GMER 2.2.19882 - http://www.gmer.net Rootkit scan 2017-01-26 19:41:41 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 ST1000DL002-9TT153 rev.CC32 931,51GB Running: hbhuckrj.exe; Driver: C:\Users\Maciej\AppData\Local\Temp\kwrdrpog.sys ---- Kernel code sections - GMER 2.2 ---- .text C:\Windows\System32\win32k.sys!EngSetLastError + 608 fffff96000105b50 8 bytes [00, 45, AC, 06, 80, F8, FF, ...] .text C:\Windows\System32\win32k.sys!W32pServiceTable fffff96000135900 7 bytes [40, 4C, F3, FF, 01, 56, F0] .text C:\Windows\System32\win32k.sys!W32pServiceTable + 8 fffff96000135908 3 bytes [C0, 06, 02] ---- User code sections - GMER 2.2 ---- .text C:\Windows\system32\csrss.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076dbbde0 5 bytes JMP 0000000049cb0480 .text C:\Windows\system32\csrss.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076dbbe30 5 bytes JMP 0000000049cb0470 .text C:\Windows\system32\csrss.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076dbbf90 5 bytes JMP 0000000049cb0360 .text C:\Windows\system32\csrss.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076dbbfe0 5 bytes JMP 0000000049cb0490 .text C:\Windows\system32\csrss.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076dbbff0 5 bytes JMP 0000000049cb03d0 .text C:\Windows\system32\csrss.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076dbc0a0 5 bytes JMP 0000000049cb0310 .text C:\Windows\system32\csrss.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076dbc0d0 5 bytes JMP 0000000049cb03a0 .text C:\Windows\system32\csrss.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076dbc0f0 1 byte JMP 0000000049cb0380 .text C:\Windows\system32\csrss.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 0000000076dbc0f2 3 bytes {JMP 0xffffffffd2ef4290} .text C:\Windows\system32\csrss.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076dbc130 5 bytes JMP 0000000049cb02d0 .text C:\Windows\system32\csrss.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076dbc1b0 5 bytes JMP 0000000049cb02c0 .text C:\Windows\system32\csrss.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076dbc1d0 5 bytes JMP 0000000049cb0300 .text C:\Windows\system32\csrss.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076dbc210 5 bytes JMP 0000000049cb03b0 .text C:\Windows\system32\csrss.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076dbc250 5 bytes JMP 0000000049cb0440 .text C:\Windows\system32\csrss.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076dbc260 5 bytes JMP 0000000049cb03e0 .text C:\Windows\system32\csrss.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076dbc3c0 5 bytes JMP 0000000049cb0220 .text C:\Windows\system32\csrss.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076dbc580 5 bytes JMP 0000000049cb04a0 .text C:\Windows\system32\csrss.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076dbc5b0 5 bytes JMP 0000000049cb0390 .text C:\Windows\system32\csrss.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076dbc690 5 bytes JMP 0000000049cb02e0 .text C:\Windows\system32\csrss.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076dbc6a0 5 bytes JMP 0000000049cb0340 .text C:\Windows\system32\csrss.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076dbc700 5 bytes JMP 0000000049cb0280 .text C:\Windows\system32\csrss.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076dbc790 5 bytes JMP 0000000049cb02a0 .text C:\Windows\system32\csrss.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076dbc7b0 5 bytes JMP 0000000049cb03c0 .text C:\Windows\system32\csrss.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076dbc7c0 5 bytes JMP 0000000049cb0320 .text C:\Windows\system32\csrss.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076dbc830 5 bytes JMP 0000000049cb0410 .text C:\Windows\system32\csrss.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076dbc860 5 bytes JMP 0000000049cb0230 .text C:\Windows\system32\csrss.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000076dbca00 5 bytes JMP 0000000049cb03f0 .text C:\Windows\system32\csrss.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076dbcb20 5 bytes JMP 0000000049cb01d0 .text C:\Windows\system32\csrss.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076dbcbe0 5 bytes JMP 0000000049cb0240 .text C:\Windows\system32\csrss.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076dbcc10 5 bytes JMP 0000000049cb04b0 .text C:\Windows\system32\csrss.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076dbcc20 5 bytes JMP 0000000049cb04c0 .text C:\Windows\system32\csrss.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076dbcc50 5 bytes JMP 0000000049cb02f0 .text C:\Windows\system32\csrss.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076dbcc60 5 bytes JMP 0000000049cb0350 .text C:\Windows\system32\csrss.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076dbccc0 5 bytes JMP 0000000049cb0290 .text C:\Windows\system32\csrss.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076dbcd10 5 bytes JMP 0000000049cb02b0 .text C:\Windows\system32\csrss.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076dbcd40 5 bytes JMP 0000000049cb0370 .text C:\Windows\system32\csrss.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076dbcd50 5 bytes JMP 0000000049cb0330 .text C:\Windows\system32\csrss.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076dbd040 5 bytes JMP 0000000049cb0460 .text C:\Windows\system32\csrss.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000076dbd1a0 5 bytes JMP 0000000049cb0420 .text C:\Windows\system32\csrss.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076dbd240 5 bytes JMP 0000000049cb0250 .text C:\Windows\system32\csrss.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076dbd250 5 bytes JMP 0000000049cb0260 .text C:\Windows\system32\csrss.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076dbd260 5 bytes JMP 0000000049cb0400 .text C:\Windows\system32\csrss.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076dbd420 5 bytes JMP 0000000049cb01e0 .text C:\Windows\system32\csrss.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076dbd430 5 bytes JMP 0000000049cb0200 .text C:\Windows\system32\csrss.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076dbd4a0 5 bytes JMP 0000000049cb01f0 .text C:\Windows\system32\csrss.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076dbd500 5 bytes JMP 0000000049cb0430 .text C:\Windows\system32\csrss.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076dbd510 5 bytes JMP 0000000049cb0450 .text C:\Windows\system32\csrss.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076dbd520 5 bytes JMP 0000000049cb0210 .text C:\Windows\system32\csrss.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076dbd600 5 bytes JMP 0000000049cb0270 .text C:\Windows\system32\csrss.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076dbbde0 5 bytes JMP 0000000049cb0480 .text C:\Windows\system32\csrss.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076dbbe30 5 bytes JMP 0000000049cb0470 .text C:\Windows\system32\csrss.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076dbbf90 5 bytes JMP 0000000049cb0360 .text C:\Windows\system32\csrss.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076dbbfe0 5 bytes JMP 0000000049cb0490 .text C:\Windows\system32\csrss.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076dbbff0 5 bytes JMP 0000000049cb03d0 .text C:\Windows\system32\csrss.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076dbc0a0 5 bytes JMP 0000000049cb0310 .text C:\Windows\system32\csrss.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076dbc0d0 5 bytes JMP 0000000049cb03a0 .text C:\Windows\system32\csrss.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076dbc0f0 1 byte JMP 0000000049cb0380 .text C:\Windows\system32\csrss.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 0000000076dbc0f2 3 bytes {JMP 0xffffffffd2ef4290} .text C:\Windows\system32\csrss.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076dbc130 5 bytes JMP 0000000049cb02d0 .text C:\Windows\system32\csrss.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076dbc1b0 5 bytes JMP 0000000049cb02c0 .text C:\Windows\system32\csrss.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076dbc1d0 5 bytes JMP 0000000049cb0300 .text C:\Windows\system32\csrss.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076dbc210 5 bytes JMP 0000000049cb03b0 .text C:\Windows\system32\csrss.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076dbc250 5 bytes JMP 0000000049cb0440 .text C:\Windows\system32\csrss.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076dbc260 5 bytes JMP 0000000049cb03e0 .text C:\Windows\system32\csrss.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076dbc3c0 5 bytes JMP 0000000049cb0220 .text C:\Windows\system32\csrss.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076dbc580 5 bytes JMP 0000000049cb04a0 .text C:\Windows\system32\csrss.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076dbc5b0 5 bytes JMP 0000000049cb0390 .text C:\Windows\system32\csrss.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076dbc690 5 bytes JMP 0000000049cb02e0 .text C:\Windows\system32\csrss.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076dbc6a0 5 bytes JMP 0000000049cb0340 .text C:\Windows\system32\csrss.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076dbc700 5 bytes JMP 0000000049cb0280 .text C:\Windows\system32\csrss.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076dbc790 5 bytes JMP 0000000049cb02a0 .text C:\Windows\system32\csrss.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076dbc7b0 5 bytes JMP 0000000049cb03c0 .text C:\Windows\system32\csrss.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076dbc7c0 5 bytes JMP 0000000049cb0320 .text C:\Windows\system32\csrss.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076dbc830 5 bytes JMP 0000000049cb0410 .text C:\Windows\system32\csrss.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076dbc860 5 bytes JMP 0000000049cb0230 .text C:\Windows\system32\csrss.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000076dbca00 5 bytes JMP 0000000049cb03f0 .text C:\Windows\system32\csrss.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076dbcb20 5 bytes JMP 0000000049cb01d0 .text C:\Windows\system32\csrss.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076dbcbe0 5 bytes JMP 0000000049cb0240 .text C:\Windows\system32\csrss.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076dbcc10 5 bytes JMP 0000000049cb04b0 .text C:\Windows\system32\csrss.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076dbcc20 5 bytes JMP 0000000049cb04c0 .text C:\Windows\system32\csrss.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076dbcc50 5 bytes JMP 0000000049cb02f0 .text C:\Windows\system32\csrss.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076dbcc60 5 bytes JMP 0000000049cb0350 .text C:\Windows\system32\csrss.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076dbccc0 5 bytes JMP 0000000049cb0290 .text C:\Windows\system32\csrss.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076dbcd10 5 bytes JMP 0000000049cb02b0 .text C:\Windows\system32\csrss.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076dbcd40 5 bytes JMP 0000000049cb0370 .text C:\Windows\system32\csrss.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076dbcd50 5 bytes JMP 0000000049cb0330 .text C:\Windows\system32\csrss.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076dbd040 5 bytes JMP 0000000049cb0460 .text C:\Windows\system32\csrss.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000076dbd1a0 5 bytes JMP 0000000049cb0420 .text C:\Windows\system32\csrss.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076dbd240 5 bytes JMP 0000000049cb0250 .text C:\Windows\system32\csrss.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076dbd250 5 bytes JMP 0000000049cb0260 .text C:\Windows\system32\csrss.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076dbd260 5 bytes JMP 0000000049cb0400 .text C:\Windows\system32\csrss.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076dbd420 5 bytes JMP 0000000049cb01e0 .text C:\Windows\system32\csrss.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076dbd430 5 bytes JMP 0000000049cb0200 .text C:\Windows\system32\csrss.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076dbd4a0 5 bytes JMP 0000000049cb01f0 .text C:\Windows\system32\csrss.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076dbd500 5 bytes JMP 0000000049cb0430 .text C:\Windows\system32\csrss.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076dbd510 5 bytes JMP 0000000049cb0450 .text C:\Windows\system32\csrss.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076dbd520 5 bytes JMP 0000000049cb0210 .text C:\Windows\system32\csrss.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076dbd600 5 bytes JMP 0000000049cb0270 .text C:\Windows\system32\lsass.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076dbbde0 5 bytes JMP 0000000076f20480 .text C:\Windows\system32\lsass.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076dbbe30 5 bytes JMP 0000000076f20470 .text C:\Windows\system32\lsass.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076dbbf90 5 bytes JMP 0000000076f20360 .text C:\Windows\system32\lsass.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076dbbfe0 5 bytes JMP 0000000076f20490 .text C:\Windows\system32\lsass.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076dbbff0 5 bytes JMP 0000000076f203d0 .text C:\Windows\system32\lsass.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076dbc0a0 5 bytes JMP 0000000076f20310 .text C:\Windows\system32\lsass.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076dbc0d0 5 bytes JMP 0000000076f203a0 .text C:\Windows\system32\lsass.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076dbc0f0 1 byte JMP 0000000076f20380 .text C:\Windows\system32\lsass.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 0000000076dbc0f2 3 bytes {JMP 0x164290} .text C:\Windows\system32\lsass.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076dbc130 5 bytes JMP 0000000076f202d0 .text C:\Windows\system32\lsass.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076dbc1b0 5 bytes JMP 0000000076f202c0 .text C:\Windows\system32\lsass.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076dbc1d0 5 bytes JMP 0000000076f20300 .text C:\Windows\system32\lsass.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076dbc210 5 bytes JMP 0000000076f203b0 .text C:\Windows\system32\lsass.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076dbc250 5 bytes JMP 0000000076f20440 .text C:\Windows\system32\lsass.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076dbc260 5 bytes JMP 0000000076f203e0 .text C:\Windows\system32\lsass.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076dbc3c0 5 bytes JMP 0000000076f20220 .text C:\Windows\system32\lsass.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076dbc580 5 bytes JMP 0000000076f204a0 .text C:\Windows\system32\lsass.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076dbc5b0 5 bytes JMP 0000000076f20390 .text C:\Windows\system32\lsass.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076dbc690 5 bytes JMP 0000000076f202e0 .text C:\Windows\system32\lsass.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076dbc6a0 5 bytes JMP 0000000076f20340 .text C:\Windows\system32\lsass.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076dbc700 5 bytes JMP 0000000076f20280 .text C:\Windows\system32\lsass.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076dbc790 5 bytes JMP 0000000076f202a0 .text C:\Windows\system32\lsass.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076dbc7b0 5 bytes JMP 0000000076f203c0 .text C:\Windows\system32\lsass.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076dbc7c0 5 bytes JMP 0000000076f20320 .text C:\Windows\system32\lsass.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076dbc830 5 bytes JMP 0000000076f20410 .text C:\Windows\system32\lsass.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076dbc860 5 bytes JMP 0000000076f20230 .text C:\Windows\system32\lsass.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000076dbca00 5 bytes JMP 0000000076f203f0 .text C:\Windows\system32\lsass.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076dbcb20 5 bytes JMP 0000000076f201d0 .text C:\Windows\system32\lsass.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076dbcbe0 5 bytes JMP 0000000076f20240 .text C:\Windows\system32\lsass.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076dbcc10 5 bytes JMP 0000000076f204b0 .text C:\Windows\system32\lsass.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076dbcc20 5 bytes JMP 0000000076f204c0 .text C:\Windows\system32\lsass.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076dbcc50 5 bytes JMP 0000000076f202f0 .text C:\Windows\system32\lsass.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076dbcc60 5 bytes JMP 0000000076f20350 .text C:\Windows\system32\lsass.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076dbccc0 5 bytes JMP 0000000076f20290 .text C:\Windows\system32\lsass.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076dbcd10 5 bytes JMP 0000000076f202b0 .text C:\Windows\system32\lsass.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076dbcd40 5 bytes JMP 0000000076f20370 .text C:\Windows\system32\lsass.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076dbcd50 5 bytes JMP 0000000076f20330 .text C:\Windows\system32\lsass.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076dbd040 5 bytes JMP 0000000076f20460 .text C:\Windows\system32\lsass.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000076dbd1a0 5 bytes JMP 0000000076f20420 .text C:\Windows\system32\lsass.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076dbd240 5 bytes JMP 0000000076f20250 .text C:\Windows\system32\lsass.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076dbd250 5 bytes JMP 0000000076f20260 .text C:\Windows\system32\lsass.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076dbd260 5 bytes JMP 0000000076f20400 .text C:\Windows\system32\lsass.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076dbd420 5 bytes JMP 0000000076f201e0 .text C:\Windows\system32\lsass.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076dbd430 5 bytes JMP 0000000076f20200 .text C:\Windows\system32\lsass.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076dbd4a0 5 bytes JMP 0000000076f201f0 .text C:\Windows\system32\lsass.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076dbd500 5 bytes JMP 0000000076f20430 .text C:\Windows\system32\lsass.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076dbd510 5 bytes JMP 0000000076f20450 .text C:\Windows\system32\lsass.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076dbd520 5 bytes JMP 0000000076f20210 .text C:\Windows\system32\lsass.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076dbd600 5 bytes JMP 0000000076f20270 .text C:\Windows\system32\lsm.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076dbbde0 5 bytes JMP 0000000076f20480 .text C:\Windows\system32\lsm.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076dbbe30 5 bytes JMP 0000000076f20470 .text C:\Windows\system32\lsm.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076dbbf90 5 bytes JMP 0000000076f20360 .text C:\Windows\system32\lsm.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076dbbfe0 5 bytes JMP 0000000076f20490 .text C:\Windows\system32\lsm.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076dbbff0 5 bytes JMP 0000000076f203d0 .text C:\Windows\system32\lsm.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076dbc0a0 5 bytes JMP 0000000076f20310 .text C:\Windows\system32\lsm.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076dbc0d0 5 bytes JMP 0000000076f203a0 .text C:\Windows\system32\lsm.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076dbc0f0 1 byte JMP 0000000076f20380 .text C:\Windows\system32\lsm.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 0000000076dbc0f2 3 bytes {JMP 0x164290} .text C:\Windows\system32\lsm.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076dbc130 5 bytes JMP 0000000076f202d0 .text C:\Windows\system32\lsm.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076dbc1b0 5 bytes JMP 0000000076f202c0 .text C:\Windows\system32\lsm.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076dbc1d0 5 bytes JMP 0000000076f20300 .text C:\Windows\system32\lsm.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076dbc210 5 bytes JMP 0000000076f203b0 .text C:\Windows\system32\lsm.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076dbc250 5 bytes JMP 0000000076f20440 .text C:\Windows\system32\lsm.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076dbc260 5 bytes JMP 0000000076f203e0 .text C:\Windows\system32\lsm.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076dbc3c0 5 bytes JMP 0000000076f20220 .text C:\Windows\system32\lsm.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076dbc580 5 bytes JMP 0000000076f204a0 .text C:\Windows\system32\lsm.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076dbc5b0 5 bytes JMP 0000000076f20390 .text C:\Windows\system32\lsm.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076dbc690 5 bytes JMP 0000000076f202e0 .text C:\Windows\system32\lsm.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076dbc6a0 5 bytes JMP 0000000076f20340 .text C:\Windows\system32\lsm.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076dbc700 5 bytes JMP 0000000076f20280 .text C:\Windows\system32\lsm.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076dbc790 5 bytes JMP 0000000076f202a0 .text C:\Windows\system32\lsm.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076dbc7b0 5 bytes JMP 0000000076f203c0 .text C:\Windows\system32\lsm.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076dbc7c0 5 bytes JMP 0000000076f20320 .text C:\Windows\system32\lsm.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076dbc830 5 bytes JMP 0000000076f20410 .text C:\Windows\system32\lsm.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076dbc860 5 bytes JMP 0000000076f20230 .text C:\Windows\system32\lsm.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000076dbca00 5 bytes JMP 0000000076f203f0 .text C:\Windows\system32\lsm.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076dbcb20 5 bytes JMP 0000000076f201d0 .text C:\Windows\system32\lsm.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076dbcbe0 5 bytes JMP 0000000076f20240 .text C:\Windows\system32\lsm.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076dbcc10 5 bytes JMP 0000000076f204b0 .text C:\Windows\system32\lsm.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076dbcc20 5 bytes JMP 0000000076f204c0 .text C:\Windows\system32\lsm.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076dbcc50 5 bytes JMP 0000000076f202f0 .text C:\Windows\system32\lsm.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076dbcc60 5 bytes JMP 0000000076f20350 .text C:\Windows\system32\lsm.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076dbccc0 5 bytes JMP 0000000076f20290 .text C:\Windows\system32\lsm.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076dbcd10 5 bytes JMP 0000000076f202b0 .text C:\Windows\system32\lsm.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076dbcd40 5 bytes JMP 0000000076f20370 .text C:\Windows\system32\lsm.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076dbcd50 5 bytes JMP 0000000076f20330 .text C:\Windows\system32\lsm.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076dbd040 5 bytes JMP 0000000076f20460 .text C:\Windows\system32\lsm.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000076dbd1a0 5 bytes JMP 0000000076f20420 .text C:\Windows\system32\lsm.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076dbd240 5 bytes JMP 0000000076f20250 .text C:\Windows\system32\lsm.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076dbd250 5 bytes JMP 0000000076f20260 .text C:\Windows\system32\lsm.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076dbd260 5 bytes JMP 0000000076f20400 .text C:\Windows\system32\lsm.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076dbd420 5 bytes JMP 0000000076f201e0 .text C:\Windows\system32\lsm.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076dbd430 5 bytes JMP 0000000076f20200 .text C:\Windows\system32\lsm.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076dbd4a0 5 bytes JMP 0000000076f201f0 .text C:\Windows\system32\lsm.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076dbd500 5 bytes JMP 0000000076f20430 .text C:\Windows\system32\lsm.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076dbd510 5 bytes JMP 0000000076f20450 .text C:\Windows\system32\lsm.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076dbd520 5 bytes JMP 0000000076f20210 .text C:\Windows\system32\lsm.