMP 0000000076e70290 .text C:\Windows\system32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076d11d70 5 bytes JMP 0000000076e702b0 .text C:\Windows\system32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076d11d90 5 bytes JMP 0000000076e703d0 .text C:\Windows\system32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076d11da0 1 byte JMP 0000000076e70330 .text C:\Windows\system32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076d11da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076d11e10 5 bytes JMP 0000000076e70410 .text C:\Windows\system32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076d11e40 5 bytes JMP 0000000076e70240 .text C:\Windows\system32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076d12100 5 bytes JMP 0000000076e701e0 .text C:\Windows\system32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076d121c0 1 byte JMP 0000000076e70250 .text C:\Windows\system32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076d121c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076d121f0 5 bytes JMP 0000000076e70490 .text C:\Windows\system32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076d12200 5 bytes JMP 0000000076e704a0 .text C:\Windows\system32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076d12230 5 bytes JMP 0000000076e70300 .text C:\Windows\system32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076d12240 5 bytes JMP 0000000076e70360 .text C:\Windows\system32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076d122a0 5 bytes JMP 0000000076e702a0 .text C:\Windows\system32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076d122f0 5 bytes JMP 0000000076e702c0 .text C:\Windows\system32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076d12320 5 bytes JMP 0000000076e70380 .text C:\Windows\system32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076d12330 5 bytes JMP 0000000076e70340 .text C:\Windows\system32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076d12620 5 bytes JMP 0000000076e70440 .text C:\Windows\system32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076d12820 5 bytes JMP 0000000076e70260 .text C:\Windows\system32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076d12830 5 bytes JMP 0000000076e70270 .text C:\Windows\system32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076d12840 5 bytes JMP 0000000076e70400 .text C:\Windows\system32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076d12a00 5 bytes JMP 0000000076e701f0 .text C:\Windows\system32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076d12a10 5 bytes JMP 0000000076e70210 .text C:\Windows\system32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076d12a80 5 bytes JMP 0000000076e70200 .text C:\Windows\system32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076d12ae0 5 bytes JMP 0000000076e70420 .text C:\Windows\system32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076d12af0 5 bytes JMP 0000000076e70430 .text C:\Windows\system32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076d12b00 5 bytes JMP 0000000076e70220 .text C:\Windows\system32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076d12be0 5 bytes JMP 0000000076e70280 .text C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076d113c0 5 bytes JMP 0000000076e70460 .text C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076d11410 5 bytes JMP 0000000076e70450 .text C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076d11570 5 bytes JMP 0000000076e70370 .text C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076d115c0 5 bytes JMP 0000000076e70470 .text C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d115d0 5 bytes JMP 0000000076e703e0 .text C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076d11680 5 bytes JMP 0000000076e70320 .text C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d116b0 5 bytes JMP 0000000076e703b0 .text C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076d116d0 5 bytes JMP 0000000076e70390 .text C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076d11710 5 bytes JMP 0000000076e702e0 .text C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076d11790 5 bytes JMP 0000000076e702d0 .text C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076d117b0 5 bytes JMP 0000000076e70310 .text C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076d117f0 5 bytes JMP 0000000076e703c0 .text C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076d11840 5 bytes JMP 0000000076e703f0 .text C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076d119a0 1 byte JMP 0000000076e70230 .text C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076d119a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d11b60 5 bytes JMP 0000000076e70480 .text C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076d11b90 5 bytes JMP 0000000076e703a0 .text C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076d11c70 5 bytes JMP 0000000076e702f0 .text C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076d11c80 5 bytes JMP 0000000076e70350 .text C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076d11ce0 5 bytes JMP 0000000076e70290 .text C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076d11d70 5 bytes JMP 0000000076e702b0 .text C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076d11d90 5 bytes JMP 0000000076e703d0 .text C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076d11da0 1 byte JMP 0000000076e70330 .text C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076d11da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076d11e10 5 bytes JMP 0000000076e70410 .text C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076d11e40 5 bytes JMP 0000000076e70240 .text C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076d12100 5 bytes JMP 0000000076e701e0 .text C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076d121c0 1 byte JMP 0000000076e70250 .text C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076d121c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076d121f0 5 bytes JMP 0000000076e70490 .text C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076d12200 5 bytes JMP 0000000076e704a0 .text C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076d12230 5 bytes JMP 0000000076e70300 .text C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076d12240 5 bytes JMP 0000000076e70360 .text C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076d122a0 5 bytes JMP 0000000076e702a0 .text C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076d122f0 5 bytes JMP 0000000076e702c0 .text C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076d12320 5 bytes JMP 0000000076e70380 .text C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076d12330 5 bytes JMP 0000000076e70340 .text C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076d12620 5 bytes JMP 0000000076e70440 .text C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076d12820 5 bytes JMP 0000000076e70260 .text C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076d12830 5 bytes JMP 0000000076e70270 .text C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076d12840 5 bytes JMP 0000000076e70400 .text C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076d12a00 5 bytes JMP 0000000076e701f0 .text C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076d12a10 5 bytes JMP 0000000076e70210 .text C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076d12a80 5 bytes JMP 0000000076e70200 .text C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076d12ae0 5 bytes JMP 0000000076e70420 .text C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076d12af0 5 bytes JMP 0000000076e70430 .text C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076d12b00 5 bytes JMP 0000000076e70220 .text C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076d12be0 5 bytes JMP 0000000076e70280 .text C:\Windows\system32\svchost.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076d113c0 5 bytes JMP 0000000076e70460 .text C:\Windows\system32\svchost.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076d11410 5 bytes JMP 0000000076e70450 .text C:\Windows\system32\svchost.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076d11570 5 bytes JMP 0000000076e70370 .text C:\Windows\system32\svchost.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076d115c0 5 bytes JMP 0000000076e70470 .text C:\Windows\system32\svchost.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d115d0 5 bytes JMP 0000000076e703e0 .text C:\Windows\system32\svchost.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076d11680 5 bytes JMP 0000000076e70320 .text C:\Windows\system32\svchost.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d116b0 5 bytes JMP 0000000076e703b0 .text C:\Windows\system32\svchost.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076d116d0 5 bytes JMP 0000000076e70390 .text C:\Windows\system32\svchost.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076d11710 5 bytes JMP 0000000076e702e0 .text C:\Windows\system32\svchost.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076d11790 5 bytes JMP 0000000076e702d0 .text C:\Windows\system32\svchost.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076d117b0 5 bytes JMP 0000000076e70310 .text C:\Windows\system32\svchost.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076d117f0 5 bytes JMP 0000000076e703c0 .text C:\Windows\system32\svchost.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076d11840 5 bytes JMP 0000000076e703f0 .text C:\Windows\system32\svchost.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076d119a0 1 byte JMP 0000000076e70230 .text C:\Windows\system32\svchost.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076d119a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\svchost.