GMER 2.2.19882 - http://www.gmer.net Rootkit scan 2016-07-01 13:28:30 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\0000006e WDC_WD75 rev.01.0 698,64GB Running: fsibxr39.exe; Driver: C:\Users\Pc\AppData\Local\Temp\uglcraoc.sys ---- Kernel code sections - GMER 2.2 ---- .text C:\Windows\system32\DRIVERS\USBPORT.SYS!DllUnload fffff88004cf0c34 12 bytes {MOV RAX, 0xfffffa80052922a0; JMP RAX} ---- User code sections - GMER 2.2 ---- .text C:\Windows\system32\csrss.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076d513c0 5 bytes JMP 0000000000120460 .text C:\Windows\system32\csrss.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076d51410 5 bytes JMP 0000000000120450 .text C:\Windows\system32\csrss.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076d51570 5 bytes JMP 0000000000120370 .text C:\Windows\system32\csrss.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076d515c0 5 bytes JMP 0000000000120470 .text C:\Windows\system32\csrss.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d515d0 5 bytes JMP 00000000001203e0 .text C:\Windows\system32\csrss.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076d51680 5 bytes JMP 0000000000120320 .text C:\Windows\system32\csrss.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d516b0 5 bytes JMP 00000000001203b0 .text C:\Windows\system32\csrss.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076d516d0 5 bytes JMP 0000000000120390 .text C:\Windows\system32\csrss.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076d51710 5 bytes JMP 00000000001202e0 .text C:\Windows\system32\csrss.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076d51790 5 bytes JMP 00000000001202d0 .text C:\Windows\system32\csrss.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076d517b0 5 bytes JMP 0000000000120310 .text C:\Windows\system32\csrss.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076d517f0 5 bytes JMP 00000000001203c0 .text C:\Windows\system32\csrss.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076d51840 5 bytes JMP 00000000001203f0 .text C:\Windows\system32\csrss.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076d519a0 1 byte JMP 0000000000120230 .text C:\Windows\system32\csrss.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076d519a2 3 bytes {JMP 0xffffffff893ce890} .text C:\Windows\system32\csrss.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d51b60 5 bytes JMP 0000000000120480 .text C:\Windows\system32\csrss.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076d51b90 5 bytes JMP 00000000001203a0 .text C:\Windows\system32\csrss.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076d51c70 5 bytes JMP 00000000001202f0 .text C:\Windows\system32\csrss.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076d51c80 5 bytes JMP 0000000000120350 .text C:\Windows\system32\csrss.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076d51ce0 5 bytes JMP 0000000000120290 .text C:\Windows\system32\csrss.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076d51d70 5 bytes JMP 00000000001202b0 .text C:\Windows\system32\csrss.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076d51d90 5 bytes JMP 00000000001203d0 .text C:\Windows\system32\csrss.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076d51da0 1 byte JMP 0000000000120330 .text C:\Windows\system32\csrss.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076d51da2 3 bytes {JMP 0xffffffff893ce590} .text C:\Windows\system32\csrss.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076d51e10 5 bytes JMP 0000000000120410 .text C:\Windows\system32\csrss.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076d51e40 5 bytes JMP 0000000000120240 .text C:\Windows\system32\csrss.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076d52100 5 bytes JMP 00000000001201e0 .text C:\Windows\system32\csrss.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076d521c0 1 byte JMP 0000000000120250 .text C:\Windows\system32\csrss.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076d521c2 3 bytes {JMP 0xffffffff893ce090} .text C:\Windows\system32\csrss.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076d521f0 5 bytes JMP 0000000000120490 .text C:\Windows\system32\csrss.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076d52200 5 bytes JMP 00000000001204a0 .text C:\Windows\system32\csrss.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076d52230 5 bytes JMP 0000000000120300 .text C:\Windows\system32\csrss.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076d52240 5 bytes JMP 0000000000120360 .text C:\Windows\system32\csrss.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076d522a0 5 bytes JMP 00000000001202a0 .text C:\Windows\system32\csrss.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076d522f0 5 bytes JMP 00000000001202c0 .text C:\Windows\system32\csrss.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076d52320 5 bytes JMP 0000000000120380 .text C:\Windows\system32\csrss.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076d52330 5 bytes JMP 0000000000120340 .text C:\Windows\system32\csrss.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076d52620 5 bytes JMP 0000000000120440 .text C:\Windows\system32\csrss.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076d52820 5 bytes JMP 0000000000120260 .text C:\Windows\system32\csrss.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076d52830 5 bytes JMP 0000000000120270 .text C:\Windows\system32\csrss.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076d52840 5 bytes JMP 0000000000120400 .text C:\Windows\system32\csrss.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076d52a00 5 bytes JMP 00000000001201f0 .text C:\Windows\system32\csrss.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076d52a10 5 bytes JMP 0000000000120210 .text C:\Windows\system32\csrss.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076d52a80 5 bytes JMP 0000000000120200 .text C:\Windows\system32\csrss.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076d52ae0 5 bytes JMP 0000000000120420 .text C:\Windows\system32\csrss.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076d52af0 5 bytes JMP 0000000000120430 .text C:\Windows\system32\csrss.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076d52b00 5 bytes JMP 0000000000120220 .text C:\Windows\system32\csrss.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076d52be0 5 bytes JMP 0000000000120280 .text C:\Windows\system32\wininit.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076d513c0 5 bytes JMP 0000000076eb0460 .text C:\Windows\system32\wininit.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076d51410 5 bytes JMP 0000000076eb0450 .text C:\Windows\system32\wininit.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076d51570 5 bytes JMP 0000000076eb0370 .text C:\Windows\system32\wininit.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076d515c0 5 bytes JMP 0000000076eb0470 .text C:\Windows\system32\wininit.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d515d0 5 bytes JMP 0000000076eb03e0 .text C:\Windows\system32\wininit.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076d51680 5 bytes JMP 0000000076eb0320 .text C:\Windows\system32\wininit.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d516b0 5 bytes JMP 0000000076eb03b0 .text C:\Windows\system32\wininit.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076d516d0 5 bytes JMP 0000000076eb0390 .text C:\Windows\system32\wininit.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076d51710 5 bytes JMP 0000000076eb02e0 .text C:\Windows\system32\wininit.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076d51790 5 bytes JMP 0000000076eb02d0 .text C:\Windows\system32\wininit.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076d517b0 5 bytes JMP 0000000076eb0310 .text C:\Windows\system32\wininit.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076d517f0 5 bytes JMP 0000000076eb03c0 .text C:\Windows\system32\wininit.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076d51840 5 bytes JMP 0000000076eb03f0 .text C:\Windows\system32\wininit.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076d519a0 1 byte JMP 0000000076eb0230 .text C:\Windows\system32\wininit.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076d519a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\wininit.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d51b60 5 bytes JMP 0000000076eb0480 .text C:\Windows\system32\wininit.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076d51b90 5 bytes JMP 0000000076eb03a0 .text C:\Windows\system32\wininit.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076d51c70 5 bytes JMP 0000000076eb02f0 .text C:\Windows\system32\wininit.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076d51c80 5 bytes JMP 0000000076eb0350 .text C:\Windows\system32\wininit.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076d51ce0 5 bytes JMP 0000000076eb0290 .text C:\Windows\system32\wininit.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076d51d70 5 bytes JMP 0000000076eb02b0 .text C:\Windows\system32\wininit.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076d51d90 5 bytes JMP 0000000076eb03d0 .text C:\Windows\system32\wininit.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076d51da0 1 byte JMP 0000000076eb0330 .text C:\Windows\system32\wininit.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076d51da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\wininit.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076d51e10 5 bytes JMP 0000000076eb0410 .text C:\Windows\system32\wininit.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076d51e40 5 bytes JMP 0000000076eb0240 .text C:\Windows\system32\wininit.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076d52100 5 bytes JMP 0000000076eb01e0 .text C:\Windows\system32\wininit.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076d521c0 1 byte JMP 0000000076eb0250 .text C:\Windows\system32\wininit.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076d521c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\wininit.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076d521f0 5 bytes JMP 0000000076eb0490 .text C:\Windows\system32\wininit.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076d52200 5 bytes JMP 0000000076eb04a0 .text C:\Windows\system32\wininit.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076d52230 5 bytes JMP 0000000076eb0300 .text C:\Windows\system32\wininit.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076d52240 5 bytes JMP 0000000076eb0360 .text C:\Windows\system32\wininit.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076d522a0 5 bytes JMP 0000000076eb02a0 .text C:\Windows\system32\wininit.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076d522f0 5 bytes JMP 0000000076eb02c0 .text C:\Windows\system32\wininit.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076d52320 5 bytes JMP 0000000076eb0380 .text C:\Windows\system32\wininit.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076d52330 5 bytes JMP 0000000076eb0340 .text C:\Windows\system32\wininit.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076d52620 5 bytes JMP 0000000076eb0440 .text C:\Windows\system32\wininit.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076d52820 5 bytes JMP 0000000076eb0260 .text C:\Windows\system32\wininit.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076d52830 5 bytes JMP 0000000076eb0270 .text C:\Windows\system32\wininit.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076d52840 5 bytes JMP 0000000076eb0400 .text C:\Windows\system32\wininit.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076d52a00 5 bytes JMP 0000000076eb01f0 .text C:\Windows\system32\wininit.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076d52a10 5 bytes JMP 0000000076eb0210 .text C:\Windows\system32\wininit.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076d52a80 5 bytes JMP 0000000076eb0200 .text C:\Windows\system32\wininit.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076d52ae0 5 bytes JMP 0000000076eb0420 .text C:\Windows\system32\wininit.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076d52af0 5 bytes JMP 0000000076eb0430 .text C:\Windows\system32\wininit.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076d52b00 5 bytes JMP 0000000076eb0220 .text C:\Windows\system32\wininit.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076d52be0 5 bytes JMP 0000000076eb0280 .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076d513c0 5 bytes JMP 0000000000120460 .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076d51410 5 bytes JMP 0000000000120450 .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076d51570 5 bytes JMP 0000000000120370 .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076d515c0 5 bytes JMP 0000000000120470 .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d515d0 5 bytes JMP 00000000001203e0 .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076d51680 5 bytes JMP 0000000000120320 .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d516b0 5 bytes JMP 00000000001203b0 .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076d516d0 5 bytes JMP 0000000000120390 .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076d51710 5 bytes JMP 00000000001202e0 .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076d51790 5 bytes JMP 00000000001202d0 .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076d517b0 5 bytes JMP 0000000000120310 .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076d517f0 5 bytes JMP 00000000001203c0 .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076d51840 5 bytes JMP 00000000001203f0 .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076d519a0 1 byte JMP 0000000000120230 .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076d519a2 3 bytes {JMP 0xffffffff893ce890} .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d51b60 5 bytes JMP 0000000000120480 .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076d51b90 5 bytes JMP 00000000001203a0 .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076d51c70 5 bytes JMP 00000000001202f0 .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076d51c80 5 bytes JMP 0000000000120350 .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076d51ce0 5 bytes JMP 0000000000120290 .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076d51d70 5 bytes JMP 00000000001202b0 .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076d51d90 5 bytes JMP 00000000001203d0 .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076d51da0 1 byte JMP 0000000000120330 .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076d51da2 3 bytes {JMP 0xffffffff893ce590} .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076d51e10 5 bytes JMP 0000000000120410 .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076d51e40 5 bytes JMP 0000000000120240 .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076d52100 5 bytes JMP 00000000001201e0 .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076d521c0 1 byte JMP 0000000000120250 .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076d521c2 3 bytes {JMP 0xffffffff893ce090} .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076d521f0 5 bytes JMP 0000000000120490 .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076d52200 5 bytes JMP 00000000001204a0 .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076d52230 5 bytes JMP 0000000000120300 .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076d52240 5 bytes JMP 0000000000120360 .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076d522a0 5 bytes JMP 00000000001202a0 .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076d522f0 5 bytes JMP 00000000001202c0 .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076d52320 5 bytes JMP 0000000000120380 .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076d52330 5 bytes JMP 0000000000120340 .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076d52620 5 bytes JMP 0000000000120440 .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076d52820 5 bytes JMP 0000000000120260 .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076d52830 5 bytes JMP 0000000000120270 .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076d52840 5 bytes JMP 0000000000120400 .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076d52a00 5 bytes JMP 00000000001201f0 .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076d52a10 5 bytes JMP 0000000000120210 .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076d52a80 5 bytes JMP 0000000000120200 .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076d52ae0 5 bytes JMP 0000000000120420 .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076d52af0 5 bytes JMP 0000000000120430 .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076d52b00 5 bytes JMP 0000000000120220 .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076d52be0 5 bytes JMP 0000000000120280 .text C:\Windows\system32\services.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076d513c0 5 bytes JMP 0000000076eb0460 .text C:\Windows\system32\services.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076d51410 5 bytes JMP 0000000076eb0450 .text C:\Windows\system32\services.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076d51570 5 bytes JMP 0000000076eb0370 .text C:\Windows\system32\services.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076d515c0 5 bytes JMP 0000000076eb0470 .text C:\Windows\system32\services.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d515d0 5 bytes JMP 0000000076eb03e0 .text C:\Windows\system32\services.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076d51680 5 bytes JMP 0000000076eb0320 .text C:\Windows\system32\services.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d516b0 5 bytes JMP 0000000076eb03b0 .text C:\Windows\system32\services.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076d516d0 5 bytes JMP 0000000076eb0390 .text C:\Windows\system32\services.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076d51710 5 bytes JMP 0000000076eb02e0 .text C:\Windows\system32\services.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076d51790 5 bytes JMP 0000000076eb02d0 .text C:\Windows\system32\services.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076d517b0 5 bytes JMP 0000000076eb0310 .text C:\Windows\system32\services.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076d517f0 5 bytes JMP 0000000076eb03c0 .text C:\Windows\system32\services.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076d51840 5 bytes JMP 0000000076eb03f0 .text C:\Windows\system32\services.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076d519a0 1 byte JMP 0000000076eb0230 .text C:\Windows\system32\services.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076d519a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\services.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d51b60 5 bytes JMP 0000000076eb0480 .text C:\Windows\system32\services.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076d51b90 5 bytes JMP 0000000076eb03a0 .text C:\Windows\system32\services.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076d51c70 5 bytes JMP 0000000076eb02f0 .text C:\Windows\system32\services.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076d51c80 5 bytes JMP 0000000076eb0350 .text C:\Windows\system32\services.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076d51ce0 5 bytes JMP 0000000076eb0290 .text C:\Windows\system32\services.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076d51d70 5 bytes JMP 0000000076eb02b0 .text C:\Windows\system32\services.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076d51d90 5 bytes JMP 0000000076eb03d0 .text C:\Windows\system32\services.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076d51da0 1 byte JMP 0000000076eb0330 .text C:\Windows\system32\services.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076d51da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\services.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076d51e10 5 bytes JMP 0000000076eb0410 .text C:\Windows\system32\services.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076d51e40 5 bytes JMP 0000000076eb0240 .text C:\Windows\system32\services.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076d52100 5 bytes JMP 0000000076eb01e0 .text C:\Windows\system32\services.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076d521c0 1 byte JMP 0000000076eb0250 .text C:\Windows\system32\services.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076d521c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\services.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076d521f0 5 bytes JMP 0000000076eb0490 .text C:\Windows\system32\services.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076d52200 5 bytes JMP 0000000076eb04a0 .text C:\Windows\system32\services.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076d52230 5 bytes JMP 0000000076eb0300 .text C:\Windows\system32\services.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076d52240 5 bytes JMP 0000000076eb0360 .text C:\Windows\system32\services.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076d522a0 5 bytes JMP 0000000076eb02a0 .text C:\Windows\system32\services.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076d522f0 5 bytes JMP 0000000076eb02c0 .text C:\Windows\system32\services.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076d52320 5 bytes JMP 0000000076eb0380 .text C:\Windows\system32\services.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076d52330 5 bytes JMP 0000000076eb0340 .text C:\Windows\system32\services.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076d52620 5 bytes JMP 0000000076eb0440 .text C:\Windows\system32\services.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076d52820 5 bytes JMP 0000000076eb0260 .text C:\Windows\system32\services.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076d52830 5 bytes JMP 0000000076eb0270 .text C:\Windows\system32\services.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076d52840 5 bytes JMP 0000000076eb0400 .text C:\Windows\system32\services.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076d52a00 5 bytes JMP 0000000076eb01f0 .text C:\Windows\system32\services.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076d52a10 5 bytes JMP 0000000076eb0210 .text C:\Windows\system32\services.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076d52a80 5 bytes JMP 0000000076eb0200 .text C:\Windows\system32\services.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076d52ae0 5 bytes JMP 0000000076eb0420 .text C:\Windows\system32\services.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076d52af0 5 bytes JMP 0000000076eb0430 .text C:\Windows\system32\services.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076d52b00 5 bytes JMP 0000000076eb0220 .text C:\Windows\system32\services.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076d52be0 5 bytes JMP 0000000076eb0280 .text C:\Windows\system32\lsass.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076d513c0 5 bytes JMP 0000000000070460 .text C:\Windows\system32\lsass.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076d51410 5 bytes JMP 0000000000070450 .text C:\Windows\system32\lsass.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076d51570 5 bytes JMP 0000000000070370 .text C:\Windows\system32\lsass.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076d515c0 5 bytes JMP 0000000000070470 .text C:\Windows\system32\lsass.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d515d0 5 bytes JMP 00000000000703e0 .text C:\Windows\system32\lsass.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076d51680 5 bytes JMP 0000000000070320 .text C:\Windows\system32\lsass.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d516b0 5 bytes JMP 00000000000703b0 .text C:\Windows\system32\lsass.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076d516d0 5 bytes JMP 0000000000070390 .text C:\Windows\system32\lsass.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076d51710 5 bytes JMP 00000000000702e0 .text C:\Windows\system32\lsass.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076d51790 5 bytes JMP 00000000000702d0 .text C:\Windows\system32\lsass.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076d517b0 5 bytes JMP 0000000000070310 .text C:\Windows\system32\lsass.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076d517f0 5 bytes JMP 00000000000703c0 .text C:\Windows\system32\lsass.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076d51840 5 bytes JMP 00000000000703f0 .text C:\Windows\system32\lsass.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076d519a0 1 byte JMP 0000000000070230 .text C:\Windows\system32\lsass.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076d519a2 3 bytes {JMP 0xffffffff8931e890} .text C:\Windows\system32\lsass.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d51b60 5 bytes JMP 0000000000070480 .text C:\Windows\system32\lsass.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076d51b90 5 bytes JMP 00000000000703a0 .text C:\Windows\system32\lsass.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076d51c70 5 bytes JMP 00000000000702f0 .text C:\Windows\system32\lsass.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076d51c80 5 bytes JMP 0000000000070350 .text C:\Windows\system32\lsass.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076d51ce0 5 bytes JMP 0000000000070290 .text C:\Windows\system32\lsass.