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076dbd600 5 bytes JMP 0000000076f20270 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076dbbde0 5 bytes JMP 0000000076f20480 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076dbbe30 5 bytes JMP 0000000076f20470 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076dbbf90 5 bytes JMP 0000000076f20360 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076dbbfe0 5 bytes JMP 0000000076f20490 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076dbbff0 5 bytes JMP 0000000076f203d0 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076dbc0a0 5 bytes JMP 0000000076f20310 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076dbc0d0 5 bytes JMP 0000000076f203a0 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076dbc0f0 1 byte JMP 0000000076f20380 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 0000000076dbc0f2 3 bytes {JMP 0x164290} .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076dbc130 5 bytes JMP 0000000076f202d0 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076dbc1b0 5 bytes JMP 0000000076f202c0 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076dbc1d0 5 bytes JMP 0000000076f20300 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076dbc210 5 bytes JMP 0000000076f203b0 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076dbc250 5 bytes JMP 0000000076f20440 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076dbc260 5 bytes JMP 0000000076f203e0 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076dbc3c0 5 bytes JMP 0000000076f20220 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076dbc580 5 bytes JMP 0000000076f204a0 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076dbc5b0 5 bytes JMP 0000000076f20390 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076dbc690 5 bytes JMP 0000000076f202e0 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076dbc6a0 5 bytes JMP 0000000076f20340 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076dbc700 5 bytes JMP 0000000076f20280 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076dbc790 5 bytes JMP 0000000076f202a0 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076dbc7b0 5 bytes JMP 0000000076f203c0 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076dbc7c0 5 bytes JMP 0000000076f20320 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076dbc830 5 bytes JMP 0000000076f20410 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076dbc860 5 bytes JMP 0000000076f20230 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000076dbca00 5 bytes JMP 0000000076f203f0 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076dbcb20 5 bytes JMP 0000000076f201d0 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076dbcbe0 5 bytes JMP 0000000076f20240 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076dbcc10 5 bytes JMP 0000000076f204b0 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076dbcc20 5 bytes JMP 0000000076f204c0 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076dbcc50 5 bytes JMP 0000000076f202f0 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076dbcc60 5 bytes JMP 0000000076f20350 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076dbccc0 5 bytes JMP 0000000076f20290 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076dbcd10 5 bytes JMP 0000000076f202b0 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076dbcd40 5 bytes JMP 0000000076f20370 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076dbcd50 5 bytes JMP 0000000076f20330 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076dbd040 5 bytes JMP 0000000076f20460 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000076dbd1a0 5 bytes JMP 0000000076f20420 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076dbd240 5 bytes JMP 0000000076f20250 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076dbd250 5 bytes JMP 0000000076f20260 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076dbd260 5 bytes JMP 0000000076f20400 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076dbd420 5 bytes JMP 0000000076f201e0 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076dbd430 5 bytes JMP 0000000076f20200 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076dbd4a0 5 bytes JMP 0000000076f201f0 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076dbd500 5 bytes JMP 0000000076f20430 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076dbd510 5 bytes JMP 0000000076f20450 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076dbd520 5 bytes JMP 0000000076f20210 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076dbd600 5 bytes JMP 0000000076f20270 .text C:\Program Files (x86)\IObit\Advanced SystemCare Ultimate\ASCService.exe[836] C:\Windows\syswow64\kernel32.dll!CreateThread + 28 0000000075133491 4 bytes {CALL 0xffffffff8b32b434} .text C:\Program Files (x86)\IObit\Advanced SystemCare Ultimate\ascavsvc.exe[900] C:\Windows\syswow64\kernel32.dll!CreateThread + 28 0000000075133491 4 bytes {CALL 0xffffffff8b333cd0} .text C:\Program Files (x86)\IObit\Advanced SystemCare Ultimate\ascavsvc.exe[900] C:\Windows\syswow64\psapi.dll!GetModuleFileNameExW + 17 00000000767c1401 2 bytes JMP 7515b233 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\IObit\Advanced SystemCare Ultimate\ascavsvc.exe[900] C:\Windows\syswow64\psapi.dll!EnumProcessModules + 17 00000000767c1419 2 bytes JMP 7515b35e C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\IObit\Advanced SystemCare Ultimate\ascavsvc.exe[900] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 17 00000000767c1431 2 bytes JMP 751d9149 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\IObit\Advanced SystemCare Ultimate\ascavsvc.exe[900] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 42 00000000767c144a 2 bytes CALL 75134885 C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\IObit\Advanced SystemCare Ultimate\ascavsvc.exe[900] C:\Windows\syswow64\psapi.dll!EnumDeviceDrivers + 17 00000000767c14dd 2 bytes JMP 751d8a42 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\IObit\Advanced SystemCare Ultimate\ascavsvc.exe[900] C:\Windows\syswow64\psapi.dll!GetDeviceDriverBaseNameA + 17 00000000767c14f5 2 bytes JMP 751d8c18 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\IObit\Advanced SystemCare Ultimate\ascavsvc.exe[900] C:\Windows\syswow64\psapi.dll!QueryWorkingSetEx + 17 00000000767c150d 2 bytes JMP 751d8938 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\IObit\Advanced SystemCare Ultimate\ascavsvc.exe[900] C:\Windows\syswow64\psapi.dll!GetDeviceDriverBaseNameW + 17 00000000767c1525 2 bytes JMP 751d8d02 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\IObit\Advanced SystemCare Ultimate\ascavsvc.exe[900] C:\Windows\syswow64\psapi.dll!GetModuleBaseNameW + 17 00000000767c153d 2 bytes JMP 7514fcc0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\IObit\Advanced SystemCare Ultimate\ascavsvc.exe[900] C:\Windows\syswow64\psapi.dll!EnumProcesses + 17 00000000767c1555 2 bytes JMP 75156907 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\IObit\Advanced SystemCare Ultimate\ascavsvc.exe[900] C:\Windows\syswow64\psapi.dll!GetProcessMemoryInfo + 17 00000000767c156d 2 bytes JMP 751d9201 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\IObit\Advanced SystemCare Ultimate\ascavsvc.exe[900] C:\Windows\syswow64\psapi.dll!GetPerformanceInfo + 17 00000000767c1585 2 bytes JMP 751d8d62 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\IObit\Advanced SystemCare Ultimate\ascavsvc.exe[900] C:\Windows\syswow64\psapi.dll!QueryWorkingSet + 17 00000000767c159d 2 bytes JMP 751d88fc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\IObit\Advanced SystemCare Ultimate\ascavsvc.exe[900] C:\Windows\syswow64\psapi.dll!GetModuleBaseNameA + 17 00000000767c15b5 2 bytes JMP 7514fd59 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\IObit\Advanced SystemCare Ultimate\ascavsvc.exe[900] C:\Windows\syswow64\psapi.dll!GetModuleFileNameExA + 17 00000000767c15cd 2 bytes JMP 7515b2f4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\IObit\Advanced SystemCare Ultimate\ascavsvc.exe[900] C:\Windows\syswow64\psapi.dll!GetProcessImageFileNameW + 20 00000000767c16b2 2 bytes JMP 751d90c4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\IObit\Advanced SystemCare Ultimate\ascavsvc.exe[900] C:\Windows\syswow64\psapi.dll!GetProcessImageFileNameW + 31 00000000767c16bd 2 bytes JMP 751d8891 C:\Windows\syswow64\kernel32.dll .text C:\Windows\system32\svchost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076dbbde0 5 bytes JMP 0000000076f20480 .text C:\Windows\system32\svchost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076dbbe30 5 bytes JMP 0000000076f20470 .text C:\Windows\system32\svchost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076dbbf90 5 bytes JMP 0000000076f20360 .text C:\Windows\system32\svchost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076dbbfe0 5 bytes JMP 0000000076f20490 .text C:\Windows\system32\svchost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076dbbff0 5 bytes JMP 0000000076f203d0 .text C:\Windows\system32\svchost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076dbc0a0 5 bytes JMP 0000000076f20310 .text C:\Windows\system32\svchost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076dbc0d0 5 bytes JMP 0000000076f203a0 .text C:\Windows\system32\svchost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076dbc0f0 1 byte JMP 0000000076f20380 .text C:\Windows\system32\svchost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 0000000076dbc0f2 3 bytes {JMP 0x164290} .text C:\Windows\system32\svchost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076dbc130 5 bytes JMP 0000000076f202d0 .text C:\Windows\system32\svchost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076dbc1b0 5 bytes JMP 0000000076f202c0 .text C:\Windows\system32\svchost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076dbc1d0 5 bytes JMP 0000000076f20300 .text C:\Windows\system32\svchost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076dbc210 5 bytes JMP 0000000076f203b0 .text C:\Windows\system32\svchost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076dbc250 5 bytes JMP 0000000076f20440 .text C:\Windows\system32\svchost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076dbc260 5 bytes JMP 0000000076f203e0 .text C:\Windows\system32\svchost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076dbc3c0 5 bytes JMP 0000000076f20220 .text C:\Windows\system32\svchost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076dbc580 5 bytes JMP 0000000076f204a0 .text C:\Windows\system32\svchost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076dbc5b0 5 bytes JMP 0000000076f20390 .text C:\Windows\system32\svchost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076dbc690 5 bytes JMP 0000000076f202e0 .text C:\Windows\system32\svchost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076dbc6a0 5 bytes JMP 0000000076f20340 .text C:\Windows\system32\svchost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076dbc700 5 bytes JMP 0000000076f20280 .text C:\Windows\system32\svchost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076dbc790 5 bytes JMP 0000000076f202a0 .text C:\Windows\system32\svchost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076dbc7b0 5 bytes JMP 0000000076f203c0 .text C:\Windows\system32\svchost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076dbc7c0 5 bytes JMP 0000000076f20320 .text C:\Windows\system32\svchost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076dbc830 5 bytes JMP 0000000076f20410 .text C:\Windows\system32\svchost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076dbc860 5 bytes JMP 0000000076f20230 .text C:\Windows\system32\svchost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000076dbca00 5 bytes JMP 0000000076f203f0 .text C:\Windows\system32\svchost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076dbcb20 5 bytes JMP 0000000076f201d0 .text C:\Windows\system32\svchost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076dbcbe0 5 bytes JMP 0000000076f20240 .text C:\Windows\system32\svchost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076dbcc10 5 bytes JMP 0000000076f204b0 .text C:\Windows\system32\svchost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076dbcc20 5 bytes JMP 0000000076f204c0 .text C:\Windows\system32\svchost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076dbcc50 5 bytes JMP 0000000076f202f0 .text C:\Windows\system32\svchost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076dbcc60 5 bytes JMP 0000000076f20350 .text C:\Windows\system32\svchost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076dbccc0 5 bytes JMP 0000000076f20290 .text C:\Windows\system32\svchost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076dbcd10 5 bytes JMP 0000000076f202b0 .text C:\Windows\system32\svchost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076dbcd40 5 bytes JMP 0000000076f20370 .text C:\Windows\system32\svchost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076dbcd50 5 bytes JMP 0000000076f20330 .text C:\Windows\system32\svchost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076dbd040 5 bytes JMP 0000000076f20460 .text C:\Windows\system32\svchost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000076dbd1a0 5 bytes JMP 0000000076f20420 .text C:\Windows\system32\svchost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076dbd240 5 bytes JMP 0000000076f20250 .text C:\Windows\system32\svchost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076dbd250 5 bytes JMP 0000000076f20260 .text C:\Windows\system32\svchost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076dbd260 5 bytes JMP 0000000076f20400 .text C:\Windows\system32\svchost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076dbd420 5 bytes JMP 0000000076f201e0 .text C:\Windows\system32\svchost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076dbd430 5 bytes JMP 0000000076f20200 .text C:\Windows\system32\svchost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076dbd4a0 5 bytes JMP 0000000076f201f0 .text C:\Windows\system32\svchost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076dbd500 5 bytes JMP 0000000076f20430 .text C:\Windows\system32\svchost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076dbd510 5 bytes JMP 0000000076f20450 .text C:\Windows\system32\svchost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076dbd520 5 bytes JMP 0000000076f20210 .text C:\Windows\system32\svchost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076dbd600 5 bytes JMP 0000000076f20270 .text C:\Windows\System32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076dbbde0 5 bytes JMP 0000000076f20480 .text C:\Windows\System32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076dbbe30 5 bytes JMP 0000000076f20470 .text C:\Windows\System32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076dbbf90 5 bytes JMP 0000000076f20360 .text C:\Windows\System32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076dbbfe0 5 bytes JMP 0000000076f20490 .text C:\Windows\System32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076dbbff0 5 bytes JMP 0000000076f203d0 .text C:\Windows\System32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076dbc0a0 5 bytes JMP 0000000076f20310 .text C:\Windows\System32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076dbc0d0 5 bytes JMP 0000000076f203a0 .text C:\Windows\System32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076dbc0f0 1 byte JMP 0000000076f20380 .text C:\Windows\System32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 0000000076dbc0f2 3 bytes {JMP 0x164290} .text C:\Windows\System32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076dbc130 5 bytes JMP 0000000076f202d0 .text C:\Windows\System32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076dbc1b0 5 bytes JMP 0000000076f202c0 .text C:\Windows\System32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076dbc1d0 5 bytes JMP 0000000076f20300 .text C:\Windows\System32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076dbc210 5 bytes JMP 0000000076f203b0 .text C:\Windows\System32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076dbc250 5 bytes JMP 0000000076f20440 .text C:\Windows\System32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076dbc260 5 bytes JMP 0000000076f203e0 .text C:\Windows\System32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076dbc3c0 5 bytes JMP 0000000076f20220 .text C:\Windows\System32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076dbc580 5 bytes JMP 0000000076f204a0 .text C:\Windows\System32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076dbc5b0 5 bytes JMP 0000000076f20390 .text C:\Windows\System32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076dbc690 5 bytes JMP 0000000076f202e0 .text C:\Windows\System32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076dbc6a0 5 bytes JMP 0000000076f20340 .text C:\Windows\System32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076dbc700 5 bytes JMP 0000000076f20280 .text C:\Windows\System32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076dbc790 5 bytes JMP 0000000076f202a0 .text C:\Windows\System32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076dbc7b0 5 bytes JMP 0000000076f203c0 .text C:\Windows\System32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076dbc7c0 5 bytes JMP 0000000076f20320 .text C:\Windows\System32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076dbc830 5 bytes JMP 0000000076f20410 .text C:\Windows\System32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076dbc860 5 bytes JMP 0000000076f20230 .text C:\Windows\System32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000076dbca00 5 bytes JMP 0000000076f203f0 .text C:\Windows\System32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076dbcb20 5 bytes JMP 0000000076f201d0 .text C:\Windows\System32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076dbcbe0 5 bytes JMP 0000000076f20240 .text C:\Windows\System32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076dbcc10 5 bytes JMP 0000000076f204b0 .text C:\Windows\System32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076dbcc20 5 bytes JMP 0000000076f204c0 .text C:\Windows\System32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076dbcc50 5 bytes JMP 0000000076f202f0 .text C:\Windows\System32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076dbcc60 5 bytes JMP 0000000076f20350 .text C:\Windows\System32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076dbccc0 5 bytes JMP 0000000076f20290 .text C:\Windows\System32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076dbcd10 5 bytes JMP 0000000076f202b0 .text C:\Windows\System32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076dbcd40 5 bytes JMP 0000000076f20370 .text C:\Windows\System32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076dbcd50 5 bytes JMP 0000000076f20330 .text C:\Windows\System32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076dbd040 5 bytes JMP 0000000076f20460 .text C:\Windows\System32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000076dbd1a0 5 bytes JMP 0000000076f20420 .text C:\Windows\System32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076dbd240 5 bytes JMP 0000000076f20250 .text C:\Windows\System32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076dbd250 5 bytes JMP 0000000076f20260 .text C:\Windows\System32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076dbd260 5 bytes JMP 0000000076f20400 .text C:\Windows\System32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076dbd420 5 bytes JMP 0000000076f201e0 .text C:\Windows\System32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076dbd430 5 bytes JMP 0000000076f20200 .text C:\Windows\System32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076dbd4a0 5 bytes JMP 0000000076f201f0 .text C:\Windows\System32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076dbd500 5 bytes JMP 0000000076f20430 .text C:\Windows\System32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076dbd510 5 bytes JMP 0000000076f20450 .text C:\Windows\System32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076dbd520 5 bytes JMP 0000000076f20210 .text C:\Windows\System32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076dbd600 5 bytes JMP 0000000076f20270 .text C:\Windows\System32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076dbbde0 5 bytes JMP 0000000076f20480 .text C:\Windows\System32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076dbbe30 5 bytes JMP 0000000076f20470 .text C:\Windows\System32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076dbbf90 5 bytes JMP 0000000076f20360 .text C:\Windows\System32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076dbbfe0 5 bytes JMP 0000000076f20490 .text C:\Windows\System32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076dbbff0 5 bytes JMP 0000000076f203d0 .text C:\Windows\System32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076dbc0a0 5 bytes JMP 0000000076f20310 .text C:\Windows\System32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076dbc0d0 5 bytes JMP 0000000076f203a0 .text C:\Windows\System32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076dbc0f0 1 byte JMP 0000000076f20380 .text C:\Windows\System32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 0000000076dbc0f2 3 bytes {JMP 0x164290} .text C:\Windows\System32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076dbc130 5 bytes JMP 0000000076f202d0 .text C:\Windows\System32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076dbc1b0 5 bytes JMP 0000000076f202c0 .text C:\Windows\System32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076dbc1d0 5 bytes JMP 0000000076f20300 .text C:\Windows\System32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076dbc210 5 bytes JMP 0000000076f203b0 .text C:\Windows\System32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076dbc250 5 bytes JMP 0000000076f20440 .text C:\Windows\System32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076dbc260 5 bytes JMP 0000000076f203e0 .text C:\Windows\System32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076dbc3c0 5 bytes JMP 0000000076f20220 .text C:\Windows\System32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076dbc580 5 bytes JMP 0000000076f204a0 .text C:\Windows\System32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076dbc5b0 5 bytes JMP 0000000076f20390 .text C:\Windows\System32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076dbc690 5 bytes JMP 0000000076f202e0 .text C:\Windows\System32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076dbc6a0 5 bytes JMP 0000000076f20340 .text C:\Windows\System32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076dbc700 5 bytes JMP 0000000076f20280 .text C:\Windows\System32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076dbc790 5 bytes JMP 0000000076f202a0 .text C:\Windows\System32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076dbc7b0 5 bytes JMP 0000000076f203c0 .text C:\Windows\System32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076dbc7c0 5 bytes JMP 0000000076f20320 .text C:\Windows\System32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076dbc830 5 bytes JMP 0000000076f20410 .text C:\Windows\System32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076dbc860 5 bytes JMP 0000000076f20230 .text C:\Windows\System32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000076dbca00 5 bytes JMP 0000000076f203f0 .text C:\Windows\System32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076dbcb20 5 bytes JMP 0000000076f201d0 .text C:\Windows\System32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076dbcbe0 5 bytes JMP 0000000076f20240 .text C:\Windows\System32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076dbcc10 5 bytes JMP 0000000076f204b0 .text C:\Windows\System32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076dbcc20 5 bytes JMP 0000000076f204c0 .text C:\Windows\System32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076dbcc50 5 bytes JMP 0000000076f202f0 .text C:\Windows\System32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076dbcc60 5 bytes JMP 0000000076f20350 .text C:\Windows\System32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076dbccc0 5 bytes JMP 0000000076f20290 .text C:\Windows\System32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076dbcd10 5 bytes JMP 0000000076f202b0 .text C:\Windows\System32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076dbcd40 5 bytes JMP 0000000076f20370 .text C:\Windows\System32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076dbcd50 5 bytes JMP 0000000076f20330 .text C:\Windows\System32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076dbd040 5 bytes JMP 0000000076f20460 .text C:\Windows\System32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000076dbd1a0 5 bytes JMP 0000000076f20420 .text C:\Windows\System32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076dbd240 5 bytes JMP 0000000076f20250 .text C:\Windows\System32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076dbd250 5 bytes JMP 0000000076f20260 .text C:\Windows\System32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076dbd260 5 bytes JMP 0000000076f20400 .text C:\Windows\System32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076dbd420 5 bytes JMP 0000000076f201e0 .text C:\Windows\System32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076dbd430 5 bytes JMP 0000000076f20200 .text C:\Windows\System32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076dbd4a0 5 bytes JMP 0000000076f201f0 .text C:\Windows\System32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076dbd500 5 bytes JMP 0000000076f20430 .text C:\Windows\System32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076dbd510 5 bytes JMP 0000000076f20450 .text C:\Windows\System32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076dbd520 5 bytes JMP 0000000076f20210 .text C:\Windows\System32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076dbd600 5 bytes JMP 0000000076f20270 .