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d11b60 5 bytes JMP 0000000076e70480 .text C:\Windows\system32\svchost.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076d11b90 5 bytes JMP 0000000076e703a0 .text C:\Windows\system32\svchost.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076d11c70 5 bytes JMP 0000000076e702f0 .text C:\Windows\system32\svchost.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076d11c80 5 bytes JMP 0000000076e70350 .text C:\Windows\system32\svchost.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076d11ce0 5 bytes JMP 0000000076e70290 .text C:\Windows\system32\svchost.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076d11d70 5 bytes JMP 0000000076e702b0 .text C:\Windows\system32\svchost.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076d11d90 5 bytes JMP 0000000076e703d0 .text C:\Windows\system32\svchost.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076d11da0 1 byte JMP 0000000076e70330 .text C:\Windows\system32\svchost.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076d11da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\svchost.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076d11e10 5 bytes JMP 0000000076e70410 .text C:\Windows\system32\svchost.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076d11e40 5 bytes JMP 0000000076e70240 .text C:\Windows\system32\svchost.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076d12100 5 bytes JMP 0000000076e701e0 .text C:\Windows\system32\svchost.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076d121c0 1 byte JMP 0000000076e70250 .text C:\Windows\system32\svchost.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076d121c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\svchost.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076d121f0 5 bytes JMP 0000000076e70490 .text C:\Windows\system32\svchost.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076d12200 5 bytes JMP 0000000076e704a0 .text C:\Windows\system32\svchost.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076d12230 5 bytes JMP 0000000076e70300 .text C:\Windows\system32\svchost.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076d12240 5 bytes JMP 0000000076e70360 .text C:\Windows\system32\svchost.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076d122a0 5 bytes JMP 0000000076e702a0 .text C:\Windows\system32\svchost.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076d122f0 5 bytes JMP 0000000076e702c0 .text C:\Windows\system32\svchost.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076d12320 5 bytes JMP 0000000076e70380 .text C:\Windows\system32\svchost.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076d12330 5 bytes JMP 0000000076e70340 .text C:\Windows\system32\svchost.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076d12620 5 bytes JMP 0000000076e70440 .text C:\Windows\system32\svchost.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076d12820 5 bytes JMP 0000000076e70260 .text C:\Windows\system32\svchost.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076d12830 5 bytes JMP 0000000076e70270 .text C:\Windows\system32\svchost.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076d12840 5 bytes JMP 0000000076e70400 .text C:\Windows\system32\svchost.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076d12a00 5 bytes JMP 0000000076e701f0 .text C:\Windows\system32\svchost.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076d12a10 5 bytes JMP 0000000076e70210 .text C:\Windows\system32\svchost.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076d12a80 5 bytes JMP 0000000076e70200 .text C:\Windows\system32\svchost.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076d12ae0 5 bytes JMP 0000000076e70420 .text C:\Windows\system32\svchost.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076d12af0 5 bytes JMP 0000000076e70430 .text C:\Windows\system32\svchost.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076d12b00 5 bytes JMP 0000000076e70220 .text C:\Windows\system32\svchost.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076d12be0 5 bytes JMP 0000000076e70280 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076d113c0 5 bytes JMP 0000000076e70460 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076d11410 5 bytes JMP 0000000076e70450 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076d11570 5 bytes JMP 0000000076e70370 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076d115c0 5 bytes JMP 0000000076e70470 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d115d0 5 bytes JMP 0000000076e703e0 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076d11680 5 bytes JMP 0000000076e70320 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d116b0 5 bytes JMP 0000000076e703b0 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076d116d0 5 bytes JMP 0000000076e70390 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076d11710 5 bytes JMP 0000000076e702e0 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076d11790 5 bytes JMP 0000000076e702d0 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076d117b0 5 bytes JMP 0000000076e70310 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076d117f0 5 bytes JMP 0000000076e703c0 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076d11840 5 bytes JMP 0000000076e703f0 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076d119a0 1 byte JMP 0000000076e70230 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076d119a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d11b60 5 bytes JMP 0000000076e70480 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076d11b90 5 bytes JMP 0000000076e703a0 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076d11c70 5 bytes JMP 0000000076e702f0 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076d11c80 5 bytes JMP 0000000076e70350 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076d11ce0 5 bytes JMP 0000000076e70290 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076d11d70 5 bytes JMP 0000000076e702b0 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076d11d90 5 bytes JMP 0000000076e703d0 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076d11da0 1 byte JMP 0000000076e70330 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076d11da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076d11e10 5 bytes JMP 0000000076e70410 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076d11e40 5 bytes JMP 0000000076e70240 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076d12100 5 bytes JMP 0000000076e701e0 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076d121c0 1 byte JMP 0000000076e70250 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076d121c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076d121f0 5 bytes JMP 0000000076e70490 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076d12200 5 bytes JMP 0000000076e704a0 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076d12230 5 bytes JMP 0000000076e70300 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076d12240 5 bytes JMP 0000000076e70360 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076d122a0 5 bytes JMP 0000000076e702a0 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076d122f0 5 bytes JMP 0000000076e702c0 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076d12320 5 bytes JMP 0000000076e70380 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076d12330 5 bytes JMP 0000000076e70340 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076d12620 5 bytes JMP 0000000076e70440 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076d12820 5 bytes JMP 0000000076e70260 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076d12830 5 bytes JMP 0000000076e70270 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076d12840 5 bytes JMP 0000000076e70400 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076d12a00 5 bytes JMP 0000000076e701f0 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076d12a10 5 bytes JMP 0000000076e70210 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076d12a80 5 bytes JMP 0000000076e70200 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076d12ae0 5 bytes JMP 0000000076e70420 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076d12af0 5 bytes JMP 0000000076e70430 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076d12b00 5 bytes JMP 0000000076e70220 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076d12be0 5 bytes JMP 0000000076e70280 .text C:\Windows\system32\wbem\wmiprvse.exe[1184] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076d113c0 5 bytes JMP 0000000076e70460 .text C:\Windows\system32\wbem\wmiprvse.exe[1184] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076d11410 5 bytes JMP 0000000076e70450 .text C:\Windows\system32\wbem\wmiprvse.exe[1184] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076d11570 5 bytes JMP 0000000076e70370 .text C:\Windows\system32\wbem\wmiprvse.exe[1184] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076d115c0 5 bytes JMP 0000000076e70470 .text C:\Windows\system32\wbem\wmiprvse.exe[1184] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d115d0 5 bytes JMP 0000000076e703e0 .text C:\Windows\system32\wbem\wmiprvse.exe[1184] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076d11680 5 bytes JMP 0000000076e70320 .text C:\Windows\system32\wbem\wmiprvse.exe[1184] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d116b0 5 bytes JMP 0000000076e703b0 .text C:\Windows\system32\wbem\wmiprvse.exe[1184] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076d116d0 5 bytes JMP 0000000076e70390 .text C:\Windows\system32\wbem\wmiprvse.exe[1184] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076d11710 5 bytes JMP 0000000076e702e0 .text C:\Windows\system32\wbem\wmiprvse.exe[1184] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076d11790 