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076d51d70 5 bytes JMP 00000000000702b0 .text C:\Windows\system32\lsass.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076d51d90 5 bytes JMP 00000000000703d0 .text C:\Windows\system32\lsass.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076d51da0 1 byte JMP 0000000000070330 .text C:\Windows\system32\lsass.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076d51da2 3 bytes {JMP 0xffffffff8931e590} .text C:\Windows\system32\lsass.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076d51e10 5 bytes JMP 0000000000070410 .text C:\Windows\system32\lsass.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076d51e40 5 bytes JMP 0000000000070240 .text C:\Windows\system32\lsass.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076d52100 5 bytes JMP 00000000000701e0 .text C:\Windows\system32\lsass.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076d521c0 1 byte JMP 0000000000070250 .text C:\Windows\system32\lsass.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076d521c2 3 bytes {JMP 0xffffffff8931e090} .text C:\Windows\system32\lsass.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076d521f0 5 bytes JMP 0000000000070490 .text C:\Windows\system32\lsass.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076d52200 5 bytes JMP 00000000000704a0 .text C:\Windows\system32\lsass.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076d52230 5 bytes JMP 0000000000070300 .text C:\Windows\system32\lsass.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076d52240 5 bytes JMP 0000000000070360 .text C:\Windows\system32\lsass.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076d522a0 5 bytes JMP 00000000000702a0 .text C:\Windows\system32\lsass.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076d522f0 5 bytes JMP 00000000000702c0 .text C:\Windows\system32\lsass.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076d52320 5 bytes JMP 0000000000070380 .text C:\Windows\system32\lsass.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076d52330 5 bytes JMP 0000000000070340 .text C:\Windows\system32\lsass.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076d52620 5 bytes JMP 0000000000070440 .text C:\Windows\system32\lsass.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076d52820 5 bytes JMP 0000000000070260 .text C:\Windows\system32\lsass.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076d52830 5 bytes JMP 0000000000070270 .text C:\Windows\system32\lsass.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076d52840 5 bytes JMP 0000000000070400 .text C:\Windows\system32\lsass.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076d52a00 5 bytes JMP 00000000000701f0 .text C:\Windows\system32\lsass.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076d52a10 5 bytes JMP 0000000000070210 .text C:\Windows\system32\lsass.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076d52a80 5 bytes JMP 0000000000070200 .text C:\Windows\system32\lsass.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076d52ae0 5 bytes JMP 0000000000070420 .text C:\Windows\system32\lsass.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076d52af0 5 bytes JMP 0000000000070430 .text C:\Windows\system32\lsass.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076d52b00 5 bytes JMP 0000000000070220 .text C:\Windows\system32\lsass.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076d52be0 5 bytes JMP 0000000000070280 .text C:\Windows\system32\lsm.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076d513c0 5 bytes JMP 0000000000070460 .text C:\Windows\system32\lsm.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076d51410 5 bytes JMP 0000000000070450 .text C:\Windows\system32\lsm.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076d51570 5 bytes JMP 0000000000070370 .text C:\Windows\system32\lsm.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076d515c0 5 bytes JMP 0000000000070470 .text C:\Windows\system32\lsm.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d515d0 5 bytes JMP 00000000000703e0 .text C:\Windows\system32\lsm.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076d51680 5 bytes JMP 0000000000070320 .text C:\Windows\system32\lsm.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d516b0 5 bytes JMP 00000000000703b0 .text C:\Windows\system32\lsm.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076d516d0 5 bytes JMP 0000000000070390 .text C:\Windows\system32\lsm.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076d51710 5 bytes JMP 00000000000702e0 .text C:\Windows\system32\lsm.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076d51790 5 bytes JMP 00000000000702d0 .text C:\Windows\system32\lsm.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076d517b0 5 bytes JMP 0000000000070310 .text C:\Windows\system32\lsm.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076d517f0 5 bytes JMP 00000000000703c0 .text C:\Windows\system32\lsm.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076d51840 5 bytes JMP 00000000000703f0 .text C:\Windows\system32\lsm.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076d519a0 1 byte JMP 0000000000070230 .text C:\Windows\system32\lsm.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076d519a2 3 bytes {JMP 0xffffffff8931e890} .text C:\Windows\system32\lsm.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d51b60 5 bytes JMP 0000000000070480 .text C:\Windows\system32\lsm.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076d51b90 5 bytes JMP 00000000000703a0 .text C:\Windows\system32\lsm.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076d51c70 5 bytes JMP 00000000000702f0 .text C:\Windows\system32\lsm.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076d51c80 5 bytes JMP 0000000000070350 .text C:\Windows\system32\lsm.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076d51ce0 5 bytes JMP 0000000000070290 .text C:\Windows\system32\lsm.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076d51d70 5 bytes JMP 00000000000702b0 .text C:\Windows\system32\lsm.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076d51d90 5 bytes JMP 00000000000703d0 .text C:\Windows\system32\lsm.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076d51da0 1 byte JMP 0000000000070330 .text C:\Windows\system32\lsm.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076d51da2 3 bytes {JMP 0xffffffff8931e590} .text C:\Windows\system32\lsm.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076d51e10 5 bytes JMP 0000000000070410 .text C:\Windows\system32\lsm.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076d51e40 5 bytes JMP 0000000000070240 .text C:\Windows\system32\lsm.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076d52100 5 bytes JMP 00000000000701e0 .text C:\Windows\system32\lsm.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076d521c0 1 byte JMP 0000000000070250 .text C:\Windows\system32\lsm.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076d521c2 3 bytes {JMP 0xffffffff8931e090} .text C:\Windows\system32\lsm.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076d521f0 5 bytes JMP 0000000000070490 .text C:\Windows\system32\lsm.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076d52200 5 bytes JMP 00000000000704a0 .text C:\Windows\system32\lsm.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076d52230 5 bytes JMP 0000000000070300 .text C:\Windows\system32\lsm.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076d52240 5 bytes JMP 0000000000070360 .text C:\Windows\system32\lsm.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076d522a0 5 bytes JMP 00000000000702a0 .text C:\Windows\system32\lsm.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076d522f0 5 bytes JMP 00000000000702c0 .text C:\Windows\system32\lsm.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076d52320 5 bytes JMP 0000000000070380 .text C:\Windows\system32\lsm.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076d52330 5 bytes JMP 0000000000070340 .text C:\Windows\system32\lsm.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076d52620 5 bytes JMP 0000000000070440 .text C:\Windows\system32\lsm.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076d52820 5 bytes JMP 0000000000070260 .text C:\Windows\system32\lsm.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076d52830 5 bytes JMP 0000000000070270 .text C:\Windows\system32\lsm.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076d52840 5 bytes JMP 0000000000070400 .text C:\Windows\system32\lsm.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076d52a00 5 bytes JMP 00000000000701f0 .text C:\Windows\system32\lsm.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076d52a10 5 bytes JMP 0000000000070210 .text C:\Windows\system32\lsm.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076d52a80 5 bytes JMP 0000000000070200 .text C:\Windows\system32\lsm.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076d52ae0 5 bytes JMP 0000000000070420 .text C:\Windows\system32\lsm.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076d52af0 5 bytes JMP 0000000000070430 .text C:\Windows\system32\lsm.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076d52b00 5 bytes JMP 0000000000070220 .text C:\Windows\system32\lsm.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076d52be0 5 bytes JMP 0000000000070280 .text C:\Windows\system32\winlogon.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076d513c0 5 bytes JMP 0000000076eb0460 .text C:\Windows\system32\winlogon.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076d51410 5 bytes JMP 0000000076eb0450 .text C:\Windows\system32\winlogon.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076d51570 5 bytes JMP 0000000076eb0370 .text C:\Windows\system32\winlogon.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076d515c0 5 bytes JMP 0000000076eb0470 .text C:\Windows\system32\winlogon.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d515d0 5 bytes JMP 0000000076eb03e0 .text C:\Windows\system32\winlogon.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076d51680 5 bytes JMP 0000000076eb0320 .text C:\Windows\system32\winlogon.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d516b0 5 bytes JMP 0000000076eb03b0 .text C:\Windows\system32\winlogon.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076d516d0 5 bytes JMP 0000000076eb0390 .text C:\Windows\system32\winlogon.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076d51710 5 bytes JMP 0000000076eb02e0 .text C:\Windows\system32\winlogon.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076d51790 5 bytes JMP 0000000076eb02d0 .text C:\Windows\system32\winlogon.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076d517b0 5 bytes JMP 0000000076eb0310 .text C:\Windows\system32\winlogon.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076d517f0 5 bytes JMP 0000000076eb03c0 .text C:\Windows\system32\winlogon.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076d51840 5 bytes JMP 0000000076eb03f0 .text C:\Windows\system32\winlogon.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076d519a0 1 byte JMP 0000000076eb0230 .text C:\Windows\system32\winlogon.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076d519a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\winlogon.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d51b60 5 bytes JMP 0000000076eb0480 .text C:\Windows\system32\winlogon.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076d51b90 5 bytes JMP 0000000076eb03a0 .text C:\Windows\system32\winlogon.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076d51c70 5 bytes JMP 0000000076eb02f0 .text C:\Windows\system32\winlogon.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076d51c80 5 bytes JMP 0000000076eb0350 .text C:\Windows\system32\winlogon.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076d51ce0 5 bytes JMP 0000000076eb0290 .text C:\Windows\system32\winlogon.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076d51d70 5 bytes JMP 0000000076eb02b0 .text C:\Windows\system32\winlogon.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076d51d90 5 bytes JMP 0000000076eb03d0 .text C:\Windows\system32\winlogon.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076d51da0 1 byte JMP 0000000076eb0330 .text C:\Windows\system32\winlogon.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076d51da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\winlogon.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076d51e10 5 bytes JMP 0000000076eb0410 .text C:\Windows\system32\winlogon.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076d51e40 5 bytes JMP 0000000076eb0240 .text C:\Windows\system32\winlogon.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076d52100 5 bytes JMP 0000000076eb01e0 .text C:\Windows\system32\winlogon.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076d521c0 1 byte JMP 0000000076eb0250 .text C:\Windows\system32\winlogon.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076d521c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\winlogon.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076d521f0 5 bytes JMP 0000000076eb0490 .text C:\Windows\system32\winlogon.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076d52200 5 bytes JMP 0000000076eb04a0 .text C:\Windows\system32\winlogon.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076d52230 5 bytes JMP 0000000076eb0300 .text C:\Windows\system32\winlogon.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076d52240 5 bytes JMP 0000000076eb0360 .text C:\Windows\system32\winlogon.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076d522a0 5 bytes JMP 0000000076eb02a0 .text C:\Windows\system32\winlogon.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076d522f0 5 bytes JMP 0000000076eb02c0 .text C:\Windows\system32\winlogon.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076d52320 5 bytes JMP 0000000076eb0380 .text C:\Windows\system32\winlogon.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076d52330 5 bytes JMP 0000000076eb0340 .text C:\Windows\system32\winlogon.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076d52620 5 bytes JMP 0000000076eb0440 .text C:\Windows\system32\winlogon.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076d52820 5 bytes JMP 0000000076eb0260 .text C:\Windows\system32\winlogon.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076d52830 5 bytes JMP 0000000076eb0270 .text C:\Windows\system32\winlogon.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076d52840 5 bytes JMP 0000000076eb0400 .text C:\Windows\system32\winlogon.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076d52a00 5 bytes JMP 0000000076eb01f0 .text C:\Windows\system32\winlogon.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076d52a10 5 bytes JMP 0000000076eb0210 .text C:\Windows\system32\winlogon.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076d52a80 5 bytes JMP 0000000076eb0200 .text C:\Windows\system32\winlogon.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076d52ae0 5 bytes JMP 0000000076eb0420 .text C:\Windows\system32\winlogon.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076d52af0 5 bytes JMP 0000000076eb0430 .text C:\Windows\system32\winlogon.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076d52b00 5 bytes JMP 0000000076eb0220 .text C:\Windows\system32\winlogon.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076d52be0 5 bytes JMP 0000000076eb0280 .text C:\Windows\system32\svchost.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076d513c0 5 bytes JMP 0000000076eb0460 .text C:\Windows\system32\svchost.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076d51410 5 bytes JMP 0000000076eb0450 .text C:\Windows\system32\svchost.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076d51570 5 bytes JMP 0000000076eb0370 .text C:\Windows\system32\svchost.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076d515c0 5 bytes JMP 0000000076eb0470 .text C:\Windows\system32\svchost.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d515d0 5 bytes JMP 0000000076eb03e0 .text C:\Windows\system32\svchost.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076d51680 5 bytes JMP 0000000076eb0320 .text C:\Windows\system32\svchost.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d516b0 5 bytes JMP 0000000076eb03b0 .text C:\Windows\system32\svchost.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076d516d0 5 bytes JMP 0000000076eb0390 .text C:\Windows\system32\svchost.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076d51710 5 bytes JMP 0000000076eb02e0 .text C:\Windows\system32\svchost.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076d51790 5 bytes JMP 0000000076eb02d0 .text C:\Windows\system32\svchost.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076d517b0 5 bytes JMP 0000000076eb0310 .text C:\Windows\system32\svchost.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076d517f0 5 bytes JMP 0000000076eb03c0 .text C:\Windows\system32\svchost.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076d51840 5 bytes JMP 0000000076eb03f0 .text C:\Windows\system32\svchost.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076d519a0 1 byte JMP 0000000076eb0230 .text C:\Windows\system32\svchost.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076d519a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\svchost.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d51b60 5 bytes JMP 0000000076eb0480 .text C:\Windows\system32\svchost.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076d51b90 5 bytes JMP 0000000076eb03a0 .text C:\Windows\system32\svchost.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076d51c70 5 bytes JMP 0000000076eb02f0 .text C:\Windows\system32\svchost.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076d51c80 5 bytes JMP 0000000076eb0350 .text C:\Windows\system32\svchost.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076d51ce0 5 bytes JMP 0000000076eb0290 .text C:\Windows\system32\svchost.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076d51d70 5 bytes JMP 0000000076eb02b0 .text C:\Windows\system32\svchost.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076d51d90 5 bytes JMP 0000000076eb03d0 .text C:\Windows\system32\svchost.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076d51da0 1 byte JMP 0000000076eb0330 .text C:\Windows\system32\svchost.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076d51da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\svchost.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076d51e10 5 bytes JMP 0000000076eb0410 .text C:\Windows\system32\svchost.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076d51e40 5 bytes JMP 0000000076eb0240 .text C:\Windows\system32\svchost.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076d52100 5 bytes JMP 0000000076eb01e0 .text C:\Windows\system32\svchost.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076d521c0 1 byte JMP 0000000076eb0250 .text C:\Windows\system32\svchost.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076d521c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\svchost.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076d521f0 5 bytes JMP 0000000076eb0490 .text C:\Windows\system32\svchost.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076d52200 5 bytes JMP 0000000076eb04a0 .text C:\Windows\system32\svchost.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076d52230 5 bytes JMP 0000000076eb0300 .text C:\Windows\system32\svchost.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076d52240 5 bytes JMP 0000000076eb0360 .text C:\Windows\system32\svchost.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076d522a0 5 bytes JMP 0000000076eb02a0 .text C:\Windows\system32\svchost.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076d522f0 5 bytes JMP 0000000076eb02c0 .text C:\Windows\system32\svchost.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076d52320 5 bytes JMP 0000000076eb0380 .text C:\Windows\system32\svchost.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076d52330 5 bytes JMP 0000000076eb0340 .text C:\Windows\system32\svchost.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076d52620 5 bytes JMP 0000000076eb0440 .text C:\Windows\system32\svchost.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076d52820 5 bytes JMP 0000000076eb0260 .text C:\Windows\system32\svchost.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076d52830 5 bytes JMP 0000000076eb0270 .text C:\Windows\system32\svchost.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076d52840 5 bytes JMP 0000000076eb0400 .text C:\Windows\system32\svchost.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076d52a00 5 bytes JMP 0000000076eb01f0 .text C:\Windows\system32\svchost.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076d52a10 5 bytes JMP 0000000076eb0210 .text C:\Windows\system32\svchost.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076d52a80 5 bytes JMP 0000000076eb0200 .text C:\Windows\system32\svchost.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076d52ae0 5 bytes JMP 0000000076eb0420 .text C:\Windows\system32\svchost.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076d52af0 5 bytes JMP 0000000076eb0430 .text C:\Windows\system32\svchost.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076d52b00 5 bytes JMP 0000000076eb0220 .text C:\Windows\system32\svchost.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076d52be0 5 bytes JMP 0000000076eb0280 .text C:\Windows\system32\nvvsvc.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076d513c0 5 bytes JMP 0000000076eb0460 .text C:\Windows\system32\nvvsvc.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076d51410 5 bytes JMP 0000000076eb0450 .text C:\Windows\system32\nvvsvc.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076d51570 5 bytes JMP 0000000076eb0370 .text C:\Windows\system32\nvvsvc.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076d515c0 5 bytes JMP 0000000076eb0470 .text C:\Windows\system32\nvvsvc.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d515d0 5 bytes JMP 0000000076eb03e0 .text C:\Windows\system32\nvvsvc.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076d51680 5 bytes JMP 0000000076eb0320 .text C:\Windows\system32\nvvsvc.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d516b0 5 bytes JMP 0000000076eb03b0 .text C:\Windows\system32\nvvsvc.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076d516d0 5 bytes JMP 0000000076eb0390 .text C:\Windows\system32\nvvsvc.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076d51710 5 bytes JMP 0000000076eb02e0 .text C:\Windows\system32\nvvsvc.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076d51790 5 bytes JMP 0000000076eb02d0 .text C:\Windows\system32\nvvsvc.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076d517b0 5 bytes JMP 0000000076eb0310 .text C:\Windows\system32\nvvsvc.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076d517f0 5 bytes JMP 0000000076eb03c0 .text C:\Windows\system32\nvvsvc.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076d51840 5 bytes JMP 0000000076eb03f0 .text C:\Windows\system32\nvvsvc.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076d519a0 1 byte JMP 0000000076eb0230 .text C:\Windows\system32\nvvsvc.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076d519a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\nvvsvc.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d51b60 5 bytes JMP 0000000076eb0480 .text C:\Windows\system32\nvvsvc.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076d51b90 5 bytes JMP 0000000076eb03a0 .text C:\Windows\system32\nvvsvc.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076d51c70 5 bytes JMP 0000000076eb02f0 .text C:\Windows\system32\nvvsvc.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076d51c80 5 bytes JMP 0000000076eb0350 .text C:\Windows\system32\nvvsvc.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076d51ce0 5 bytes JMP 0000000076eb0290 .text C:\Windows\system32\nvvsvc.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076d51d70 5 bytes JMP 0000000076eb02b0 .text C:\Windows\system32\nvvsvc.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076d51d90 5 bytes JMP 0000000076eb03d0 .text C:\Windows\system32\nvvsvc.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076d51da0 1 byte JMP 0000000076eb0330 .text C:\Windows\system32\nvvsvc.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076d51da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\nvvsvc.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076d51e10 5 bytes JMP 0000000076eb0410 .text C:\Windows\system32\nvvsvc.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076d51e40 5 bytes JMP 0000000076eb0240 .text C:\Windows\system32\nvvsvc.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076d52100 5 bytes JMP 0000000076eb01e0 .text C:\Windows\system32\nvvsvc.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076d521c0 1 byte JMP 0000000076eb0250 .text C:\Windows\system32\nvvsvc.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076d521c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\nvvsvc.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076d521f0 5 bytes JMP 0000000076eb0490 .text C:\Windows\system32\nvvsvc.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076d52200 5 bytes JMP 0000000076eb04a0 .text C:\Windows\system32\nvvsvc.