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076dbbde0 5 bytes JMP 0000000076f20480 .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076dbbe30 5 bytes JMP 0000000076f20470 .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076dbbf90 5 bytes JMP 0000000076f20360 .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076dbbfe0 5 bytes JMP 0000000076f20490 .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076dbbff0 5 bytes JMP 0000000076f203d0 .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076dbc0a0 5 bytes JMP 0000000076f20310 .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076dbc0d0 5 bytes JMP 0000000076f203a0 .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076dbc0f0 1 byte JMP 0000000076f20380 .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 0000000076dbc0f2 3 bytes {JMP 0x164290} .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076dbc130 5 bytes JMP 0000000076f202d0 .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076dbc1b0 5 bytes JMP 0000000076f202c0 .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076dbc1d0 5 bytes JMP 0000000076f20300 .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076dbc210 5 bytes JMP 0000000076f203b0 .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076dbc250 5 bytes JMP 0000000076f20440 .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076dbc260 5 bytes JMP 0000000076f203e0 .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076dbc3c0 5 bytes JMP 0000000076f20220 .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076dbc580 5 bytes JMP 0000000076f204a0 .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076dbc5b0 5 bytes JMP 0000000076f20390 .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076dbc690 5 bytes JMP 0000000076f202e0 .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076dbc6a0 5 bytes JMP 0000000076f20340 .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076dbc700 5 bytes JMP 0000000076f20280 .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076dbc790 5 bytes JMP 0000000076f202a0 .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076dbc7b0 5 bytes JMP 0000000076f203c0 .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076dbc7c0 5 bytes JMP 0000000076f20320 .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076dbc830 5 bytes JMP 0000000076f20410 .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076dbc860 5 bytes JMP 0000000076f20230 .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000076dbca00 5 bytes JMP 0000000076f203f0 .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076dbcb20 5 bytes JMP 0000000076f201d0 .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076dbcbe0 5 bytes JMP 0000000076f20240 .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076dbcc10 5 bytes JMP 0000000076f204b0 .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076dbcc20 5 bytes JMP 0000000076f204c0 .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076dbcc50 5 bytes JMP 0000000076f202f0 .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076dbcc60 5 bytes JMP 0000000076f20350 .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076dbccc0 5 bytes JMP 0000000076f20290 .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076dbcd10 5 bytes JMP 0000000076f202b0 .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076dbcd40 5 bytes JMP 0000000076f20370 .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076dbcd50 5 bytes JMP 0000000076f20330 .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076dbd040 5 bytes JMP 0000000076f20460 .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000076dbd1a0 5 bytes JMP 0000000076f20420 .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076dbd240 5 bytes JMP 0000000076f20250 .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076dbd250 5 bytes JMP 0000000076f20260 .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076dbd260 5 bytes JMP 0000000076f20400 .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076dbd420 5 bytes JMP 0000000076f201e0 .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076dbd430 5 bytes JMP 0000000076f20200 .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076dbd4a0 5 bytes JMP 0000000076f201f0 .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076dbd500 5 bytes JMP 0000000076f20430 .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076dbd510 5 bytes JMP 0000000076f20450 .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076dbd520 5 bytes JMP 0000000076f20210 .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076dbd600 5 bytes JMP 0000000076f20270 .text C:\Windows\system32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076dbbde0 5 bytes JMP 0000000076f20480 .text C:\Windows\system32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076dbbe30 5 bytes JMP 0000000076f20470 .text C:\Windows\system32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076dbbf90 5 bytes JMP 0000000076f20360 .text C:\Windows\system32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076dbbfe0 5 bytes JMP 0000000076f20490 .text C:\Windows\system32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076dbbff0 5 bytes JMP 0000000076f203d0 .text C:\Windows\system32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076dbc0a0 5 bytes JMP 0000000076f20310 .text C:\Windows\system32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076dbc0d0 5 bytes JMP 0000000076f203a0 .text C:\Windows\system32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076dbc0f0 1 byte JMP 0000000076f20380 .text C:\Windows\system32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 0000000076dbc0f2 3 bytes {JMP 0x164290} .text C:\Windows\system32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076dbc130 5 bytes JMP 0000000076f202d0 .text C:\Windows\system32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076dbc1b0 5 bytes JMP 0000000076f202c0 .text C:\Windows\system32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076dbc1d0 5 bytes JMP 0000000076f20300 .text C:\Windows\system32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076dbc210 5 bytes JMP 0000000076f203b0 .text C:\Windows\system32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076dbc250 5 bytes JMP 0000000076f20440 .text C:\Windows\system32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076dbc260 5 bytes JMP 0000000076f203e0 .text C:\Windows\system32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076dbc3c0 5 bytes JMP 0000000076f20220 .text C:\Windows\system32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076dbc580 5 bytes JMP 0000000076f204a0 .text C:\Windows\system32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076dbc5b0 5 bytes JMP 0000000076f20390 .text C:\Windows\system32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076dbc690 5 bytes JMP 0000000076f202e0 .text C:\Windows\system32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076dbc6a0 5 bytes JMP 0000000076f20340 .text C:\Windows\system32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076dbc700 5 bytes JMP 0000000076f20280 .text C:\Windows\system32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076dbc790 5 bytes JMP 0000000076f202a0 .text C:\Windows\system32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076dbc7b0 5 bytes JMP 0000000076f203c0 .text C:\Windows\system32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076dbc7c0 5 bytes JMP 0000000076f20320 .text C:\Windows\system32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076dbc830 5 bytes JMP 0000000076f20410 .text C:\Windows\system32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076dbc860 5 bytes JMP 0000000076f20230 .text C:\Windows\system32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000076dbca00 5 bytes JMP 0000000076f203f0 .text C:\Windows\system32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076dbcb20 5 bytes JMP 0000000076f201d0 .text C:\Windows\system32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076dbcbe0 5 bytes JMP 0000000076f20240 .text C:\Windows\system32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076dbcc10 5 bytes JMP 0000000076f204b0 .text C:\Windows\system32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076dbcc20 5 bytes JMP 0000000076f204c0 .text C:\Windows\system32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076dbcc50 5 bytes JMP 0000000076f202f0 .text C:\Windows\system32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076dbcc60 5 bytes JMP 0000000076f20350 .text C:\Windows\system32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076dbccc0 5 bytes JMP 0000000076f20290 .text C:\Windows\system32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076dbcd10 5 bytes JMP 0000000076f202b0 .text C:\Windows\system32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076dbcd40 5 bytes JMP 0000000076f20370 .text C:\Windows\system32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076dbcd50 5 bytes JMP 0000000076f20330 .text C:\Windows\system32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076dbd040 5 bytes JMP 0000000076f20460 .text C:\Windows\system32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000076dbd1a0 5 bytes JMP 0000000076f20420 .text C:\Windows\system32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076dbd240 5 bytes JMP 0000000076f20250 .text C:\Windows\system32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076dbd250 5 bytes JMP 0000000076f20260 .text C:\Windows\system32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076dbd260 5 bytes JMP 0000000076f20400 .text C:\Windows\system32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076dbd420 5 bytes JMP 0000000076f201e0 .text C:\Windows\system32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076dbd430 5 bytes JMP 0000000076f20200 .text C:\Windows\system32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076dbd4a0 5 bytes JMP 0000000076f201f0 .text C:\Windows\system32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076dbd500 5 bytes JMP 0000000076f20430 .text C:\Windows\system32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076dbd510 5 bytes JMP 0000000076f20450 .text C:\Windows\system32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076dbd520 5 bytes JMP 0000000076f20210 .text C:\Windows\system32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076dbd600 5 bytes JMP 0000000076f20270 .text C:\Windows\system32\svchost.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076dbbde0 5 bytes JMP 0000000076f20480 .text C:\Windows\system32\svchost.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076dbbe30 5 bytes JMP 0000000076f20470 .text C:\Windows\system32\svchost.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076dbbf90 5 bytes JMP 0000000076f20360 .text C:\Windows\system32\svchost.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076dbbfe0 5 bytes JMP 0000000076f20490 .text C:\Windows\system32\svchost.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076dbbff0 5 bytes JMP 0000000076f203d0 .text C:\Windows\system32\svchost.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076dbc0a0 5 bytes JMP 0000000076f20310 .text C:\Windows\system32\svchost.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076dbc0d0 5 bytes JMP 0000000076f203a0 .text C:\Windows\system32\svchost.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076dbc0f0 1 byte JMP 0000000076f20380 .text C:\Windows\system32\svchost.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 0000000076dbc0f2 3 bytes {JMP 0x164290} .text C:\Windows\system32\svchost.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076dbc130 5 bytes JMP 0000000076f202d0 .text C:\Windows\system32\svchost.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076dbc1b0 5 bytes JMP 0000000076f202c0 .text C:\Windows\system32\svchost.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076dbc1d0 5 bytes JMP 0000000076f20300 .text C:\Windows\system32\svchost.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076dbc210 5 bytes JMP 0000000076f203b0 .text C:\Windows\system32\svchost.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076dbc250 5 bytes JMP 0000000076f20440 .text C:\Windows\system32\svchost.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076dbc260 5 bytes JMP 0000000076f203e0 .text C:\Windows\system32\svchost.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076dbc3c0 5 bytes JMP 0000000076f20220 .text C:\Windows\system32\svchost.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076dbc580 5 bytes JMP 0000000076f204a0 .text C:\Windows\system32\svchost.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076dbc5b0 5 bytes JMP 0000000076f20390 .text C:\Windows\system32\svchost.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076dbc690 5 bytes JMP 0000000076f202e0 .text C:\Windows\system32\svchost.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076dbc6a0 5 bytes JMP 0000000076f20340 .text C:\Windows\system32\svchost.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076dbc700 5 bytes JMP 0000000076f20280 .text C:\Windows\system32\svchost.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076dbc790 5 bytes JMP 0000000076f202a0 .text C:\Windows\system32\svchost.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076dbc7b0 5 bytes JMP 0000000076f203c0 .text C:\Windows\system32\svchost.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076dbc7c0 5 bytes JMP 0000000076f20320 .text C:\Windows\system32\svchost.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076dbc830 5 bytes JMP 0000000076f20410 .text C:\Windows\system32\svchost.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076dbc860 5 bytes JMP 0000000076f20230 .text C:\Windows\system32\svchost.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000076dbca00 5 bytes JMP 0000000076f203f0 .text C:\Windows\system32\svchost.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076dbcb20 5 bytes JMP 0000000076f201d0 .text C:\Windows\system32\svchost.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076dbcbe0 5 bytes JMP 0000000076f20240 .text C:\Windows\system32\svchost.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076dbcc10 5 bytes JMP 0000000076f204b0 .text C:\Windows\system32\svchost.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076dbcc20 5 bytes JMP 0000000076f204c0 .text C:\Windows\system32\svchost.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076dbcc50 5 bytes JMP 0000000076f202f0 .text C:\Windows\system32\svchost.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076dbcc60 5 bytes JMP 0000000076f20350 .text C:\Windows\system32\svchost.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076dbccc0 5 bytes JMP 0000000076f20290 .text C:\Windows\system32\svchost.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076dbcd10 5 bytes JMP 0000000076f202b0 .text C:\Windows\system32\svchost.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076dbcd40 5 bytes JMP 0000000076f20370 .text C:\Windows\system32\svchost.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076dbcd50 5 bytes JMP 0000000076f20330 .text C:\Windows\system32\svchost.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076dbd040 5 bytes JMP 0000000076f20460 .text C:\Windows\system32\svchost.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000076dbd1a0 5 bytes JMP 0000000076f20420 .text C:\Windows\system32\svchost.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076dbd240 5 bytes JMP 0000000076f20250 .text C:\Windows\system32\svchost.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076dbd250 5 bytes JMP 0000000076f20260 .text C:\Windows\system32\svchost.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076dbd260 5 bytes JMP 0000000076f20400 .text C:\Windows\system32\svchost.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076dbd420 5 bytes JMP 0000000076f201e0 .text C:\Windows\system32\svchost.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076dbd430 5 bytes JMP 0000000076f20200 .text C:\Windows\system32\svchost.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076dbd4a0 5 bytes JMP 0000000076f201f0 .text C:\Windows\system32\svchost.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076dbd500 5 bytes JMP 0000000076f20430 .text C:\Windows\system32\svchost.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076dbd510 5 bytes JMP 0000000076f20450 .text C:\Windows\system32\svchost.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076dbd520 5 bytes JMP 0000000076f20210 .text C:\Windows\system32\svchost.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076dbd600 5 bytes JMP 0000000076f20270 .text C:\Windows\system32\svchost.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076dbbde0 5 bytes JMP 0000000076f20480 .text C:\Windows\system32\svchost.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076dbbe30 5 bytes JMP 0000000076f20470 .text C:\Windows\system32\svchost.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076dbbf90 5 bytes JMP 0000000076f20360 .text C:\Windows\system32\svchost.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076dbbfe0 5 bytes JMP 0000000076f20490 .text C:\Windows\system32\svchost.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076dbbff0 5 bytes JMP 0000000076f203d0 .text C:\Windows\system32\svchost.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076dbc0a0 5 bytes JMP 0000000076f20310 .text C:\Windows\system32\svchost.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076dbc0d0 5 bytes JMP 0000000076f203a0 .text C:\Windows\system32\svchost.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076dbc0f0 1 byte JMP 0000000076f20380 .text C:\Windows\system32\svchost.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 0000000076dbc0f2 3 bytes {JMP 0x164290} .text C:\Windows\system32\svchost.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076dbc130 5 bytes JMP 0000000076f202d0 .text C:\Windows\system32\svchost.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076dbc1b0 5 bytes JMP 0000000076f202c0 .text C:\Windows\system32\svchost.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076dbc1d0 5 bytes JMP 0000000076f20300 .text C:\Windows\system32\svchost.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076dbc210 5 bytes JMP 0000000076f203b0 .text C:\Windows\system32\svchost.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076dbc250 5 bytes JMP 0000000076f20440 .text C:\Windows\system32\svchost.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076dbc260 5 bytes JMP 0000000076f203e0 .text C:\Windows\system32\svchost.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076dbc3c0 5 bytes JMP 0000000076f20220 .text C:\Windows\system32\svchost.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076dbc580 5 bytes JMP 0000000076f204a0 .text C:\Windows\system32\svchost.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076dbc5b0 5 bytes JMP 0000000076f20390 .text C:\Windows\system32\svchost.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076dbc690 5 bytes JMP 0000000076f202e0 .text C:\Windows\system32\svchost.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076dbc6a0 5 bytes JMP 0000000076f20340 .text C:\Windows\system32\svchost.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076dbc700 5 bytes JMP 0000000076f20280 .text C:\Windows\system32\svchost.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076dbc790 5 bytes JMP 0000000076f202a0 .text C:\Windows\system32\svchost.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076dbc7b0 5 bytes JMP 0000000076f203c0 .text C:\Windows\system32\svchost.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076dbc7c0 5 bytes JMP 0000000076f20320 .text C:\Windows\system32\svchost.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076dbc830 5 bytes JMP 0000000076f20410 .text C:\Windows\system32\svchost.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076dbc860 5 bytes JMP 0000000076f20230 .text C:\Windows\system32\svchost.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000076dbca00 5 bytes JMP 0000000076f203f0 .text C:\Windows\system32\svchost.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076dbcb20 5 bytes JMP 0000000076f201d0 .text C:\Windows\system32\svchost.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076dbcbe0 5 bytes JMP 0000000076f20240 .text C:\Windows\system32\svchost.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076dbcc10 5 bytes JMP 0000000076f204b0 .text C:\Windows\system32\svchost.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076dbcc20 5 bytes JMP 0000000076f204c0 .text C:\Windows\system32\svchost.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076dbcc50 5 bytes JMP 0000000076f202f0 .text C:\Windows\system32\svchost.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076dbcc60 5 bytes JMP 0000000076f20350 .text C:\Windows\system32\svchost.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076dbccc0 5 bytes JMP 0000000076f20290 .text C:\Windows\system32\svchost.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076dbcd10 5 bytes JMP 0000000076f202b0 .text C:\Windows\system32\svchost.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076dbcd40 5 bytes JMP 0000000076f20370 .text C:\Windows\system32\svchost.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076dbcd50 5 bytes JMP 0000000076f20330 .text C:\Windows\system32\svchost.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076dbd040 5 bytes JMP 0000000076f20460 .text C:\Windows\system32\svchost.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000076dbd1a0 5 bytes JMP 0000000076f20420 .text C:\Windows\system32\svchost.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076dbd240 5 bytes JMP 0000000076f20250 .text C:\Windows\system32\svchost.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076dbd250 5 bytes JMP 0000000076f20260 .text C:\Windows\system32\svchost.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076dbd260 5 bytes JMP 0000000076f20400 .text C:\Windows\system32\svchost.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076dbd420 5 bytes JMP 0000000076f201e0 .text C:\Windows\system32\svchost.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076dbd430 5 bytes JMP 0000000076f20200 .text C:\Windows\system32\svchost.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076dbd4a0 5 bytes JMP 0000000076f201f0 .text C:\Windows\system32\svchost.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076dbd500 5 bytes JMP 0000000076f20430 .text C:\Windows\system32\svchost.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076dbd510 5 bytes JMP 0000000076f20450 .text C:\Windows\system32\svchost.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076dbd520 5 bytes JMP 0000000076f20210 .text C:\Windows\system32\svchost.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076dbd600 5 bytes JMP 0000000076f20270 .text C:\Windows\system32\taskeng.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076dbbde0 5 bytes JMP 0000000076f20480 .text C:\Windows\system32\taskeng.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076dbbe30 5 bytes JMP 0000000076f20470 .text C:\Windows\system32\taskeng.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076dbbf90 5 bytes JMP 0000000076f20360 .text C:\Windows\system32\taskeng.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076dbbfe0 5 bytes JMP 0000000076f20490 .text C:\Windows\system32\taskeng.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076dbbff0 5 bytes JMP 0000000076f203d0 .text C:\Windows\system32\taskeng.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076dbc0a0 5 bytes JMP 0000000076f20310 .text C:\Windows\system32\taskeng.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076dbc0d0 5 bytes JMP 0000000076f203a0 .text C:\Windows\system32\taskeng.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076dbc0f0 1 byte JMP 0000000076f20380 .text C:\Windows\system32\taskeng.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 0000000076dbc0f2 3 bytes {JMP 0x164290} .text C:\Windows\system32\taskeng.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076dbc130 5 bytes JMP 0000000076f202d0 .text C:\Windows\system32\taskeng.