5 bytes JMP 0000000076e702d0 .text C:\Windows\system32\wbem\wmiprvse.exe[1184] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076d117b0 5 bytes JMP 0000000076e70310 .text C:\Windows\system32\wbem\wmiprvse.exe[1184] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076d117f0 5 bytes JMP 0000000076e703c0 .text C:\Windows\system32\wbem\wmiprvse.exe[1184] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076d11840 5 bytes JMP 0000000076e703f0 .text C:\Windows\system32\wbem\wmiprvse.exe[1184] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076d119a0 1 byte JMP 0000000076e70230 .text C:\Windows\system32\wbem\wmiprvse.exe[1184] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076d119a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\wbem\wmiprvse.exe[1184] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d11b60 5 bytes JMP 0000000076e70480 .text C:\Windows\system32\wbem\wmiprvse.exe[1184] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076d11b90 5 bytes JMP 0000000076e703a0 .text C:\Windows\system32\wbem\wmiprvse.exe[1184] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076d11c70 5 bytes JMP 0000000076e702f0 .text C:\Windows\system32\wbem\wmiprvse.exe[1184] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076d11c80 5 bytes JMP 0000000076e70350 .text C:\Windows\system32\wbem\wmiprvse.exe[1184] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076d11ce0 5 bytes JMP 0000000076e70290 .text C:\Windows\system32\wbem\wmiprvse.exe[1184] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076d11d70 5 bytes JMP 0000000076e702b0 .text C:\Windows\system32\wbem\wmiprvse.exe[1184] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076d11d90 5 bytes JMP 0000000076e703d0 .text C:\Windows\system32\wbem\wmiprvse.exe[1184] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076d11da0 1 byte JMP 0000000076e70330 .text C:\Windows\system32\wbem\wmiprvse.exe[1184] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076d11da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\wbem\wmiprvse.exe[1184] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076d11e10 5 bytes JMP 0000000076e70410 .text C:\Windows\system32\wbem\wmiprvse.exe[1184] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076d11e40 5 bytes JMP 0000000076e70240 .text C:\Windows\system32\wbem\wmiprvse.exe[1184] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076d12100 5 bytes JMP 0000000076e701e0 .text C:\Windows\system32\wbem\wmiprvse.exe[1184] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076d121c0 1 byte JMP 0000000076e70250 .text C:\Windows\system32\wbem\wmiprvse.exe[1184] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076d121c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\wbem\wmiprvse.exe[1184] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076d121f0 5 bytes JMP 0000000076e70490 .text C:\Windows\system32\wbem\wmiprvse.exe[1184] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076d12200 5 bytes JMP 0000000076e704a0 .text C:\Windows\system32\wbem\wmiprvse.exe[1184] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076d12230 5 bytes JMP 0000000076e70300 .text C:\Windows\system32\wbem\wmiprvse.exe[1184] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076d12240 5 bytes JMP 0000000076e70360 .text C:\Windows\system32\wbem\wmiprvse.exe[1184] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076d122a0 5 bytes JMP 0000000076e702a0 .text C:\Windows\system32\wbem\wmiprvse.exe[1184] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076d122f0 5 bytes JMP 0000000076e702c0 .text C:\Windows\system32\wbem\wmiprvse.exe[1184] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076d12320 5 bytes JMP 0000000076e70380 .text C:\Windows\system32\wbem\wmiprvse.exe[1184] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076d12330 5 bytes JMP 0000000076e70340 .text C:\Windows\system32\wbem\wmiprvse.exe[1184] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076d12620 5 bytes JMP 0000000076e70440 .text C:\Windows\system32\wbem\wmiprvse.exe[1184] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076d12820 5 bytes JMP 0000000076e70260 .text C:\Windows\system32\wbem\wmiprvse.exe[1184] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076d12830 5 bytes JMP 0000000076e70270 .text C:\Windows\system32\wbem\wmiprvse.exe[1184] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076d12840 5 bytes JMP 0000000076e70400 .text C:\Windows\system32\wbem\wmiprvse.exe[1184] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076d12a00 5 bytes JMP 0000000076e701f0 .text C:\Windows\system32\wbem\wmiprvse.exe[1184] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076d12a10 5 bytes JMP 0000000076e70210 .text C:\Windows\system32\wbem\wmiprvse.exe[1184] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076d12a80 5 bytes JMP 0000000076e70200 .text C:\Windows\system32\wbem\wmiprvse.exe[1184] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076d12ae0 5 bytes JMP 0000000076e70420 .text C:\Windows\system32\wbem\wmiprvse.exe[1184] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076d12af0 5 bytes JMP 0000000076e70430 .text C:\Windows\system32\wbem\wmiprvse.exe[1184] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076d12b00 5 bytes JMP 0000000076e70220 .text C:\Windows\system32\wbem\wmiprvse.exe[1184] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076d12be0 5 bytes JMP 0000000076e70280 .text C:\Windows\system32\SearchIndexer.exe[2376] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076d113c0 5 bytes JMP 0000000076e70460 .text C:\Windows\system32\SearchIndexer.exe[2376] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076d11410 5 bytes JMP 0000000076e70450 .text C:\Windows\system32\SearchIndexer.exe[2376] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076d11570 5 bytes JMP 0000000076e70370 .text C:\Windows\system32\SearchIndexer.exe[2376] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076d115c0 5 bytes JMP 0000000076e70470 .text C:\Windows\system32\SearchIndexer.exe[2376] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d115d0 5 bytes JMP 0000000076e703e0 .text C:\Windows\system32\SearchIndexer.exe[2376] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076d11680 5 bytes JMP 0000000076e70320 .text C:\Windows\system32\SearchIndexer.exe[2376] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d116b0 5 bytes JMP 0000000076e703b0 .text C:\Windows\system32\SearchIndexer.exe[2376] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076d116d0 5 bytes JMP 0000000076e70390 .text C:\Windows\system32\SearchIndexer.exe[2376] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076d11710 5 bytes JMP 0000000076e702e0 .text C:\Windows\system32\SearchIndexer.exe[2376] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076d11790 5 bytes JMP 0000000076e702d0 .text C:\Windows\system32\SearchIndexer.exe[2376] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076d117b0 5 bytes JMP 0000000076e70310 .text C:\Windows\system32\SearchIndexer.exe[2376] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076d117f0 5 bytes JMP 0000000076e703c0 .text C:\Windows\system32\SearchIndexer.exe[2376] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076d11840 5 bytes JMP 0000000076e703f0 .text C:\Windows\system32\SearchIndexer.exe[2376] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076d119a0 1 byte JMP 0000000076e70230 .text C:\Windows\system32\SearchIndexer.exe[2376] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076d119a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\SearchIndexer.exe[2376] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d11b60 5 bytes JMP 0000000076e70480 .text C:\Windows\system32\SearchIndexer.exe[2376] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076d11b90 5 bytes JMP 0000000076e703a0 .text C:\Windows\system32\SearchIndexer.exe[2376] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076d11c70 5 bytes JMP 0000000076e702f0 .text C:\Windows\system32\SearchIndexer.exe[2376] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076d11c80 5 bytes JMP 0000000076e70350 .text C:\Windows\system32\SearchIndexer.exe[2376] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076d11ce0 5 bytes JMP 0000000076e70290 .text C:\Windows\system32\SearchIndexer.exe[2376] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076d11d70 5 bytes JMP 0000000076e702b0 .text C:\Windows\system32\SearchIndexer.exe[2376] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076d11d90 5 bytes JMP 0000000076e703d0 .text C:\Windows\system32\SearchIndexer.exe[2376] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076d11da0 1 byte JMP 0000000076e70330 .text C:\Windows\system32\SearchIndexer.exe[2376] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076d11da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\SearchIndexer.exe[2376] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076d11e10 5 bytes JMP 0000000076e70410 .text C:\Windows\system32\SearchIndexer.exe[2376] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076d11e40 5 bytes JMP 0000000076e70240 .text C:\Windows\system32\SearchIndexer.exe[2376] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076d12100 5 bytes JMP 0000000076e701e0 .text C:\Windows\system32\SearchIndexer.exe[2376] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076d121c0 1 byte JMP 0000000076e70250 .text C:\Windows\system32\SearchIndexer.exe[2376] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076d121c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\SearchIndexer.exe[2376] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076d121f0 5 bytes JMP 0000000076e70490 .text C:\Windows\system32\SearchIndexer.exe[2376] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076d12200 5 bytes JMP 0000000076e704a0 .text