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076d52230 5 bytes JMP 0000000076eb0300 .text C:\Windows\system32\nvvsvc.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076d52240 5 bytes JMP 0000000076eb0360 .text C:\Windows\system32\nvvsvc.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076d522a0 5 bytes JMP 0000000076eb02a0 .text C:\Windows\system32\nvvsvc.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076d522f0 5 bytes JMP 0000000076eb02c0 .text C:\Windows\system32\nvvsvc.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076d52320 5 bytes JMP 0000000076eb0380 .text C:\Windows\system32\nvvsvc.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076d52330 5 bytes JMP 0000000076eb0340 .text C:\Windows\system32\nvvsvc.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076d52620 5 bytes JMP 0000000076eb0440 .text C:\Windows\system32\nvvsvc.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076d52820 5 bytes JMP 0000000076eb0260 .text C:\Windows\system32\nvvsvc.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076d52830 5 bytes JMP 0000000076eb0270 .text C:\Windows\system32\nvvsvc.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076d52840 5 bytes JMP 0000000076eb0400 .text C:\Windows\system32\nvvsvc.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076d52a00 5 bytes JMP 0000000076eb01f0 .text C:\Windows\system32\nvvsvc.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076d52a10 5 bytes JMP 0000000076eb0210 .text C:\Windows\system32\nvvsvc.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076d52a80 5 bytes JMP 0000000076eb0200 .text C:\Windows\system32\nvvsvc.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076d52ae0 5 bytes JMP 0000000076eb0420 .text C:\Windows\system32\nvvsvc.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076d52af0 5 bytes JMP 0000000076eb0430 .text C:\Windows\system32\nvvsvc.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076d52b00 5 bytes JMP 0000000076eb0220 .text C:\Windows\system32\nvvsvc.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076d52be0 5 bytes JMP 0000000076eb0280 .text C:\Windows\system32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076d513c0 5 bytes JMP 0000000076eb0460 .text C:\Windows\system32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076d51410 5 bytes JMP 0000000076eb0450 .text C:\Windows\system32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076d51570 5 bytes JMP 0000000076eb0370 .text C:\Windows\system32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076d515c0 5 bytes JMP 0000000076eb0470 .text C:\Windows\system32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d515d0 5 bytes JMP 0000000076eb03e0 .text C:\Windows\system32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076d51680 5 bytes JMP 0000000076eb0320 .text C:\Windows\system32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d516b0 5 bytes JMP 0000000076eb03b0 .text C:\Windows\system32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076d516d0 5 bytes JMP 0000000076eb0390 .text C:\Windows\system32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076d51710 5 bytes JMP 0000000076eb02e0 .text C:\Windows\system32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076d51790 5 bytes JMP 0000000076eb02d0 .text C:\Windows\system32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076d517b0 5 bytes JMP 0000000076eb0310 .text C:\Windows\system32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076d517f0 5 bytes JMP 0000000076eb03c0 .text C:\Windows\system32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076d51840 5 bytes JMP 0000000076eb03f0 .text C:\Windows\system32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076d519a0 1 byte JMP 0000000076eb0230 .text C:\Windows\system32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076d519a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d51b60 5 bytes JMP 0000000076eb0480 .text C:\Windows\system32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076d51b90 5 bytes JMP 0000000076eb03a0 .text C:\Windows\system32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076d51c70 5 bytes JMP 0000000076eb02f0 .text C:\Windows\system32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076d51c80 5 bytes JMP 0000000076eb0350 .text C:\Windows\system32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076d51ce0 5 bytes JMP 0000000076eb0290 .text C:\Windows\system32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076d51d70 5 bytes JMP 0000000076eb02b0 .text C:\Windows\system32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076d51d90 5 bytes JMP 0000000076eb03d0 .text C:\Windows\system32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076d51da0 1 byte JMP 0000000076eb0330 .text C:\Windows\system32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076d51da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076d51e10 5 bytes JMP 0000000076eb0410 .text C:\Windows\system32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076d51e40 5 bytes JMP 0000000076eb0240 .text C:\Windows\system32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076d52100 5 bytes JMP 0000000076eb01e0 .text C:\Windows\system32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076d521c0 1 byte JMP 0000000076eb0250 .text C:\Windows\system32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076d521c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076d521f0 5 bytes JMP 0000000076eb0490 .text C:\Windows\system32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076d52200 5 bytes JMP 0000000076eb04a0 .text C:\Windows\system32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076d52230 5 bytes JMP 0000000076eb0300 .text C:\Windows\system32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076d52240 5 bytes JMP 0000000076eb0360 .text C:\Windows\system32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076d522a0 5 bytes JMP 0000000076eb02a0 .text C:\Windows\system32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076d522f0 5 bytes JMP 0000000076eb02c0 .text C:\Windows\system32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076d52320 5 bytes JMP 0000000076eb0380 .text C:\Windows\system32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076d52330 5 bytes JMP 0000000076eb0340 .text C:\Windows\system32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076d52620 5 bytes JMP 0000000076eb0440 .text C:\Windows\system32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076d52820 5 bytes JMP 0000000076eb0260 .text C:\Windows\system32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076d52830 5 bytes JMP 0000000076eb0270 .text C:\Windows\system32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076d52840 5 bytes JMP 0000000076eb0400 .text C:\Windows\system32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076d52a00 5 bytes JMP 0000000076eb01f0 .text C:\Windows\system32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076d52a10 5 bytes JMP 0000000076eb0210 .text C:\Windows\system32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076d52a80 5 bytes JMP 0000000076eb0200 .text C:\Windows\system32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076d52ae0 5 bytes JMP 0000000076eb0420 .text C:\Windows\system32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076d52af0 5 bytes JMP 0000000076eb0430 .text C:\Windows\system32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076d52b00 5 bytes JMP 0000000076eb0220 .text C:\Windows\system32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076d52be0 5 bytes JMP 0000000076eb0280 .text C:\Windows\System32\svchost.exe[116] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076d513c0 5 bytes JMP 0000000076eb0460 .text C:\Windows\System32\svchost.exe[116] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076d51410 5 bytes JMP 0000000076eb0450 .text C:\Windows\System32\svchost.exe[116] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076d51570 5 bytes JMP 0000000076eb0370 .text C:\Windows\System32\svchost.exe[116] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076d515c0 5 bytes JMP 0000000076eb0470 .text C:\Windows\System32\svchost.exe[116] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d515d0 5 bytes JMP 0000000076eb03e0 .text C:\Windows\System32\svchost.exe[116] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076d51680 5 bytes JMP 0000000076eb0320 .text C:\Windows\System32\svchost.exe[116] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d516b0 5 bytes JMP 0000000076eb03b0 .text C:\Windows\System32\svchost.exe[116] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076d516d0 5 bytes JMP 0000000076eb0390 .text C:\Windows\System32\svchost.exe[116] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076d51710 5 bytes JMP 0000000076eb02e0 .text C:\Windows\System32\svchost.exe[116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076d51790 5 bytes JMP 0000000076eb02d0 .text C:\Windows\System32\svchost.exe[116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076d517b0 5 bytes JMP 0000000076eb0310 .text C:\Windows\System32\svchost.exe[116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076d517f0 5 bytes JMP 0000000076eb03c0 .text C:\Windows\System32\svchost.exe[116] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076d51840 5 bytes JMP 0000000076eb03f0 .text C:\Windows\System32\svchost.exe[116] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076d519a0 1 byte JMP 0000000076eb0230 .text C:\Windows\System32\svchost.exe[116] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076d519a2 3 bytes {JMP 0x15e890} .text C:\Windows\System32\svchost.exe[116] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d51b60 5 bytes JMP 0000000076eb0480 .text C:\Windows\System32\svchost.exe[116] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076d51b90 5 bytes JMP 0000000076eb03a0 .text C:\Windows\System32\svchost.exe[116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076d51c70 5 bytes JMP 0000000076eb02f0 .text C:\Windows\System32\svchost.exe[116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076d51c80 5 bytes JMP 0000000076eb0350 .text C:\Windows\System32\svchost.exe[116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076d51ce0 5 bytes JMP 0000000076eb0290 .text C:\Windows\System32\svchost.exe[116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076d51d70 5 bytes JMP 0000000076eb02b0 .text C:\Windows\System32\svchost.exe[116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076d51d90 5 bytes JMP 0000000076eb03d0 .text C:\Windows\System32\svchost.exe[116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076d51da0 1 byte JMP 0000000076eb0330 .text C:\Windows\System32\svchost.exe[116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076d51da2 3 bytes {JMP 0x15e590} .text C:\Windows\System32\svchost.exe[116] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076d51e10 5 bytes JMP 0000000076eb0410 .text C:\Windows\System32\svchost.exe[116] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076d51e40 5 bytes JMP 0000000076eb0240 .text C:\Windows\System32\svchost.exe[116] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076d52100 5 bytes JMP 0000000076eb01e0 .text C:\Windows\System32\svchost.exe[116] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076d521c0 1 byte JMP 0000000076eb0250 .text C:\Windows\System32\svchost.exe[116] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076d521c2 3 bytes {JMP 0x15e090} .text C:\Windows\System32\svchost.exe[116] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076d521f0 5 bytes JMP 0000000076eb0490 .text C:\Windows\System32\svchost.exe[116] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076d52200 5 bytes JMP 0000000076eb04a0 .text C:\Windows\System32\svchost.exe[116] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076d52230 5 bytes JMP 0000000076eb0300 .text C:\Windows\System32\svchost.exe[116] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076d52240 5 bytes JMP 0000000076eb0360 .text C:\Windows\System32\svchost.exe[116] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076d522a0 5 bytes JMP 0000000076eb02a0 .text C:\Windows\System32\svchost.exe[116] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076d522f0 5 bytes JMP 0000000076eb02c0 .text C:\Windows\System32\svchost.exe[116] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076d52320 5 bytes JMP 0000000076eb0380 .text C:\Windows\System32\svchost.exe[116] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076d52330 5 bytes JMP 0000000076eb0340 .text C:\Windows\System32\svchost.exe[116] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076d52620 5 bytes JMP 0000000076eb0440 .text C:\Windows\System32\svchost.exe[116] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076d52820 5 bytes JMP 0000000076eb0260 .text C:\Windows\System32\svchost.exe[116] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076d52830 5 bytes JMP 0000000076eb0270 .text C:\Windows\System32\svchost.exe[116] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076d52840 5 bytes JMP 0000000076eb0400 .text C:\Windows\System32\svchost.exe[116] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076d52a00 5 bytes JMP 0000000076eb01f0 .text C:\Windows\System32\svchost.exe[116] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076d52a10 5 bytes JMP 0000000076eb0210 .text C:\Windows\System32\svchost.exe[116] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076d52a80 5 bytes JMP 0000000076eb0200 .text C:\Windows\System32\svchost.exe[116] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076d52ae0 5 bytes JMP 0000000076eb0420 .text C:\Windows\System32\svchost.exe[116] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076d52af0 5 bytes JMP 0000000076eb0430 .text C:\Windows\System32\svchost.exe[116] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076d52b00 5 bytes JMP 0000000076eb0220 .text C:\Windows\System32\svchost.exe[116] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076d52be0 5 bytes JMP 0000000076eb0280 .text C:\Windows\System32\svchost.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076d513c0 5 bytes JMP 0000000076eb0460 .text C:\Windows\System32\svchost.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076d51410 5 bytes JMP 0000000076eb0450 .text C:\Windows\System32\svchost.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076d51570 5 bytes JMP 0000000076eb0370 .text C:\Windows\System32\svchost.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076d515c0 5 bytes JMP 0000000076eb0470 .text C:\Windows\System32\svchost.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d515d0 5 bytes JMP 0000000076eb03e0 .text C:\Windows\System32\svchost.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076d51680 5 bytes JMP 0000000076eb0320 .text C:\Windows\System32\svchost.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d516b0 5 bytes JMP 0000000076eb03b0 .text C:\Windows\System32\svchost.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076d516d0 5 bytes JMP 0000000076eb0390 .text C:\Windows\System32\svchost.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076d51710 5 bytes JMP 0000000076eb02e0 .text C:\Windows\System32\svchost.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076d51790 5 bytes JMP 0000000076eb02d0 .text C:\Windows\System32\svchost.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076d517b0 5 bytes JMP 0000000076eb0310 .text C:\Windows\System32\svchost.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076d517f0 5 bytes JMP 0000000076eb03c0 .text C:\Windows\System32\svchost.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076d51840 5 bytes JMP 0000000076eb03f0 .text C:\Windows\System32\svchost.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076d519a0 1 byte JMP 0000000076eb0230 .text C:\Windows\System32\svchost.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076d519a2 3 bytes {JMP 0x15e890} .text C:\Windows\System32\svchost.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d51b60 5 bytes JMP 0000000076eb0480 .text C:\Windows\System32\svchost.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076d51b90 5 bytes JMP 0000000076eb03a0 .text C:\Windows\System32\svchost.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076d51c70 5 bytes JMP 0000000076eb02f0 .text C:\Windows\System32\svchost.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076d51c80 5 bytes JMP 0000000076eb0350 .text C:\Windows\System32\svchost.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076d51ce0 5 bytes JMP 0000000076eb0290 .text C:\Windows\System32\svchost.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076d51d70 5 bytes JMP 0000000076eb02b0 .text C:\Windows\System32\svchost.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076d51d90 5 bytes JMP 0000000076eb03d0 .text C:\Windows\System32\svchost.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076d51da0 1 byte JMP 0000000076eb0330 .text C:\Windows\System32\svchost.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076d51da2 3 bytes {JMP 0x15e590} .text C:\Windows\System32\svchost.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076d51e10 5 bytes JMP 0000000076eb0410 .text C:\Windows\System32\svchost.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076d51e40 5 bytes JMP 0000000076eb0240 .text C:\Windows\System32\svchost.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076d52100 5 bytes JMP 0000000076eb01e0 .text C:\Windows\System32\svchost.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076d521c0 1 byte JMP 0000000076eb0250 .text C:\Windows\System32\svchost.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076d521c2 3 bytes {JMP 0x15e090} .text C:\Windows\System32\svchost.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076d521f0 5 bytes JMP 0000000076eb0490 .text C:\Windows\System32\svchost.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076d52200 5 bytes JMP 0000000076eb04a0 .text C:\Windows\System32\svchost.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076d52230 5 bytes JMP 0000000076eb0300 .text C:\Windows\System32\svchost.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076d52240 5 bytes JMP 0000000076eb0360 .text C:\Windows\System32\svchost.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076d522a0 5 bytes JMP 0000000076eb02a0 .text C:\Windows\System32\svchost.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076d522f0 5 bytes JMP 0000000076eb02c0 .text C:\Windows\System32\svchost.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076d52320 5 bytes JMP 0000000076eb0380 .text C:\Windows\System32\svchost.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076d52330 5 bytes JMP 0000000076eb0340 .text C:\Windows\System32\svchost.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076d52620 5 bytes JMP 0000000076eb0440 .text C:\Windows\System32\svchost.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076d52820 5 bytes JMP 0000000076eb0260 .text C:\Windows\System32\svchost.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076d52830 5 bytes JMP 0000000076eb0270 .text C:\Windows\System32\svchost.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076d52840 5 bytes JMP 0000000076eb0400 .text C:\Windows\System32\svchost.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076d52a00 5 bytes JMP 0000000076eb01f0 .text C:\Windows\System32\svchost.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076d52a10 5 bytes JMP 0000000076eb0210 .text C:\Windows\System32\svchost.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076d52a80 5 bytes JMP 0000000076eb0200 .text C:\Windows\System32\svchost.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076d52ae0 5 bytes JMP 0000000076eb0420 .text C:\Windows\System32\svchost.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076d52af0 5 bytes JMP 0000000076eb0430 .text C:\Windows\System32\svchost.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076d52b00 5 bytes JMP 0000000076eb0220 .text C:\Windows\System32\svchost.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076d52be0 5 bytes JMP 0000000076eb0280 .text C:\Windows\system32\svchost.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076d513c0 5 bytes JMP 0000000076eb0460 .text C:\Windows\system32\svchost.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076d51410 5 bytes JMP 0000000076eb0450 .text C:\Windows\system32\svchost.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076d51570 5 bytes JMP 0000000076eb0370 .text C:\Windows\system32\svchost.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076d515c0 5 bytes JMP 0000000076eb0470 .text C:\Windows\system32\svchost.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d515d0 5 bytes JMP 0000000076eb03e0 .text C:\Windows\system32\svchost.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076d51680 5 bytes JMP 0000000076eb0320 .text C:\Windows\system32\svchost.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d516b0 5 bytes JMP 0000000076eb03b0 .text C:\Windows\system32\svchost.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076d516d0 5 bytes JMP 0000000076eb0390 .text C:\Windows\system32\svchost.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076d51710 5 bytes JMP 0000000076eb02e0 .text C:\Windows\system32\svchost.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076d51790 5 bytes JMP 0000000076eb02d0 .text C:\Windows\system32\svchost.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076d517b0 5 bytes JMP 0000000076eb0310 .text C:\Windows\system32\svchost.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076d517f0 5 bytes JMP 0000000076eb03c0 .text C:\Windows\system32\svchost.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076d51840 5 bytes JMP 0000000076eb03f0 .text C:\Windows\system32\svchost.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076d519a0 1 byte JMP 0000000076eb0230 .text C:\Windows\system32\svchost.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076d519a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\svchost.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d51b60 5 bytes JMP 0000000076eb0480 .text C:\Windows\system32\svchost.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076d51b90 5 bytes JMP 0000000076eb03a0 .text C:\Windows\system32\svchost.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076d51c70 5 bytes JMP 0000000076eb02f0 .text C:\Windows\system32\svchost.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076d51c80 5 bytes JMP 0000000076eb0350 .text C:\Windows\system32\svchost.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076d51ce0 5 bytes JMP 0000000076eb0290 .text C:\Windows\system32\svchost.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076d51d70 5 bytes JMP 0000000076eb02b0 .text C:\Windows\system32\svchost.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076d51d90 5 bytes JMP 0000000076eb03d0 .text C:\Windows\system32\svchost.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076d51da0 1 byte JMP 0000000076eb0330 .text C:\Windows\system32\svchost.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076d51da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\svchost.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076d51e10 5 bytes JMP 0000000076eb0410 .text C:\Windows\system32\svchost.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076d51e40 5 bytes JMP 0000000076eb0240 .text C:\Windows\system32\svchost.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076d52100 5 bytes JMP 0000000076eb01e0 .text C:\Windows\system32\svchost.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076d521c0 1 byte JMP 0000000076eb0250 .text C:\Windows\system32\svchost.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076d521c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\svchost.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076d521f0 5 bytes JMP 0000000076eb0490 .text C:\Windows\system32\svchost.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076d52200 5 bytes JMP 0000000076eb04a0 .text C:\Windows\system32\svchost.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076d52230 5 bytes JMP 0000000076eb0300 .text C:\Windows\system32\svchost.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076d52240 5 bytes JMP 0000000076eb0360 .text C:\Windows\system32\svchost.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076d522a0 5 bytes JMP 0000000076eb02a0 .text C:\Windows\system32\svchost.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076d522f0 5 bytes JMP 0000000076eb02c0 .text C:\Windows\system32\svchost.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076d52320 5 bytes JMP 0000000076eb0380 .text C:\Windows\system32\svchost.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076d52330 5 bytes JMP 0000000076eb0340 .text C:\Windows\system32\svchost.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076d52620 5 bytes JMP 0000000076eb0440 .text C:\Windows\system32\svchost.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076d52820 5 bytes JMP 0000000076eb0260 .text C:\Windows\system32\svchost.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076d52830 5 bytes JMP 0000000076eb0270 .text C:\Windows\system32\svchost.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076d52840 5 bytes JMP 0000000076eb0400 .text C:\Windows\system32\svchost.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076d52a00 5 bytes JMP 0000000076eb01f0 .text C:\Windows\system32\svchost.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076d52a10 5 bytes JMP 0000000076eb0210 .text C:\Windows\system32\svchost.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076d52a80 5 bytes JMP 0000000076eb0200 .text C:\Windows\system32\svchost.