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076dbc1b0 5 bytes JMP 0000000076f202c0 .text C:\Windows\system32\taskeng.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076dbc1d0 5 bytes JMP 0000000076f20300 .text C:\Windows\system32\taskeng.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076dbc210 5 bytes JMP 0000000076f203b0 .text C:\Windows\system32\taskeng.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076dbc250 5 bytes JMP 0000000076f20440 .text C:\Windows\system32\taskeng.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076dbc260 5 bytes JMP 0000000076f203e0 .text C:\Windows\system32\taskeng.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076dbc3c0 5 bytes JMP 0000000076f20220 .text C:\Windows\system32\taskeng.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076dbc580 5 bytes JMP 0000000076f204a0 .text C:\Windows\system32\taskeng.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076dbc5b0 5 bytes JMP 0000000076f20390 .text C:\Windows\system32\taskeng.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076dbc690 5 bytes JMP 0000000076f202e0 .text C:\Windows\system32\taskeng.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076dbc6a0 5 bytes JMP 0000000076f20340 .text C:\Windows\system32\taskeng.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076dbc700 5 bytes JMP 0000000076f20280 .text C:\Windows\system32\taskeng.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076dbc790 5 bytes JMP 0000000076f202a0 .text C:\Windows\system32\taskeng.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076dbc7b0 5 bytes JMP 0000000076f203c0 .text C:\Windows\system32\taskeng.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076dbc7c0 5 bytes JMP 0000000076f20320 .text C:\Windows\system32\taskeng.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076dbc830 5 bytes JMP 0000000076f20410 .text C:\Windows\system32\taskeng.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076dbc860 5 bytes JMP 0000000076f20230 .text C:\Windows\system32\taskeng.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000076dbca00 5 bytes JMP 0000000076f203f0 .text C:\Windows\system32\taskeng.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076dbcb20 5 bytes JMP 0000000076f201d0 .text C:\Windows\system32\taskeng.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076dbcbe0 5 bytes JMP 0000000076f20240 .text C:\Windows\system32\taskeng.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076dbcc10 5 bytes JMP 0000000076f204b0 .text C:\Windows\system32\taskeng.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076dbcc20 5 bytes JMP 0000000076f204c0 .text C:\Windows\system32\taskeng.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076dbcc50 5 bytes JMP 0000000076f202f0 .text C:\Windows\system32\taskeng.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076dbcc60 5 bytes JMP 0000000076f20350 .text C:\Windows\system32\taskeng.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076dbccc0 5 bytes JMP 0000000076f20290 .text C:\Windows\system32\taskeng.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076dbcd10 5 bytes JMP 0000000076f202b0 .text C:\Windows\system32\taskeng.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076dbcd40 5 bytes JMP 0000000076f20370 .text C:\Windows\system32\taskeng.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076dbcd50 5 bytes JMP 0000000076f20330 .text C:\Windows\system32\taskeng.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076dbd040 5 bytes JMP 0000000076f20460 .text C:\Windows\system32\taskeng.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000076dbd1a0 5 bytes JMP 0000000076f20420 .text C:\Windows\system32\taskeng.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076dbd240 5 bytes JMP 0000000076f20250 .text C:\Windows\system32\taskeng.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076dbd250 5 bytes JMP 0000000076f20260 .text C:\Windows\system32\taskeng.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076dbd260 5 bytes JMP 0000000076f20400 .text C:\Windows\system32\taskeng.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076dbd420 5 bytes JMP 0000000076f201e0 .text C:\Windows\system32\taskeng.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076dbd430 5 bytes JMP 0000000076f20200 .text C:\Windows\system32\taskeng.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076dbd4a0 5 bytes JMP 0000000076f201f0 .text C:\Windows\system32\taskeng.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076dbd500 5 bytes JMP 0000000076f20430 .text C:\Windows\system32\taskeng.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076dbd510 5 bytes JMP 0000000076f20450 .text C:\Windows\system32\taskeng.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076dbd520 5 bytes JMP 0000000076f20210 .text C:\Windows\system32\taskeng.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076dbd600 5 bytes JMP 0000000076f20270 .text C:\Windows\system32\taskhost.exe[1648] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076dbbde0 5 bytes JMP 0000000000060480 .text C:\Windows\system32\taskhost.exe[1648] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076dbbe30 5 bytes JMP 0000000000060470 .text C:\Windows\system32\taskhost.exe[1648] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076dbbf90 5 bytes JMP 0000000000060360 .text C:\Windows\system32\taskhost.exe[1648] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076dbbfe0 5 bytes JMP 0000000000060490 .text C:\Windows\system32\taskhost.exe[1648] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076dbbff0 5 bytes JMP 00000000000603d0 .text C:\Windows\system32\taskhost.exe[1648] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076dbc0a0 5 bytes JMP 0000000000060310 .text C:\Windows\system32\taskhost.exe[1648] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076dbc0d0 5 bytes JMP 00000000000603a0 .text C:\Windows\system32\taskhost.exe[1648] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076dbc0f0 1 byte JMP 0000000000060380 .text C:\Windows\system32\taskhost.exe[1648] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 0000000076dbc0f2 3 bytes {JMP 0xffffffff892a4290} .text C:\Windows\system32\taskhost.exe[1648] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076dbc130 5 bytes JMP 00000000000602d0 .text C:\Windows\system32\taskhost.exe[1648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076dbc1b0 5 bytes JMP 00000000000602c0 .text C:\Windows\system32\taskhost.exe[1648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076dbc1d0 5 bytes JMP 0000000000060300 .text C:\Windows\system32\taskhost.exe[1648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076dbc210 5 bytes JMP 00000000000603b0 .text C:\Windows\system32\taskhost.exe[1648] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076dbc250 5 bytes JMP 0000000000060440 .text C:\Windows\system32\taskhost.exe[1648] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076dbc260 5 bytes JMP 00000000000603e0 .text C:\Windows\system32\taskhost.exe[1648] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076dbc3c0 5 bytes JMP 0000000000060220 .text C:\Windows\system32\taskhost.exe[1648] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076dbc580 5 bytes JMP 00000000000604a0 .text C:\Windows\system32\taskhost.exe[1648] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076dbc5b0 5 bytes JMP 0000000000060390 .text C:\Windows\system32\taskhost.exe[1648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076dbc690 5 bytes JMP 00000000000602e0 .text C:\Windows\system32\taskhost.exe[1648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076dbc6a0 5 bytes JMP 0000000000060340 .text C:\Windows\system32\taskhost.exe[1648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076dbc700 5 bytes JMP 0000000000060280 .text C:\Windows\system32\taskhost.exe[1648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076dbc790 5 bytes JMP 00000000000602a0 .text C:\Windows\system32\taskhost.exe[1648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076dbc7b0 5 bytes JMP 00000000000603c0 .text C:\Windows\system32\taskhost.exe[1648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076dbc7c0 5 bytes JMP 0000000000060320 .text C:\Windows\system32\taskhost.exe[1648] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076dbc830 5 bytes JMP 0000000000060410 .text C:\Windows\system32\taskhost.exe[1648] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076dbc860 5 bytes JMP 0000000000060230 .text C:\Windows\system32\taskhost.exe[1648] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000076dbca00 5 bytes JMP 00000000000603f0 .text C:\Windows\system32\taskhost.exe[1648] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076dbcb20 5 bytes JMP 00000000000601d0 .text C:\Windows\system32\taskhost.exe[1648] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076dbcbe0 5 bytes JMP 0000000000060240 .text C:\Windows\system32\taskhost.exe[1648] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076dbcc10 5 bytes JMP 00000000000604b0 .text C:\Windows\system32\taskhost.exe[1648] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076dbcc20 5 bytes JMP 00000000000604c0 .text C:\Windows\system32\taskhost.exe[1648] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076dbcc50 5 bytes JMP 00000000000602f0 .text C:\Windows\system32\taskhost.exe[1648] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076dbcc60 5 bytes JMP 0000000000060350 .text C:\Windows\system32\taskhost.exe[1648] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076dbccc0 5 bytes JMP 0000000000060290 .text C:\Windows\system32\taskhost.exe[1648] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076dbcd10 5 bytes JMP 00000000000602b0 .text C:\Windows\system32\taskhost.exe[1648] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076dbcd40 5 bytes JMP 0000000000060370 .text C:\Windows\system32\taskhost.exe[1648] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076dbcd50 5 bytes JMP 0000000000060330 .text C:\Windows\system32\taskhost.exe[1648] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076dbd040 5 bytes JMP 0000000000060460 .text C:\Windows\system32\taskhost.exe[1648] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000076dbd1a0 5 bytes JMP 0000000000060420 .text C:\Windows\system32\taskhost.exe[1648] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076dbd240 5 bytes JMP 0000000000060250 .text C:\Windows\system32\taskhost.exe[1648] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076dbd250 5 bytes JMP 0000000000060260 .text C:\Windows\system32\taskhost.exe[1648] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076dbd260 5 bytes JMP 0000000000060400 .text C:\Windows\system32\taskhost.exe[1648] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076dbd420 5 bytes JMP 00000000000601e0 .text C:\Windows\system32\taskhost.exe[1648] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076dbd430 5 bytes JMP 0000000000060200 .text C:\Windows\system32\taskhost.exe[1648] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076dbd4a0 5 bytes JMP 00000000000601f0 .text C:\Windows\system32\taskhost.exe[1648] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076dbd500 5 bytes JMP 0000000000060430 .text C:\Windows\system32\taskhost.exe[1648] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076dbd510 5 bytes JMP 0000000000060450 .text C:\Windows\system32\taskhost.exe[1648] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076dbd520 5 bytes JMP 0000000000060210 .text C:\Windows\system32\taskhost.exe[1648] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076dbd600 5 bytes JMP 0000000000060270 .text C:\Windows\system32\svchost.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076dbbde0 5 bytes JMP 0000000076f20480 .text C:\Windows\system32\svchost.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076dbbe30 5 bytes JMP 0000000076f20470 .text C:\Windows\system32\svchost.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076dbbf90 5 bytes JMP 0000000076f20360 .text C:\Windows\system32\svchost.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076dbbfe0 5 bytes JMP 0000000076f20490 .text C:\Windows\system32\svchost.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076dbbff0 5 bytes JMP 0000000076f203d0 .text C:\Windows\system32\svchost.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076dbc0a0 5 bytes JMP 0000000076f20310 .text C:\Windows\system32\svchost.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076dbc0d0 5 bytes JMP 0000000076f203a0 .text C:\Windows\system32\svchost.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076dbc0f0 1 byte JMP 0000000076f20380 .text C:\Windows\system32\svchost.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 0000000076dbc0f2 3 bytes {JMP 0x164290} .text C:\Windows\system32\svchost.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076dbc130 5 bytes JMP 0000000076f202d0 .text C:\Windows\system32\svchost.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076dbc1b0 5 bytes JMP 0000000076f202c0 .text C:\Windows\system32\svchost.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076dbc1d0 5 bytes JMP 0000000076f20300 .text C:\Windows\system32\svchost.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076dbc210 5 bytes JMP 0000000076f203b0 .text C:\Windows\system32\svchost.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076dbc250 5 bytes JMP 0000000076f20440 .text C:\Windows\system32\svchost.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076dbc260 5 bytes JMP 0000000076f203e0 .text C:\Windows\system32\svchost.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076dbc3c0 5 bytes JMP 0000000076f20220 .text C:\Windows\system32\svchost.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076dbc580 5 bytes JMP 0000000076f204a0 .text C:\Windows\system32\svchost.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076dbc5b0 5 bytes JMP 0000000076f20390 .text C:\Windows\system32\svchost.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076dbc690 5 bytes JMP 0000000076f202e0 .text C:\Windows\system32\svchost.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076dbc6a0 5 bytes JMP 0000000076f20340 .text C:\Windows\system32\svchost.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076dbc700 5 bytes JMP 0000000076f20280 .text C:\Windows\system32\svchost.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076dbc790 5 bytes JMP 0000000076f202a0 .text C:\Windows\system32\svchost.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076dbc7b0 5 bytes JMP 0000000076f203c0 .text C:\Windows\system32\svchost.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076dbc7c0 5 bytes JMP 0000000076f20320 .text C:\Windows\system32\svchost.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076dbc830 5 bytes JMP 0000000076f20410 .text C:\Windows\system32\svchost.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076dbc860 5 bytes JMP 0000000076f20230 .text C:\Windows\system32\svchost.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000076dbca00 5 bytes JMP 0000000076f203f0 .text C:\Windows\system32\svchost.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076dbcb20 5 bytes JMP 0000000076f201d0 .text C:\Windows\system32\svchost.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076dbcbe0 5 bytes JMP 0000000076f20240 .text C:\Windows\system32\svchost.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076dbcc10 5 bytes JMP 0000000076f204b0 .text C:\Windows\system32\svchost.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076dbcc20 5 bytes JMP 0000000076f204c0 .text C:\Windows\system32\svchost.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076dbcc50 5 bytes JMP 0000000076f202f0 .text C:\Windows\system32\svchost.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076dbcc60 5 bytes JMP 0000000076f20350 .text C:\Windows\system32\svchost.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076dbccc0 5 bytes JMP 0000000076f20290 .text C:\Windows\system32\svchost.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076dbcd10 5 bytes JMP 0000000076f202b0 .text C:\Windows\system32\svchost.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076dbcd40 5 bytes JMP 0000000076f20370 .text C:\Windows\system32\svchost.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076dbcd50 5 bytes JMP 0000000076f20330 .text C:\Windows\system32\svchost.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076dbd040 5 bytes JMP 0000000076f20460 .text C:\Windows\system32\svchost.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000076dbd1a0 5 bytes JMP 0000000076f20420 .text C:\Windows\system32\svchost.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076dbd240 5 bytes JMP 0000000076f20250 .text C:\Windows\system32\svchost.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076dbd250 5 bytes JMP 0000000076f20260 .text C:\Windows\system32\svchost.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076dbd260 5 bytes JMP 0000000076f20400 .text C:\Windows\system32\svchost.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076dbd420 5 bytes JMP 0000000076f201e0 .text C:\Windows\system32\svchost.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076dbd430 5 bytes JMP 0000000076f20200 .text C:\Windows\system32\svchost.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076dbd4a0 5 bytes JMP 0000000076f201f0 .text C:\Windows\system32\svchost.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076dbd500 5 bytes JMP 0000000076f20430 .text C:\Windows\system32\svchost.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076dbd510 5 bytes JMP 0000000076f20450 .text C:\Windows\system32\svchost.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076dbd520 5 bytes JMP 0000000076f20210 .text C:\Windows\system32\svchost.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076dbd600 5 bytes JMP 0000000076f20270 .text C:\Windows\system32\Dwm.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076dbbde0 5 bytes JMP 0000000076f20480 .text C:\Windows\system32\Dwm.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076dbbe30 5 bytes JMP 0000000076f20470 .text C:\Windows\system32\Dwm.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076dbbf90 5 bytes JMP 0000000076f20360 .text C:\Windows\system32\Dwm.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076dbbfe0 5 bytes JMP 0000000076f20490 .text C:\Windows\system32\Dwm.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076dbbff0 5 bytes JMP 0000000076f203d0 .text C:\Windows\system32\Dwm.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076dbc0a0 5 bytes JMP 0000000076f20310 .text C:\Windows\system32\Dwm.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076dbc0d0 5 bytes JMP 0000000076f203a0 .text C:\Windows\system32\Dwm.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076dbc0f0 1 byte JMP 0000000076f20380 .text C:\Windows\system32\Dwm.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 0000000076dbc0f2 3 bytes {JMP 0x164290} .text C:\Windows\system32\Dwm.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076dbc130 5 bytes JMP 0000000076f202d0 .text C:\Windows\system32\Dwm.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076dbc1b0 5 bytes JMP 0000000076f202c0 .text C:\Windows\system32\Dwm.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076dbc1d0 5 bytes JMP 0000000076f20300 .text C:\Windows\system32\Dwm.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076dbc210 5 bytes JMP 0000000076f203b0 .text C:\Windows\system32\Dwm.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076dbc250 5 bytes JMP 0000000076f20440 .text C:\Windows\system32\Dwm.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076dbc260 5 bytes JMP 0000000076f203e0 .text C:\Windows\system32\Dwm.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076dbc3c0 5 bytes JMP 0000000076f20220 .text C:\Windows\system32\Dwm.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076dbc580 5 bytes JMP 0000000076f204a0 .text C:\Windows\system32\Dwm.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076dbc5b0 5 bytes JMP 0000000076f20390 .text C:\Windows\system32\Dwm.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076dbc690 5 bytes JMP 0000000076f202e0 .text C:\Windows\system32\Dwm.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076dbc6a0 5 bytes JMP 0000000076f20340 .text C:\Windows\system32\Dwm.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076dbc700 5 bytes JMP 0000000076f20280 .text C:\Windows\system32\Dwm.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076dbc790 5 bytes JMP 0000000076f202a0 .text C:\Windows\system32\Dwm.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076dbc7b0 5 bytes JMP 0000000076f203c0 .text C:\Windows\system32\Dwm.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076dbc7c0 5 bytes JMP 0000000076f20320 .text C:\Windows\system32\Dwm.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076dbc830 5 bytes JMP 0000000076f20410 .text C:\Windows\system32\Dwm.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076dbc860 5 bytes JMP 0000000076f20230 .text C:\Windows\system32\Dwm.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000076dbca00 5 bytes JMP 0000000076f203f0 .text C:\Windows\system32\Dwm.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076dbcb20 5 bytes JMP 0000000076f201d0 .text C:\Windows\system32\Dwm.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076dbcbe0 5 bytes JMP 0000000076f20240 .text C:\Windows\system32\Dwm.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076dbcc10 5 bytes JMP 0000000076f204b0 .text C:\Windows\system32\Dwm.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076dbcc20 5 bytes JMP 0000000076f204c0 .text C:\Windows\system32\Dwm.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076dbcc50 5 bytes JMP 0000000076f202f0 .text C:\Windows\system32\Dwm.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076dbcc60 5 bytes JMP 0000000076f20350 .text C:\Windows\system32\Dwm.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076dbccc0 5 bytes JMP 0000000076f20290 .text C:\Windows\system32\Dwm.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076dbcd10 5 bytes JMP 0000000076f202b0 .text C:\Windows\system32\Dwm.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076dbcd40 5 bytes JMP 0000000076f20370 .text C:\Windows\system32\Dwm.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076dbcd50 5 bytes JMP 0000000076f20330 .text C:\Windows\system32\Dwm.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076dbd040 5 bytes JMP 0000000076f20460 .text C:\Windows\system32\Dwm.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000076dbd1a0 5 bytes JMP 0000000076f20420 .text C:\Windows\system32\Dwm.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076dbd240 5 bytes JMP 0000000076f20250 .text C:\Windows\system32\Dwm.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076dbd250 5 bytes JMP 0000000076f20260 .text C:\Windows\system32\Dwm.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076dbd260 5 bytes JMP 0000000076f20400 .text C:\Windows\system32\Dwm.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076dbd420 5 bytes JMP 0000000076f201e0 .text C:\Windows\system32\Dwm.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076dbd430 5 bytes JMP 0000000076f20200 .text C:\Windows\system32\Dwm.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076dbd4a0 5 bytes JMP 0000000076f201f0 .text C:\Windows\system32\Dwm.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076dbd500 5 bytes JMP 0000000076f20430 .text C:\Windows\system32\Dwm.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076dbd510 5 bytes JMP 0000000076f20450 .text C:\Windows\system32\Dwm.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076dbd520 5 bytes JMP 0000000076f20210 .text C:\Windows\system32\Dwm.