C:\Windows\system32\SearchIndexer.exe[2376] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076d12230 5 bytes JMP 0000000076e70300 .text C:\Windows\system32\SearchIndexer.exe[2376] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076d12240 5 bytes JMP 0000000076e70360 .text C:\Windows\system32\SearchIndexer.exe[2376] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076d122a0 5 bytes JMP 0000000076e702a0 .text C:\Windows\system32\SearchIndexer.exe[2376] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076d122f0 5 bytes JMP 0000000076e702c0 .text C:\Windows\system32\SearchIndexer.exe[2376] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076d12320 5 bytes JMP 0000000076e70380 .text C:\Windows\system32\SearchIndexer.exe[2376] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076d12330 5 bytes JMP 0000000076e70340 .text C:\Windows\system32\SearchIndexer.exe[2376] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076d12620 5 bytes JMP 0000000076e70440 .text C:\Windows\system32\SearchIndexer.exe[2376] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076d12820 5 bytes JMP 0000000076e70260 .text C:\Windows\system32\SearchIndexer.exe[2376] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076d12830 5 bytes JMP 0000000076e70270 .text C:\Windows\system32\SearchIndexer.exe[2376] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076d12840 5 bytes JMP 0000000076e70400 .text C:\Windows\system32\SearchIndexer.exe[2376] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076d12a00 5 bytes JMP 0000000076e701f0 .text C:\Windows\system32\SearchIndexer.exe[2376] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076d12a10 5 bytes JMP 0000000076e70210 .text C:\Windows\system32\SearchIndexer.exe[2376] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076d12a80 5 bytes JMP 0000000076e70200 .text C:\Windows\system32\SearchIndexer.exe[2376] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076d12ae0 5 bytes JMP 0000000076e70420 .text C:\Windows\system32\SearchIndexer.exe[2376] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076d12af0 5 bytes JMP 0000000076e70430 .text C:\Windows\system32\SearchIndexer.exe[2376] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076d12b00 5 bytes JMP 0000000076e70220 .text C:\Windows\system32\SearchIndexer.exe[2376] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076d12be0 5 bytes JMP 0000000076e70280 .text C:\Windows\system32\taskhost.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076d113c0 5 bytes JMP 0000000076e70460 .text C:\Windows\system32\taskhost.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076d11410 5 bytes JMP 0000000076e70450 .text C:\Windows\system32\taskhost.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076d11570 5 bytes JMP 0000000076e70370 .text C:\Windows\system32\taskhost.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076d115c0 5 bytes JMP 0000000076e70470 .text C:\Windows\system32\taskhost.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d115d0 5 bytes JMP 0000000076e703e0 .text C:\Windows\system32\taskhost.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076d11680 5 bytes JMP 0000000076e70320 .text C:\Windows\system32\taskhost.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d116b0 5 bytes JMP 0000000076e703b0 .text C:\Windows\system32\taskhost.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076d116d0 5 bytes JMP 0000000076e70390 .text C:\Windows\system32\taskhost.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076d11710 5 bytes JMP 0000000076e702e0 .text C:\Windows\system32\taskhost.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076d11790 5 bytes JMP 0000000076e702d0 .text C:\Windows\system32\taskhost.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076d117b0 5 bytes JMP 0000000076e70310 .text C:\Windows\system32\taskhost.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076d117f0 5 bytes JMP 0000000076e703c0 .text C:\Windows\system32\taskhost.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076d11840 5 bytes JMP 0000000076e703f0 .text C:\Windows\system32\taskhost.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076d119a0 1 byte JMP 0000000076e70230 .text C:\Windows\system32\taskhost.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076d119a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\taskhost.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d11b60 5 bytes JMP 0000000076e70480 .text C:\Windows\system32\taskhost.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076d11b90 5 bytes JMP 0000000076e703a0 .text C:\Windows\system32\taskhost.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076d11c70 5 bytes JMP 0000000076e702f0 .text C:\Windows\system32\taskhost.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076d11c80 5 bytes JMP 0000000076e70350 .text C:\Windows\system32\taskhost.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076d11ce0 5 bytes JMP 0000000076e70290 .text C:\Windows\system32\taskhost.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076d11d70 5 bytes JMP 0000000076e702b0 .text C:\Windows\system32\taskhost.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076d11d90 5 bytes JMP 0000000076e703d0 .text C:\Windows\system32\taskhost.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076d11da0 1 byte JMP 0000000076e70330 .text C:\Windows\system32\taskhost.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076d11da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\taskhost.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076d11e10 5 bytes JMP 0000000076e70410 .text C:\Windows\system32\taskhost.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076d11e40 5 bytes JMP 0000000076e70240 .text C:\Windows\system32\taskhost.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076d12100 5 bytes JMP 0000000076e701e0 .text C:\Windows\system32\taskhost.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076d121c0 1 byte JMP 0000000076e70250 .text C:\Windows\system32\taskhost.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076d121c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\taskhost.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076d121f0 5 bytes JMP 0000000076e70490 .text C:\Windows\system32\taskhost.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076d12200 5 bytes JMP 0000000076e704a0 .text C:\Windows\system32\taskhost.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076d12230 5 bytes JMP 0000000076e70300 .text C:\Windows\system32\taskhost.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076d12240 5 bytes JMP 0000000076e70360 .text C:\Windows\system32\taskhost.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076d122a0 5 bytes JMP 0000000076e702a0 .text C:\Windows\system32\taskhost.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076d122f0 5 bytes JMP 0000000076e702c0 .text C:\Windows\system32\taskhost.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076d12320 5 bytes JMP 0000000076e70380 .text C:\Windows\system32\taskhost.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076d12330 5 bytes JMP 0000000076e70340 .text C:\Windows\system32\taskhost.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076d12620 5 bytes JMP 0000000076e70440 .text C:\Windows\system32\taskhost.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076d12820 5 bytes JMP 0000000076e70260 .text C:\Windows\system32\taskhost.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076d12830 5 bytes JMP 0000000076e70270 .text C:\Windows\system32\taskhost.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076d12840 5 bytes JMP 0000000076e70400 .text C:\Windows\system32\taskhost.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076d12a00 5 bytes JMP 0000000076e701f0 .text C:\Windows\system32\taskhost.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076d12a10 5 bytes JMP 0000000076e70210 .text C:\Windows\system32\taskhost.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076d12a80 5 bytes JMP 0000000076e70200 .text C:\Windows\system32\taskhost.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076d12ae0 5 bytes JMP 0000000076e70420 .text C:\Windows\system32\taskhost.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076d12af0 5 bytes JMP 0000000076e70430 .text C:\Windows\system32\taskhost.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076d12b00 5 bytes JMP 0000000076e70220 .text C:\Windows\system32\taskhost.exe[2628] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076d12be0 5 bytes JMP 0000000076e70280 .text C:\Windows\system32\Dwm.exe[3108] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076d113c0 5 bytes JMP 0000000076e70460 .text C:\Windows\system32\Dwm.exe[3108] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076d11410 5 bytes JMP 0000000076e70450 .text C:\Windows\system32\Dwm.exe[3108] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076d11570 5 bytes JMP 0000000076e70370 .text C:\Windows\system32\Dwm.exe[3108] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076d115c0 5 bytes JMP 0000000076e70470 .text C:\Windows\system32\Dwm.exe[3108] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d115d0 5 bytes JMP 0000000076e703e0 .text C:\Windows\system32\Dwm.exe[3108] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076d11680 5 bytes JMP 0000000076e70320 .text C:\Windows\system32\Dwm.exe[3108] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d116b0 5 bytes JMP 0000000076e703b0 .text C:\Windows\system32\Dwm.exe[3108] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076d116d0 5 bytes JMP 0000000076e70390 .text C:\Windows\system32\Dwm.exe[3108] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076d11710 5 bytes JMP 0000000076e702e0 .text C:\Windows\system32\Dwm.exe[3108] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076d11790 5 bytes JMP 