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076d52ae0 5 bytes JMP 0000000076eb0420 .text C:\Windows\system32\svchost.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076d52af0 5 bytes JMP 0000000076eb0430 .text C:\Windows\system32\svchost.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076d52b00 5 bytes JMP 0000000076eb0220 .text C:\Windows\system32\svchost.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076d52be0 5 bytes JMP 0000000076eb0280 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076d513c0 5 bytes JMP 0000000076eb0460 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076d51410 5 bytes JMP 0000000076eb0450 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076d51570 5 bytes JMP 0000000076eb0370 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076d515c0 5 bytes JMP 0000000076eb0470 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d515d0 5 bytes JMP 0000000076eb03e0 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076d51680 5 bytes JMP 0000000076eb0320 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d516b0 5 bytes JMP 0000000076eb03b0 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076d516d0 5 bytes JMP 0000000076eb0390 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076d51710 5 bytes JMP 0000000076eb02e0 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076d51790 5 bytes JMP 0000000076eb02d0 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076d517b0 5 bytes JMP 0000000076eb0310 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076d517f0 5 bytes JMP 0000000076eb03c0 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076d51840 5 bytes JMP 0000000076eb03f0 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076d519a0 1 byte JMP 0000000076eb0230 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076d519a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d51b60 5 bytes JMP 0000000076eb0480 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076d51b90 5 bytes JMP 0000000076eb03a0 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076d51c70 5 bytes JMP 0000000076eb02f0 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076d51c80 5 bytes JMP 0000000076eb0350 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076d51ce0 5 bytes JMP 0000000076eb0290 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076d51d70 5 bytes JMP 0000000076eb02b0 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076d51d90 5 bytes JMP 0000000076eb03d0 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076d51da0 1 byte JMP 0000000076eb0330 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076d51da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076d51e10 5 bytes JMP 0000000076eb0410 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076d51e40 5 bytes JMP 0000000076eb0240 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076d52100 5 bytes JMP 0000000076eb01e0 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076d521c0 1 byte JMP 0000000076eb0250 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076d521c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076d521f0 5 bytes JMP 0000000076eb0490 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076d52200 5 bytes JMP 0000000076eb04a0 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076d52230 5 bytes JMP 0000000076eb0300 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076d52240 5 bytes JMP 0000000076eb0360 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076d522a0 5 bytes JMP 0000000076eb02a0 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076d522f0 5 bytes JMP 0000000076eb02c0 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076d52320 5 bytes JMP 0000000076eb0380 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076d52330 5 bytes JMP 0000000076eb0340 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076d52620 5 bytes JMP 0000000076eb0440 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076d52820 5 bytes JMP 0000000076eb0260 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076d52830 5 bytes JMP 0000000076eb0270 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076d52840 5 bytes JMP 0000000076eb0400 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076d52a00 5 bytes JMP 0000000076eb01f0 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076d52a10 5 bytes JMP 0000000076eb0210 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076d52a80 5 bytes JMP 0000000076eb0200 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076d52ae0 5 bytes JMP 0000000076eb0420 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076d52af0 5 bytes JMP 0000000076eb0430 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076d52b00 5 bytes JMP 0000000076eb0220 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076d52be0 5 bytes JMP 0000000076eb0280 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076d513c0 5 bytes JMP 0000000076eb0460 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076d51410 5 bytes JMP 0000000076eb0450 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076d51570 5 bytes JMP 0000000076eb0370 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076d515c0 5 bytes JMP 0000000076eb0470 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d515d0 5 bytes JMP 0000000076eb03e0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076d51680 5 bytes JMP 0000000076eb0320 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d516b0 5 bytes JMP 0000000076eb03b0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076d516d0 5 bytes JMP 0000000076eb0390 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076d51710 5 bytes JMP 0000000076eb02e0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076d51790 5 bytes JMP 0000000076eb02d0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076d517b0 5 bytes JMP 0000000076eb0310 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076d517f0 5 bytes JMP 0000000076eb03c0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076d51840 5 bytes JMP 0000000076eb03f0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076d519a0 1 byte JMP 0000000076eb0230 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076d519a2 3 bytes {JMP 0x15e890} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d51b60 5 bytes JMP 0000000076eb0480 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076d51b90 5 bytes JMP 0000000076eb03a0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076d51c70 5 bytes JMP 0000000076eb02f0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076d51c80 5 bytes JMP 0000000076eb0350 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076d51ce0 5 bytes JMP 0000000076eb0290 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076d51d70 5 bytes JMP 0000000076eb02b0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076d51d90 5 bytes JMP 0000000076eb03d0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076d51da0 1 byte JMP 0000000076eb0330 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076d51da2 3 bytes {JMP 0x15e590} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076d51e10 5 bytes JMP 0000000076eb0410 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076d51e40 5 bytes JMP 0000000076eb0240 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076d52100 5 bytes JMP 0000000076eb01e0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076d521c0 1 byte JMP 0000000076eb0250 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076d521c2 3 bytes {JMP 0x15e090} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076d521f0 5 bytes JMP 0000000076eb0490 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076d52200 5 bytes JMP 0000000076eb04a0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076d52230 5 bytes JMP 0000000076eb0300 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076d52240 5 bytes JMP 0000000076eb0360 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076d522a0 5 bytes JMP 0000000076eb02a0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076d522f0 5 bytes JMP 0000000076eb02c0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076d52320 5 bytes JMP 0000000076eb0380 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076d52330 5 bytes JMP 0000000076eb0340 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076d52620 5 bytes JMP 0000000076eb0440 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076d52820 5 bytes JMP 0000000076eb0260 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076d52830 5 bytes JMP 0000000076eb0270 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076d52840 5 bytes JMP 0000000076eb0400 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076d52a00 5 bytes JMP 0000000076eb01f0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076d52a10 5 bytes JMP 0000000076eb0210 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076d52a80 5 bytes JMP 0000000076eb0200 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076d52ae0 5 bytes JMP 0000000076eb0420 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076d52af0 5 bytes JMP 0000000076eb0430 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076d52b00 5 bytes JMP 0000000076eb0220 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076d52be0 5 bytes JMP 0000000076eb0280 .text C:\Windows\system32\nvvsvc.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076d513c0 5 bytes JMP 0000000076eb0460 .text C:\Windows\system32\nvvsvc.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076d51410 5 bytes JMP 0000000076eb0450 .text C:\Windows\system32\nvvsvc.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076d51570 5 bytes JMP 0000000076eb0370 .text C:\Windows\system32\nvvsvc.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076d515c0 5 bytes JMP 0000000076eb0470 .text C:\Windows\system32\nvvsvc.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d515d0 5 bytes JMP 0000000076eb03e0 .text C:\Windows\system32\nvvsvc.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076d51680 5 bytes JMP 0000000076eb0320 .text C:\Windows\system32\nvvsvc.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d516b0 5 bytes JMP 0000000076eb03b0 .text C:\Windows\system32\nvvsvc.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076d516d0 5 bytes JMP 0000000076eb0390 .text C:\Windows\system32\nvvsvc.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076d51710 5 bytes JMP 0000000076eb02e0 .text C:\Windows\system32\nvvsvc.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076d51790 5 bytes JMP 0000000076eb02d0 .text C:\Windows\system32\nvvsvc.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076d517b0 5 bytes JMP 0000000076eb0310 .text C:\Windows\system32\nvvsvc.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076d517f0 5 bytes JMP 0000000076eb03c0 .text C:\Windows\system32\nvvsvc.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076d51840 5 bytes JMP 0000000076eb03f0 .text C:\Windows\system32\nvvsvc.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076d519a0 1 byte JMP 0000000076eb0230 .text C:\Windows\system32\nvvsvc.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076d519a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\nvvsvc.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d51b60 5 bytes JMP 0000000076eb0480 .text C:\Windows\system32\nvvsvc.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076d51b90 5 bytes JMP 0000000076eb03a0 .text C:\Windows\system32\nvvsvc.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076d51c70 5 bytes JMP 0000000076eb02f0 .text C:\Windows\system32\nvvsvc.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076d51c80 5 bytes JMP 0000000076eb0350 .text C:\Windows\system32\nvvsvc.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076d51ce0 5 bytes JMP 0000000076eb0290 .text C:\Windows\system32\nvvsvc.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076d51d70 5 bytes JMP 0000000076eb02b0 .text C:\Windows\system32\nvvsvc.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076d51d90 5 bytes JMP 0000000076eb03d0 .text C:\Windows\system32\nvvsvc.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076d51da0 1 byte JMP 0000000076eb0330 .text C:\Windows\system32\nvvsvc.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076d51da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\nvvsvc.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076d51e10 5 bytes JMP 0000000076eb0410 .text C:\Windows\system32\nvvsvc.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076d51e40 5 bytes JMP 0000000076eb0240 .text C:\Windows\system32\nvvsvc.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076d52100 5 bytes JMP 0000000076eb01e0 .text C:\Windows\system32\nvvsvc.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076d521c0 1 byte JMP 0000000076eb0250 .text C:\Windows\system32\nvvsvc.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076d521c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\nvvsvc.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076d521f0 5 bytes JMP 0000000076eb0490 .text C:\Windows\system32\nvvsvc.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076d52200 5 bytes JMP 0000000076eb04a0 .text C:\Windows\system32\nvvsvc.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076d52230 5 bytes JMP 0000000076eb0300 .text C:\Windows\system32\nvvsvc.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076d52240 5 bytes JMP 0000000076eb0360 .text C:\Windows\system32\nvvsvc.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076d522a0 5 bytes JMP 0000000076eb02a0 .text C:\Windows\system32\nvvsvc.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076d522f0 5 bytes JMP 0000000076eb02c0 .text C:\Windows\system32\nvvsvc.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076d52320 5 bytes JMP 0000000076eb0380 .text C:\Windows\system32\nvvsvc.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076d52330 5 bytes JMP 0000000076eb0340 .text C:\Windows\system32\nvvsvc.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076d52620 5 bytes JMP 0000000076eb0440 .text C:\Windows\system32\nvvsvc.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076d52820 5 bytes JMP 0000000076eb0260 .text C:\Windows\system32\nvvsvc.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076d52830 5 bytes JMP 0000000076eb0270 .text C:\Windows\system32\nvvsvc.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076d52840 5 bytes JMP 0000000076eb0400 .text C:\Windows\system32\nvvsvc.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076d52a00 5 bytes JMP 0000000076eb01f0 .text C:\Windows\system32\nvvsvc.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076d52a10 5 bytes JMP 0000000076eb0210 .text C:\Windows\system32\nvvsvc.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076d52a80 5 bytes JMP 0000000076eb0200 .text C:\Windows\system32\nvvsvc.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076d52ae0 5 bytes JMP 0000000076eb0420 .text C:\Windows\system32\nvvsvc.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076d52af0 5 bytes JMP 0000000076eb0430 .text C:\Windows\system32\nvvsvc.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076d52b00 5 bytes JMP 0000000076eb0220 .text C:\Windows\system32\nvvsvc.exe[1160] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076d52be0 5 bytes JMP 0000000076eb0280 .text C:\Windows\system32\svchost.exe[1356] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076d513c0 5 bytes JMP 0000000076eb0460 .text C:\Windows\system32\svchost.exe[1356] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076d51410 5 bytes JMP 0000000076eb0450 .text C:\Windows\system32\svchost.exe[1356] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076d51570 5 bytes JMP 0000000076eb0370 .text C:\Windows\system32\svchost.exe[1356] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076d515c0 5 bytes JMP 0000000076eb0470 .text C:\Windows\system32\svchost.exe[1356] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d515d0 5 bytes JMP 0000000076eb03e0 .text C:\Windows\system32\svchost.exe[1356] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076d51680 5 bytes JMP 0000000076eb0320 .text C:\Windows\system32\svchost.exe[1356] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d516b0 5 bytes JMP 0000000076eb03b0 .text C:\Windows\system32\svchost.exe[1356] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076d516d0 5 bytes JMP 0000000076eb0390 .text C:\Windows\system32\svchost.exe[1356] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076d51710 5 bytes JMP 0000000076eb02e0 .text C:\Windows\system32\svchost.exe[1356] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076d51790 5 bytes JMP 0000000076eb02d0 .text C:\Windows\system32\svchost.exe[1356] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076d517b0 5 bytes JMP 0000000076eb0310 .text C:\Windows\system32\svchost.exe[1356] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076d517f0 5 bytes JMP 0000000076eb03c0 .text C:\Windows\system32\svchost.exe[1356] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076d51840 5 bytes JMP 0000000076eb03f0 .text C:\Windows\system32\svchost.exe[1356] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076d519a0 1 byte JMP 0000000076eb0230 .text C:\Windows\system32\svchost.exe[1356] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076d519a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\svchost.exe[1356] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d51b60 5 bytes JMP 0000000076eb0480 .text C:\Windows\system32\svchost.exe[1356] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076d51b90 5 bytes JMP 0000000076eb03a0 .text C:\Windows\system32\svchost.exe[1356] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076d51c70 5 bytes JMP 0000000076eb02f0 .text C:\Windows\system32\svchost.exe[1356] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076d51c80 5 bytes JMP 0000000076eb0350 .text C:\Windows\system32\svchost.exe[1356] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076d51ce0 5 bytes JMP 0000000076eb0290 .text C:\Windows\system32\svchost.exe[1356] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076d51d70 5 bytes JMP 0000000076eb02b0 .text C:\Windows\system32\svchost.exe[1356] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076d51d90 5 bytes JMP 0000000076eb03d0 .text C:\Windows\system32\svchost.exe[1356] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076d51da0 1 byte JMP 0000000076eb0330 .text C:\Windows\system32\svchost.exe[1356] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076d51da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\svchost.exe[1356] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076d51e10 5 bytes JMP 0000000076eb0410 .text C:\Windows\system32\svchost.exe[1356] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076d51e40 5 bytes JMP 0000000076eb0240 .text C:\Windows\system32\svchost.exe[1356] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076d52100 5 bytes JMP 0000000076eb01e0 .text C:\Windows\system32\svchost.exe[1356] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076d521c0 1 byte JMP 0000000076eb0250 .text C:\Windows\system32\svchost.exe[1356] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076d521c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\svchost.exe[1356] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076d521f0 5 bytes JMP 0000000076eb0490 .text C:\Windows\system32\svchost.exe[1356] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076d52200 5 bytes JMP 0000000076eb04a0 .text C:\Windows\system32\svchost.exe[1356] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076d52230 5 bytes JMP 0000000076eb0300 .text C:\Windows\system32\svchost.exe[1356] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076d52240 5 bytes JMP 0000000076eb0360 .text C:\Windows\system32\svchost.exe[1356] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076d522a0 5 bytes JMP 0000000076eb02a0 .text C:\Windows\system32\svchost.exe[1356] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076d522f0 5 bytes JMP 0000000076eb02c0 .text C:\Windows\system32\svchost.exe[1356] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076d52320 5 bytes JMP 0000000076eb0380 .text C:\Windows\system32\svchost.exe[1356] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076d52330 5 bytes JMP 0000000076eb0340 .text C:\Windows\system32\svchost.exe[1356] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076d52620 5 bytes JMP 0000000076eb0440 .text C:\Windows\system32\svchost.exe[1356] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076d52820 5 bytes JMP 0000000076eb0260 .text C:\Windows\system32\svchost.exe[1356] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076d52830 5 bytes JMP 0000000076eb0270 .text C:\Windows\system32\svchost.exe[1356] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076d52840 5 bytes JMP 0000000076eb0400 .text C:\Windows\system32\svchost.exe[1356] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076d52a00 5 bytes JMP 0000000076eb01f0 .text C:\Windows\system32\svchost.exe[1356] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076d52a10 5 bytes JMP 0000000076eb0210 .text C:\Windows\system32\svchost.exe[1356] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076d52a80 5 bytes JMP 0000000076eb0200 .text C:\Windows\system32\svchost.exe[1356] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076d52ae0 5 bytes JMP 0000000076eb0420 .text C:\Windows\system32\svchost.exe[1356] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076d52af0 5 bytes JMP 0000000076eb0430 .text C:\Windows\system32\svchost.exe[1356] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076d52b00 5 bytes JMP 0000000076eb0220 .text C:\Windows\system32\svchost.exe[1356] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076d52be0 5 bytes JMP 0000000076eb0280 .text C:\Windows\System32\spoolsv.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076d513c0 5 bytes JMP 0000000076eb0460 .text C:\Windows\System32\spoolsv.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076d51410 5 bytes JMP 0000000076eb0450 .text C:\Windows\System32\spoolsv.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076d51570 5 bytes JMP 0000000076eb0370 .text C:\Windows\System32\spoolsv.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076d515c0 5 bytes JMP 0000000076eb0470 .text C:\Windows\System32\spoolsv.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d515d0 5 bytes JMP 0000000076eb03e0 .text C:\Windows\System32\spoolsv.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076d51680 5 bytes JMP 0000000076eb0320 .text C:\Windows\System32\spoolsv.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d516b0 5 bytes JMP 0000000076eb03b0 .text C:\Windows\System32\spoolsv.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076d516d0 5 bytes JMP 0000000076eb0390 .text C:\Windows\System32\spoolsv.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076d51710 5 bytes JMP 0000000076eb02e0 .text C:\Windows\System32\spoolsv.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076d51790 5 bytes JMP 0000000076eb02d0 .text C:\Windows\System32\spoolsv.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076d517b0 5 bytes JMP 0000000076eb0310 .text C:\Windows\System32\spoolsv.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076d517f0 5 bytes JMP 0000000076eb03c0 .text C:\Windows\System32\spoolsv.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076d51840 5 bytes JMP 0000000076eb03f0 .text C:\Windows\System32\spoolsv.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076d519a0 1 byte JMP 0000000076eb0230 .text C:\Windows\System32\spoolsv.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076d519a2 3 bytes {JMP 0x15e890} .text C:\Windows\System32\spoolsv.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d51b60 5 bytes JMP 0000000076eb0480 .text C:\Windows\System32\spoolsv.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076d51b90 5 bytes JMP 0000000076eb03a0 .text C:\Windows\System32\spoolsv.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076d51c70 5 bytes JMP 0000000076eb02f0 .text C:\Windows\System32\spoolsv.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076d51c80 5 bytes JMP 0000000076eb0350 .text C:\Windows\System32\spoolsv.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076d51ce0 5 bytes JMP 0000000076eb0290 .text C:\Windows\System32\spoolsv.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076d51d70 5 bytes JMP 0000000076eb02b0 .text C:\Windows\System32\spoolsv.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076d51d90 5 bytes JMP 0000000076eb03d0 .text C:\Windows\System32\spoolsv.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076d51da0 1 byte JMP 0000000076eb0330 .text C:\Windows\System32\spoolsv.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076d51da2 3 bytes {JMP 0x15e590} .text C:\Windows\System32\spoolsv.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076d51e10 5 bytes JMP 0000000076eb0410 .text C:\Windows\System32\spoolsv.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076d51e40 5 bytes JMP 0000000076eb0240 .text C:\Windows\System32\spoolsv.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076d52100 5 bytes JMP 0000000076eb01e0 .text C:\Windows\System32\spoolsv.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076d521c0 1 byte JMP 0000000076eb0250 .text C:\Windows\System32\spoolsv.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076d521c2 3 bytes {JMP 0x15e090} .text C:\Windows\System32\spoolsv.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076d521f0 5 bytes JMP 0000000076eb0490 .text C:\Windows\System32\spoolsv.