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076dbd600 5 bytes JMP 0000000076f20270 .text C:\Windows\Explorer.EXE[1836] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076dbbde0 5 bytes JMP 0000000076f20480 .text C:\Windows\Explorer.EXE[1836] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076dbbe30 5 bytes JMP 0000000076f20470 .text C:\Windows\Explorer.EXE[1836] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076dbbf90 5 bytes JMP 0000000076f20360 .text C:\Windows\Explorer.EXE[1836] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076dbbfe0 5 bytes JMP 0000000076f20490 .text C:\Windows\Explorer.EXE[1836] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076dbbff0 5 bytes JMP 0000000076f203d0 .text C:\Windows\Explorer.EXE[1836] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076dbc0a0 5 bytes JMP 0000000076f20310 .text C:\Windows\Explorer.EXE[1836] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076dbc0d0 5 bytes JMP 0000000076f203a0 .text C:\Windows\Explorer.EXE[1836] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076dbc0f0 1 byte JMP 0000000076f20380 .text C:\Windows\Explorer.EXE[1836] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 0000000076dbc0f2 3 bytes {JMP 0x164290} .text C:\Windows\Explorer.EXE[1836] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076dbc130 5 bytes JMP 0000000076f202d0 .text C:\Windows\Explorer.EXE[1836] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076dbc1b0 5 bytes JMP 0000000076f202c0 .text C:\Windows\Explorer.EXE[1836] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076dbc1d0 5 bytes JMP 0000000076f20300 .text C:\Windows\Explorer.EXE[1836] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076dbc210 5 bytes JMP 0000000076f203b0 .text C:\Windows\Explorer.EXE[1836] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076dbc250 5 bytes JMP 0000000076f20440 .text C:\Windows\Explorer.EXE[1836] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076dbc260 5 bytes JMP 0000000076f203e0 .text C:\Windows\Explorer.EXE[1836] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076dbc3c0 5 bytes JMP 0000000076f20220 .text C:\Windows\Explorer.EXE[1836] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076dbc580 5 bytes JMP 0000000076f204a0 .text C:\Windows\Explorer.EXE[1836] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076dbc5b0 5 bytes JMP 0000000076f20390 .text C:\Windows\Explorer.EXE[1836] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076dbc690 5 bytes JMP 0000000076f202e0 .text C:\Windows\Explorer.EXE[1836] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076dbc6a0 5 bytes JMP 0000000076f20340 .text C:\Windows\Explorer.EXE[1836] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076dbc700 5 bytes JMP 0000000076f20280 .text C:\Windows\Explorer.EXE[1836] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076dbc790 5 bytes JMP 0000000076f202a0 .text C:\Windows\Explorer.EXE[1836] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076dbc7b0 5 bytes JMP 0000000076f203c0 .text C:\Windows\Explorer.EXE[1836] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076dbc7c0 5 bytes JMP 0000000076f20320 .text C:\Windows\Explorer.EXE[1836] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076dbc830 5 bytes JMP 0000000076f20410 .text C:\Windows\Explorer.EXE[1836] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076dbc860 5 bytes JMP 0000000076f20230 .text C:\Windows\Explorer.EXE[1836] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000076dbca00 5 bytes JMP 0000000076f203f0 .text C:\Windows\Explorer.EXE[1836] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076dbcb20 5 bytes JMP 0000000076f201d0 .text C:\Windows\Explorer.EXE[1836] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076dbcbe0 5 bytes JMP 0000000076f20240 .text C:\Windows\Explorer.EXE[1836] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076dbcc10 5 bytes JMP 0000000076f204b0 .text C:\Windows\Explorer.EXE[1836] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076dbcc20 5 bytes JMP 0000000076f204c0 .text C:\Windows\Explorer.EXE[1836] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076dbcc50 5 bytes JMP 0000000076f202f0 .text C:\Windows\Explorer.EXE[1836] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076dbcc60 5 bytes JMP 0000000076f20350 .text C:\Windows\Explorer.EXE[1836] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076dbccc0 5 bytes JMP 0000000076f20290 .text C:\Windows\Explorer.EXE[1836] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076dbcd10 5 bytes JMP 0000000076f202b0 .text C:\Windows\Explorer.EXE[1836] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076dbcd40 5 bytes JMP 0000000076f20370 .text C:\Windows\Explorer.EXE[1836] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076dbcd50 5 bytes JMP 0000000076f20330 .text C:\Windows\Explorer.EXE[1836] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076dbd040 5 bytes JMP 0000000076f20460 .text C:\Windows\Explorer.EXE[1836] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000076dbd1a0 5 bytes JMP 0000000076f20420 .text C:\Windows\Explorer.EXE[1836] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076dbd240 5 bytes JMP 0000000076f20250 .text C:\Windows\Explorer.EXE[1836] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076dbd250 5 bytes JMP 0000000076f20260 .text C:\Windows\Explorer.EXE[1836] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076dbd260 5 bytes JMP 0000000076f20400 .text C:\Windows\Explorer.EXE[1836] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076dbd420 5 bytes JMP 0000000076f201e0 .text C:\Windows\Explorer.EXE[1836] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076dbd430 5 bytes JMP 0000000076f20200 .text C:\Windows\Explorer.EXE[1836] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076dbd4a0 5 bytes JMP 0000000076f201f0 .text C:\Windows\Explorer.EXE[1836] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076dbd500 5 bytes JMP 0000000076f20430 .text C:\Windows\Explorer.EXE[1836] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076dbd510 5 bytes JMP 0000000076f20450 .text C:\Windows\Explorer.EXE[1836] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076dbd520 5 bytes JMP 0000000076f20210 .text C:\Windows\Explorer.EXE[1836] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076dbd600 5 bytes JMP 0000000076f20270 .text C:\Windows\System32\svchost.exe[2012] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076dbbde0 5 bytes JMP 0000000000070480 .text C:\Windows\System32\svchost.exe[2012] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076dbbe30 5 bytes JMP 0000000000070470 .text C:\Windows\System32\svchost.exe[2012] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076dbbf90 5 bytes JMP 0000000000070360 .text C:\Windows\System32\svchost.exe[2012] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076dbbfe0 5 bytes JMP 0000000000070490 .text C:\Windows\System32\svchost.exe[2012] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076dbbff0 5 bytes JMP 00000000000703d0 .text C:\Windows\System32\svchost.exe[2012] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076dbc0a0 5 bytes JMP 0000000000070310 .text C:\Windows\System32\svchost.exe[2012] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076dbc0d0 5 bytes JMP 00000000000703a0 .text C:\Windows\System32\svchost.exe[2012] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076dbc0f0 1 byte JMP 0000000000070380 .text C:\Windows\System32\svchost.exe[2012] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 0000000076dbc0f2 3 bytes {JMP 0xffffffff892b4290} .text C:\Windows\System32\svchost.exe[2012] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076dbc130 5 bytes JMP 00000000000702d0 .text C:\Windows\System32\svchost.exe[2012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076dbc1b0 5 bytes JMP 00000000000702c0 .text C:\Windows\System32\svchost.exe[2012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076dbc1d0 5 bytes JMP 0000000000070300 .text C:\Windows\System32\svchost.exe[2012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076dbc210 5 bytes JMP 00000000000703b0 .text C:\Windows\System32\svchost.exe[2012] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076dbc250 5 bytes JMP 0000000000070440 .text C:\Windows\System32\svchost.exe[2012] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076dbc260 5 bytes JMP 00000000000703e0 .text C:\Windows\System32\svchost.exe[2012] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076dbc3c0 5 bytes JMP 0000000000070220 .text C:\Windows\System32\svchost.exe[2012] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076dbc580 5 bytes JMP 00000000000704a0 .text C:\Windows\System32\svchost.exe[2012] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076dbc5b0 5 bytes JMP 0000000000070390 .text C:\Windows\System32\svchost.exe[2012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076dbc690 5 bytes JMP 00000000000702e0 .text C:\Windows\System32\svchost.exe[2012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076dbc6a0 5 bytes JMP 0000000000070340 .text C:\Windows\System32\svchost.exe[2012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076dbc700 5 bytes JMP 0000000000070280 .text C:\Windows\System32\svchost.exe[2012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076dbc790 5 bytes JMP 00000000000702a0 .text C:\Windows\System32\svchost.exe[2012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076dbc7b0 5 bytes JMP 00000000000703c0 .text C:\Windows\System32\svchost.exe[2012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076dbc7c0 5 bytes JMP 0000000000070320 .text C:\Windows\System32\svchost.exe[2012] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076dbc830 5 bytes JMP 0000000000070410 .text C:\Windows\System32\svchost.exe[2012] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076dbc860 5 bytes JMP 0000000000070230 .text C:\Windows\System32\svchost.exe[2012] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000076dbca00 5 bytes JMP 00000000000703f0 .text C:\Windows\System32\svchost.exe[2012] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076dbcb20 5 bytes JMP 00000000000701d0 .text C:\Windows\System32\svchost.exe[2012] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076dbcbe0 5 bytes JMP 0000000000070240 .text C:\Windows\System32\svchost.exe[2012] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076dbcc10 5 bytes JMP 00000000000704b0 .text C:\Windows\System32\svchost.exe[2012] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076dbcc20 5 bytes JMP 00000000000704c0 .text C:\Windows\System32\svchost.exe[2012] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076dbcc50 5 bytes JMP 00000000000702f0 .text C:\Windows\System32\svchost.exe[2012] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076dbcc60 5 bytes JMP 0000000000070350 .text C:\Windows\System32\svchost.exe[2012] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076dbccc0 5 bytes JMP 0000000000070290 .text C:\Windows\System32\svchost.exe[2012] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076dbcd10 5 bytes JMP 00000000000702b0 .text C:\Windows\System32\svchost.exe[2012] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076dbcd40 5 bytes JMP 0000000000070370 .text C:\Windows\System32\svchost.exe[2012] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076dbcd50 5 bytes JMP 0000000000070330 .text C:\Windows\System32\svchost.exe[2012] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076dbd040 5 bytes JMP 0000000000070460 .text C:\Windows\System32\svchost.exe[2012] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000076dbd1a0 5 bytes JMP 0000000000070420 .text C:\Windows\System32\svchost.exe[2012] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076dbd240 5 bytes JMP 0000000000070250 .text C:\Windows\System32\svchost.exe[2012] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076dbd250 5 bytes JMP 0000000000070260 .text C:\Windows\System32\svchost.exe[2012] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076dbd260 5 bytes JMP 0000000000070400 .text C:\Windows\System32\svchost.exe[2012] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076dbd420 5 bytes JMP 00000000000701e0 .text C:\Windows\System32\svchost.exe[2012] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076dbd430 5 bytes JMP 0000000000070200 .text C:\Windows\System32\svchost.exe[2012] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076dbd4a0 5 bytes JMP 00000000000701f0 .text C:\Windows\System32\svchost.exe[2012] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076dbd500 5 bytes JMP 0000000000070430 .text C:\Windows\System32\svchost.exe[2012] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076dbd510 5 bytes JMP 0000000000070450 .text C:\Windows\System32\svchost.exe[2012] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076dbd520 5 bytes JMP 0000000000070210 .text C:\Windows\System32\svchost.exe[2012] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076dbd600 5 bytes JMP 0000000000070270 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076dbbde0 5 bytes JMP 0000000000070480 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076dbbe30 5 bytes JMP 0000000000070470 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076dbbf90 5 bytes JMP 0000000000070360 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076dbbfe0 5 bytes JMP 0000000000070490 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076dbbff0 5 bytes JMP 00000000000703d0 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076dbc0a0 5 bytes JMP 0000000000070310 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076dbc0d0 5 bytes JMP 00000000000703a0 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076dbc0f0 1 byte JMP 0000000000070380 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 0000000076dbc0f2 3 bytes {JMP 0xffffffff892b4290} .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076dbc130 5 bytes JMP 00000000000702d0 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076dbc1b0 5 bytes JMP 00000000000702c0 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076dbc1d0 5 bytes JMP 0000000000070300 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076dbc210 5 bytes JMP 00000000000703b0 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076dbc250 5 bytes JMP 0000000000070440 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076dbc260 5 bytes JMP 00000000000703e0 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076dbc3c0 5 bytes JMP 0000000000070220 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076dbc580 5 bytes JMP 00000000000704a0 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076dbc5b0 5 bytes JMP 0000000000070390 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076dbc690 5 bytes JMP 00000000000702e0 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076dbc6a0 5 bytes JMP 0000000000070340 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076dbc700 5 bytes JMP 0000000000070280 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076dbc790 5 bytes JMP 00000000000702a0 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076dbc7b0 5 bytes JMP 00000000000703c0 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076dbc7c0 5 bytes JMP 0000000000070320 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076dbc830 5 bytes JMP 0000000000070410 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076dbc860 5 bytes JMP 0000000000070230 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000076dbca00 5 bytes JMP 00000000000703f0 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076dbcb20 5 bytes JMP 00000000000701d0 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076dbcbe0 5 bytes JMP 0000000000070240 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076dbcc10 5 bytes JMP 00000000000704b0 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076dbcc20 5 bytes JMP 00000000000704c0 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076dbcc50 5 bytes JMP 00000000000702f0 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076dbcc60 5 bytes JMP 0000000000070350 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076dbccc0 5 bytes JMP 0000000000070290 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076dbcd10 5 bytes JMP 00000000000702b0 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076dbcd40 5 bytes JMP 0000000000070370 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076dbcd50 5 bytes JMP 0000000000070330 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076dbd040 5 bytes JMP 0000000000070460 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000076dbd1a0 5 bytes JMP 0000000000070420 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076dbd240 5 bytes JMP 0000000000070250 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076dbd250 5 bytes JMP 0000000000070260 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076dbd260 5 bytes JMP 0000000000070400 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076dbd420 5 bytes JMP 00000000000701e0 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076dbd430 5 bytes JMP 0000000000070200 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076dbd4a0 5 bytes JMP 00000000000701f0 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076dbd500 5 bytes JMP 0000000000070430 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076dbd510 5 bytes JMP 0000000000070450 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076dbd520 5 bytes JMP 0000000000070210 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076dbd600 5 bytes JMP 0000000000070270 .text C:\Windows\system32\taskeng.exe[1676] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076dbbde0 5 bytes JMP 0000000076f20480 .text C:\Windows\system32\taskeng.exe[1676] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076dbbe30 5 bytes JMP 0000000076f20470 .text C:\Windows\system32\taskeng.exe[1676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076dbbf90 5 bytes JMP 0000000076f20360 .text C:\Windows\system32\taskeng.exe[1676] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076dbbfe0 5 bytes JMP 0000000076f20490 .text C:\Windows\system32\taskeng.exe[1676] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076dbbff0 5 bytes JMP 0000000076f203d0 .text C:\Windows\system32\taskeng.exe[1676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076dbc0a0 5 bytes JMP 0000000076f20310 .text C:\Windows\system32\taskeng.exe[1676] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076dbc0d0 5 bytes JMP 0000000076f203a0 .text C:\Windows\system32\taskeng.exe[1676] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076dbc0f0 1 byte JMP 0000000076f20380 .text C:\Windows\system32\taskeng.exe[1676] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 0000000076dbc0f2 3 bytes {JMP 0x164290} .text C:\Windows\system32\taskeng.exe[1676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076dbc130 5 bytes JMP 0000000076f202d0 .text C:\Windows\system32\taskeng.exe[1676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076dbc1b0 5 bytes JMP 0000000076f202c0 .text C:\Windows\system32\taskeng.exe[1676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076dbc1d0 5 bytes JMP 0000000076f20300 .text C:\Windows\system32\taskeng.exe[1676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076dbc210 5 bytes JMP 0000000076f203b0 .text C:\Windows\system32\taskeng.exe[1676] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076dbc250 5 bytes JMP 0000000076f20440 .text C:\Windows\system32\taskeng.exe[1676] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076dbc260 5 bytes JMP 0000000076f203e0 .text C:\Windows\system32\taskeng.exe[1676] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076dbc3c0 5 bytes JMP 0000000076f20220 .text C:\Windows\system32\taskeng.exe[1676] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076dbc580 5 bytes JMP 0000000076f204a0 .text C:\Windows\system32\taskeng.exe[1676] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076dbc5b0 5 bytes JMP 0000000076f20390 .text C:\Windows\system32\taskeng.exe[1676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076dbc690 5 bytes JMP 0000000076f202e0 .text C:\Windows\system32\taskeng.exe[1676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076dbc6a0 5 bytes JMP 0000000076f20340 .text C:\Windows\system32\taskeng.exe[1676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076dbc700 5 bytes JMP 0000000076f20280 .text C:\Windows\system32\taskeng.exe[1676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076dbc790 5 bytes JMP 0000000076f202a0 .text C:\Windows\system32\taskeng.exe[1676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076dbc7b0 5 bytes JMP 0000000076f203c0 .text C:\Windows\system32\taskeng.exe[1676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076dbc7c0 5 bytes JMP 0000000076f20320 .text C:\Windows\system32\taskeng.exe[1676] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076dbc830 5 bytes JMP 0000000076f20410 .text C:\Windows\system32\taskeng.exe[1676] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076dbc860 5 bytes JMP 0000000076f20230 .text C:\Windows\system32\taskeng.exe[1676] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000076dbca00 5 bytes JMP 0000000076f203f0 .text C:\Windows\system32\taskeng.exe[1676] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076dbcb20 5 bytes JMP 0000000076f201d0 .text C:\Windows\system32\taskeng.exe[1676] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076dbcbe0 5 bytes JMP 0000000076f20240 .text C:\Windows\system32\taskeng.exe[1676] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076dbcc10 5 bytes JMP 0000000076f204b0 .text C:\Windows\system32\taskeng.exe[1676] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076dbcc20 5 bytes JMP 0000000076f204c0 .text C:\Windows\system32\taskeng.exe[1676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076dbcc50 5 bytes JMP 0000000076f202f0 .text C:\Windows\system32\taskeng.exe[1676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076dbcc60 5 bytes JMP 0000000076f20350 .text C:\Windows\system32\taskeng.exe[1676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076dbccc0 5 bytes JMP 0000000076f20290 .text C:\Windows\system32\taskeng.exe[1676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076dbcd10 5 bytes JMP 0000000076f202b0 .text C:\Windows\system32\taskeng.exe[1676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076dbcd40 5 bytes JMP 0000000076f20370 .text C:\Windows\system32\taskeng.exe[1676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076dbcd50 5 bytes JMP 0000000076f20330 .text C:\Windows\system32\taskeng.exe[1676] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076dbd040 5 bytes JMP 0000000076f20460 .text C:\Windows\system32\taskeng.exe[1676] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000076dbd1a0 5 bytes JMP 0000000076f20420 .text C:\Windows\system32\taskeng.exe[1676] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076dbd240 5 bytes JMP 0000000076f20250 .text C:\Windows\system32\taskeng.exe[1676] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076dbd250 5 bytes JMP 0000000076f20260 .text C:\Windows\system32\taskeng.exe[1676] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076dbd260 5 bytes JMP 0000000076f20400 .text C:\Windows\system32\taskeng.exe[1676] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076dbd420 5 bytes JMP 0000000076f201e0 .text C:\Windows\system32\taskeng.exe[1676] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076dbd430 5 bytes JMP 0000000076f20200 .text C:\Windows\system32\taskeng.exe[1676] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076dbd4a0 5 bytes JMP 0000000076f201f0 .text C:\Windows\system32\taskeng.exe[1676] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076dbd500 5 bytes JMP 0000000076f20430 .text C:\Windows\system32\taskeng.exe[1676] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076dbd510 5 bytes JMP 0000000076f20450 .text C:\Windows\system32\taskeng.exe[1676] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076dbd520 5 bytes JMP 0000000076f20210 .text C:\Windows\system32\taskeng.exe[1676] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076dbd600 5 bytes JMP 0000000076f20270 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[2500] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 00000000767c1401 2 bytes JMP 7515b233 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[2500] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 00000000767c1419 2 bytes JMP 7515b35e C:\Windows\syswow64\kernel32.dll .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[2500] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 00000000767c1431 2 bytes JMP 751d9149 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[2500] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 00000000767c144a 2 bytes CALL 75134885 C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[2500] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000767c14dd 2 bytes JMP 751d8a42 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[2500] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000767c14f5 2 bytes JMP 751d8c18 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[2500] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 00000000767c150d 2 bytes JMP 751d8938 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[2500] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 00000000767c1525 2 bytes JMP 751d8d02 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[2500] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 00000000767c153d 2 bytes JMP 7514fcc0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[2500] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 00000000767c1555 2 bytes JMP 75156907 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[2500] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 00000000767c156d 2 bytes JMP 751d9201 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[2500] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 00000000767c1585 2 bytes JMP 751d8d62 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[2500] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 00000000767c159d 2 bytes JMP 751d88fc C:\Windows\syswow64\kernel32.dll .