0000000076e702d0 .text C:\Windows\system32\Dwm.exe[3108] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076d117b0 5 bytes JMP 0000000076e70310 .text C:\Windows\system32\Dwm.exe[3108] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076d117f0 5 bytes JMP 0000000076e703c0 .text C:\Windows\system32\Dwm.exe[3108] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076d11840 5 bytes JMP 0000000076e703f0 .text C:\Windows\system32\Dwm.exe[3108] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076d119a0 1 byte JMP 0000000076e70230 .text C:\Windows\system32\Dwm.exe[3108] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076d119a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\Dwm.exe[3108] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d11b60 5 bytes JMP 0000000076e70480 .text C:\Windows\system32\Dwm.exe[3108] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076d11b90 5 bytes JMP 0000000076e703a0 .text C:\Windows\system32\Dwm.exe[3108] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076d11c70 5 bytes JMP 0000000076e702f0 .text C:\Windows\system32\Dwm.exe[3108] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076d11c80 5 bytes JMP 0000000076e70350 .text C:\Windows\system32\Dwm.exe[3108] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076d11ce0 5 bytes JMP 0000000076e70290 .text C:\Windows\system32\Dwm.exe[3108] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076d11d70 5 bytes JMP 0000000076e702b0 .text C:\Windows\system32\Dwm.exe[3108] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076d11d90 5 bytes JMP 0000000076e703d0 .text C:\Windows\system32\Dwm.exe[3108] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076d11da0 1 byte JMP 0000000076e70330 .text C:\Windows\system32\Dwm.exe[3108] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076d11da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\Dwm.exe[3108] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076d11e10 5 bytes JMP 0000000076e70410 .text C:\Windows\system32\Dwm.exe[3108] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076d11e40 5 bytes JMP 0000000076e70240 .text C:\Windows\system32\Dwm.exe[3108] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076d12100 5 bytes JMP 0000000076e701e0 .text C:\Windows\system32\Dwm.exe[3108] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076d121c0 1 byte JMP 0000000076e70250 .text C:\Windows\system32\Dwm.exe[3108] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076d121c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\Dwm.exe[3108] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076d121f0 5 bytes JMP 0000000076e70490 .text C:\Windows\system32\Dwm.exe[3108] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076d12200 5 bytes JMP 0000000076e704a0 .text C:\Windows\system32\Dwm.exe[3108] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076d12230 5 bytes JMP 0000000076e70300 .text C:\Windows\system32\Dwm.exe[3108] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076d12240 5 bytes JMP 0000000076e70360 .text C:\Windows\system32\Dwm.exe[3108] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076d122a0 5 bytes JMP 0000000076e702a0 .text C:\Windows\system32\Dwm.exe[3108] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076d122f0 5 bytes JMP 0000000076e702c0 .text C:\Windows\system32\Dwm.exe[3108] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076d12320 5 bytes JMP 0000000076e70380 .text C:\Windows\system32\Dwm.exe[3108] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076d12330 5 bytes JMP 0000000076e70340 .text C:\Windows\system32\Dwm.exe[3108] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076d12620 5 bytes JMP 0000000076e70440 .text C:\Windows\system32\Dwm.exe[3108] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076d12820 5 bytes JMP 0000000076e70260 .text C:\Windows\system32\Dwm.exe[3108] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076d12830 5 bytes JMP 0000000076e70270 .text C:\Windows\system32\Dwm.exe[3108] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076d12840 5 bytes JMP 0000000076e70400 .text C:\Windows\system32\Dwm.exe[3108] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076d12a00 5 bytes JMP 0000000076e701f0 .text C:\Windows\system32\Dwm.exe[3108] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076d12a10 5 bytes JMP 0000000076e70210 .text C:\Windows\system32\Dwm.exe[3108] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076d12a80 5 bytes JMP 0000000076e70200 .text C:\Windows\system32\Dwm.exe[3108] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076d12ae0 5 bytes JMP 0000000076e70420 .text C:\Windows\system32\Dwm.exe[3108] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076d12af0 5 bytes JMP 0000000076e70430 .text C:\Windows\system32\Dwm.exe[3108] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076d12b00 5 bytes JMP 0000000076e70220 .text C:\Windows\system32\Dwm.exe[3108] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076d12be0 5 bytes JMP 0000000076e70280 .text C:\Windows\Explorer.EXE[3140] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076d113c0 5 bytes JMP 0000000076e70460 .text C:\Windows\Explorer.EXE[3140] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076d11410 5 bytes JMP 0000000076e70450 .text C:\Windows\Explorer.EXE[3140] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076d11570 5 bytes JMP 0000000076e70370 .text C:\Windows\Explorer.EXE[3140] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076d115c0 5 bytes JMP 0000000076e70470 .text C:\Windows\Explorer.EXE[3140] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d115d0 5 bytes JMP 0000000076e703e0 .text C:\Windows\Explorer.EXE[3140] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076d11680 5 bytes JMP 0000000076e70320 .text C:\Windows\Explorer.EXE[3140] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d116b0 5 bytes JMP 0000000076e703b0 .text C:\Windows\Explorer.EXE[3140] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076d116d0 5 bytes JMP 0000000076e70390 .text C:\Windows\Explorer.EXE[3140] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076d11710 5 bytes JMP 0000000076e702e0 .text C:\Windows\Explorer.EXE[3140] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076d11790 5 bytes JMP 0000000076e702d0 .text C:\Windows\Explorer.EXE[3140] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076d117b0 5 bytes JMP 0000000076e70310 .text C:\Windows\Explorer.EXE[3140] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076d117f0 5 bytes JMP 0000000076e703c0 .text C:\Windows\Explorer.EXE[3140] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076d11840 5 bytes JMP 0000000076e703f0 .text C:\Windows\Explorer.EXE[3140] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076d119a0 1 byte JMP 0000000076e70230 .text C:\Windows\Explorer.EXE[3140] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076d119a2 3 bytes {JMP 0x15e890} .text C:\Windows\Explorer.EXE[3140] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d11b60 5 bytes JMP 0000000076e70480 .text C:\Windows\Explorer.EXE[3140] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076d11b90 5 bytes JMP 0000000076e703a0 .text C:\Windows\Explorer.EXE[3140] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076d11c70 5 bytes JMP 0000000076e702f0 .text C:\Windows\Explorer.EXE[3140] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076d11c80 5 bytes JMP 0000000076e70350 .text C:\Windows\Explorer.EXE[3140] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076d11ce0 5 bytes JMP 0000000076e70290 .text C:\Windows\Explorer.EXE[3140] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076d11d70 5 bytes JMP 0000000076e702b0 .text C:\Windows\Explorer.EXE[3140] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076d11d90 5 bytes JMP 0000000076e703d0 .text C:\Windows\Explorer.EXE[3140] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076d11da0 1 byte JMP 0000000076e70330 .text C:\Windows\Explorer.EXE[3140] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076d11da2 3 bytes {JMP 0x15e590} .text C:\Windows\Explorer.EXE[3140] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076d11e10 5 bytes JMP 0000000076e70410 .text C:\Windows\Explorer.EXE[3140] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076d11e40 5 bytes JMP 0000000076e70240 .text C:\Windows\Explorer.EXE[3140] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076d12100 5 bytes JMP 0000000076e701e0 .text C:\Windows\Explorer.EXE[3140] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076d121c0 1 byte JMP 0000000076e70250 .text C:\Windows\Explorer.EXE[3140] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076d121c2 3 bytes {JMP 0x15e090} .text C:\Windows\Explorer.EXE[3140] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076d121f0 5 bytes JMP 0000000076e70490 .text C:\Windows\Explorer.EXE[3140] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076d12200 5 bytes JMP 0000000076e704a0 .text C:\Windows\Explorer.EXE[3140] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076d12230 5 bytes JMP 0000000076e70300 .text C:\Windows\Explorer.EXE[3140] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076d12240 5 bytes JMP 0000000076e70360 .text C:\Windows\Explorer.EXE[3140] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076d122a0 5 bytes JMP 0000000076e702a0 .text C:\Windows\Explorer.EXE[3140] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076d122f0 5 bytes JMP 0000000076e702c0 .text C:\Windows\Explorer.EXE[3140] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076d12320 5 bytes JMP 0000000076e70380 .text C:\Windows\Explorer.EXE[3140] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076d12330 5 bytes JMP 0000000076e70340 .text C:\Windows\Explorer.EXE[3140] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076d12620 5 bytes