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076d52200 5 bytes JMP 0000000076eb04a0 .text C:\Windows\System32\spoolsv.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076d52230 5 bytes JMP 0000000076eb0300 .text C:\Windows\System32\spoolsv.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076d52240 5 bytes JMP 0000000076eb0360 .text C:\Windows\System32\spoolsv.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076d522a0 5 bytes JMP 0000000076eb02a0 .text C:\Windows\System32\spoolsv.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076d522f0 5 bytes JMP 0000000076eb02c0 .text C:\Windows\System32\spoolsv.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076d52320 5 bytes JMP 0000000076eb0380 .text C:\Windows\System32\spoolsv.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076d52330 5 bytes JMP 0000000076eb0340 .text C:\Windows\System32\spoolsv.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076d52620 5 bytes JMP 0000000076eb0440 .text C:\Windows\System32\spoolsv.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076d52820 5 bytes JMP 0000000076eb0260 .text C:\Windows\System32\spoolsv.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076d52830 5 bytes JMP 0000000076eb0270 .text C:\Windows\System32\spoolsv.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076d52840 5 bytes JMP 0000000076eb0400 .text C:\Windows\System32\spoolsv.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076d52a00 5 bytes JMP 0000000076eb01f0 .text C:\Windows\System32\spoolsv.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076d52a10 5 bytes JMP 0000000076eb0210 .text C:\Windows\System32\spoolsv.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076d52a80 5 bytes JMP 0000000076eb0200 .text C:\Windows\System32\spoolsv.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076d52ae0 5 bytes JMP 0000000076eb0420 .text C:\Windows\System32\spoolsv.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076d52af0 5 bytes JMP 0000000076eb0430 .text C:\Windows\System32\spoolsv.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076d52b00 5 bytes JMP 0000000076eb0220 .text C:\Windows\System32\spoolsv.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076d52be0 5 bytes JMP 0000000076eb0280 .text C:\Windows\system32\taskeng.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076d513c0 5 bytes JMP 0000000076eb0460 .text C:\Windows\system32\taskeng.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076d51410 5 bytes JMP 0000000076eb0450 .text C:\Windows\system32\taskeng.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076d51570 5 bytes JMP 0000000076eb0370 .text C:\Windows\system32\taskeng.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076d515c0 5 bytes JMP 0000000076eb0470 .text C:\Windows\system32\taskeng.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d515d0 5 bytes JMP 0000000076eb03e0 .text C:\Windows\system32\taskeng.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076d51680 5 bytes JMP 0000000076eb0320 .text C:\Windows\system32\taskeng.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d516b0 5 bytes JMP 0000000076eb03b0 .text C:\Windows\system32\taskeng.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076d516d0 5 bytes JMP 0000000076eb0390 .text C:\Windows\system32\taskeng.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076d51710 5 bytes JMP 0000000076eb02e0 .text C:\Windows\system32\taskeng.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076d51790 5 bytes JMP 0000000076eb02d0 .text C:\Windows\system32\taskeng.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076d517b0 5 bytes JMP 0000000076eb0310 .text C:\Windows\system32\taskeng.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076d517f0 5 bytes JMP 0000000076eb03c0 .text C:\Windows\system32\taskeng.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076d51840 5 bytes JMP 0000000076eb03f0 .text C:\Windows\system32\taskeng.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076d519a0 1 byte JMP 0000000076eb0230 .text C:\Windows\system32\taskeng.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076d519a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\taskeng.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d51b60 5 bytes JMP 0000000076eb0480 .text C:\Windows\system32\taskeng.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076d51b90 5 bytes JMP 0000000076eb03a0 .text C:\Windows\system32\taskeng.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076d51c70 5 bytes JMP 0000000076eb02f0 .text C:\Windows\system32\taskeng.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076d51c80 5 bytes JMP 0000000076eb0350 .text C:\Windows\system32\taskeng.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076d51ce0 5 bytes JMP 0000000076eb0290 .text C:\Windows\system32\taskeng.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076d51d70 5 bytes JMP 0000000076eb02b0 .text C:\Windows\system32\taskeng.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076d51d90 5 bytes JMP 0000000076eb03d0 .text C:\Windows\system32\taskeng.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076d51da0 1 byte JMP 0000000076eb0330 .text C:\Windows\system32\taskeng.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076d51da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\taskeng.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076d51e10 5 bytes JMP 0000000076eb0410 .text C:\Windows\system32\taskeng.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076d51e40 5 bytes JMP 0000000076eb0240 .text C:\Windows\system32\taskeng.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076d52100 5 bytes JMP 0000000076eb01e0 .text C:\Windows\system32\taskeng.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076d521c0 1 byte JMP 0000000076eb0250 .text C:\Windows\system32\taskeng.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076d521c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\taskeng.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076d521f0 5 bytes JMP 0000000076eb0490 .text C:\Windows\system32\taskeng.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076d52200 5 bytes JMP 0000000076eb04a0 .text C:\Windows\system32\taskeng.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076d52230 5 bytes JMP 0000000076eb0300 .text C:\Windows\system32\taskeng.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076d52240 5 bytes JMP 0000000076eb0360 .text C:\Windows\system32\taskeng.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076d522a0 5 bytes JMP 0000000076eb02a0 .text C:\Windows\system32\taskeng.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076d522f0 5 bytes JMP 0000000076eb02c0 .text C:\Windows\system32\taskeng.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076d52320 5 bytes JMP 0000000076eb0380 .text C:\Windows\system32\taskeng.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076d52330 5 bytes JMP 0000000076eb0340 .text C:\Windows\system32\taskeng.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076d52620 5 bytes JMP 0000000076eb0440 .text C:\Windows\system32\taskeng.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076d52820 5 bytes JMP 0000000076eb0260 .text C:\Windows\system32\taskeng.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076d52830 5 bytes JMP 0000000076eb0270 .text C:\Windows\system32\taskeng.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076d52840 5 bytes JMP 0000000076eb0400 .text C:\Windows\system32\taskeng.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076d52a00 5 bytes JMP 0000000076eb01f0 .text C:\Windows\system32\taskeng.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076d52a10 5 bytes JMP 0000000076eb0210 .text C:\Windows\system32\taskeng.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076d52a80 5 bytes JMP 0000000076eb0200 .text C:\Windows\system32\taskeng.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076d52ae0 5 bytes JMP 0000000076eb0420 .text C:\Windows\system32\taskeng.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076d52af0 5 bytes JMP 0000000076eb0430 .text C:\Windows\system32\taskeng.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076d52b00 5 bytes JMP 0000000076eb0220 .text C:\Windows\system32\taskeng.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076d52be0 5 bytes JMP 0000000076eb0280 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076d513c0 5 bytes JMP 0000000076eb0460 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076d51410 5 bytes JMP 0000000076eb0450 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076d51570 5 bytes JMP 0000000076eb0370 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076d515c0 5 bytes JMP 0000000076eb0470 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d515d0 5 bytes JMP 0000000076eb03e0 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076d51680 5 bytes JMP 0000000076eb0320 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d516b0 5 bytes JMP 0000000076eb03b0 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076d516d0 5 bytes JMP 0000000076eb0390 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076d51710 5 bytes JMP 0000000076eb02e0 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076d51790 5 bytes JMP 0000000076eb02d0 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076d517b0 5 bytes JMP 0000000076eb0310 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076d517f0 5 bytes JMP 0000000076eb03c0 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076d51840 5 bytes JMP 0000000076eb03f0 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076d519a0 1 byte JMP 0000000076eb0230 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076d519a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d51b60 5 bytes JMP 0000000076eb0480 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076d51b90 5 bytes JMP 0000000076eb03a0 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076d51c70 5 bytes JMP 0000000076eb02f0 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076d51c80 5 bytes JMP 0000000076eb0350 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076d51ce0 5 bytes JMP 0000000076eb0290 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076d51d70 5 bytes JMP 0000000076eb02b0 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076d51d90 5 bytes JMP 0000000076eb03d0 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076d51da0 1 byte JMP 0000000076eb0330 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076d51da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076d51e10 5 bytes JMP 0000000076eb0410 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076d51e40 5 bytes JMP 0000000076eb0240 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076d52100 5 bytes JMP 0000000076eb01e0 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076d521c0 1 byte JMP 0000000076eb0250 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076d521c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076d521f0 5 bytes JMP 0000000076eb0490 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076d52200 5 bytes JMP 0000000076eb04a0 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076d52230 5 bytes JMP 0000000076eb0300 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076d52240 5 bytes JMP 0000000076eb0360 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076d522a0 5 bytes JMP 0000000076eb02a0 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076d522f0 5 bytes JMP 0000000076eb02c0 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076d52320 5 bytes JMP 0000000076eb0380 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076d52330 5 bytes JMP 0000000076eb0340 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076d52620 5 bytes JMP 0000000076eb0440 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076d52820 5 bytes JMP 0000000076eb0260 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076d52830 5 bytes JMP 0000000076eb0270 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076d52840 5 bytes JMP 0000000076eb0400 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076d52a00 5 bytes JMP 0000000076eb01f0 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076d52a10 5 bytes JMP 0000000076eb0210 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076d52a80 5 bytes JMP 0000000076eb0200 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076d52ae0 5 bytes JMP 0000000076eb0420 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076d52af0 5 bytes JMP 0000000076eb0430 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076d52b00 5 bytes JMP 0000000076eb0220 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076d52be0 5 bytes JMP 0000000076eb0280 .text C:\Windows\SysWOW64\PnkBstrA.exe[1800] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 322 00000000734b1a22 2 bytes [4B, 73] .text C:\Windows\SysWOW64\PnkBstrA.exe[1800] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 496 00000000734b1ad0 2 bytes [4B, 73] .text C:\Windows\SysWOW64\PnkBstrA.exe[1800] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 552 00000000734b1b08 2 bytes [4B, 73] .text C:\Windows\SysWOW64\PnkBstrA.exe[1800] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 730 00000000734b1bba 2 bytes [4B, 73] .text C:\Windows\SysWOW64\PnkBstrA.exe[1800] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 762 00000000734b1bda 2 bytes [4B, 73] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1888] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076d513c0 5 bytes JMP 0000000076eb0460 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1888] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076d51410 5 bytes JMP 0000000076eb0450 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1888] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076d51570 5 bytes JMP 0000000076eb0370 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1888] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076d515c0 5 bytes JMP 0000000076eb0470 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1888] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d515d0 5 bytes JMP 0000000076eb03e0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1888] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076d51680 5 bytes JMP 0000000076eb0320 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1888] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d516b0 5 bytes JMP 0000000076eb03b0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1888] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076d516d0 5 bytes JMP 0000000076eb0390 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1888] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076d51710 5 bytes JMP 0000000076eb02e0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1888] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076d51790 5 bytes JMP 0000000076eb02d0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1888] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076d517b0 5 bytes JMP 0000000076eb0310 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1888] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076d517f0 5 bytes JMP 0000000076eb03c0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1888] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076d51840 5 bytes JMP 0000000076eb03f0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1888] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076d519a0 1 byte JMP 0000000076eb0230 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1888] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076d519a2 3 bytes {JMP 0x15e890} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1888] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d51b60 5 bytes JMP 0000000076eb0480 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1888] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076d51b90 5 bytes JMP 0000000076eb03a0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1888] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076d51c70 5 bytes JMP 0000000076eb02f0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1888] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076d51c80 5 bytes JMP 0000000076eb0350 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1888] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076d51ce0 5 bytes JMP 0000000076eb0290 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1888] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076d51d70 5 bytes JMP 0000000076eb02b0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1888] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076d51d90 5 bytes JMP 0000000076eb03d0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1888] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076d51da0 1 byte JMP 0000000076eb0330 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1888] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076d51da2 3 bytes {JMP 0x15e590} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1888] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076d51e10 5 bytes JMP 0000000076eb0410 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1888] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076d51e40 5 bytes JMP 0000000076eb0240 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1888] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076d52100 5 bytes JMP 0000000076eb01e0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1888] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076d521c0 1 byte JMP 0000000076eb0250 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1888] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076d521c2 3 bytes {JMP 0x15e090} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1888] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076d521f0 5 bytes JMP 0000000076eb0490 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1888] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076d52200 5 bytes JMP 0000000076eb04a0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1888] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076d52230 5 bytes JMP 0000000076eb0300 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1888] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076d52240 5 bytes JMP 0000000076eb0360 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1888] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076d522a0 5 bytes JMP 0000000076eb02a0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1888] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076d522f0 5 bytes JMP 0000000076eb02c0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1888] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076d52320 5 bytes JMP 0000000076eb0380 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1888] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076d52330 5 bytes JMP 0000000076eb0340 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1888] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076d52620 5 bytes JMP 0000000076eb0440 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1888] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076d52820 5 bytes JMP 0000000076eb0260 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1888] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076d52830 5 bytes JMP 0000000076eb0270 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1888] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076d52840 5 bytes JMP 0000000076eb0400 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1888] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076d52a00 5 bytes JMP 0000000076eb01f0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1888] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076d52a10 5 bytes JMP 0000000076eb0210 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1888] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076d52a80 5 bytes JMP 0000000076eb0200 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1888] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076d52ae0 5 bytes JMP 0000000076eb0420 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1888] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076d52af0 5 bytes JMP 0000000076eb0430 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1888] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076d52b00 5 bytes JMP 0000000076eb0220 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1888] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076d52be0 5 bytes JMP 0000000076eb0280 .text C:\Program Files\CyberGhost 5\Service.exe[440] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076eb1465 2 bytes {JMP 0x78} .text C:\Program Files\CyberGhost 5\Service.exe[440] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000076eb14bb 2 bytes {JMP 0x78} .text ... * 2 .text C:\Windows\system32\SearchIndexer.exe[2072] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076d513c0 5 bytes JMP 0000000076eb0460 .text C:\Windows\system32\SearchIndexer.exe[2072] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076d51410 5 bytes JMP 0000000076eb0450 .text C:\Windows\system32\SearchIndexer.exe[2072] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076d51570 5 bytes JMP 0000000076eb0370 .text C:\Windows\system32\SearchIndexer.exe[2072] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076d515c0 5 bytes JMP 0000000076eb0470 .text C:\Windows\system32\SearchIndexer.exe[2072] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d515d0 5 bytes JMP 0000000076eb03e0 .text C:\Windows\system32\SearchIndexer.exe[2072] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076d51680 5 bytes JMP 0000000076eb0320 .text C:\Windows\system32\SearchIndexer.exe[2072] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d516b0 5 bytes JMP 0000000076eb03b0 .text C:\Windows\system32\SearchIndexer.exe[2072] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076d516d0 5 bytes JMP 0000000076eb0390 .text C:\Windows\system32\SearchIndexer.exe[2072] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076d51710 5 bytes JMP 0000000076eb02e0 .text C:\Windows\system32\SearchIndexer.exe[2072] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076d51790 5 bytes JMP 0000000076eb02d0 .text C:\Windows\system32\SearchIndexer.exe[2072] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076d517b0 5 bytes JMP 0000000076eb0310 .text C:\Windows\system32\SearchIndexer.exe[2072] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076d517f0 5 bytes JMP 0000000076eb03c0 .text C:\Windows\system32\SearchIndexer.exe[2072] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076d51840 5 bytes JMP 0000000076eb03f0 .text C:\Windows\system32\SearchIndexer.exe[2072] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076d519a0 1 byte JMP 0000000076eb0230 .text C:\Windows\system32\SearchIndexer.exe[2072] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076d519a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\SearchIndexer.exe[2072] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d51b60 5 bytes JMP 0000000076eb0480 .text C:\Windows\system32\SearchIndexer.exe[2072] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076d51b90 5 bytes JMP 0000000076eb03a0 .text C:\Windows\system32\SearchIndexer.exe[2072] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076d51c70 5 bytes JMP 0000000076eb02f0 .text C:\Windows\system32\SearchIndexer.exe[2072] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076d51c80 5 bytes JMP 0000000076eb0350 .text C:\Windows\system32\SearchIndexer.exe[2072] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076d51ce0 5 bytes JMP 0000000076eb0290 .text C:\Windows\system32\SearchIndexer.exe[2072] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076d51d70 5 bytes JMP 0000000076eb02b0 .text C:\Windows\system32\SearchIndexer.exe[2072] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076d51d90 5 bytes JMP 0000000076eb03d0 .text C:\Windows\system32\SearchIndexer.exe[2072] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076d51da0 1 byte JMP 0000000076eb0330 .text C:\Windows\system32\SearchIndexer.exe[2072] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076d51da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\SearchIndexer.exe[2072] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076d51e10 5 bytes JMP 0000000076eb0410 .text C:\Windows\system32\SearchIndexer.exe[2072] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076d51e40 5 bytes JMP 0000000076eb0240 .text C:\Windows\system32\SearchIndexer.exe[2072] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076d52100 5 bytes JMP 0000000076eb01e0 .text C:\Windows\system32\SearchIndexer.exe[2072] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076d521c0 1 byte JMP 0000000076eb0250 .text C:\Windows\system32\SearchIndexer.exe[2072] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076d521c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\SearchIndexer.exe[2072] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076d521f0 5 bytes JMP 0000000076eb0490 .text C:\Windows\system32\SearchIndexer.exe[2072] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076d52200 5 bytes JMP 0000000076eb04a0 .text C:\Windows\system32\SearchIndexer.exe[2072] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076d52230 5 bytes JMP 0000000076eb0300 .text C:\Windows\system32\SearchIndexer.exe[2072] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076d52240 5 bytes JMP 0000000076eb0360 .text C:\Windows\system32\SearchIndexer.exe[2072] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076d522a0 