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[2500] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000767c15b5 2 bytes JMP 7514fd59 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[2500] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000767c15cd 2 bytes JMP 7515b2f4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[2500] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000767c16b2 2 bytes JMP 751d90c4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[2500] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000767c16bd 2 bytes JMP 751d8891 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\NvContainer\nvcontainer.exe[2096] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 00000000748b2bdc 5 bytes JMP 000000006ae87d1d .text C:\Program Files (x86)\NVIDIA Corporation\NvContainer\nvcontainer.exe[2096] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 00000000748b2e7e 5 bytes JMP 000000006ae87d87 .text C:\Program Files (x86)\NVIDIA Corporation\NvContainer\nvcontainer.exe[2096] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 00000000767c1401 2 bytes JMP 7515b233 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\NvContainer\nvcontainer.exe[2096] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 00000000767c1419 2 bytes JMP 7515b35e C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\NvContainer\nvcontainer.exe[2096] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 00000000767c1431 2 bytes JMP 751d9149 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\NvContainer\nvcontainer.exe[2096] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 00000000767c144a 2 bytes CALL 75134885 C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\NVIDIA Corporation\NvContainer\nvcontainer.exe[2096] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000767c14dd 2 bytes JMP 751d8a42 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\NvContainer\nvcontainer.exe[2096] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000767c14f5 2 bytes JMP 751d8c18 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\NvContainer\nvcontainer.exe[2096] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 00000000767c150d 2 bytes JMP 751d8938 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\NvContainer\nvcontainer.exe[2096] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 00000000767c1525 2 bytes JMP 751d8d02 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\NvContainer\nvcontainer.exe[2096] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 00000000767c153d 2 bytes JMP 7514fcc0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\NvContainer\nvcontainer.exe[2096] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 00000000767c1555 2 bytes JMP 75156907 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\NvContainer\nvcontainer.exe[2096] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 00000000767c156d 2 bytes JMP 751d9201 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\NvContainer\nvcontainer.exe[2096] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 00000000767c1585 2 bytes JMP 751d8d62 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\NvContainer\nvcontainer.exe[2096] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 00000000767c159d 2 bytes JMP 751d88fc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\NvContainer\nvcontainer.exe[2096] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000767c15b5 2 bytes JMP 7514fd59 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\NvContainer\nvcontainer.exe[2096] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000767c15cd 2 bytes JMP 7515b2f4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\NvContainer\nvcontainer.exe[2096] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000767c16b2 2 bytes JMP 751d90c4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\NvContainer\nvcontainer.exe[2096] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000767c16bd 2 bytes JMP 751d8891 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[3640] C:\Windows\SysWOW64\WSOCK32.dll!recv + 82 00000000747317fa 2 bytes CALL 751311a9 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[3640] C:\Windows\SysWOW64\WSOCK32.dll!recvfrom + 88 0000000074731860 2 bytes CALL 751311a9 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[3640] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 98 0000000074731942 2 bytes JMP 75396da1 C:\Windows\syswow64\WS2_32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[3640] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 109 000000007473194d 2 bytes JMP 7539e8de C:\Windows\syswow64\WS2_32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[3640] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 00000000767c1401 2 bytes JMP 7515b233 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[3640] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 00000000767c1419 2 bytes JMP 7515b35e C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[3640] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 00000000767c1431 2 bytes JMP 751d9149 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[3640] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 00000000767c144a 2 bytes CALL 75134885 C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Windows\SysWOW64\PnkBstrA.exe[3640] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000767c14dd 2 bytes JMP 751d8a42 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[3640] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000767c14f5 2 bytes JMP 751d8c18 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[3640] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 00000000767c150d 2 bytes JMP 751d8938 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[3640] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 00000000767c1525 2 bytes JMP 751d8d02 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[3640] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 00000000767c153d 2 bytes JMP 7514fcc0 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[3640] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 00000000767c1555 2 bytes JMP 75156907 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[3640] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 00000000767c156d 2 bytes JMP 751d9201 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[3640] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 00000000767c1585 2 bytes JMP 751d8d62 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[3640] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 00000000767c159d 2 bytes JMP 751d88fc C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[3640] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000767c15b5 2 bytes JMP 7514fd59 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[3640] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000767c15cd 2 bytes JMP 7515b2f4 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[3640] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000767c16b2 2 bytes JMP 751d90c4 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[3640] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000767c16bd 2 bytes JMP 751d8891 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[3680] C:\Windows\syswow64\psapi.dll!GetModuleFileNameExW + 17 00000000767c1401 2 bytes JMP 7515b233 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[3680] C:\Windows\syswow64\psapi.dll!EnumProcessModules + 17 00000000767c1419 2 bytes JMP 7515b35e C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[3680] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 17 00000000767c1431 2 bytes JMP 751d9149 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[3680] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 42 00000000767c144a 2 bytes CALL 75134885 C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[3680] C:\Windows\syswow64\psapi.dll!EnumDeviceDrivers + 17 00000000767c14dd 2 bytes JMP 751d8a42 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[3680] C:\Windows\syswow64\psapi.dll!GetDeviceDriverBaseNameA + 17 00000000767c14f5 2 bytes JMP 751d8c18 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[3680] C:\Windows\syswow64\psapi.dll!QueryWorkingSetEx + 17 00000000767c150d 2 bytes JMP 751d8938 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[3680] C:\Windows\syswow64\psapi.dll!GetDeviceDriverBaseNameW + 17 00000000767c1525 2 bytes JMP 751d8d02 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[3680] C:\Windows\syswow64\psapi.dll!GetModuleBaseNameW + 17 00000000767c153d 2 bytes JMP 7514fcc0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[3680] C:\Windows\syswow64\psapi.dll!EnumProcesses + 17 00000000767c1555 2 bytes JMP 75156907 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[3680] C:\Windows\syswow64\psapi.dll!GetProcessMemoryInfo + 17 00000000767c156d 2 bytes JMP 751d9201 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[3680] C:\Windows\syswow64\psapi.dll!GetPerformanceInfo + 17 00000000767c1585 2 bytes JMP 751d8d62 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[3680] C:\Windows\syswow64\psapi.dll!QueryWorkingSet + 17 00000000767c159d 2 bytes JMP 751d88fc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[3680] C:\Windows\syswow64\psapi.dll!GetModuleBaseNameA + 17 00000000767c15b5 2 bytes JMP 7514fd59 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[3680] C:\Windows\syswow64\psapi.dll!GetModuleFileNameExA + 17 00000000767c15cd 2 bytes JMP 7515b2f4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[3680] C:\Windows\syswow64\psapi.dll!GetProcessImageFileNameW + 20 00000000767c16b2 2 bytes JMP 751d90c4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[3680] C:\Windows\syswow64\psapi.dll!GetProcessImageFileNameW + 31 00000000767c16bd 2 bytes JMP 751d8891 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3804] C:\Windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter 0000000075138769 8 bytes [31, C0, C2, 04, 00, 90, 90, ...] .text C:\Windows\system32\svchost.exe[3712] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076dbbde0 5 bytes JMP 0000000076f20480 .text C:\Windows\system32\svchost.exe[3712] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076dbbe30 5 bytes JMP 0000000076f20470 .text C:\Windows\system32\svchost.exe[3712] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076dbbf90 5 bytes JMP 0000000076f20360 .text C:\Windows\system32\svchost.exe[3712] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076dbbfe0 5 bytes JMP 0000000076f20490 .text C:\Windows\system32\svchost.exe[3712] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076dbbff0 5 bytes JMP 0000000076f203d0 .text C:\Windows\system32\svchost.exe[3712] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076dbc0a0 5 bytes JMP 0000000076f20310 .text C:\Windows\system32\svchost.exe[3712] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076dbc0d0 5 bytes JMP 0000000076f203a0 .text C:\Windows\system32\svchost.exe[3712] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076dbc0f0 1 byte JMP 0000000076f20380 .text C:\Windows\system32\svchost.exe[3712] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 0000000076dbc0f2 3 bytes {JMP 0x164290} .text C:\Windows\system32\svchost.exe[3712] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076dbc130 5 bytes JMP 0000000076f202d0 .text C:\Windows\system32\svchost.exe[3712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076dbc1b0 5 bytes JMP 0000000076f202c0 .text C:\Windows\system32\svchost.exe[3712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076dbc1d0 5 bytes JMP 0000000076f20300 .text C:\Windows\system32\svchost.exe[3712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076dbc210 5 bytes JMP 0000000076f203b0 .text C:\Windows\system32\svchost.exe[3712] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076dbc250 5 bytes JMP 0000000076f20440 .text C:\Windows\system32\svchost.exe[3712] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076dbc260 5 bytes JMP 0000000076f203e0 .text C:\Windows\system32\svchost.exe[3712] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076dbc3c0 5 bytes JMP 0000000076f20220 .text C:\Windows\system32\svchost.exe[3712] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076dbc580 5 bytes JMP 0000000076f204a0 .text C:\Windows\system32\svchost.exe[3712] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076dbc5b0 5 bytes JMP 0000000076f20390 .text C:\Windows\system32\svchost.exe[3712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076dbc690 5 bytes JMP 0000000076f202e0 .text C:\Windows\system32\svchost.exe[3712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076dbc6a0 5 bytes JMP 0000000076f20340 .text C:\Windows\system32\svchost.exe[3712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076dbc700 5 bytes JMP 0000000076f20280 .text C:\Windows\system32\svchost.exe[3712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076dbc790 5 bytes JMP 0000000076f202a0 .text C:\Windows\system32\svchost.exe[3712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076dbc7b0 5 bytes JMP 0000000076f203c0 .text C:\Windows\system32\svchost.exe[3712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076dbc7c0 5 bytes JMP 0000000076f20320 .text C:\Windows\system32\svchost.exe[3712] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076dbc830 5 bytes JMP 0000000076f20410 .text C:\Windows\system32\svchost.exe[3712] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076dbc860 5 bytes JMP 0000000076f20230 .text C:\Windows\system32\svchost.exe[3712] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000076dbca00 5 bytes JMP 0000000076f203f0 .text C:\Windows\system32\svchost.exe[3712] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076dbcb20 5 bytes JMP 0000000076f201d0 .text C:\Windows\system32\svchost.exe[3712] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076dbcbe0 5 bytes JMP 0000000076f20240 .text C:\Windows\system32\svchost.exe[3712] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076dbcc10 5 bytes JMP 0000000076f204b0 .text C:\Windows\system32\svchost.exe[3712] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076dbcc20 5 bytes JMP 0000000076f204c0 .text C:\Windows\system32\svchost.exe[3712] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076dbcc50 5 bytes JMP 0000000076f202f0 .text C:\Windows\system32\svchost.exe[3712] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076dbcc60 5 bytes JMP 0000000076f20350 .text C:\Windows\system32\svchost.exe[3712] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076dbccc0 5 bytes JMP 0000000076f20290 .text C:\Windows\system32\svchost.exe[3712] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076dbcd10 5 bytes JMP 0000000076f202b0 .text C:\Windows\system32\svchost.exe[3712] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076dbcd40 5 bytes JMP 0000000076f20370 .text C:\Windows\system32\svchost.exe[3712] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076dbcd50 5 bytes JMP 0000000076f20330 .text C:\Windows\system32\svchost.exe[3712] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076dbd040 5 bytes JMP 0000000076f20460 .text C:\Windows\system32\svchost.exe[3712] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000076dbd1a0 5 bytes JMP 0000000076f20420 .text C:\Windows\system32\svchost.exe[3712] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076dbd240 5 bytes JMP 0000000076f20250 .text C:\Windows\system32\svchost.exe[3712] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076dbd250 5 bytes JMP 0000000076f20260 .text C:\Windows\system32\svchost.exe[3712] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076dbd260 5 bytes JMP 0000000076f20400 .text C:\Windows\system32\svchost.exe[3712] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076dbd420 5 bytes JMP 0000000076f201e0 .text C:\Windows\system32\svchost.exe[3712] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076dbd430 5 bytes JMP 0000000076f20200 .text C:\Windows\system32\svchost.exe[3712] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076dbd4a0 5 bytes JMP 0000000076f201f0 .text C:\Windows\system32\svchost.exe[3712] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076dbd500 5 bytes JMP 0000000076f20430 .text C:\Windows\system32\svchost.exe[3712] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076dbd510 5 bytes JMP 0000000076f20450 .text C:\Windows\system32\svchost.exe[3712] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076dbd520 5 bytes JMP 0000000076f20210 .text C:\Windows\system32\svchost.exe[3712] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076dbd600 5 bytes JMP 0000000076f20270 .text C:\Windows\system32\taskeng.exe[5380] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076dbbde0 5 bytes JMP 0000000076f20480 .text C:\Windows\system32\taskeng.exe[5380] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076dbbe30 5 bytes JMP 0000000076f20470 .text C:\Windows\system32\taskeng.exe[5380] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076dbbf90 5 bytes JMP 0000000076f20360 .text C:\Windows\system32\taskeng.exe[5380] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076dbbfe0 5 bytes JMP 0000000076f20490 .text C:\Windows\system32\taskeng.exe[5380] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076dbbff0 5 bytes JMP 0000000076f203d0 .text C:\Windows\system32\taskeng.exe[5380] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076dbc0a0 5 bytes JMP 0000000076f20310 .text C:\Windows\system32\taskeng.exe[5380] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076dbc0d0 5 bytes JMP 0000000076f203a0 .text C:\Windows\system32\taskeng.exe[5380] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076dbc0f0 1 byte JMP 0000000076f20380 .text C:\Windows\system32\taskeng.exe[5380] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 0000000076dbc0f2 3 bytes {JMP 0x164290} .text C:\Windows\system32\taskeng.exe[5380] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076dbc130 5 bytes JMP 0000000076f202d0 .text C:\Windows\system32\taskeng.exe[5380] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076dbc1b0 5 bytes JMP 0000000076f202c0 .text C:\Windows\system32\taskeng.exe[5380] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076dbc1d0 5 bytes JMP 0000000076f20300 .text C:\Windows\system32\taskeng.exe[5380] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076dbc210 5 bytes JMP 0000000076f203b0 .text C:\Windows\system32\taskeng.exe[5380] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076dbc250 5 bytes JMP 0000000076f20440 .text C:\Windows\system32\taskeng.exe[5380] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076dbc260 5 bytes JMP 0000000076f203e0 .text C:\Windows\system32\taskeng.exe[5380] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076dbc3c0 5 bytes JMP 0000000076f20220 .text C:\Windows\system32\taskeng.exe[5380] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076dbc580 5 bytes JMP 0000000076f204a0 .text C:\Windows\system32\taskeng.exe[5380] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076dbc5b0 5 bytes JMP 0000000076f20390 .text C:\Windows\system32\taskeng.exe[5380] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076dbc690 5 bytes JMP 0000000076f202e0 .text C:\Windows\system32\taskeng.exe[5380] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076dbc6a0 5 bytes JMP 0000000076f20340 .text C:\Windows\system32\taskeng.exe[5380] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076dbc700 5 bytes JMP 0000000076f20280 .text C:\Windows\system32\taskeng.exe[5380] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076dbc790 5 bytes JMP 0000000076f202a0 .text C:\Windows\system32\taskeng.exe[5380] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076dbc7b0 5 bytes JMP 0000000076f203c0 .text C:\Windows\system32\taskeng.exe[5380] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076dbc7c0 5 bytes JMP 0000000076f20320 .text C:\Windows\system32\taskeng.exe[5380] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076dbc830 5 bytes JMP 0000000076f20410 .text C:\Windows\system32\taskeng.exe[5380] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076dbc860 5 bytes JMP 0000000076f20230 .text C:\Windows\system32\taskeng.exe[5380] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000076dbca00 5 bytes JMP 0000000076f203f0 .text C:\Windows\system32\taskeng.exe[5380] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076dbcb20 5 bytes JMP 0000000076f201d0 .text C:\Windows\system32\taskeng.exe[5380] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076dbcbe0 5 bytes JMP 0000000076f20240 .text C:\Windows\system32\taskeng.exe[5380] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076dbcc10 5 bytes JMP 0000000076f204b0 .text C:\Windows\system32\taskeng.exe[5380] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076dbcc20 5 bytes JMP 0000000076f204c0 .text C:\Windows\system32\taskeng.exe[5380] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076dbcc50 5 bytes JMP 0000000076f202f0 .text C:\Windows\system32\taskeng.exe[5380] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076dbcc60 5 bytes JMP 0000000076f20350 .text C:\Windows\system32\taskeng.exe[5380] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076dbccc0 5 bytes JMP 0000000076f20290 .text C:\Windows\system32\taskeng.exe[5380] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076dbcd10 5 bytes JMP 0000000076f202b0 .text C:\Windows\system32\taskeng.exe[5380] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076dbcd40 5 bytes JMP 0000000076f20370 .text C:\Windows\system32\taskeng.exe[5380] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076dbcd50 5 bytes JMP 0000000076f20330 .text C:\Windows\system32\taskeng.exe[5380] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076dbd040 5 bytes JMP 0000000076f20460 .text C:\Windows\system32\taskeng.exe[5380] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000076dbd1a0 5 bytes JMP 0000000076f20420 .text C:\Windows\system32\taskeng.exe[5380] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076dbd240 5 bytes JMP 0000000076f20250 .text C:\Windows\system32\taskeng.exe[5380] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076dbd250 5 bytes JMP 0000000076f20260 .text C:\Windows\system32\taskeng.exe[5380] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076dbd260 5 bytes JMP 0000000076f20400 .text C:\Windows\system32\taskeng.exe[5380] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076dbd420 5 bytes JMP 0000000076f201e0 .text C:\Windows\system32\taskeng.exe[5380] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076dbd430 5 bytes JMP 0000000076f20200 .text C:\Windows\system32\taskeng.exe[5380] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076dbd4a0 5 bytes JMP 0000000076f201f0 .text C:\Windows\system32\taskeng.exe[5380] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076dbd500 5 bytes JMP 0000000076f20430 .text C:\Windows\system32\taskeng.exe[5380] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076dbd510 5 bytes JMP 0000000076f20450 .text C:\Windows\system32\taskeng.exe[5380] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076dbd520 5 bytes JMP 0000000076f20210 .text C:\Windows\system32\taskeng.exe[5380] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076dbd600 5 bytes JMP 0000000076f20270 .text C:\Program Files (x86)\NVIDIA Corporation\NvNode\NVIDIA Web Helper.exe[5504] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 00000000767c1401 2 bytes JMP 7515b233 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\NvNode\NVIDIA Web Helper.exe[5504] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 00000000767c1419 2 bytes JMP 7515b35e C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\NvNode\NVIDIA Web Helper.exe[5504] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 00000000767c1431 2 bytes JMP 751d9149 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\NvNode\NVIDIA Web Helper.exe[5504] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 00000000767c144a 2 bytes CALL 75134885 C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\NVIDIA Corporation\NvNode\NVIDIA Web Helper.exe[5504] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000767c14dd 2 bytes JMP 751d8a42 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\NvNode\NVIDIA Web Helper.exe[5504] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000767c14f5 2 bytes JMP 751d8c18 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\NvNode\NVIDIA Web Helper.exe[5504] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 00000000767c150d 2 bytes JMP 751d8938 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\NvNode\NVIDIA Web Helper.exe[5504] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 00000000767c1525 2 bytes JMP 751d8d02 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\NvNode\NVIDIA Web Helper.exe[5504] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 00000000767c153d 2 bytes JMP 7514fcc0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\NvNode\NVIDIA Web Helper.exe[5504] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 00000000767c1555 2 bytes JMP 75156907 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\NvNode\NVIDIA Web Helper.exe[5504] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 00000000767c156d 2 bytes JMP 751d9201 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\NvNode\NVIDIA Web Helper.exe[5504] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 00000000767c1585 2 bytes JMP 751d8d62 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\NvNode\NVIDIA Web Helper.exe[5504] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 00000000767c159d 2 bytes JMP 751d88fc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\NvNode\NVIDIA Web Helper.exe[5504] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000767c15b5 2 bytes JMP 7514fd59 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\NvNode\NVIDIA Web Helper.exe[5504] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000767c15cd 2 bytes JMP 7515b2f4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\NvNode\NVIDIA Web Helper.exe[5504] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000767c16b2 2 bytes JMP 751d90c4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\NvNode\NVIDIA Web Helper.exe[5504] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000767c16bd 2 bytes JMP 751d8891 C:\Windows\syswow64\kernel32.dll ---- Registry - GMER 2.2 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters\Instup_14833617807412280@SetupOperations ?????????????????a??