JMP 0000000076e70440 .text C:\Windows\Explorer.EXE[3140] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076d12820 5 bytes JMP 0000000076e70260 .text C:\Windows\Explorer.EXE[3140] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076d12830 5 bytes JMP 0000000076e70270 .text C:\Windows\Explorer.EXE[3140] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076d12840 5 bytes JMP 0000000076e70400 .text C:\Windows\Explorer.EXE[3140] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076d12a00 5 bytes JMP 0000000076e701f0 .text C:\Windows\Explorer.EXE[3140] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076d12a10 5 bytes JMP 0000000076e70210 .text C:\Windows\Explorer.EXE[3140] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076d12a80 5 bytes JMP 0000000076e70200 .text C:\Windows\Explorer.EXE[3140] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076d12ae0 5 bytes JMP 0000000076e70420 .text C:\Windows\Explorer.EXE[3140] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076d12af0 5 bytes JMP 0000000076e70430 .text C:\Windows\Explorer.EXE[3140] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076d12b00 5 bytes JMP 0000000076e70220 .text C:\Windows\Explorer.EXE[3140] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076d12be0 5 bytes JMP 0000000076e70280 .text C:\Program Files\Windows Sidebar\sidebar.exe[3392] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076d113c0 5 bytes JMP 0000000076e70460 .text C:\Program Files\Windows Sidebar\sidebar.exe[3392] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076d11410 5 bytes JMP 0000000076e70450 .text C:\Program Files\Windows Sidebar\sidebar.exe[3392] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076d11570 5 bytes JMP 0000000076e70370 .text C:\Program Files\Windows Sidebar\sidebar.exe[3392] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076d115c0 5 bytes JMP 0000000076e70470 .text C:\Program Files\Windows Sidebar\sidebar.exe[3392] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d115d0 5 bytes JMP 0000000076e703e0 .text C:\Program Files\Windows Sidebar\sidebar.exe[3392] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076d11680 5 bytes JMP 0000000076e70320 .text C:\Program Files\Windows Sidebar\sidebar.exe[3392] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d116b0 5 bytes JMP 0000000076e703b0 .text C:\Program Files\Windows Sidebar\sidebar.exe[3392] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076d116d0 5 bytes JMP 0000000076e70390 .text C:\Program Files\Windows Sidebar\sidebar.exe[3392] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076d11710 5 bytes JMP 0000000076e702e0 .text C:\Program Files\Windows Sidebar\sidebar.exe[3392] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076d11790 5 bytes JMP 0000000076e702d0 .text C:\Program Files\Windows Sidebar\sidebar.exe[3392] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076d117b0 5 bytes JMP 0000000076e70310 .text C:\Program Files\Windows Sidebar\sidebar.exe[3392] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076d117f0 5 bytes JMP 0000000076e703c0 .text C:\Program Files\Windows Sidebar\sidebar.exe[3392] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076d11840 5 bytes JMP 0000000076e703f0 .text C:\Program Files\Windows Sidebar\sidebar.exe[3392] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076d119a0 1 byte JMP 0000000076e70230 .text C:\Program Files\Windows Sidebar\sidebar.exe[3392] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076d119a2 3 bytes {JMP 0x15e890} .text C:\Program Files\Windows Sidebar\sidebar.exe[3392] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d11b60 5 bytes JMP 0000000076e70480 .text C:\Program Files\Windows Sidebar\sidebar.exe[3392] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076d11b90 5 bytes JMP 0000000076e703a0 .text C:\Program Files\Windows Sidebar\sidebar.exe[3392] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076d11c70 5 bytes JMP 0000000076e702f0 .text C:\Program Files\Windows Sidebar\sidebar.exe[3392] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076d11c80 5 bytes JMP 0000000076e70350 .text C:\Program Files\Windows Sidebar\sidebar.exe[3392] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076d11ce0 5 bytes JMP 0000000076e70290 .text C:\Program Files\Windows Sidebar\sidebar.exe[3392] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076d11d70 5 bytes JMP 0000000076e702b0 .text C:\Program Files\Windows Sidebar\sidebar.exe[3392] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076d11d90 5 bytes JMP 0000000076e703d0 .text C:\Program Files\Windows Sidebar\sidebar.exe[3392] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076d11da0 1 byte JMP 0000000076e70330 .text C:\Program Files\Windows Sidebar\sidebar.exe[3392] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076d11da2 3 bytes {JMP 0x15e590} .text C:\Program Files\Windows Sidebar\sidebar.exe[3392] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076d11e10 5 bytes JMP 0000000076e70410 .text C:\Program Files\Windows Sidebar\sidebar.exe[3392] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076d11e40 5 bytes JMP 0000000076e70240 .text C:\Program Files\Windows Sidebar\sidebar.exe[3392] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076d12100 5 bytes JMP 0000000076e701e0 .text C:\Program Files\Windows Sidebar\sidebar.exe[3392] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076d121c0 1 byte JMP 0000000076e70250 .text C:\Program Files\Windows Sidebar\sidebar.exe[3392] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076d121c2 3 bytes {JMP 0x15e090} .text C:\Program Files\Windows Sidebar\sidebar.exe[3392] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076d121f0 5 bytes JMP 0000000076e70490 .text C:\Program Files\Windows Sidebar\sidebar.exe[3392] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076d12200 5 bytes JMP 0000000076e704a0 .text C:\Program Files\Windows Sidebar\sidebar.exe[3392] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076d12230 5 bytes JMP 0000000076e70300 .text C:\Program Files\Windows Sidebar\sidebar.exe[3392] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076d12240 5 bytes JMP 0000000076e70360 .text C:\Program Files\Windows Sidebar\sidebar.exe[3392] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076d122a0 5 bytes JMP 0000000076e702a0 .text C:\Program Files\Windows Sidebar\sidebar.exe[3392] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076d122f0 5 bytes JMP 0000000076e702c0 .text C:\Program Files\Windows Sidebar\sidebar.exe[3392] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076d12320 5 bytes JMP 0000000076e70380 .text C:\Program Files\Windows Sidebar\sidebar.exe[3392] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076d12330 5 bytes JMP 0000000076e70340 .text C:\Program Files\Windows Sidebar\sidebar.exe[3392] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076d12620 5 bytes JMP 0000000076e70440 .text C:\Program Files\Windows Sidebar\sidebar.exe[3392] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076d12820 5 bytes JMP 0000000076e70260 .text C:\Program Files\Windows Sidebar\sidebar.exe[3392] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076d12830 5 bytes JMP 0000000076e70270 .text C:\Program Files\Windows Sidebar\sidebar.exe[3392] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076d12840 5 bytes JMP 0000000076e70400 .text C:\Program Files\Windows Sidebar\sidebar.exe[3392] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076d12a00 5 bytes JMP 0000000076e701f0 .text C:\Program Files\Windows Sidebar\sidebar.exe[3392] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076d12a10 5 bytes JMP 0000000076e70210 .text C:\Program Files\Windows Sidebar\sidebar.exe[3392] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076d12a80 5 bytes JMP 0000000076e70200 .text C:\Program Files\Windows Sidebar\sidebar.exe[3392] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076d12ae0 5 bytes JMP 0000000076e70420 .text C:\Program Files\Windows Sidebar\sidebar.exe[3392] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076d12af0 5 bytes JMP 0000000076e70430 .text C:\Program Files\Windows Sidebar\sidebar.exe[3392] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076d12b00 5 bytes JMP 0000000076e70220 .text C:\Program Files\Windows Sidebar\sidebar.exe[3392] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076d12be0 5 bytes JMP 0000000076e70280 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3700] C:\Windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter 0000000075da87c9 8 bytes [31, C0, C2, 04, 00, 90, 90, ...] .text C:\Windows\system32\svchost.exe[4028] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076d113c0 5 bytes JMP 0000000076e70460 .text C:\Windows\system32\svchost.exe[4028] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076d11410 5 bytes JMP 0000000076e70450 .text C:\Windows\system32\svchost.exe[4028] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076d11570 5 bytes JMP 0000000076e70370 .text C:\Windows\system32\svchost.exe[4028] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076d115c0 5 bytes JMP 0000000076e70470 .text C:\Windows\system32\svchost.exe[4028] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d115d0 5 bytes JMP 0000000076e703e0 .text C:\Windows\system32\svchost.exe[4028] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076d11680 5 bytes JMP 0000000076e70320 .text C:\Windows\system32\svchost.exe[4028] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d116b0 5 bytes JMP 0000000076e703b0 .text C:\Windows\system32\svchost.exe[4028] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076d116d0 5 bytes JMP 0000000076e70390 .text C:\Windows\system32\svchost.exe[4028] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076d11710 5 bytes JMP 0000000076e702e0 .text C:\Windows\system32\svchost.exe[4028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076d11790 5 bytes JMP 0000000076e702d0 .text C:\Windows\system32\svchost.exe[4028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076d117b0 5 bytes JMP 0000000076e70310 .text C:\Windows\system32\svchost.exe[4028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076d117f0 5 bytes JMP 0000000076e703c0 .text C:\Windows\system32\svchost.exe[4028] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076d11840 5 bytes JMP 0000000076e703f0 .text C:\Windows\system32\svchost.exe[4028] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076d119a0 1 byte JMP 0000000076e70230 .text C:\Windows\system32\svchost.exe[4028] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076d119a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\svchost.exe[4028] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d11b60 5 bytes JMP 0000000076e70480 .text C:\Windows\system32\svchost.exe[4028] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076d11b90 5 bytes JMP 0000000076e703a0 .text C:\Windows\system32\svchost.exe[4028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076d11c70 5 bytes JMP 0000000076e702f0 .text C:\Windows\system32\svchost.exe[4028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076d11c80 5 bytes JMP 0000000076e70350 .text C:\Windows\system32\svchost.exe[4028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076d11ce0 5 bytes JMP 0000000076e70290 .text C:\Windows\system32\svchost.exe[4028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076d11d70 5 bytes JMP 0000000076e702b0 .text C:\Windows\system32\svchost.exe[4028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076d11d90 5 bytes JMP 0000000076e703d0 .text C:\Windows\system32\svchost.exe[4028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076d11da0 1 byte JMP 0000000076e70330 .text C:\Windows\system32\svchost.exe[4028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076d11da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\svchost.exe[4028] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076d11e10 5 bytes JMP 0000000076e70410 .text C:\Windows\system32\svchost.exe[4028] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076d11e40 5 bytes JMP 0000000076e70240 .text C:\Windows\system32\svchost.exe[4028] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076d12100 5 bytes JMP 0000000076e701e0 .text C:\Windows\system32\svchost.exe[4028] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076d121c0 1 byte JMP 0000000076e70250 .text C:\Windows\system32\svchost.exe[4028] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076d121c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\svchost.exe[4028] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076d121f0 5 bytes JMP 0000000076e70490 .text C:\Windows\system32\svchost.exe[4028] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076d12200 5 bytes JMP 0000000076e704a0 .text C:\Windows\system32\svchost.exe[4028] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076d12230 5 bytes JMP 0000000076e70300 .text C:\Windows\system32\svchost.exe[4028] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076d12240 5 bytes JMP 0000000076e70360 .text C:\Windows\system32\svchost.exe[4028] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076d122a0 5 bytes JMP 0000000076e702a0 .text C:\Windows\system32\svchost.exe[4028] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076d122f0 5 bytes JMP 0000000076e702c0 .text C:\Windows\system32\svchost.exe[4028] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076d12320 5 bytes JMP 0000000076e70380 .text C:\Windows\system32\svchost.exe[4028] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076d12330 5 bytes JMP 0000000076e70340 .text C:\Windows\system32\svchost.exe[4028] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076d12620 5 bytes JMP 0000000076e70440 .text C:\Windows\system32\svchost.exe[4028] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076d12820 5 bytes JMP 0000000076e70260 .text C:\Windows\system32\svchost.exe[4028] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076d12830 5 bytes JMP 0000000076e70270 .text C:\Windows\system32\svchost.exe[4028] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076d12840 5 bytes JMP 0000000076e70400 .text C:\Windows\system32\svchost.exe[4028] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076d12a00 5 bytes JMP 0000000076e701f0 .text C:\Windows\system32\svchost.exe[4028] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076d12a10 5 bytes JMP 0000000076e70210 .text C:\Windows\system32\svchost.exe[4028] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076d12a80 5 bytes JMP 0000000076e70200 .text C:\Windows\system32\svchost.exe[4028] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076d12ae0 5 bytes JMP 0000000076e70420 .text C:\Windows\system32\svchost.exe[4028] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076d12af0 5 bytes JMP 0000000076e70430 .text C:\Windows\system32\svchost.exe[4028] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076d12b00 5 bytes JMP 0000000076e70220 .text C:\Windows\system32\svchost.exe[4028] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076d12be0 5 bytes JMP 0000000076e70280 .text C:\Windows\system32\taskhost.exe[5144] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076d113c0 5 bytes JMP 0000000076e70460 .text C:\Windows\system32\taskhost.exe[5144] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076d11410 5 bytes JMP 0000000076e70450 .text C:\Windows\system32\taskhost.exe[5144] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076d11570 5 bytes JMP 0000000076e70370 .text C:\Windows\system32\taskhost.exe[5144] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076d115c0 5 bytes JMP 0000000076e70470 .text C:\Windows\system32\taskhost.exe[5144] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d115d0 5 bytes JMP 0000000076e703e0 .text C:\Windows\system32\taskhost.exe[5144] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076d11680 5 bytes JMP 0000000076e70320 .text C:\Windows\system32\taskhost.exe[5144] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d116b0 5 bytes JMP 0000000076e703b0 .text C:\Windows\system32\taskhost.exe[5144] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076d116d0 5 bytes JMP 0000000076e70390 .text C:\Windows\system32\taskhost.exe[5144] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076d11710 5 bytes JMP 0000000076e702e0 .text C:\Windows\system32\taskhost.exe[5144] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076d11790 5 bytes JMP 0000000076e702d0 .text C:\Windows\system32\taskhost.exe[5144] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076d117b0 5 bytes JMP 0000000076e70310 .text C:\Windows\system32\taskhost.exe[5144] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076d117f0 5 bytes JMP 0000000076e703c0 .text C:\Windows\system32\taskhost.exe[5144] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076d11840 5 bytes JMP 0000000076e703f0 .text C:\Windows\system32\taskhost.exe[5144] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076d119a0 1 byte JMP 0000000076e70230 .text C:\Windows\system32\taskhost.exe[5144] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076d119a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\taskhost.exe[5144] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d11b60 5 bytes JMP 0000000076e70480 .text C:\Windows\system32\taskhost.exe[5144] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076d11b90 5 bytes JMP 0000000076e703a0 .text C:\Windows\system32\taskhost.exe[5144] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076d11c70 5 bytes JMP 0000000076e702f0 .text C:\Windows\system32\taskhost.exe[5144] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076d11c80 5 bytes JMP 0000000076e70350 .text C:\Windows\system32\taskhost.exe[5144] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076d11ce0 5 bytes JMP 0000000076e70290 .text C:\Windows\system32\taskhost.exe[5144] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076d11d70 5 bytes JMP 0000000076e702b0 .text C:\Windows\system32\taskhost.exe[5144] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076d11d90 5 bytes JMP 0000000076e703d0 .text C:\Windows\system32\taskhost.exe[5144] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076d11da0 1 byte JMP 0000000076e70330 .text C:\Windows\system32\taskhost.exe[5144] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076d11da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\taskhost.exe[5144] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076d11e10 5 bytes JMP 0000000076e70410 .text C:\Windows\system32\taskhost.exe[5144] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076d11e40 5 bytes JMP 0000000076e70240 .text C:\Windows\system32\taskhost.exe[5144] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076d12100 5 bytes JMP 0000000076e701e0 .text C:\Windows\system32\taskhost.exe[5144] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076d121c0 1 byte JMP 0000000076e70250 .text C:\Windows\system32\taskhost.exe[5144] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076d121c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\taskhost.exe[5144] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076d121f0 5 bytes JMP 0000000076e70490 .text C:\Windows\system32\taskhost.exe[5144] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076d12200 5 bytes JMP 0000000076e704a0 .text C:\Windows\system32\taskhost.exe[5144] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076d12230 5 bytes JMP 0000000076e70300 .text C:\Windows\system32\taskhost.exe[5144] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076d12240 5 bytes JMP 0000000076e70360 .text