5 bytes JMP 0000000076eb02a0 .text C:\Windows\system32\SearchIndexer.exe[2072] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076d522f0 5 bytes JMP 0000000076eb02c0 .text C:\Windows\system32\SearchIndexer.exe[2072] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076d52320 5 bytes JMP 0000000076eb0380 .text C:\Windows\system32\SearchIndexer.exe[2072] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076d52330 5 bytes JMP 0000000076eb0340 .text C:\Windows\system32\SearchIndexer.exe[2072] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076d52620 5 bytes JMP 0000000076eb0440 .text C:\Windows\system32\SearchIndexer.exe[2072] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076d52820 5 bytes JMP 0000000076eb0260 .text C:\Windows\system32\SearchIndexer.exe[2072] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076d52830 5 bytes JMP 0000000076eb0270 .text C:\Windows\system32\SearchIndexer.exe[2072] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076d52840 5 bytes JMP 0000000076eb0400 .text C:\Windows\system32\SearchIndexer.exe[2072] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076d52a00 5 bytes JMP 0000000076eb01f0 .text C:\Windows\system32\SearchIndexer.exe[2072] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076d52a10 5 bytes JMP 0000000076eb0210 .text C:\Windows\system32\SearchIndexer.exe[2072] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076d52a80 5 bytes JMP 0000000076eb0200 .text C:\Windows\system32\SearchIndexer.exe[2072] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076d52ae0 5 bytes JMP 0000000076eb0420 .text C:\Windows\system32\SearchIndexer.exe[2072] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076d52af0 5 bytes JMP 0000000076eb0430 .text C:\Windows\system32\SearchIndexer.exe[2072] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076d52b00 5 bytes JMP 0000000076eb0220 .text C:\Windows\system32\SearchIndexer.exe[2072] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076d52be0 5 bytes JMP 0000000076eb0280 .text C:\Windows\system32\wbem\wmiprvse.exe[2412] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076d513c0 5 bytes JMP 0000000000070460 .text C:\Windows\system32\wbem\wmiprvse.exe[2412] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076d51410 5 bytes JMP 0000000000070450 .text C:\Windows\system32\wbem\wmiprvse.exe[2412] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076d51570 5 bytes JMP 0000000000070370 .text C:\Windows\system32\wbem\wmiprvse.exe[2412] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076d515c0 5 bytes JMP 0000000000070470 .text C:\Windows\system32\wbem\wmiprvse.exe[2412] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d515d0 5 bytes JMP 00000000000703e0 .text C:\Windows\system32\wbem\wmiprvse.exe[2412] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076d51680 5 bytes JMP 0000000000070320 .text C:\Windows\system32\wbem\wmiprvse.exe[2412] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d516b0 5 bytes JMP 00000000000703b0 .text C:\Windows\system32\wbem\wmiprvse.exe[2412] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076d516d0 5 bytes JMP 0000000000070390 .text C:\Windows\system32\wbem\wmiprvse.exe[2412] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076d51710 5 bytes JMP 00000000000702e0 .text C:\Windows\system32\wbem\wmiprvse.exe[2412] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076d51790 5 bytes JMP 00000000000702d0 .text C:\Windows\system32\wbem\wmiprvse.exe[2412] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076d517b0 5 bytes JMP 0000000000070310 .text C:\Windows\system32\wbem\wmiprvse.exe[2412] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076d517f0 5 bytes JMP 00000000000703c0 .text C:\Windows\system32\wbem\wmiprvse.exe[2412] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076d51840 5 bytes JMP 00000000000703f0 .text C:\Windows\system32\wbem\wmiprvse.exe[2412] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076d519a0 1 byte JMP 0000000000070230 .text C:\Windows\system32\wbem\wmiprvse.exe[2412] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076d519a2 3 bytes {JMP 0xffffffff8931e890} .text C:\Windows\system32\wbem\wmiprvse.exe[2412] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d51b60 5 bytes JMP 0000000000070480 .text C:\Windows\system32\wbem\wmiprvse.exe[2412] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076d51b90 5 bytes JMP 00000000000703a0 .text C:\Windows\system32\wbem\wmiprvse.exe[2412] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076d51c70 5 bytes JMP 00000000000702f0 .text C:\Windows\system32\wbem\wmiprvse.exe[2412] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076d51c80 5 bytes JMP 0000000000070350 .text C:\Windows\system32\wbem\wmiprvse.exe[2412] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076d51ce0 5 bytes JMP 0000000000070290 .text C:\Windows\system32\wbem\wmiprvse.exe[2412] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076d51d70 5 bytes JMP 00000000000702b0 .text C:\Windows\system32\wbem\wmiprvse.exe[2412] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076d51d90 5 bytes JMP 00000000000703d0 .text C:\Windows\system32\wbem\wmiprvse.exe[2412] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076d51da0 1 byte JMP 0000000000070330 .text C:\Windows\system32\wbem\wmiprvse.exe[2412] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076d51da2 3 bytes {JMP 0xffffffff8931e590} .text C:\Windows\system32\wbem\wmiprvse.exe[2412] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076d51e10 5 bytes JMP 0000000000070410 .text C:\Windows\system32\wbem\wmiprvse.exe[2412] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076d51e40 5 bytes JMP 0000000000070240 .text C:\Windows\system32\wbem\wmiprvse.exe[2412] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076d52100 5 bytes JMP 00000000000701e0 .text C:\Windows\system32\wbem\wmiprvse.exe[2412] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076d521c0 1 byte JMP 0000000000070250 .text C:\Windows\system32\wbem\wmiprvse.exe[2412] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076d521c2 3 bytes {JMP 0xffffffff8931e090} .text C:\Windows\system32\wbem\wmiprvse.exe[2412] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076d521f0 5 bytes JMP 0000000000070490 .text C:\Windows\system32\wbem\wmiprvse.exe[2412] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076d52200 5 bytes JMP 00000000000704a0 .text C:\Windows\system32\wbem\wmiprvse.exe[2412] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076d52230 5 bytes JMP 0000000000070300 .text C:\Windows\system32\wbem\wmiprvse.exe[2412] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076d52240 5 bytes JMP 0000000000070360 .text C:\Windows\system32\wbem\wmiprvse.exe[2412] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076d522a0 5 bytes JMP 00000000000702a0 .text C:\Windows\system32\wbem\wmiprvse.exe[2412] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076d522f0 5 bytes JMP 00000000000702c0 .text C:\Windows\system32\wbem\wmiprvse.exe[2412] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076d52320 5 bytes JMP 0000000000070380 .text C:\Windows\system32\wbem\wmiprvse.exe[2412] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076d52330 5 bytes JMP 0000000000070340 .text C:\Windows\system32\wbem\wmiprvse.exe[2412] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076d52620 5 bytes JMP 0000000000070440 .text C:\Windows\system32\wbem\wmiprvse.exe[2412] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076d52820 5 bytes JMP 0000000000070260 .text C:\Windows\system32\wbem\wmiprvse.exe[2412] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076d52830 5 bytes JMP 0000000000070270 .text C:\Windows\system32\wbem\wmiprvse.exe[2412] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076d52840 5 bytes JMP 0000000000070400 .text C:\Windows\system32\wbem\wmiprvse.exe[2412] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076d52a00 5 bytes JMP 00000000000701f0 .text C:\Windows\system32\wbem\wmiprvse.exe[2412] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076d52a10 5 bytes JMP 0000000000070210 .text C:\Windows\system32\wbem\wmiprvse.exe[2412] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076d52a80 5 bytes JMP 0000000000070200 .text C:\Windows\system32\wbem\wmiprvse.exe[2412] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076d52ae0 5 bytes JMP 0000000000070420 .text C:\Windows\system32\wbem\wmiprvse.exe[2412] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076d52af0 5 bytes JMP 0000000000070430 .text C:\Windows\system32\wbem\wmiprvse.exe[2412] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076d52b00 5 bytes JMP 0000000000070220 .text C:\Windows\system32\wbem\wmiprvse.exe[2412] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076d52be0 5 bytes JMP 0000000000070280 .text C:\Program Files\AVAST Software\Avast\ng\vbox\AvastVBoxSVC.exe[2692] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076d513c0 5 bytes JMP 0000000076eb0460 .text C:\Program Files\AVAST Software\Avast\ng\vbox\AvastVBoxSVC.exe[2692] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076d51410 5 bytes JMP 0000000076eb0450 .text C:\Program Files\AVAST Software\Avast\ng\vbox\AvastVBoxSVC.exe[2692] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076d51570 5 bytes JMP 0000000076eb0370 .text C:\Program Files\AVAST Software\Avast\ng\vbox\AvastVBoxSVC.exe[2692] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076d515c0 5 bytes JMP 0000000076eb0470 .text C:\Program Files\AVAST Software\Avast\ng\vbox\AvastVBoxSVC.exe[2692] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d515d0 5 bytes JMP 0000000076eb03e0 .text C:\Program Files\AVAST Software\Avast\ng\vbox\AvastVBoxSVC.exe[2692] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076d51680 5 bytes JMP 0000000076eb0320 .text C:\Program Files\AVAST Software\Avast\ng\vbox\AvastVBoxSVC.exe[2692] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d516b0 5 bytes JMP 0000000076eb03b0 .text C:\Program Files\AVAST Software\Avast\ng\vbox\AvastVBoxSVC.exe[2692] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076d516d0 5 bytes JMP 0000000076eb0390 .text C:\Program Files\AVAST Software\Avast\ng\vbox\AvastVBoxSVC.exe[2692] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076d51710 5 bytes JMP 0000000076eb02e0 .text C:\Program Files\AVAST Software\Avast\ng\vbox\AvastVBoxSVC.exe[2692] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076d51790 5 bytes JMP 0000000076eb02d0 .text C:\Program Files\AVAST Software\Avast\ng\vbox\AvastVBoxSVC.exe[2692] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076d517b0 5 bytes JMP 0000000076eb0310 .text C:\Program Files\AVAST Software\Avast\ng\vbox\AvastVBoxSVC.exe[2692] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076d517f0 5 bytes JMP 0000000076eb03c0 .text C:\Program Files\AVAST Software\Avast\ng\vbox\AvastVBoxSVC.exe[2692] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076d51840 5 bytes JMP 0000000076eb03f0 .text C:\Program Files\AVAST Software\Avast\ng\vbox\AvastVBoxSVC.exe[2692] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076d519a0 1 byte JMP 0000000076eb0230 .text C:\Program Files\AVAST Software\Avast\ng\vbox\AvastVBoxSVC.exe[2692] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076d519a2 3 bytes {JMP 0x15e890} .text C:\Program Files\AVAST Software\Avast\ng\vbox\AvastVBoxSVC.exe[2692] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d51b60 5 bytes JMP 0000000076eb0480 .text C:\Program Files\AVAST Software\Avast\ng\vbox\AvastVBoxSVC.exe[2692] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076d51b90 5 bytes JMP 0000000076eb03a0 .text C:\Program Files\AVAST Software\Avast\ng\vbox\AvastVBoxSVC.exe[2692] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076d51c70 5 bytes JMP 0000000076eb02f0 .text C:\Program Files\AVAST Software\Avast\ng\vbox\AvastVBoxSVC.exe[2692] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076d51c80 5 bytes JMP 0000000076eb0350 .text C:\Program Files\AVAST Software\Avast\ng\vbox\AvastVBoxSVC.exe[2692] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076d51ce0 5 bytes JMP 0000000076eb0290 .text C:\Program Files\AVAST Software\Avast\ng\vbox\AvastVBoxSVC.exe[2692] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076d51d70 5 bytes JMP 0000000076eb02b0 .text C:\Program Files\AVAST Software\Avast\ng\vbox\AvastVBoxSVC.exe[2692] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076d51d90 5 bytes JMP 0000000076eb03d0 .text C:\Program Files\AVAST Software\Avast\ng\vbox\AvastVBoxSVC.exe[2692] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076d51da0 1 byte JMP 0000000076eb0330 .text C:\Program Files\AVAST Software\Avast\ng\vbox\AvastVBoxSVC.exe[2692] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076d51da2 3 bytes {JMP 0x15e590} .text C:\Program Files\AVAST Software\Avast\ng\vbox\AvastVBoxSVC.exe[2692] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076d51e10 5 bytes JMP 0000000076eb0410 .text C:\Program Files\AVAST Software\Avast\ng\vbox\AvastVBoxSVC.exe[2692] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076d51e40 5 bytes JMP 0000000076eb0240 .text C:\Program Files\AVAST Software\Avast\ng\vbox\AvastVBoxSVC.exe[2692] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076d52100 5 bytes JMP 0000000076eb01e0 .text C:\Program Files\AVAST Software\Avast\ng\vbox\AvastVBoxSVC.exe[2692] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076d521c0 1 byte JMP 0000000076eb0250 .text C:\Program Files\AVAST Software\Avast\ng\vbox\AvastVBoxSVC.exe[2692] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076d521c2 3 bytes {JMP 0x15e090} .text C:\Program Files\AVAST Software\Avast\ng\vbox\AvastVBoxSVC.exe[2692] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076d521f0 5 bytes JMP 0000000076eb0490 .text C:\Program Files\AVAST Software\Avast\ng\vbox\AvastVBoxSVC.exe[2692] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076d52200 5 bytes JMP 0000000076eb04a0 .text C:\Program Files\AVAST Software\Avast\ng\vbox\AvastVBoxSVC.exe[2692] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076d52230 5 bytes JMP 0000000076eb0300 .text C:\Program Files\AVAST Software\Avast\ng\vbox\AvastVBoxSVC.exe[2692] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076d52240 5 bytes JMP 0000000076eb0360 .text C:\Program Files\AVAST Software\Avast\ng\vbox\AvastVBoxSVC.exe[2692] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076d522a0 5 bytes JMP 0000000076eb02a0 .text C:\Program Files\AVAST Software\Avast\ng\vbox\AvastVBoxSVC.exe[2692] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076d522f0 5 bytes JMP 0000000076eb02c0 .text C:\Program Files\AVAST Software\Avast\ng\vbox\AvastVBoxSVC.exe[2692] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076d52320 5 bytes JMP 0000000076eb0380 .text C:\Program Files\AVAST Software\Avast\ng\vbox\AvastVBoxSVC.exe[2692] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076d52330 5 bytes JMP 0000000076eb0340 .text C:\Program Files\AVAST Software\Avast\ng\vbox\AvastVBoxSVC.exe[2692] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076d52620 5 bytes JMP 0000000076eb0440 .text C:\Program Files\AVAST Software\Avast\ng\vbox\AvastVBoxSVC.exe[2692] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076d52820 5 bytes JMP 0000000076eb0260 .text C:\Program Files\AVAST Software\Avast\ng\vbox\AvastVBoxSVC.exe[2692] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076d52830 5 bytes JMP 0000000076eb0270 .text C:\Program Files\AVAST Software\Avast\ng\vbox\AvastVBoxSVC.exe[2692] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076d52840 5 bytes JMP 0000000076eb0400 .text C:\Program Files\AVAST Software\Avast\ng\vbox\AvastVBoxSVC.exe[2692] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076d52a00 5 bytes JMP 0000000076eb01f0 .text C:\Program Files\AVAST Software\Avast\ng\vbox\AvastVBoxSVC.exe[2692] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076d52a10 5 bytes JMP 0000000076eb0210 .text C:\Program Files\AVAST Software\Avast\ng\vbox\AvastVBoxSVC.exe[2692] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076d52a80 5 bytes JMP 0000000076eb0200 .text C:\Program Files\AVAST Software\Avast\ng\vbox\AvastVBoxSVC.exe[2692] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076d52ae0 5 bytes JMP 0000000076eb0420 .text C:\Program Files\AVAST Software\Avast\ng\vbox\AvastVBoxSVC.exe[2692] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076d52af0 5 bytes JMP 0000000076eb0430 .text C:\Program Files\AVAST Software\Avast\ng\vbox\AvastVBoxSVC.exe[2692] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076d52b00 5 bytes JMP 0000000076eb0220 .text C:\Program Files\AVAST Software\Avast\ng\vbox\AvastVBoxSVC.exe[2692] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076d52be0 5 bytes JMP 0000000076eb0280 .text C:\Program Files\AVAST Software\Avast\ng\ngservice.exe[2776] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076d513c0 5 bytes JMP 0000000076eb0460 .text C:\Program Files\AVAST Software\Avast\ng\ngservice.exe[2776] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076d51410 5 bytes JMP 0000000076eb0450 .text C:\Program Files\AVAST Software\Avast\ng\ngservice.exe[2776] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076d51570 5 bytes JMP 0000000076eb0370 .text C:\Program Files\AVAST Software\Avast\ng\ngservice.exe[2776] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076d515c0 5 bytes JMP 0000000076eb0470 .text C:\Program Files\AVAST Software\Avast\ng\ngservice.exe[2776] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d515d0 5 bytes JMP 0000000076eb03e0 .text C:\Program Files\AVAST Software\Avast\ng\ngservice.exe[2776] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076d51680 5 bytes JMP 0000000076eb0320 .text C:\Program Files\AVAST Software\Avast\ng\ngservice.exe[2776] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d516b0 5 bytes JMP 0000000076eb03b0 .text C:\Program Files\AVAST Software\Avast\ng\ngservice.exe[2776] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076d516d0 5 bytes JMP 0000000076eb0390 .text C:\Program Files\AVAST Software\Avast\ng\ngservice.exe[2776] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076d51710 5 bytes JMP 0000000076eb02e0 .text C:\Program Files\AVAST Software\Avast\ng\ngservice.exe[2776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076d51790 5 bytes JMP 0000000076eb02d0 .text C:\Program Files\AVAST Software\Avast\ng\ngservice.exe[2776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076d517b0 5 bytes JMP 0000000076eb0310 .text C:\Program Files\AVAST Software\Avast\ng\ngservice.exe[2776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076d517f0 5 bytes JMP 0000000076eb03c0 .text C:\Program Files\AVAST Software\Avast\ng\ngservice.exe[2776] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076d51840 5 bytes JMP 0000000076eb03f0 .text C:\Program Files\AVAST Software\Avast\ng\ngservice.exe[2776] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076d519a0 1 byte JMP 0000000076eb0230 .text C:\Program Files\AVAST Software\Avast\ng\ngservice.exe[2776] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076d519a2 3 bytes {JMP 0x15e890} .text C:\Program Files\AVAST Software\Avast\ng\ngservice.exe[2776] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d51b60 5 bytes JMP 0000000076eb0480 .text C:\Program Files\AVAST Software\Avast\ng\ngservice.exe[2776] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076d51b90 5 bytes JMP 0000000076eb03a0 .text C:\Program Files\AVAST Software\Avast\ng\ngservice.exe[2776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076d51c70 5 bytes JMP 0000000076eb02f0 .text C:\Program Files\AVAST Software\Avast\ng\ngservice.exe[2776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076d51c80 5 bytes JMP 0000000076eb0350 .text C:\Program Files\AVAST Software\Avast\ng\ngservice.exe[2776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076d51ce0 5 bytes JMP 0000000076eb0290 .text C:\Program Files\AVAST Software\Avast\ng\ngservice.exe[2776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076d51d70 5 bytes JMP 0000000076eb02b0 .text C:\Program Files\AVAST Software\Avast\ng\ngservice.exe[2776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076d51d90 5 bytes JMP 0000000076eb03d0 .text C:\Program Files\AVAST Software\Avast\ng\ngservice.exe[2776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076d51da0 1 byte JMP 0000000076eb0330 .text C:\Program Files\AVAST Software\Avast\ng\ngservice.exe[2776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076d51da2 3 bytes {JMP 0x15e590} .text C:\Program Files\AVAST Software\Avast\ng\ngservice.exe[2776] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076d51e10 5 bytes JMP 0000000076eb0410 .text C:\Program Files\AVAST Software\Avast\ng\ngservice.exe[2776] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076d51e40 5 bytes JMP 0000000076eb0240 .text C:\Program Files\AVAST Software\Avast\ng\ngservice.exe[2776] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076d52100 5 bytes JMP 0000000076eb01e0 .text C:\Program Files\AVAST Software\Avast\ng\ngservice.exe[2776] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076d521c0 1 byte JMP 0000000076eb0250 .text C:\Program Files\AVAST Software\Avast\ng\ngservice.exe[2776] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076d521c2 3 bytes {JMP 0x15e090} .text C:\Program Files\AVAST Software\Avast\ng\ngservice.exe[2776] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076d521f0 5 bytes JMP 0000000076eb0490 .text C:\Program Files\AVAST Software\Avast\ng\ngservice.exe[2776] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076d52200 5 bytes JMP 0000000076eb04a0 .text C:\Program Files\AVAST Software\Avast\ng\ngservice.exe[2776] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076d52230 5 bytes JMP 0000000076eb0300 .text C:\Program Files\AVAST Software\Avast\ng\ngservice.exe[2776] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076d52240 5 bytes JMP 0000000076eb0360 .text C:\Program Files\AVAST Software\Avast\ng\ngservice.exe[2776] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076d522a0 5 bytes JMP 0000000076eb02a0 .text C:\Program Files\AVAST Software\Avast\ng\ngservice.exe[2776] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076d522f0 5 bytes JMP 0000000076eb02c0 .text C:\Program Files\AVAST Software\Avast\ng\ngservice.exe[2776] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076d52320 5 bytes JMP 0000000076eb0380 .text C:\Program Files\AVAST Software\Avast\ng\ngservice.exe[2776] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076d52330 5 bytes JMP 0000000076eb0340 .text C:\Program Files\AVAST Software\Avast\ng\ngservice.exe[2776] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076d52620 5 bytes JMP 0000000076eb0440 .text C:\Program Files\AVAST Software\Avast\ng\ngservice.exe[2776] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076d52820 5 bytes JMP 0000000076eb0260 .text C:\Program Files\AVAST Software\Avast\ng\ngservice.exe[2776] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076d52830 5 bytes JMP 0000000076eb0270 .text C:\Program Files\AVAST Software\Avast\ng\ngservice.exe[2776] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076d52840 5 bytes JMP 0000000076eb0400 .text C:\Program Files\AVAST Software\Avast\ng\ngservice.exe[2776] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076d52a00 5 bytes JMP 0000000076eb01f0 .text C:\Program Files\AVAST Software\Avast\ng\ngservice.exe[2776] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076d52a10 5 bytes JMP 0000000076eb0210 .text C:\Program Files\AVAST Software\Avast\ng\ngservice.exe[2776] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076d52a80 5 bytes JMP 0000000076eb0200 .text C:\Program Files\AVAST Software\Avast\ng\ngservice.exe[2776] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076d52ae0 5 bytes JMP 0000000076eb0420 .text C:\Program Files\AVAST Software\Avast\ng\ngservice.exe[2776] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076d52af0 5 bytes JMP 0000000076eb0430 .text C:\Program Files\AVAST Software\Avast\ng\ngservice.exe[2776] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076d52b00 5 bytes JMP 0000000076eb0220 .text C:\Program Files\AVAST Software\Avast\ng\ngservice.exe[2776] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076d52be0 5 bytes JMP 0000000076eb0280 .text C:\Windows\system32\taskhost.exe[2672] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076d513c0 5 bytes JMP 0000000076eb0460 .text C:\Windows\system32\taskhost.exe[2672] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076d51410 5 bytes JMP 0000000076eb0450 .text C:\Windows\system32\taskhost.exe[2672] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076d51570 5 bytes JMP 0000000076eb0370 .text C:\Windows\system32\taskhost.exe[2672] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076d515c0 5 bytes JMP 0000000076eb0470 .text C:\Windows\system32\taskhost.exe[2672] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d515d0 5 bytes JMP 0000000076eb03e0 .text C:\Windows\system32\taskhost.exe[2672] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076d51680 5 bytes JMP 0000000076eb0320 .text C:\Windows\system32\taskhost.exe[2672] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d516b0 5 bytes JMP 0000000076eb03b0 .text C:\Windows\system32\taskhost.exe[2672] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076d516d0 5 bytes JMP 0000000076eb0390 .text