\L???????????V??????t???\??\C:\Program Files (x86)\IObit\Game Booster 3\Driver\WinRing0x64.sys?lpe???????????e???e??????????????????????? ???????n?????????????,????????:?????????????e&Re????&????????????e????MotoSwitch Service?bRe??Motorola USB Networking Driver Service?203??????????????????of??Motorola USB Dev Driver?.i??????????????????????HID_Raw_Inst?:??????????????6-21-2006???? ???????n?????????????,????????N??? ??????-bf???????????v???s????:???????????h??????????????????d???????e???????????????????T???d??????JL??? ?????????????????????0????????????????????? ?????????????????????0????????????????????? ?????????????????????0????????????????????? ?????????????????????0????????????????????????????????????????????????0??? B??????????????????Microsoft???? ???????n?????????????,????????P???????????????????????????Unknown Device?Dat??????????????????????????????????????? ?????????????????????0????????????&????????????????????v????X?????????????????????ef????????????????? ?*?*?*?*?*?:?*????? Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters\Instup_14833618874302280@SetupOperations ????????Mass Storage Device USB Device???????????????????????n???????????|???????????????????f??ar??????????????????? ???@???r??????di???????????t??il???????????k???????????e??????Wolumin uniwersalny?????????????????????????? ??D?????|????????g??????:????????????e???????????????????s????generic_hid_device?las??????????????????????????????????????tnagqyqb? ??.NTAMD64????LegacyDriver????@machine.inf,%gendev_mfg%;(Standardowe urz?dzenia systemowe)????{8ECC055D-047F-11D1-A537-0000F8753ED1}?1-2????????F??????3???????2??? l??????????????????????????????????????k??????????? ????????????????N????????????:?;????H??????i??ow??????????????????@disk.inf,%disk_devdesc%;Stacja dysk?w?dys????p??????a?goc???????????????????y???m???e???z?|??????????????N??????s????D zo??????????????????????????????????????? ??????????????????????????????P???????????{71a27cdd-812a-11d0-bec7-08002be2092f}\0014?ig??????????????????? ???????x?????????????????????????s??????????&??????????????????????????????????j???????&??? ????????????????????? Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters\Instup_14833617807412280@SetupOperations ?????????????d??@nettun.inf,%teredo.displayname%;Karta tunelowania Teredo firmy Microsoft???@volume.inf,%msft%;Microsoft?????h?i?i?i?????i???????n??????????????????????????ESProtectionDriver?s?d???,?j?k?k?m?m???m??????I?????????????e???WinRing0_1_2_0??????WINUSB.INF????????N??????T?????Dov??????? x??????o?????er ??????????????????????{8ECC055D-047F-11D1-A537-0000F8753ED1}???9???j?k?l?k?l?l?k?k?k???k???????????????k???????????????????????e???j??????????????????????????????????@%SystemRoot%\system32\drivers\http.sys,-1???0(?MBAMWebProtection?????N????????????D????? "??????v?????am\??????????????????????????@volsnap.inf,%msft%;Microsoft????????????????d????$?????????p???r???@volsnap.inf,%msft%;Microsoft????????????s??????To??@msmouse.inf,%hid.mousedevice%;Mysz zgodna z HID????? ???????o?????Fil??{8ECC055D-047F-11D1-A537-0000F8753ED1}??????system32\DRIVERS\WUDFRd.sys?????{00000000-0000-0000-FFFF-FFFFFFFFFFFF}??????6.1.7601.18328??????Urz?dzenie MTP USB?rd ???????+???,??????????@volsnap.inf,%msft%;Microsoft????p? Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters\Instup_14833618874302280@SetupOperations ?????????????????k???????k??@disk.inf,%disk_devdesc%;Stacja dysk?w?le\??? ???????/????????????????&???????1???????????2003??????????????????? ???????n??????????????????????????/????????????????????????0??? ????????????????????????"?????????????????????Stacja dysk?w????????????V??.l??disk.inf:disk_device.NTamd64:disk_install:6.1.7600.16385:gendisk????\??\USB#VID_0C76&PID_0005#5&1dda42a3&0&3#{a5dcbf10-6530-11d2-901f-00c04fb951ed}?????STORAGE#VOLUME#_??_USBSTOR#DISK&VEN_GENERIC&PROD_USB_MASS_STORAGE&REV_1.00#6&170D51C6&0#??????N??????D?????D????usb\class_08&subclass_06&prot_50?o??????????????????????????????????????@disk.inf,%disk_devdesc%;Stacja dysk?w?ice??????????????????Linux ?f,%microsoftmfg%;Microsoft?st??????????????ltomdako?????????????????????m??6.1.7600.16385?dow????????????????*??????v???????????????????????s??m3??cl???????n???????????????????????????????????H???????????????????????????????????????????????????????????????4??5b??wpdmtp.inf??????MBAMProtection???d???????????????????????????????????|? ---- EOF - GMER 2.2 ---- GMER 2.2.19882 - http://www.gmer.net Rootkit scan 2017-01-26 19:41:41 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 ST1000DL002-9TT153 rev.CC32 931,51GB Running: hbhuckrj.exe; Driver: C:\Users\Maciej\AppData\Local\Temp\kwrdrpog.sys ---- Kernel code sections - GMER 2.2 ---- .text C:\Windows\System32\win32k.sys!EngSetLastError + 608 fffff96000105b50 8 bytes [00, 45, AC, 06, 80, F8, FF, ...] .text C:\Windows\System32\win32k.sys!W32pServiceTable fffff96000135900 7 bytes [40, 4C, F3, FF, 01, 56, F0] .text C:\Windows\System32\win32k.sys!W32pServiceTable + 8 fffff96000135908 3 bytes [C0, 06, 02] ---- User code sections - GMER 2.2 ---- .text C:\Windows\system32\csrss.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076dbbde0 5 bytes JMP 0000000049cb0480 .text C:\Windows\system32\csrss.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076dbbe30 5 bytes JMP 0000000049cb0470 .text C:\Windows\system32\csrss.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076dbbf90 5 bytes JMP 0000000049cb0360 .text C:\Windows\system32\csrss.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076dbbfe0 5 bytes JMP 0000000049cb0490 .text C:\Windows\system32\csrss.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076dbbff0 5 bytes JMP 0000000049cb03d0 .text C:\Windows\system32\csrss.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076dbc0a0 5 bytes JMP 0000000049cb0310 .text C:\Windows\system32\csrss.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076dbc0d0 5 bytes JMP 0000000049cb03a0 .text C:\Windows\system32\csrss.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076dbc0f0 1 byte JMP 0000000049cb0380 .text C:\Windows\system32\csrss.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 0000000076dbc0f2 3 bytes {JMP 0xffffffffd2ef4290} .text C:\Windows\system32\csrss.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076dbc130 5 bytes JMP 0000000049cb02d0 .text C:\Windows\system32\csrss.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076dbc1b0 5 bytes JMP 0000000049cb02c0 .text C:\Windows\system32\csrss.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076dbc1d0 5 bytes JMP 0000000049cb0300 .text C:\Windows\system32\csrss.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076dbc210 5 bytes JMP 0000000049cb03b0 .text C:\Windows\system32\csrss.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076dbc250 5 bytes JMP 0000000049cb0440 .text C:\Windows\system32\csrss.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076dbc260 5 bytes JMP 0000000049cb03e0 .text C:\Windows\system32\csrss.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076dbc3c0 5 bytes JMP 0000000049cb0220 .text C:\Windows\system32\csrss.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076dbc580 5 bytes JMP 0000000049cb04a0 .text C:\Windows\system32\csrss.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076dbc5b0 5 bytes JMP 0000000049cb0390 .text C:\Windows\system32\csrss.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076dbc690 5 bytes JMP 0000000049cb02e0 .text C:\Windows\system32\csrss.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076dbc6a0 5 bytes JMP 0000000049cb0340 .text C:\Windows\system32\csrss.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076dbc700 5 bytes JMP 0000000049cb0280 .text C:\Windows\system32\csrss.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076dbc790 5 bytes JMP 0000000049cb02a0 .text C:\Windows\system32\csrss.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076dbc7b0 5 bytes JMP 0000000049cb03c0 .text C:\Windows\system32\csrss.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076dbc7c0 5 bytes JMP 0000000049cb0320 .text C:\Windows\system32\csrss.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076dbc830 5 bytes JMP 0000000049cb0410 .text C:\Windows\system32\csrss.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076dbc860 5 bytes JMP 0000000049cb0230 .text C:\Windows\system32\csrss.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000076dbca00 5 bytes JMP 0000000049cb03f0 .text C:\Windows\system32\csrss.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076dbcb20 5 bytes JMP 0000000049cb01d0 .text C:\Windows\system32\csrss.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076dbcbe0 5 bytes JMP 0000000049cb0240 .text C:\Windows\system32\csrss.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076dbcc10 5 bytes JMP 0000000049cb04b0 .text C:\Windows\system32\csrss.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076dbcc20 5 bytes JMP 0000000049cb04c0 .text C:\Windows\system32\csrss.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076dbcc50 5 bytes JMP 0000000049cb02f0 .text C:\Windows\system32\csrss.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076dbcc60 5 bytes JMP 0000000049cb0350 .text C:\Windows\system32\csrss.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076dbccc0 5 bytes JMP 0000000049cb0290 .text C:\Windows\system32\csrss.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076dbcd10 5 bytes JMP 0000000049cb02b0 .text C:\Windows\system32\csrss.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076dbcd40 5 bytes JMP 0000000049cb0370 .text C:\Windows\system32\csrss.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076dbcd50 5 bytes JMP 0000000049cb0330 .text C:\Windows\system32\csrss.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076dbd040 5 bytes JMP 0000000049cb0460 .text C:\Windows\system32\csrss.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000076dbd1a0 5 bytes JMP 0000000049cb0420 .text C:\Windows\system32\csrss.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076dbd240 5 bytes JMP 0000000049cb0250 .text C:\Windows\system32\csrss.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076dbd250 5 bytes JMP 0000000049cb0260 .text C:\Windows\system32\csrss.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076dbd260 5 bytes JMP 0000000049cb0400 .text C:\Windows\system32\csrss.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076dbd420 5 bytes JMP 0000000049cb01e0 .text C:\Windows\system32\csrss.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076dbd430 5 bytes JMP 0000000049cb0200 .text C:\Windows\system32\csrss.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076dbd4a0 5 bytes JMP 0000000049cb01f0 .text C:\Windows\system32\csrss.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076dbd500 5 bytes JMP 0000000049cb0430 .text C:\Windows\system32\csrss.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076dbd510 5 bytes JMP 0000000049cb0450 .text C:\Windows\system32\csrss.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076dbd520 5 bytes JMP 0000000049cb0210 .text C:\Windows\system32\csrss.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076dbd600 5 bytes JMP 0000000049cb0270 .text C:\Windows\system32\csrss.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076dbbde0 5 bytes JMP 0000000049cb0480 .text C:\Windows\system32\csrss.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076dbbe30 5 bytes JMP 0000000049cb0470 .text C:\Windows\system32\csrss.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076dbbf90 5 bytes JMP 0000000049cb0360 .text C:\Windows\system32\csrss.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076dbbfe0 5 bytes JMP 0000000049cb0490 .text C:\Windows\system32\csrss.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076dbbff0 5 bytes JMP 0000000049cb03d0 .text C:\Windows\system32\csrss.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076dbc0a0 5 bytes JMP 0000000049cb0310 .text C:\Windows\system32\csrss.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076dbc0d0 5 bytes JMP 0000000049cb03a0 .text C:\Windows\system32\csrss.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076dbc0f0 1 byte JMP 0000000049cb0380 .text C:\Windows\system32\csrss.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 0000000076dbc0f2 3 bytes {JMP 0xffffffffd2ef4290} .text C:\Windows\system32\csrss.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076dbc130 5 bytes JMP 0000000049cb02d0 .text C:\Windows\system32\csrss.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076dbc1b0 5 bytes JMP 0000000049cb02c0 .text C:\Windows\system32\csrss.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076dbc1d0 5 bytes JMP 0000000049cb0300 .text C:\Windows\system32\csrss.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076dbc210 5 bytes JMP 0000000049cb03b0 .text C:\Windows\system32\csrss.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076dbc250 5 bytes JMP 0000000049cb0440 .text C:\Windows\system32\csrss.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076dbc260 5 bytes JMP 0000000049cb03e0 .text C:\Windows\system32\csrss.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076dbc3c0 5 bytes JMP 0000000049cb0220 .text C:\Windows\system32\csrss.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076dbc580 5 bytes JMP 0000000049cb04a0 .text C:\Windows\system32\csrss.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076dbc5b0 5 bytes JMP 0000000049cb0390 .text C:\Windows\system32\csrss.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076dbc690 5 bytes JMP 0000000049cb02e0 .text C:\Windows\system32\csrss.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076dbc6a0 5 bytes JMP 0000000049cb0340 .text C:\Windows\system32\csrss.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076dbc700 5 bytes JMP 0000000049cb0280 .text C:\Windows\system32\csrss.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076dbc790 5 bytes JMP 0000000049cb02a0 .text C:\Windows\system32\csrss.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076dbc7b0 5 bytes JMP 0000000049cb03c0 .text C:\Windows\system32\csrss.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076dbc7c0 5 bytes JMP 0000000049cb0320 .text C:\Windows\system32\csrss.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076dbc830 5 bytes JMP 0000000049cb0410 .text C:\Windows\system32\csrss.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076dbc860 5 bytes JMP 0000000049cb0230 .text C:\Windows\system32\csrss.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000076dbca00 5 bytes JMP 0000000049cb03f0 .text C:\Windows\system32\csrss.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076dbcb20 5 bytes JMP 0000000049cb01d0 .text C:\Windows\system32\csrss.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076dbcbe0 5 bytes JMP 0000000049cb0240 .text C:\Windows\system32\csrss.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076dbcc10 5 bytes JMP 0000000049cb04b0 .text C:\Windows\system32\csrss.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076dbcc20 5 bytes JMP 0000000049cb04c0 .text C:\Windows\system32\csrss.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076dbcc50 5 bytes JMP 0000000049cb02f0 .text C:\Windows\system32\csrss.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076dbcc60 5 bytes JMP 0000000049cb0350 .text C:\Windows\system32\csrss.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076dbccc0 5 bytes JMP 0000000049cb0290 .text C:\Windows\system32\csrss.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076dbcd10 5 bytes JMP 0000000049cb02b0 .text C:\Windows\system32\csrss.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076dbcd40 5 bytes JMP 0000000049cb0370 .text C:\Windows\system32\csrss.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076dbcd50 5 bytes JMP 0000000049cb0330 .text C:\Windows\system32\csrss.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076dbd040 5 bytes JMP 0000000049cb0460 .text C:\Windows\system32\csrss.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000076dbd1a0 5 bytes JMP 0000000049cb0420 .text C:\Windows\system32\csrss.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076dbd240 5 bytes JMP 0000000049cb0250 .text C:\Windows\system32\csrss.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076dbd250 5 bytes JMP 0000000049cb0260 .text C:\Windows\system32\csrss.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076dbd260 5 bytes JMP 0000000049cb0400 .text C:\Windows\system32\csrss.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076dbd420 5 bytes JMP 0000000049cb01e0 .text C:\Windows\system32\csrss.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076dbd430 5 bytes JMP 0000000049cb0200 .text C:\Windows\system32\csrss.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076dbd4a0 5 bytes JMP 0000000049cb01f0 .text C:\Windows\system32\csrss.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076dbd500 5 bytes JMP 0000000049cb0430 .text C:\Windows\system32\csrss.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076dbd510 5 bytes JMP 0000000049cb0450 .text C:\Windows\system32\csrss.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076dbd520 5 bytes JMP 0000000049cb0210 .text C:\Windows\system32\csrss.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076dbd600 5 bytes JMP 0000000049cb0270 .text C:\Windows\system32\lsass.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076dbbde0 5 bytes JMP 0000000076f20480 .text C:\Windows\system32\lsass.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076dbbe30 5 bytes JMP 0000000076f20470 .text C:\Windows\system32\lsass.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076dbbf90 5 bytes JMP 0000000076f20360 .text C:\Windows\system32\lsass.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076dbbfe0 5 bytes JMP 0000000076f20490 .text C:\Windows\system32\lsass.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076dbbff0 5 bytes JMP 0000000076f203d0 .text C:\Windows\system32\lsass.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076dbc0a0 5 bytes JMP 0000000076f20310 .text C:\Windows\system32\lsass.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076dbc0d0 5 bytes JMP 0000000076f203a0 .text C:\Windows\system32\lsass.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076dbc0f0 1 byte JMP 0000000076f20380 .text C:\Windows\system32\lsass.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 0000000076dbc0f2 3 bytes {JMP 0x164290} .text C:\Windows\system32\lsass.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076dbc130 5 bytes JMP 0000000076f202d0 .text C:\Windows\system32\lsass.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076dbc1b0 5 bytes JMP 0000000076f202c0 .text C:\Windows\system32\lsass.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076dbc1d0 5 bytes JMP 0000000076f20300 .text C:\Windows\system32\lsass.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076dbc210 5 bytes JMP 0000000076f203b0 .text C:\Windows\system32\lsass.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076dbc250 5 bytes JMP 0000000076f20440 .text C:\Windows\system32\lsass.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076dbc260 5 bytes JMP 0000000076f203e0 .text C:\Windows\system32\lsass.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076dbc3c0 5 bytes JMP 0000000076f20220 .text C:\Windows\system32\lsass.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076dbc580 5 bytes JMP 0000000076f204a0 .text C:\Windows\system32\lsass.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076dbc5b0 5 bytes JMP 0000000076f20390 .text C:\Windows\system32\lsass.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076dbc690 5 bytes JMP 0000000076f202e0 .text C:\Windows\system32\lsass.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076dbc6a0 5 bytes JMP 0000000076f20340 .text C:\Windows\system32\lsass.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076dbc700 5 bytes JMP 0000000076f20280 .text C:\Windows\system32\lsass.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076dbc790 5 bytes JMP 0000000076f202a0 .text C:\Windows\system32\lsass.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076dbc7b0 5 bytes JMP 0000000076f203c0 .text C:\Windows\system32\lsass.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076dbc7c0 5 bytes JMP 0000000076f20320 .text C:\Windows\system32\lsass.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076dbc830 5 bytes JMP 0000000076f20410 .text C:\Windows\system32\lsass.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076dbc860 5 bytes JMP 0000000076f20230 .text C:\Windows\system32\lsass.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000076dbca00 5 bytes JMP 0000000076f203f0 .text C:\Windows\system32\lsass.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076dbcb20 5 bytes JMP 0000000076f201d0 .text C:\Windows\system32\lsass.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076dbcbe0 5 bytes JMP 0000000076f20240 .text C:\Windows\system32\lsass.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076dbcc10 5 bytes JMP 0000000076f204b0 .text C:\Windows\system32\lsass.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076dbcc20 5 bytes JMP 0000000076f204c0 .text C:\Windows\system32\lsass.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076dbcc50 5 bytes JMP 0000000076f202f0 .text C:\Windows\system32\lsass.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076dbcc60 5 bytes JMP 0000000076f20350 .text C:\Windows\system32\lsass.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076dbccc0 5 bytes JMP 0000000076f20290 .text C:\Windows\system32\lsass.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076dbcd10 5 bytes JMP 0000000076f202b0 .text C:\Windows\system32\lsass.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076dbcd40 5 bytes JMP 0000000076f20370 .text C:\Windows\system32\lsass.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076dbcd50 5 bytes JMP 0000000076f20330 .text C:\Windows\system32\lsass.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076dbd040 5 bytes JMP 0000000076f20460 .text C:\Windows\system32\lsass.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000076dbd1a0 5 bytes JMP 0000000076f20420 .text C:\Windows\system32\lsass.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076dbd240 5 bytes JMP 0000000076f20250 .text C:\Windows\system32\lsass.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076dbd250 5 bytes JMP 0000000076f20260 .text C:\Windows\system32\lsass.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076dbd260 5 bytes JMP 0000000076f20400 .text C:\Windows\system32\lsass.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076dbd420 5 bytes JMP 0000000076f201e0 .text C:\Windows\system32\lsass.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076dbd430 5 bytes JMP 0000000076f20200 .text C:\Windows\system32\lsass.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076dbd4a0 5 bytes JMP 0000000076f201f0 .text C:\Windows\system32\lsass.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076dbd500 5 bytes JMP 0000000076f20430 .text C:\Windows\system32\lsass.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076dbd510 5 bytes JMP 0000000076f20450 .text C:\Windows\system32\lsass.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076dbd520 5 bytes JMP 0000000076f20210 .text C:\Windows\system32\lsass.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076dbd600 5 bytes JMP 0000000076f20270 .text C:\Windows\system32\lsm.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076dbbde0 5 bytes JMP 0000000076f20480 .text C:\Windows\system32\lsm.