C:\Windows\system32\taskhost.exe[5144] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076d122a0 5 bytes JMP 0000000076e702a0 .text C:\Windows\system32\taskhost.exe[5144] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076d122f0 5 bytes JMP 0000000076e702c0 .text C:\Windows\system32\taskhost.exe[5144] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076d12320 5 bytes JMP 0000000076e70380 .text C:\Windows\system32\taskhost.exe[5144] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076d12330 5 bytes JMP 0000000076e70340 .text C:\Windows\system32\taskhost.exe[5144] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076d12620 5 bytes JMP 0000000076e70440 .text C:\Windows\system32\taskhost.exe[5144] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076d12820 5 bytes JMP 0000000076e70260 .text C:\Windows\system32\taskhost.exe[5144] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076d12830 5 bytes JMP 0000000076e70270 .text C:\Windows\system32\taskhost.exe[5144] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076d12840 5 bytes JMP 0000000076e70400 .text C:\Windows\system32\taskhost.exe[5144] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076d12a00 5 bytes JMP 0000000076e701f0 .text C:\Windows\system32\taskhost.exe[5144] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076d12a10 5 bytes JMP 0000000076e70210 .text C:\Windows\system32\taskhost.exe[5144] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076d12a80 5 bytes JMP 0000000076e70200 .text C:\Windows\system32\taskhost.exe[5144] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076d12ae0 5 bytes JMP 0000000076e70420 .text C:\Windows\system32\taskhost.exe[5144] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076d12af0 5 bytes JMP 0000000076e70430 .text C:\Windows\system32\taskhost.exe[5144] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076d12b00 5 bytes JMP 0000000076e70220 .text C:\Windows\system32\taskhost.exe[5144] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076d12be0 5 bytes JMP 0000000076e70280 .text D:\GameforgeLive\gfl_client.exe[348] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076531465 2 bytes [53, 76] .text D:\GameforgeLive\gfl_client.exe[348] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000765314bb 2 bytes [53, 76] .text ... * 2 .text D:\GameforgeLive\Games\POL_pol\4Story\PrePatch.exe[6140] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076531465 2 bytes [53, 76] .text D:\GameforgeLive\Games\POL_pol\4Story\PrePatch.exe[6140] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000765314bb 2 bytes [53, 76] .text ... * 2 ---- Kernel IAT/EAT - GMER 2.2 ---- IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort] [fffff88001094f1c] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUchar] [fffff88001094cc0] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUchar] [fffff8800109569c] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUlong] [fffff88001095a98] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort] [fffff880010958f4] \SystemRoot\System32\Drivers\sptd.sys [.text] ---- User IAT/EAT - GMER 2.2 ---- IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1872] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmAddToStreamDWord] [7fef8bc741c] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1872] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSet] [7fef8bc5f10] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1872] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmEndSession] [7fef8bc5674] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1872] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmStartSession] [7fef8bc5e2c] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1872] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmStartUpload] [7fef8bc7f48] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1872] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSetAppVersion] [7fef8bc6a38] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1872] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSetMachineId] [7fef8bc6ee8] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1872] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmWriteSharedMachineId] [7fef8bc7b58] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1872] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmCreateNewId] [7fef8bc7ea0] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1872] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmReadSharedMachineId] [7fef8bc78b0] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1872] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmGetSession] [7fef8bc4fb4] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1872] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSetAppId] [7fef8bc5d38] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1872] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmAddToStreamString] [7fef8bc7584] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll ---- Devices - GMER 2.2 ---- Device \Driver\atapi \Device\Ide\IdePort0 fffffa8003caf2c0 Device \Driver\atapi \Device\Ide\IdePort1 fffffa8003caf2c0 Device \Driver\ai6axgu3 \Device\Scsi\ai6axgu31Port4Path0Target0Lun0 fffffa800543a2c0 Device \Driver\ai6axgu3 \Device\Scsi\ai6axgu31 fffffa800543a2c0 Device \FileSystem\Ntfs \Ntfs fffffa8003d7f2c0 Device \Driver\usbehci \Device\USBPDO-1 fffffa80052a62c0 Device \Driver\nvstor64 \Device\00000070 fffffa8003cb32c0 Device \Driver\nvstor64 \Device\RaidPort0 fffffa8003cb32c0 Device \Driver\cdrom \Device\CdRom0 fffffa80050582c0 Device \Driver\nvstor64 \Device\RaidPort1 fffffa8003cb32c0 Device \Driver\cdrom \Device\CdRom1 fffffa80050582c0 Device \Driver\NetBT \Device\NetBT_Tcpip_{076679A5-D520-4A04-B110-687C6B46D5FD} fffffa800518c2c0 Device \Driver\usbohci \Device\USBFDO-0 fffffa80052772c0 Device \Driver\nvstor64 \Device\00000071 fffffa8003cb32c0 Device \Driver\NetBT \Device\NetBT_Tcpip_{1479CA50-6402-4B28-BF27-F3CCD31D0EEF} fffffa800518c2c0 Device \Driver\usbehci \Device\USBFDO-1 fffffa80052a62c0 Device \Driver\NetBT \Device\NetBt_Wins_Export fffffa800518c2c0 Device \Driver\atapi \Device\ScsiPort0 fffffa8003caf2c0 Device \Driver\usbohci \Device\USBPDO-0 fffffa80052772c0 Device \Driver\atapi \Device\ScsiPort1 fffffa8003caf2c0 Device \Driver\nvstor64 \Device\ScsiPort2 fffffa8003cb32c0 Device \Driver\nvstor64 \Device\ScsiPort3 fffffa8003cb32c0 Device \Driver\ai6axgu3 \Device\ScsiPort4 fffffa800543a2c0 ---- Trace I/O - GMER 2.2 ---- Trace ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys >>UNKNOWN [0xfffffa8003cb32c0]<< sptd.sys storport.sys hal.dll nvstor64.sys fffffa8003cb32c0 Trace 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8004d75060] fffffa8004d75060 Trace 3 CLASSPNP.SYS[fffff88001b7643f] -> nt!IofCallDriver -> [0xfffffa8003e05e40] fffffa8003e05e40 Trace 5 ACPI.sys[fffff8800100b7a1] -> nt!IofCallDriver -> \Device\00000070[0xfffffa8003df2060] fffffa8003df2060 Trace \Driver\nvstor64[0xfffffa8003df6360] -> IRP_MJ_CREATE -> 0xfffffa8003cb32c0 fffffa8003cb32c0 ---- Modules - GMER 2.2 ---- Module \SystemRoot\System32\Drivers\ai6axgu3.SYS fffff8800f200000-fffff8800f24f000 (323584 bytes) ---- Threads - GMER 2.2 ---- Thread C:\Windows\system32\AUDIODG.EXE [3616:1896] 0000000000030000 Thread C:\Windows\system32\AUDIODG.EXE [3616:6080] 0000000000040000 Thread C:\Windows\system32\AUDIODG.EXE [3616:5380] 0000000000230000 Thread C:\Windows\system32\AUDIODG.EXE [3616:6368] 0000000000240000 Thread C:\Windows\system32\AUDIODG.EXE [3616:5644] 0000000000250000 Thread C:\Windows\system32\AUDIODG.EXE [3616:3620] 0000000000260000 Thread C:\Windows\system32\AUDIODG.EXE [3616:6792] 0000000000270000 Thread C:\Windows\system32\AUDIODG.EXE [3616:4964] 0000000000280000 Thread C:\Windows\system32\AUDIODG.EXE [3616:6708] 0000000000290000 Thread C:\Windows\system32\AUDIODG.EXE [3616:5256] 00000000002a0000 Thread C:\Windows\system32\AUDIODG.EXE [3616:2104] 00000000002b0000 Thread C:\Windows\system32\AUDIODG.EXE [3616:6932] 00000000002c0000 Thread C:\Windows\system32\AUDIODG.EXE [3616:3756] 00000000009c0000 Thread C:\Windows\system32\AUDIODG.EXE [3616:6032] 00000000009d0000 Thread C:\Windows\system32\AUDIODG.EXE [3616:524] 00000000009e0000 Thread C:\Windows\system32\AUDIODG.EXE [3616:5732] 00000000009f0000 Thread C:\Windows\system32\AUDIODG.EXE [3616:5536] 0000000000a00000 Thread C:\Windows\system32\AUDIODG.EXE [3616:5572] 0000000000a10000 Thread C:\Windows\system32\AUDIODG.EXE [3616:2760] 0000000000a20000 Thread C:\Windows\system32\AUDIODG.EXE [3616:4932] 0000000000a30000 Thread C:\Windows\system32\AUDIODG.EXE [3616:4444] 0000000000a40000 Thread C:\Windows\system32\AUDIODG.EXE [3616:6908] 0000000000a50000 Thread C:\Windows\system32\AUDIODG.EXE [3616:3096] 0000000000af0000 Thread C:\Windows\system32\AUDIODG.EXE [3616:6484] 0000000000b80000 ---- Registry - GMER 2.2 ---- Reg HKLM\SYSTEM\ControlSet001\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet) Reg HKLM\SYSTEM\ControlSet001\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files (x86)\DAEMON Tools Lite\ Reg HKLM\SYSTEM\ControlSet001\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet001\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\ControlSet001\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xD2 0x6B 0x84 0x1D ... Reg HKLM\SYSTEM\ControlSet001\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet001\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet001\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x51 0x04 0x89 0xDD ... Reg HKLM\SYSTEM\ControlSet001\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet001\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x54 0x47 0x19 0x95 ... Reg HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted@D:\Games\Battlefield 3\x2122\Core\EAProxyInstaller.exe 1 ---- EOF - GMER 2.2 ----