C:\Windows\system32\taskhost.exe[2672] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076d51710 5 bytes JMP 0000000076eb02e0 .text C:\Windows\system32\taskhost.exe[2672] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076d51790 5 bytes JMP 0000000076eb02d0 .text C:\Windows\system32\taskhost.exe[2672] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076d517b0 5 bytes JMP 0000000076eb0310 .text C:\Windows\system32\taskhost.exe[2672] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076d517f0 5 bytes JMP 0000000076eb03c0 .text C:\Windows\system32\taskhost.exe[2672] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076d51840 5 bytes JMP 0000000076eb03f0 .text C:\Windows\system32\taskhost.exe[2672] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076d519a0 1 byte JMP 0000000076eb0230 .text C:\Windows\system32\taskhost.exe[2672] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076d519a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\taskhost.exe[2672] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d51b60 5 bytes JMP 0000000076eb0480 .text C:\Windows\system32\taskhost.exe[2672] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076d51b90 5 bytes JMP 0000000076eb03a0 .text C:\Windows\system32\taskhost.exe[2672] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076d51c70 5 bytes JMP 0000000076eb02f0 .text C:\Windows\system32\taskhost.exe[2672] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076d51c80 5 bytes JMP 0000000076eb0350 .text C:\Windows\system32\taskhost.exe[2672] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076d51ce0 5 bytes JMP 0000000076eb0290 .text C:\Windows\system32\taskhost.exe[2672] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076d51d70 5 bytes JMP 0000000076eb02b0 .text C:\Windows\system32\taskhost.exe[2672] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076d51d90 5 bytes JMP 0000000076eb03d0 .text C:\Windows\system32\taskhost.exe[2672] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076d51da0 1 byte JMP 0000000076eb0330 .text C:\Windows\system32\taskhost.exe[2672] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076d51da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\taskhost.exe[2672] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076d51e10 5 bytes JMP 0000000076eb0410 .text C:\Windows\system32\taskhost.exe[2672] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076d51e40 5 bytes JMP 0000000076eb0240 .text C:\Windows\system32\taskhost.exe[2672] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076d52100 5 bytes JMP 0000000076eb01e0 .text C:\Windows\system32\taskhost.exe[2672] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076d521c0 1 byte JMP 0000000076eb0250 .text C:\Windows\system32\taskhost.exe[2672] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076d521c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\taskhost.exe[2672] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076d521f0 5 bytes JMP 0000000076eb0490 .text C:\Windows\system32\taskhost.exe[2672] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076d52200 5 bytes JMP 0000000076eb04a0 .text C:\Windows\system32\taskhost.exe[2672] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076d52230 5 bytes JMP 0000000076eb0300 .text C:\Windows\system32\taskhost.exe[2672] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076d52240 5 bytes JMP 0000000076eb0360 .text C:\Windows\system32\taskhost.exe[2672] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076d522a0 5 bytes JMP 0000000076eb02a0 .text C:\Windows\system32\taskhost.exe[2672] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076d522f0 5 bytes JMP 0000000076eb02c0 .text C:\Windows\system32\taskhost.exe[2672] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076d52320 5 bytes JMP 0000000076eb0380 .text C:\Windows\system32\taskhost.exe[2672] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076d52330 5 bytes JMP 0000000076eb0340 .text C:\Windows\system32\taskhost.exe[2672] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076d52620 5 bytes JMP 0000000076eb0440 .text C:\Windows\system32\taskhost.exe[2672] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076d52820 5 bytes JMP 0000000076eb0260 .text C:\Windows\system32\taskhost.exe[2672] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076d52830 5 bytes JMP 0000000076eb0270 .text C:\Windows\system32\taskhost.exe[2672] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076d52840 5 bytes JMP 0000000076eb0400 .text C:\Windows\system32\taskhost.exe[2672] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076d52a00 5 bytes JMP 0000000076eb01f0 .text C:\Windows\system32\taskhost.exe[2672] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076d52a10 5 bytes JMP 0000000076eb0210 .text C:\Windows\system32\taskhost.exe[2672] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076d52a80 5 bytes JMP 0000000076eb0200 .text C:\Windows\system32\taskhost.exe[2672] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076d52ae0 5 bytes JMP 0000000076eb0420 .text C:\Windows\system32\taskhost.exe[2672] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076d52af0 5 bytes JMP 0000000076eb0430 .text C:\Windows\system32\taskhost.exe[2672] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076d52b00 5 bytes JMP 0000000076eb0220 .text C:\Windows\system32\taskhost.exe[2672] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076d52be0 5 bytes JMP 0000000076eb0280 .text C:\Windows\system32\Dwm.exe[3140] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076d513c0 5 bytes JMP 0000000076eb0460 .text C:\Windows\system32\Dwm.exe[3140] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076d51410 5 bytes JMP 0000000076eb0450 .text C:\Windows\system32\Dwm.exe[3140] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076d51570 5 bytes JMP 0000000076eb0370 .text C:\Windows\system32\Dwm.exe[3140] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076d515c0 5 bytes JMP 0000000076eb0470 .text C:\Windows\system32\Dwm.exe[3140] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d515d0 5 bytes JMP 0000000076eb03e0 .text C:\Windows\system32\Dwm.exe[3140] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076d51680 5 bytes JMP 0000000076eb0320 .text C:\Windows\system32\Dwm.exe[3140] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d516b0 5 bytes JMP 0000000076eb03b0 .text C:\Windows\system32\Dwm.exe[3140] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076d516d0 5 bytes JMP 0000000076eb0390 .text C:\Windows\system32\Dwm.exe[3140] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076d51710 5 bytes JMP 0000000076eb02e0 .text C:\Windows\system32\Dwm.exe[3140] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076d51790 5 bytes JMP 0000000076eb02d0 .text C:\Windows\system32\Dwm.exe[3140] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076d517b0 5 bytes JMP 0000000076eb0310 .text C:\Windows\system32\Dwm.exe[3140] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076d517f0 5 bytes JMP 0000000076eb03c0 .text C:\Windows\system32\Dwm.exe[3140] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076d51840 5 bytes JMP 0000000076eb03f0 .text C:\Windows\system32\Dwm.exe[3140] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076d519a0 1 byte JMP 0000000076eb0230 .text C:\Windows\system32\Dwm.exe[3140] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076d519a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\Dwm.exe[3140] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d51b60 5 bytes JMP 0000000076eb0480 .text C:\Windows\system32\Dwm.exe[3140] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076d51b90 5 bytes JMP 0000000076eb03a0 .text C:\Windows\system32\Dwm.exe[3140] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076d51c70 5 bytes JMP 0000000076eb02f0 .text C:\Windows\system32\Dwm.exe[3140] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076d51c80 5 bytes JMP 0000000076eb0350 .text C:\Windows\system32\Dwm.exe[3140] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076d51ce0 5 bytes JMP 0000000076eb0290 .text C:\Windows\system32\Dwm.exe[3140] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076d51d70 5 bytes JMP 0000000076eb02b0 .text C:\Windows\system32\Dwm.exe[3140] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076d51d90 5 bytes JMP 0000000076eb03d0 .text C:\Windows\system32\Dwm.exe[3140] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076d51da0 1 byte JMP 0000000076eb0330 .text C:\Windows\system32\Dwm.exe[3140] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076d51da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\Dwm.exe[3140] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076d51e10 5 bytes JMP 0000000076eb0410 .text C:\Windows\system32\Dwm.exe[3140] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076d51e40 5 bytes JMP 0000000076eb0240 .text C:\Windows\system32\Dwm.exe[3140] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076d52100 5 bytes JMP 0000000076eb01e0 .text C:\Windows\system32\Dwm.exe[3140] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076d521c0 1 byte JMP 0000000076eb0250 .text C:\Windows\system32\Dwm.exe[3140] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076d521c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\Dwm.exe[3140] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076d521f0 5 bytes JMP 0000000076eb0490 .text C:\Windows\system32\Dwm.exe[3140] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076d52200 5 bytes JMP 0000000076eb04a0 .text C:\Windows\system32\Dwm.exe[3140] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076d52230 5 bytes JMP 0000000076eb0300 .text C:\Windows\system32\Dwm.exe[3140] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076d52240 5 bytes JMP 0000000076eb0360 .text C:\Windows\system32\Dwm.exe[3140] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076d522a0 5 bytes JMP 0000000076eb02a0 .text C:\Windows\system32\Dwm.exe[3140] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076d522f0 5 bytes JMP 0000000076eb02c0 .text C:\Windows\system32\Dwm.exe[3140] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076d52320 5 bytes JMP 0000000076eb0380 .text C:\Windows\system32\Dwm.exe[3140] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076d52330 5 bytes JMP 0000000076eb0340 .text C:\Windows\system32\Dwm.exe[3140] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076d52620 5 bytes JMP 0000000076eb0440 .text C:\Windows\system32\Dwm.exe[3140] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076d52820 5 bytes JMP 0000000076eb0260 .text C:\Windows\system32\Dwm.exe[3140] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076d52830 5 bytes JMP 0000000076eb0270 .text C:\Windows\system32\Dwm.exe[3140] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076d52840 5 bytes JMP 0000000076eb0400 .text C:\Windows\system32\Dwm.exe[3140] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076d52a00 5 bytes JMP 0000000076eb01f0 .text C:\Windows\system32\Dwm.exe[3140] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076d52a10 5 bytes JMP 0000000076eb0210 .text C:\Windows\system32\Dwm.exe[3140] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076d52a80 5 bytes JMP 0000000076eb0200 .text C:\Windows\system32\Dwm.exe[3140] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076d52ae0 5 bytes JMP 0000000076eb0420 .text C:\Windows\system32\Dwm.exe[3140] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076d52af0 5 bytes JMP 0000000076eb0430 .text C:\Windows\system32\Dwm.exe[3140] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076d52b00 5 bytes JMP 0000000076eb0220 .text C:\Windows\system32\Dwm.exe[3140] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076d52be0 5 bytes JMP 0000000076eb0280 .text C:\Windows\Explorer.EXE[3172] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076d513c0 5 bytes JMP 0000000076eb0460 .text C:\Windows\Explorer.EXE[3172] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076d51410 5 bytes JMP 0000000076eb0450 .text C:\Windows\Explorer.EXE[3172] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076d51570 5 bytes JMP 0000000076eb0370 .text C:\Windows\Explorer.EXE[3172] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076d515c0 5 bytes JMP 0000000076eb0470 .text C:\Windows\Explorer.EXE[3172] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d515d0 5 bytes JMP 0000000076eb03e0 .text C:\Windows\Explorer.EXE[3172] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076d51680 5 bytes JMP 0000000076eb0320 .text C:\Windows\Explorer.EXE[3172] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d516b0 5 bytes JMP 0000000076eb03b0 .text C:\Windows\Explorer.EXE[3172] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076d516d0 5 bytes JMP 0000000076eb0390 .text C:\Windows\Explorer.EXE[3172] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076d51710 5 bytes JMP 0000000076eb02e0 .text C:\Windows\Explorer.EXE[3172] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076d51790 5 bytes JMP 0000000076eb02d0 .text C:\Windows\Explorer.EXE[3172] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076d517b0 5 bytes JMP 0000000076eb0310 .text C:\Windows\Explorer.EXE[3172] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076d517f0 5 bytes JMP 0000000076eb03c0 .text C:\Windows\Explorer.EXE[3172] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076d51840 5 bytes JMP 0000000076eb03f0 .text C:\Windows\Explorer.EXE[3172] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076d519a0 1 byte JMP 0000000076eb0230 .text C:\Windows\Explorer.EXE[3172] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076d519a2 3 bytes {JMP 0x15e890} .text C:\Windows\Explorer.EXE[3172] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d51b60 5 bytes JMP 0000000076eb0480 .text C:\Windows\Explorer.EXE[3172] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076d51b90 5 bytes JMP 0000000076eb03a0 .text C:\Windows\Explorer.EXE[3172] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076d51c70 5 bytes JMP 0000000076eb02f0 .text C:\Windows\Explorer.EXE[3172] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076d51c80 5 bytes JMP 0000000076eb0350 .text C:\Windows\Explorer.EXE[3172] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076d51ce0 5 bytes JMP 0000000076eb0290 .text C:\Windows\Explorer.EXE[3172] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076d51d70 5 bytes JMP 0000000076eb02b0 .text C:\Windows\Explorer.EXE[3172] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076d51d90 5 bytes JMP 0000000076eb03d0 .text C:\Windows\Explorer.EXE[3172] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076d51da0 1 byte JMP 0000000076eb0330 .text C:\Windows\Explorer.EXE[3172] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076d51da2 3 bytes {JMP 0x15e590} .text C:\Windows\Explorer.EXE[3172] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076d51e10 5 bytes JMP 0000000076eb0410 .text C:\Windows\Explorer.EXE[3172] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076d51e40 5 bytes JMP 0000000076eb0240 .text C:\Windows\Explorer.EXE[3172] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076d52100 5 bytes JMP 0000000076eb01e0 .text C:\Windows\Explorer.EXE[3172] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076d521c0 1 byte JMP 0000000076eb0250 .text C:\Windows\Explorer.EXE[3172] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076d521c2 3 bytes {JMP 0x15e090} .text C:\Windows\Explorer.EXE[3172] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076d521f0 5 bytes JMP 0000000076eb0490 .text C:\Windows\Explorer.EXE[3172] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076d52200 5 bytes JMP 0000000076eb04a0 .text C:\Windows\Explorer.EXE[3172] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076d52230 5 bytes JMP 0000000076eb0300 .text C:\Windows\Explorer.EXE[3172] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076d52240 5 bytes JMP 0000000076eb0360 .text C:\Windows\Explorer.EXE[3172] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076d522a0 5 bytes JMP 0000000076eb02a0 .text C:\Windows\Explorer.EXE[3172] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076d522f0 5 bytes JMP 0000000076eb02c0 .text C:\Windows\Explorer.EXE[3172] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076d52320 5 bytes JMP 0000000076eb0380 .text C:\Windows\Explorer.EXE[3172] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076d52330 5 bytes JMP 0000000076eb0340 .text C:\Windows\Explorer.EXE[3172] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076d52620 5 bytes JMP 0000000076eb0440 .text C:\Windows\Explorer.EXE[3172] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076d52820 5 bytes JMP 0000000076eb0260 .text C:\Windows\Explorer.EXE[3172] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076d52830 5 bytes JMP 0000000076eb0270 .text C:\Windows\Explorer.EXE[3172] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076d52840 5 bytes JMP 0000000076eb0400 .text C:\Windows\Explorer.EXE[3172] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076d52a00 5 bytes JMP 0000000076eb01f0 .text C:\Windows\Explorer.EXE[3172] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076d52a10 5 bytes JMP 0000000076eb0210 .text C:\Windows\Explorer.EXE[3172] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076d52a80 5 bytes JMP 0000000076eb0200 .text C:\Windows\Explorer.EXE[3172] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076d52ae0 5 bytes JMP 0000000076eb0420 .text C:\Windows\Explorer.EXE[3172] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076d52af0 5 bytes JMP 0000000076eb0430 .text C:\Windows\Explorer.EXE[3172] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076d52b00 5 bytes JMP 0000000076eb0220 .text C:\Windows\Explorer.EXE[3172] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076d52be0 5 bytes JMP 0000000076eb0280 .text C:\Program Files\Windows Sidebar\sidebar.exe[3500] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076d513c0 5 bytes JMP 0000000076eb0460 .text C:\Program Files\Windows Sidebar\sidebar.exe[3500] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076d51410 5 bytes JMP 0000000076eb0450 .text C:\Program Files\Windows Sidebar\sidebar.exe[3500] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076d51570 5 bytes JMP 0000000076eb0370 .text C:\Program Files\Windows Sidebar\sidebar.exe[3500] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076d515c0 5 bytes JMP 0000000076eb0470 .text C:\Program Files\Windows Sidebar\sidebar.exe[3500] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d515d0 5 bytes JMP 0000000076eb03e0 .text C:\Program Files\Windows Sidebar\sidebar.exe[3500] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076d51680 5 bytes JMP 0000000076eb0320 .text C:\Program Files\Windows Sidebar\sidebar.exe[3500] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d516b0 5 bytes JMP 0000000076eb03b0 .text C:\Program Files\Windows Sidebar\sidebar.exe[3500] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076d516d0 5 bytes JMP 0000000076eb0390 .text C:\Program Files\Windows Sidebar\sidebar.exe[3500] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076d51710 5 bytes JMP 0000000076eb02e0 .text C:\Program Files\Windows Sidebar\sidebar.exe[3500] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076d51790 5 bytes JMP 0000000076eb02d0 .text C:\Program Files\Windows Sidebar\sidebar.exe[3500] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076d517b0 5 bytes JMP 0000000076eb0310 .text C:\Program Files\Windows Sidebar\sidebar.exe[3500] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076d517f0 5 bytes JMP 0000000076eb03c0 .text C:\Program Files\Windows Sidebar\sidebar.exe[3500] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076d51840 5 bytes JMP 0000000076eb03f0 .text C:\Program Files\Windows Sidebar\sidebar.exe[3500] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076d519a0 1 byte JMP 0000000076eb0230 .text C:\Program Files\Windows Sidebar\sidebar.exe[3500] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076d519a2 3 bytes {JMP 0x15e890} .text C:\Program Files\Windows Sidebar\sidebar.exe[3500] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d51b60 5 bytes JMP 0000000076eb0480 .text C:\Program Files\Windows Sidebar\sidebar.exe[3500] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076d51b90 5 bytes JMP 0000000076eb03a0 .text C:\Program Files\Windows Sidebar\sidebar.exe[3500] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076d51c70 5 bytes JMP 0000000076eb02f0 .text C:\Program Files\Windows Sidebar\sidebar.exe[3500] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076d51c80 5 bytes JMP 0000000076eb0350 .text C:\Program Files\Windows Sidebar\sidebar.exe[3500] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076d51ce0 5 bytes JMP 0000000076eb0290 .text C:\Program Files\Windows Sidebar\sidebar.exe[3500] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076d51d70 5 bytes JMP 0000000076eb02b0 .text C:\Program Files\Windows Sidebar\sidebar.exe[3500] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076d51d90 5 bytes JMP 0000000076eb03d0 .text C:\Program Files\Windows Sidebar\sidebar.exe[3500] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076d51da0 1 byte JMP 0000000076eb0330 .text C:\Program Files\Windows Sidebar\sidebar.exe[3500] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076d51da2 3 bytes {JMP 0x15e590} .text C:\Program Files\Windows Sidebar\sidebar.exe[3500] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076d51e10 5 bytes JMP 0000000076eb0410 .text C:\Program Files\Windows Sidebar\sidebar.exe[3500] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076d51e40 5 bytes JMP 0000000076eb0240 .text C:\Program Files\Windows Sidebar\sidebar.exe[3500] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076d52100 5 bytes JMP 0000000076eb01e0 .text C:\Program Files\Windows Sidebar\sidebar.exe[3500] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076d521c0 1 byte JMP 0000000076eb0250 .text C:\Program Files\Windows Sidebar\sidebar.exe[3500] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076d521c2 3 bytes {JMP 0x15e090} .text C:\Program Files\Windows Sidebar\sidebar.exe[3500] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076d521f0 5 bytes JMP 0000000076eb0490 .text C:\Program Files\Windows Sidebar\sidebar.exe[3500] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076d52200 5 bytes JMP 0000000076eb04a0 .text C:\Program Files\Windows Sidebar\sidebar.exe[3500] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076d52230 5 bytes JMP 0000000076eb0300 .text C:\Program Files\Windows Sidebar\sidebar.exe[3500] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076d52240 5 bytes JMP 0000000076eb0360 .text C:\Program Files\Windows Sidebar\sidebar.exe[3500] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076d522a0 5 bytes JMP 0000000076eb02a0 .text C:\Program Files\Windows Sidebar\sidebar.exe[3500] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076d522f0 5 bytes JMP 0000000076eb02c0 .text C:\Program Files\Windows Sidebar\sidebar.exe[3500] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076d52320 5 bytes JMP 0000000076eb0380 .text C:\Program Files\Windows Sidebar\sidebar.exe[3500] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076d52330 5 bytes JMP 0000000076eb0340 .text C:\Program Files\Windows Sidebar\sidebar.exe[3500] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076d52620 5 bytes JMP 0000000076eb0440 .text C:\Program Files\Windows Sidebar\sidebar.exe[3500] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076d52820 5 bytes JMP 0000000076eb0260 .text C:\Program Files\Windows Sidebar\sidebar.exe[3500] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076d52830 5 bytes JMP 0000000076eb0270 .text C:\Program Files\Windows Sidebar\sidebar.exe[3500] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076d52840 5 bytes JMP 0000000076eb0400 .text C:\Program Files\Windows Sidebar\sidebar.exe[3500] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076d52a00 5 bytes JMP 0000000076eb01f0 .text C:\Program Files\Windows Sidebar\sidebar.exe[3500] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076d52a10 5 bytes JMP 0000000076eb0210 .text C:\Program Files\Windows Sidebar\sidebar.exe[3500] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076d52a80 5 bytes JMP 0000000076eb0200 .text C:\Program Files\Windows Sidebar\sidebar.exe[3500] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076d52ae0 5 bytes JMP 0000000076eb0420 .text C:\Program Files\Windows Sidebar\sidebar.exe[3500] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076d52af0 5 bytes JMP 0000000076eb0430 .text C:\Program Files\Windows Sidebar\sidebar.exe[3500] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076d52b00 5 bytes JMP 0000000076eb0220 .text C:\Program Files\Windows Sidebar\sidebar.exe[3500] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076d52be0 5 bytes JMP 0000000076eb0280 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3732] C:\Windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter 0000000074e687c9 8 bytes [31, C0, C2, 04, 00, 90, 90, ...] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3732] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076eb1465 2 bytes {JMP 0x78} .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3732] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000076eb14bb 2 bytes {JMP 0x78} .text ... * 2 .text C:\Program Files (x86)\Pure Networks\Network Magic\nmapp.exe[3784] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076eb1465 2 bytes {JMP 0x78} .text C:\Program Files (x86)\Pure Networks\Network Magic\nmapp.exe[3784] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000076eb14bb 2 bytes {JMP 0x78} .text ... * 2 .text C:\Windows\system32\svchost.exe[2864] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076d513c0 5 bytes JMP 0000000076eb0460 .text C:\Windows\system32\svchost.exe[2864] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076d51410 5 bytes JMP 0000000076eb0450 .text C:\Windows\system32\svchost.exe[2864] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076d51570 5 bytes JMP 0000000076eb0370 .text C:\Windows\system32\svchost.exe[2864] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076d515c0 5 bytes JMP 0000000076eb0470 .text C:\Windows\system32\svchost.exe[2864] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d515d0 5 bytes JMP 0000000076eb03e0 .text C:\Windows\system32\svchost.exe[2864] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076d51680 5 bytes JMP 0000000076eb0320 .text C:\Windows\system32\svchost.exe[2864] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d516b0 5 bytes JMP 0000000076eb03b0 .text C:\Windows\system32\svchost.exe[2864] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076d516d0 5 bytes JMP 0000000076eb0390 .text C:\Windows\system32\svchost.exe[2864] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076d51710 5 bytes JMP 0000000076eb02e0 .text C:\Windows\system32\svchost.exe[2864] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076d51790 5 bytes JMP 0000000076eb02d0 .text C:\Windows\system32\svchost.exe[2864] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076d517b0 5 bytes JMP 0000000076eb0310 .text C:\Windows\system32\svchost.exe[2864] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076d517f0 5 bytes JMP 0000000076eb03c0 .text C:\Windows\system32\svchost.exe[2864] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076d51840 5 bytes JMP 0000000076eb03f0 .text C:\Windows\system32\svchost.exe[2864] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076d519a0 1 byte JMP 0000000076eb0230 .text C:\Windows\system32\svchost.exe[2864] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076d519a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\svchost.exe[2864] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d51b60 5 bytes JMP 0000000076eb0480 .text C:\Windows\system32\svchost.exe[2864] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076d51b90 5 bytes JMP 0000000076eb03a0 .text C:\Windows\system32\svchost.exe[2864] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076d51c70 5 bytes JMP 0000000076eb02f0 .text C:\Windows\system32\svchost.exe[2864] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076d51c80 5 bytes JMP 0000000076eb0350 .text C:\Windows\system32\svchost.exe[2864] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076d51ce0 5 bytes JMP 0000000076eb0290 .text C:\Windows\system32\svchost.exe[2864] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076d51d70 5 bytes JMP 0000000076eb02b0 .text C:\Windows\system32\svchost.exe[2864] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076d51d90 5 bytes JMP 0000000076eb03d0 .text C:\Windows\system32\svchost.exe[2864] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076d51da0 1 byte JMP 0000000076eb0330 .text C:\Windows\system32\svchost.exe[2864] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076d51da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\svchost.exe[2864] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076d51e10 5 bytes JMP 0000000076eb0410 .text C:\Windows\system32\svchost.exe[2864] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076d51e40 5 bytes JMP 0000000076eb0240 .text C:\Windows\system32\svchost.exe[2864] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076d52100 5 bytes JMP 0000000076eb01e0 .text C:\Windows\system32\svchost.exe[2864] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076d521c0 1 byte JMP 0000000076eb0250 .text C:\Windows\system32\svchost.exe[2864] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076d521c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\svchost.exe[2864] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076d521f0 5 bytes JMP 0000000076eb0490 .text C:\Windows\system32\svchost.exe[2864] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076d52200 5 bytes JMP 0000000076eb04a0 .text C:\Windows\system32\svchost.exe[2864] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076d52230 5 bytes JMP 0000000076eb0300 .text C:\Windows\system32\svchost.exe[2864] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076d52240 5 bytes JMP 0000000076eb0360 .text C:\Windows\system32\svchost.exe[2864] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076d522a0 5 bytes JMP 0000000076eb02a0 .text C:\Windows\system32\svchost.exe[2864] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076d522f0 5 bytes JMP 0000000076eb02c0 .text C:\Windows\system32\svchost.exe[2864] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076d52320 5 bytes JMP 0000000076eb0380 .text C:\Windows\system32\svchost.exe[2864] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076d52330 5 bytes JMP 0000000076eb0340 .text C:\Windows\system32\svchost.exe[2864] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076d52620 5 bytes JMP 0000000076eb0440 .text C:\Windows\system32\svchost.exe[2864] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076d52820 5 bytes JMP 0000000076eb0260 .text C:\Windows\system32\svchost.exe[2864] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076d52830 5 bytes JMP 0000000076eb0270 .text C:\Windows\system32\svchost.exe[2864] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076d52840 5 bytes JMP 0000000076eb0400 .text C:\Windows\system32\svchost.exe[2864] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076d52a00 5 bytes JMP 0000000076eb01f0 .text C:\Windows\system32\svchost.exe[2864] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076d52a10 5 bytes JMP 0000000076eb0210 .text C:\Windows\system32\svchost.exe[2864] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076d52a80 5 bytes JMP 0000000076eb0200 .text C:\Windows\system32\svchost.exe[2864] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076d52ae0 5 bytes JMP 0000000076eb0420 .text C:\Windows\system32\svchost.exe[2864] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076d52af0 5 bytes JMP 0000000076eb0430 .text C:\Windows\system32\svchost.exe[2864] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076d52b00 5 bytes JMP 0000000076eb0220 .text C:\Windows\system32\svchost.exe[2864] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076d52be0 5 bytes JMP 0000000076eb0280 .text C:\Windows\System32\svchost.exe[3580] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076d513c0 5 bytes JMP 0000000076eb0460 .text C:\Windows\System32\svchost.exe[3580] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076d51410 5 bytes JMP 0000000076eb0450 .text C:\Windows\System32\svchost.exe[3580] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076d51570 5 bytes JMP 0000000076eb0370 .text C:\Windows\System32\svchost.exe[3580] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076d515c0 5 bytes JMP 0000000076eb0470 .text C:\Windows\System32\svchost.exe[3580] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d515d0 5 bytes JMP 0000000076eb03e0 .text C:\Windows\System32\svchost.exe[3580] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076d51680 5 bytes JMP 0000000076eb0320 .text C:\Windows\System32\svchost.exe[3580] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d516b0 5 bytes JMP 0000000076eb03b0 .text C:\Windows\System32\svchost.exe[3580] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076d516d0 5 bytes JMP 0000000076eb0390 .text C:\Windows\System32\svchost.exe[3580] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076d51710 5 bytes JMP 0000000076eb02e0 .text C:\Windows\System32\svchost.exe[3580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076d51790 5 bytes JMP 0000000076eb02d0 .text C:\Windows\System32\svchost.exe[3580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076d517b0 5 bytes JMP 0000000076eb0310 .text C:\Windows\System32\svchost.exe[3580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076d517f0 5 bytes JMP 0000000076eb03c0 .text C:\Windows\System32\svchost.exe[3580] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076d51840 5 bytes JMP 0000000076eb03f0 .text C:\Windows\System32\svchost.exe[3580] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076d519a0 1 byte JMP 0000000076eb0230 .text C:\Windows\System32\svchost.exe[3580] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076d519a2 3 bytes {JMP 0x15e890} .text C:\Windows\System32\svchost.exe[3580] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d51b60 5 bytes JMP 0000000076eb0480 .text C:\Windows\System32\svchost.exe[3580] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076d51b90 5 bytes JMP 0000000076eb03a0 .text C:\Windows\System32\svchost.exe[3580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076d51c70 5 bytes JMP 0000000076eb02f0 .text C:\Windows\System32\svchost.exe[3580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076d51c80 5 bytes JMP 0000000076eb0350 .text C:\Windows\System32\svchost.exe[3580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076d51ce0 5 bytes JMP 0000000076eb0290 .text C:\Windows\System32\svchost.exe[3580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076d51d70 5 bytes JMP 0000000076eb02b0 .text C:\Windows\System32\svchost.exe[3580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076d51d90 5 bytes JMP 0000000076eb03d0 .text C:\Windows\System32\svchost.exe[3580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076d51da0 1 byte JMP 0000000076eb0330 .text C:\Windows\System32\svchost.exe[3580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076d51da2 3 bytes {JMP 0x15e590} .text C:\Windows\System32\svchost.exe[3580] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076d51e10 5 bytes JMP 0000000076eb0410 .text C:\Windows\System32\svchost.exe[3580] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076d51e40 5 bytes JMP 0000000076eb0240 .text C:\Windows\System32\svchost.exe[3580] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076d52100 5 bytes JMP 0000000076eb01e0 .text C:\Windows\System32\svchost.exe[3580] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076d521c0 1 byte JMP 0000000076eb0250 .text C:\Windows\System32\svchost.exe[3580] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076d521c2 3 bytes {JMP 0x15e090} .text C:\Windows\System32\svchost.exe[3580] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076d521f0 5 bytes JMP 0000000076eb0490 .text C:\Windows\System32\svchost.exe[3580] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076d52200 5 bytes JMP 0000000076eb04a0 .text C:\Windows\System32\svchost.exe[3580] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076d52230 5 bytes JMP 0000000076eb0300 .text C:\Windows\System32\svchost.exe[3580] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076d52240 5 bytes JMP 0000000076eb0360 .text C:\Windows\System32\svchost.exe[3580] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076d522a0 5 bytes JMP 0000000076eb02a0 .text C:\Windows\System32\svchost.exe[3580] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076d522f0 5 bytes JMP 0000000076eb02c0 .text C:\Windows\System32\svchost.exe[3580] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076d52320 5 bytes JMP 0000000076eb0380 .text C:\Windows\System32\svchost.exe[3580] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076d52330 5 bytes JMP 0000000076eb0340 .text C:\Windows\System32\svchost.exe[3580] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076d52620 5 bytes JMP 0000000076eb0440 .text C:\Windows\System32\svchost.exe[3580] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076d52820 5 bytes JMP 0000000076eb0260 .text C:\Windows\System32\svchost.exe[3580] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076d52830 5 bytes JMP 0000000076eb0270 .text C:\Windows\System32\svchost.exe[3580] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076d52840 5 bytes JMP 0000000076eb0400 .text C:\Windows\System32\svchost.exe[3580] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076d52a00 5 bytes JMP 0000000076eb01f0 .text C:\Windows\System32\svchost.exe[3580] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076d52a10 5 bytes JMP 0000000076eb0210 .text C:\Windows\System32\svchost.exe[3580] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076d52a80 5 bytes JMP 0000000076eb0200 .text C:\Windows\System32\svchost.exe[3580] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076d52ae0 5 bytes JMP 0000000076eb0420 .text C:\Windows\System32\svchost.exe[3580] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076d52af0 5 bytes JMP 0000000076eb0430 .text C:\Windows\System32\svchost.exe[3580] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076d52b00 5 bytes JMP 0000000076eb0220 .text C:\Windows\System32\svchost.exe[3580] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076d52be0 5 bytes JMP 0000000076eb0280 .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3096] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076eb1465 2 bytes {JMP 0x78} .text C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3096] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000076eb14bb 2 bytes {JMP 0x78} .text ... * 2 .text C:\Windows\system32\AUDIODG.EXE[4844] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076d513c0 5 bytes JMP 0000000076eb0460 .text C:\Windows\system32\AUDIODG.EXE[4844] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076d51410 5 bytes JMP 0000000076eb0450 .text C:\Windows\system32\AUDIODG.EXE[4844] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076d51570 5 bytes JMP 0000000076eb0370 .text C:\Windows\system32\AUDIODG.EXE[4844] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076d515c0 5 bytes JMP 0000000076eb0470 .text C:\Windows\system32\AUDIODG.EXE[4844] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d515d0 5 bytes JMP 0000000076eb03e0 .text C:\Windows\system32\AUDIODG.EXE[4844] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076d51680 5 bytes JMP 0000000076eb0320 .text C:\Windows\system32\AUDIODG.EXE[4844] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d516b0 5 bytes JMP 0000000076eb03b0 .text C:\Windows\system32\AUDIODG.EXE[4844] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076d516d0 5 bytes JMP 0000000076eb0390 .text C:\Windows\system32\AUDIODG.EXE[4844] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076d51710 5 bytes JMP 0000000076eb02e0 .text C:\Windows\system32\AUDIODG.EXE[4844] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076d51790 5 bytes JMP 0000000076eb02d0 .text C:\Windows\system32\AUDIODG.EXE[4844] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076d517b0 5 bytes JMP 0000000076eb0310 .text C:\Windows\system32\AUDIODG.EXE[4844] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076d517f0 5 bytes JMP 0000000076eb03c0 .text C:\Windows\system32\AUDIODG.EXE[4844] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076d51840 5 bytes JMP 0000000076eb03f0 .text C:\Windows\system32\AUDIODG.EXE[4844] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076d519a0 1 byte JMP 0000000076eb0230 .text C:\Windows\system32\AUDIODG.EXE[4844] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076d519a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\AUDIODG.EXE[4844] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d51b60 5 bytes JMP 0000000076eb0480 .text C:\Windows\system32\AUDIODG.EXE[4844] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076d51b90 5 bytes JMP 0000000076eb03a0 .text C:\Windows\system32\AUDIODG.EXE[4844] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076d51c70 5 bytes JMP 0000000076eb02f0 .text C:\Windows\system32\AUDIODG.EXE[4844] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076d51c80 5 bytes JMP 0000000076eb0350 .text C:\Windows\system32\AUDIODG.EXE[4844] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076d51ce0 5 bytes JMP 0000000076eb0290 .text C:\Windows\system32\AUDIODG.EXE[4844] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076d51d70 5 bytes JMP 0000000076eb02b0 .text C:\Windows\system32\AUDIODG.EXE[4844] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076d51d90 5 bytes JMP 0000000076eb03d0 .text C:\Windows\system32\AUDIODG.EXE[4844] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076d51da0 1 byte JMP 0000000076eb0330 .text C:\Windows\system32\AUDIODG.EXE[4844] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076d51da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\AUDIODG.EXE[4844] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076d51e10 5 bytes JMP 0000000076eb0410 .text C:\Windows\system32\AUDIODG.EXE[4844] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076d51e40 5 bytes JMP 0000000076eb0240 .text C:\Windows\system32\AUDIODG.EXE[4844] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076d52100 5 bytes JMP 0000000076eb01e0 .text C:\Windows\system32\AUDIODG.EXE[4844] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076d521c0 1 byte JMP 0000000076eb0250 .text C:\Windows\system32\AUDIODG.EXE[4844] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076d521c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\AUDIODG.EXE[4844] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076d521f0 5 bytes JMP 0000000076eb0490 .text C:\Windows\system32\AUDIODG.EXE[4844] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076d52200 5 bytes JMP 0000000076eb04a0 .text C:\Windows\system32\AUDIODG.EXE[4844] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076d52230 5 bytes JMP 0000000076eb0300 .text C:\Windows\system32\AUDIODG.EXE[4844] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076d52240 5 bytes JMP 0000000076eb0360 .text C:\Windows\system32\AUDIODG.EXE[4844] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076d522a0 5 bytes JMP 0000000076eb02a0 .text C:\Windows\system32\AUDIODG.EXE[4844] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076d522f0 5 bytes JMP 0000000076eb02c0 .text C:\Windows\system32\AUDIODG.EXE[4844] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076d52320 5 bytes JMP 0000000076eb0380 .text C:\Windows\system32\AUDIODG.EXE[4844] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076d52330 5 bytes JMP 0000000076eb0340 .text C:\Windows\system32\AUDIODG.EXE[4844] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076d52620 5 bytes JMP 0000000076eb0440 .text C:\Windows\system32\AUDIODG.EXE[4844] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076d52820 5 bytes JMP 0000000076eb0260 .text C:\Windows\system32\AUDIODG.EXE[4844] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076d52830 5 bytes JMP 0000000076eb0270 .text C:\Windows\system32\AUDIODG.EXE[4844] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076d52840 5 bytes JMP 0000000076eb0400 .text C:\Windows\system32\AUDIODG.EXE[4844] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076d52a00 5 bytes JMP 0000000076eb01f0 .text C:\Windows\system32\AUDIODG.EXE[4844] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076d52a10 5 bytes JMP 0000000076eb0210 .text C:\Windows\system32\AUDIODG.EXE[4844] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076d52a80 5 bytes JMP 0000000076eb0200 .text C:\Windows\system32\AUDIODG.EXE[4844] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076d52ae0 5 bytes JMP 0000000076eb0420 .text C:\Windows\system32\AUDIODG.EXE[4844] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076d52af0 5 bytes JMP 0000000076eb0430 .text C:\Windows\system32\AUDIODG.EXE[4844] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076d52b00 5 bytes JMP 0000000076eb0220 .text C:\Windows\system32\AUDIODG.EXE[4844] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076d52be0 5 bytes JMP 0000000076eb0280 ---- Kernel IAT/EAT - GMER 2.2 ---- IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort] [fffff88001089f1c] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUchar] [fffff88001089cc0] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUchar] [fffff8800108a69c] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUlong] [fffff8800108aa98] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort] [fffff8800108a8f4] \SystemRoot\System32\Drivers\sptd.sys [.text] ---- User IAT/EAT - GMER 2.2 ---- IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1888] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmAddToStreamDWord] [7fef8c2741c] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1888] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSet] [7fef8c25f10] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1888] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmEndSession] [7fef8c25674] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1888] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmStartSession] [7fef8c25e2c] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1888] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmStartUpload] [7fef8c27f48] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1888] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSetAppVersion] [7fef8c26a38] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1888] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSetMachineId] [7fef8c26ee8] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1888] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmWriteSharedMachineId] [7fef8c27b58] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1888] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmCreateNewId] [7fef8c27ea0] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1888] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmReadSharedMachineId] [7fef8c278b0] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1888] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmGetSession] [7fef8c24fb4] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1888] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSetAppId] [7fef8c25d38] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1888] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmAddToStreamString] [7fef8c27584] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll ---- Devices - GMER 2.2 ---- Device \Driver\atapi \Device\Ide\IdePort0 fffffa8003caf2c0 Device \Driver\atapi \Device\Ide\IdePort1 fffffa8003caf2c0 Device \Driver\ayg0q1z3 \Device\Scsi\ayg0q1z31 fffffa80054d82c0 Device \Driver\ayg0q1z3 \Device\Scsi\ayg0q1z31Port4Path0Target0Lun0 fffffa80054d82c0 Device \FileSystem\Ntfs \Ntfs fffffa8003d782c0 Device \Driver\usbehci \Device\USBPDO-1 fffffa80052dd2c0 Device \Driver\nvstor64 \Device\RaidPort0 fffffa8003cb32c0 Device \Driver\cdrom \Device\CdRom0 fffffa800506e2c0 Device \Driver\nvstor64 \Device\RaidPort1 fffffa8003cb32c0 Device \Driver\cdrom \Device\CdRom1 fffffa800506e2c0 Device \Driver\nvstor64 \Device\0000006f fffffa8003cb32c0 Device \Driver\NetBT \Device\NetBT_Tcpip_{076679A5-D520-4A04-B110-687C6B46D5FD} fffffa80051b32c0 Device \Driver\usbohci \Device\USBFDO-0 fffffa80052842c0 Device \Driver\NetBT \Device\NetBT_Tcpip_{1479CA50-6402-4B28-BF27-F3CCD31D0EEF} fffffa80051b32c0 Device \Driver\usbehci \Device\USBFDO-1 fffffa80052dd2c0 Device \Driver\NetBT \Device\NetBt_Wins_Export fffffa80051b32c0 Device \Driver\atapi \Device\ScsiPort0 fffffa8003caf2c0 Device \Driver\usbohci \Device\USBPDO-0 fffffa80052842c0 Device \Driver\atapi \Device\ScsiPort1 fffffa8003caf2c0 Device \Driver\nvstor64 \Device\ScsiPort2 fffffa8003cb32c0 Device \Driver\nvstor64 \Device\ScsiPort3 fffffa8003cb32c0 Device \Driver\ayg0q1z3 \Device\ScsiPort4 fffffa80054d82c0 Device \Driver\nvstor64 \Device\0000006e fffffa8003cb32c0 ---- Trace I/O - GMER 2.2 ---- Trace ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys >>UNKNOWN [0xfffffa8003cb32c0]<< sptd.sys storport.sys hal.dll nvstor64.sys fffffa8003cb32c0 Trace 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8004d74060] fffffa8004d74060 Trace 3 CLASSPNP.SYS[fffff88001b6a43f] -> nt!IofCallDriver -> [0xfffffa8003dfee40] fffffa8003dfee40 Trace 5 ACPI.sys[fffff8800100b7a1] -> nt!IofCallDriver -> \Device\0000006e[0xfffffa8003df3060] fffffa8003df3060 Trace \Driver\nvstor64[0xfffffa8003df5e40] -> IRP_MJ_CREATE -> 0xfffffa8003cb32c0 fffffa8003cb32c0 ---- Modules - GMER 2.2 ---- Module \SystemRoot\System32\Drivers\ayg0q1z3.SYS fffff88004f51000-fffff88004fa0000 (323584 bytes) ---- Registry - GMER 2.2 ---- Reg HKLM\SYSTEM\ControlSet001\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet) Reg HKLM\SYSTEM\ControlSet001\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files (x86)\DAEMON Tools Lite\ Reg HKLM\SYSTEM\ControlSet001\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet001\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\ControlSet001\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xD2 0x6B 0x84 0x1D ... Reg HKLM\SYSTEM\ControlSet001\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet001\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet001\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x51 0x04 0x89 0xDD ... Reg HKLM\SYSTEM\ControlSet001\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet001\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x54 0x47 0x19 0x95 ... ---- Files - GMER 2.2 ---- File C:\Users\Pc\AppData\Local\Temp\RDR3561.tmp 0 bytes File C:\Users\Pc\AppData\Local\Temp\RDR3561.tmp\empty.txt 0 bytes ---- EOF - GMER 2.2 ----