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076dbbe30 5 bytes JMP 0000000076f20470 .text C:\Windows\system32\lsm.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076dbbf90 5 bytes JMP 0000000076f20360 .text C:\Windows\system32\lsm.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076dbbfe0 5 bytes JMP 0000000076f20490 .text C:\Windows\system32\lsm.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076dbbff0 5 bytes JMP 0000000076f203d0 .text C:\Windows\system32\lsm.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076dbc0a0 5 bytes JMP 0000000076f20310 .text C:\Windows\system32\lsm.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076dbc0d0 5 bytes JMP 0000000076f203a0 .text C:\Windows\system32\lsm.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076dbc0f0 1 byte JMP 0000000076f20380 .text C:\Windows\system32\lsm.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 0000000076dbc0f2 3 bytes {JMP 0x164290} .text C:\Windows\system32\lsm.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076dbc130 5 bytes JMP 0000000076f202d0 .text C:\Windows\system32\lsm.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076dbc1b0 5 bytes JMP 0000000076f202c0 .text C:\Windows\system32\lsm.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076dbc1d0 5 bytes JMP 0000000076f20300 .text C:\Windows\system32\lsm.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076dbc210 5 bytes JMP 0000000076f203b0 .text C:\Windows\system32\lsm.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076dbc250 5 bytes JMP 0000000076f20440 .text C:\Windows\system32\lsm.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076dbc260 5 bytes JMP 0000000076f203e0 .text C:\Windows\system32\lsm.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076dbc3c0 5 bytes JMP 0000000076f20220 .text C:\Windows\system32\lsm.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076dbc580 5 bytes JMP 0000000076f204a0 .text C:\Windows\system32\lsm.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076dbc5b0 5 bytes JMP 0000000076f20390 .text C:\Windows\system32\lsm.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076dbc690 5 bytes JMP 0000000076f202e0 .text C:\Windows\system32\lsm.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076dbc6a0 5 bytes JMP 0000000076f20340 .text C:\Windows\system32\lsm.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076dbc700 5 bytes JMP 0000000076f20280 .text C:\Windows\system32\lsm.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076dbc790 5 bytes JMP 0000000076f202a0 .text C:\Windows\system32\lsm.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076dbc7b0 5 bytes JMP 0000000076f203c0 .text C:\Windows\system32\lsm.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076dbc7c0 5 bytes JMP 0000000076f20320 .text C:\Windows\system32\lsm.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076dbc830 5 bytes JMP 0000000076f20410 .text C:\Windows\system32\lsm.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076dbc860 5 bytes JMP 0000000076f20230 .text C:\Windows\system32\lsm.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000076dbca00 5 bytes JMP 0000000076f203f0 .text C:\Windows\system32\lsm.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076dbcb20 5 bytes JMP 0000000076f201d0 .text C:\Windows\system32\lsm.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076dbcbe0 5 bytes JMP 0000000076f20240 .text C:\Windows\system32\lsm.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076dbcc10 5 bytes JMP 0000000076f204b0 .text C:\Windows\system32\lsm.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076dbcc20 5 bytes JMP 0000000076f204c0 .text C:\Windows\system32\lsm.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076dbcc50 5 bytes JMP 0000000076f202f0 .text C:\Windows\system32\lsm.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076dbcc60 5 bytes JMP 0000000076f20350 .text C:\Windows\system32\lsm.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076dbccc0 5 bytes JMP 0000000076f20290 .text C:\Windows\system32\lsm.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076dbcd10 5 bytes JMP 0000000076f202b0 .text C:\Windows\system32\lsm.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076dbcd40 5 bytes JMP 0000000076f20370 .text C:\Windows\system32\lsm.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076dbcd50 5 bytes JMP 0000000076f20330 .text C:\Windows\system32\lsm.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076dbd040 5 bytes JMP 0000000076f20460 .text C:\Windows\system32\lsm.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000076dbd1a0 5 bytes JMP 0000000076f20420 .text C:\Windows\system32\lsm.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076dbd240 5 bytes JMP 0000000076f20250 .text C:\Windows\system32\lsm.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076dbd250 5 bytes JMP 0000000076f20260 .text C:\Windows\system32\lsm.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076dbd260 5 bytes JMP 0000000076f20400 .text C:\Windows\system32\lsm.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076dbd420 5 bytes JMP 0000000076f201e0 .text C:\Windows\system32\lsm.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076dbd430 5 bytes JMP 0000000076f20200 .text C:\Windows\system32\lsm.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076dbd4a0 5 bytes JMP 0000000076f201f0 .text C:\Windows\system32\lsm.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076dbd500 5 bytes JMP 0000000076f20430 .text C:\Windows\system32\lsm.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076dbd510 5 bytes JMP 0000000076f20450 .text C:\Windows\system32\lsm.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076dbd520 5 bytes JMP 0000000076f20210 .text C:\Windows\system32\lsm.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076dbd600 5 bytes JMP 0000000076f20270 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076dbbde0 5 bytes JMP 0000000076f20480 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076dbbe30 5 bytes JMP 0000000076f20470 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076dbbf90 5 bytes JMP 0000000076f20360 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076dbbfe0 5 bytes JMP 0000000076f20490 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076dbbff0 5 bytes JMP 0000000076f203d0 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076dbc0a0 5 bytes JMP 0000000076f20310 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076dbc0d0 5 bytes JMP 0000000076f203a0 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076dbc0f0 1 byte JMP 0000000076f20380 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 0000000076dbc0f2 3 bytes {JMP 0x164290} .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076dbc130 5 bytes JMP 0000000076f202d0 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076dbc1b0 5 bytes JMP 0000000076f202c0 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076dbc1d0 5 bytes JMP 0000000076f20300 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076dbc210 5 bytes JMP 0000000076f203b0 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076dbc250 5 bytes JMP 0000000076f20440 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076dbc260 5 bytes JMP 0000000076f203e0 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076dbc3c0 5 bytes JMP 0000000076f20220 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076dbc580 5 bytes JMP 0000000076f204a0 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076dbc5b0 5 bytes JMP 0000000076f20390 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076dbc690 5 bytes JMP 0000000076f202e0 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076dbc6a0 5 bytes JMP 0000000076f20340 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076dbc700 5 bytes JMP 0000000076f20280 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076dbc790 5 bytes JMP 0000000076f202a0 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076dbc7b0 5 bytes JMP 0000000076f203c0 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076dbc7c0 5 bytes JMP 0000000076f20320 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076dbc830 5 bytes JMP 0000000076f20410 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076dbc860 5 bytes JMP 0000000076f20230 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000076dbca00 5 bytes JMP 0000000076f203f0 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076dbcb20 5 bytes JMP 0000000076f201d0 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076dbcbe0 5 bytes JMP 0000000076f20240 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076dbcc10 5 bytes JMP 0000000076f204b0 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076dbcc20 5 bytes JMP 0000000076f204c0 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076dbcc50 5 bytes JMP 0000000076f202f0 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076dbcc60 5 bytes JMP 0000000076f20350 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076dbccc0 5 bytes JMP 0000000076f20290 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076dbcd10 5 bytes JMP 0000000076f202b0 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076dbcd40 5 bytes JMP 0000000076f20370 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076dbcd50 5 bytes JMP 0000000076f20330 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076dbd040 5 bytes JMP 0000000076f20460 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000076dbd1a0 5 bytes JMP 0000000076f20420 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076dbd240 5 bytes JMP 0000000076f20250 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076dbd250 5 bytes JMP 0000000076f20260 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076dbd260 5 bytes JMP 0000000076f20400 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076dbd420 5 bytes JMP 0000000076f201e0 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076dbd430 5 bytes JMP 0000000076f20200 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076dbd4a0 5 bytes JMP 0000000076f201f0 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076dbd500 5 bytes JMP 0000000076f20430 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076dbd510 5 bytes JMP 0000000076f20450 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076dbd520 5 bytes JMP 0000000076f20210 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076dbd600 5 bytes JMP 0000000076f20270 .text C:\Program Files (x86)\IObit\Advanced SystemCare Ultimate\ASCService.exe[836] C:\Windows\syswow64\kernel32.dll!CreateThread + 28 0000000075133491 4 bytes {CALL 0xffffffff8b32b434} .text C:\Program Files (x86)\IObit\Advanced SystemCare Ultimate\ascavsvc.exe[900] C:\Windows\syswow64\kernel32.dll!CreateThread + 28 0000000075133491 4 bytes {CALL 0xffffffff8b333cd0} .text C:\Program Files (x86)\IObit\Advanced SystemCare Ultimate\ascavsvc.exe[900] C:\Windows\syswow64\psapi.dll!GetModuleFileNameExW + 17 00000000767c1401 2 bytes JMP 7515b233 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\IObit\Advanced SystemCare Ultimate\ascavsvc.exe[900] C:\Windows\syswow64\psapi.dll!EnumProcessModules + 17 00000000767c1419 2 bytes JMP 7515b35e C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\IObit\Advanced SystemCare Ultimate\ascavsvc.exe[900] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 17 00000000767c1431 2 bytes JMP 751d9149 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\IObit\Advanced SystemCare Ultimate\ascavsvc.exe[900] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 42 00000000767c144a 2 bytes CALL 75134885 C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\IObit\Advanced SystemCare Ultimate\ascavsvc.exe[900] C:\Windows\syswow64\psapi.dll!EnumDeviceDrivers + 17 00000000767c14dd 2 bytes JMP 751d8a42 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\IObit\Advanced SystemCare Ultimate\ascavsvc.exe[900] C:\Windows\syswow64\psapi.dll!GetDeviceDriverBaseNameA + 17 00000000767c14f5 2 bytes JMP 751d8c18 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\IObit\Advanced SystemCare Ultimate\ascavsvc.exe[900] C:\Windows\syswow64\psapi.dll!QueryWorkingSetEx + 17 00000000767c150d 2 bytes JMP 751d8938 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\IObit\Advanced SystemCare Ultimate\ascavsvc.exe[900] C:\Windows\syswow64\psapi.dll!GetDeviceDriverBaseNameW + 17 00000000767c1525 2 bytes JMP 751d8d02 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\IObit\Advanced SystemCare Ultimate\ascavsvc.exe[900] C:\Windows\syswow64\psapi.dll!GetModuleBaseNameW + 17 00000000767c153d 2 bytes JMP 7514fcc0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\IObit\Advanced SystemCare Ultimate\ascavsvc.exe[900] C:\Windows\syswow64\psapi.dll!EnumProcesses + 17 00000000767c1555 2 bytes JMP 75156907 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\IObit\Advanced SystemCare Ultimate\ascavsvc.exe[900] C:\Windows\syswow64\psapi.dll!GetProcessMemoryInfo + 17 00000000767c156d 2 bytes JMP 751d9201 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\IObit\Advanced SystemCare Ultimate\ascavsvc.exe[900] C:\Windows\syswow64\psapi.dll!GetPerformanceInfo + 17 00000000767c1585 2 bytes JMP 751d8d62 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\IObit\Advanced SystemCare Ultimate\ascavsvc.exe[900] C:\Windows\syswow64\psapi.dll!QueryWorkingSet + 17 00000000767c159d 2 bytes JMP 751d88fc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\IObit\Advanced SystemCare Ultimate\ascavsvc.exe[900] C:\Windows\syswow64\psapi.dll!GetModuleBaseNameA + 17 00000000767c15b5 2 bytes JMP 7514fd59 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\IObit\Advanced SystemCare Ultimate\ascavsvc.exe[900] C:\Windows\syswow64\psapi.dll!GetModuleFileNameExA + 17 00000000767c15cd 2 bytes JMP 7515b2f4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\IObit\Advanced SystemCare Ultimate\ascavsvc.exe[900] C:\Windows\syswow64\psapi.dll!GetProcessImageFileNameW + 20 00000000767c16b2 2 bytes JMP 751d90c4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\IObit\Advanced SystemCare Ultimate\ascavsvc.exe[900] C:\Windows\syswow64\psapi.dll!GetProcessImageFileNameW + 31 00000000767c16bd 2 bytes JMP 751d8891 C:\Windows\syswow64\kernel32.dll .text C:\Windows\system32\svchost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076dbbde0 5 bytes JMP 0000000076f20480 .text C:\Windows\system32\svchost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076dbbe30 5 bytes JMP 0000000076f20470 .text C:\Windows\system32\svchost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076dbbf90 5 bytes JMP 0000000076f20360 .text C:\Windows\system32\svchost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076dbbfe0 5 bytes JMP 0000000076f20490 .text C:\Windows\system32\svchost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076dbbff0 5 bytes JMP 0000000076f203d0 .text C:\Windows\system32\svchost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076dbc0a0 5 bytes JMP 0000000076f20310 .text C:\Windows\system32\svchost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076dbc0d0 5 bytes JMP 0000000076f203a0 .text C:\Windows\system32\svchost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076dbc0f0 1 byte JMP 0000000076f20380 .text C:\Windows\system32\svchost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 0000000076dbc0f2 3 bytes {JMP 0x164290} .text C:\Windows\system32\svchost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076dbc130 5 bytes JMP 0000000076f202d0 .text C:\Windows\system32\svchost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076dbc1b0 5 bytes JMP 0000000076f202c0 .text C:\Windows\system32\svchost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076dbc1d0 5 bytes JMP 0000000076f20300 .text C:\Windows\system32\svchost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076dbc210 5 bytes JMP 0000000076f203b0 .text C:\Windows\system32\svchost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076dbc250 5 bytes JMP 0000000076f20440 .text C:\Windows\system32\svchost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076dbc260 5 bytes JMP 0000000076f203e0 .text C:\Windows\system32\svchost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076dbc3c0 5 bytes JMP 0000000076f20220 .text C:\Windows\system32\svchost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076dbc580 5 bytes JMP 0000000076f204a0 .text C:\Windows\system32\svchost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076dbc5b0 5 bytes JMP 0000000076f20390 .text C:\Windows\system32\svchost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076dbc690 5 bytes JMP 0000000076f202e0 .text C:\Windows\system32\svchost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076dbc6a0 5 bytes JMP 0000000076f20340 .text C:\Windows\system32\svchost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076dbc700 5 bytes JMP 0000000076f20280 .text C:\Windows\system32\svchost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076dbc790 5 bytes JMP 0000000076f202a0 .text C:\Windows\system32\svchost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076dbc7b0 5 bytes JMP 0000000076f203c0 .text C:\Windows\system32\svchost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076dbc7c0 5 bytes JMP 0000000076f20320 .text C:\Windows\system32\svchost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076dbc830 5 bytes JMP 0000000076f20410 .text C:\Windows\system32\svchost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076dbc860 5 bytes JMP 0000000076f20230 .text C:\Windows\system32\svchost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000076dbca00 5 bytes JMP 0000000076f203f0 .text C:\Windows\system32\svchost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076dbcb20 5 bytes JMP 0000000076f201d0 .text C:\Windows\system32\svchost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076dbcbe0 5 bytes JMP 0000000076f20240 .text C:\Windows\system32\svchost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076dbcc10 5 bytes JMP 0000000076f204b0 .text C:\Windows\system32\svchost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076dbcc20 5 bytes JMP 0000000076f204c0 .text C:\Windows\system32\svchost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076dbcc50 5 bytes JMP 0000000076f202f0 .text C:\Windows\system32\svchost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076dbcc60 5 bytes JMP 0000000076f20350 .text C:\Windows\system32\svchost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076dbccc0 5 bytes JMP 0000000076f20290 .text C:\Windows\system32\svchost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076dbcd10 5 bytes JMP 0000000076f202b0 .text C:\Windows\system32\svchost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076dbcd40 5 bytes JMP 0000000076f20370 .text C:\Windows\system32\svchost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076dbcd50 5 bytes JMP 0000000076f20330 .text C:\Windows\system32\svchost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076dbd040 5 bytes JMP 0000000076f20460 .text C:\Windows\system32\svchost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000076dbd1a0 5 bytes JMP 0000000076f20420 .text C:\Windows\system32\svchost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076dbd240 5 bytes JMP 0000000076f20250 .text C:\Windows\system32\svchost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076dbd250 5 bytes JMP 0000000076f20260 .text C:\Windows\system32\svchost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076dbd260 5 bytes JMP 0000000076f20400 .text C:\Windows\system32\svchost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076dbd420 5 bytes JMP 0000000076f201e0 .text C:\Windows\system32\svchost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076dbd430 5 bytes JMP 0000000076f20200 .text C:\Windows\system32\svchost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076dbd4a0 5 bytes JMP 0000000076f201f0 .text C:\Windows\system32\svchost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076dbd500 5 bytes JMP 0000000076f20430 .text C:\Windows\system32\svchost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076dbd510 5 bytes JMP 0000000076f20450 .text C:\Windows\system32\svchost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076dbd520 5 bytes JMP 0000000076f20210 .text C:\Windows\system32\svchost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076dbd600 5 bytes JMP 0000000076f20270 .text C:\Windows\System32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076dbbde0 5 bytes JMP 0000000076f20480 .text C:\Windows\System32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076dbbe30 5 bytes JMP 0000000076f20470 .text C:\Windows\System32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076dbbf90 5 bytes JMP 0000000076f20360 .text C:\Windows\System32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076dbbfe0 5 bytes JMP 0000000076f20490 .text C:\Windows\System32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076dbbff0 5 bytes JMP 0000000076f203d0 .text C:\Windows\System32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076dbc0a0 5 bytes JMP 0000000076f20310 .text C:\Windows\System32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076dbc0d0 5 bytes JMP 0000000076f203a0 .text C:\Windows\System32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076dbc0f0 1 byte JMP 0000000076f20380 .text C:\Windows\System32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 0000000076dbc0f2 3 bytes {JMP 0x164290} .text C:\Windows\System32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076dbc130 5 bytes JMP 0000000076f202d0 .text C:\Windows\System32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076dbc1b0 5 bytes JMP 0000000076f202c0 .text C:\Windows\System32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076dbc1d0 5 bytes JMP 0000000076f20300 .text C:\Windows\System32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076dbc210 5 bytes JMP 0000000076f203b0 .text C:\Windows\System32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076dbc250 5 bytes JMP 0000000076f20440 .text C:\Windows\System32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076dbc260 5 bytes JMP 0000000076f203e0 .text C:\Windows\System32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076dbc3c0 5 bytes JMP 0000000076f20220 .text C:\Windows\System32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076dbc580 5 bytes JMP 0000000076f204a0 .text C:\Windows\System32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076dbc5b0 5 bytes JMP 0000000076f20390 .text C:\Windows\System32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076dbc690 5 bytes JMP 0000000076f202e0 .text C:\Windows\System32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076dbc6a0 5 bytes JMP 0000000076f20340 .text C:\Windows\System32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076dbc700 5 bytes JMP 0000000076f20280 .text C:\Windows\System32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076dbc790 5 bytes JMP 0000000076f202a0 .text C:\Windows\System32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076dbc7b0 5 bytes JMP 0000000076f203c0 .text C:\Windows\System32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076dbc7c0 5 bytes JMP 0000000076f20320 .text C:\Windows\System32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076dbc830 5 bytes JMP 0000000076f20410 .text C:\Windows\System32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076dbc860 5 bytes JMP 0000000076f20230 .text C:\Windows\System32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000076dbca00 5 bytes JMP 0000000076f203f0 .text C:\Windows\System32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076dbcb20 5 bytes JMP 0000000076f201d0 .text C:\Windows\System32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076dbcbe0 5 bytes JMP 0000000076f20240 .text C:\Windows\System32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076dbcc10 5 bytes JMP 0000000076f204b0 .text C:\Windows\System32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076dbcc20 5 bytes JMP 0000000076f204c0 .text C:\Windows\System32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076dbcc50 5 bytes JMP 0000000076f202f0 .text C:\Windows\System32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076dbcc60 5 bytes JMP 0000000076f20350 .text C:\Windows\System32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076dbccc0 5 bytes JMP 0000000076f20290 .text C:\Windows\System32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076dbcd10 5 bytes JMP 0000000076f202b0 .text C:\Windows\System32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076dbcd40 5 bytes JMP 0000000076f20370 .text C:\Windows\System32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076dbcd50 5 bytes JMP 0000000076f20330 .text C:\Windows\System32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076dbd040 5 bytes JMP 0000000076f20460 .text C:\Windows\System32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000076dbd1a0 5 bytes JMP 0000000076f20420 .text C:\Windows\System32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076dbd240 5 bytes JMP 0000000076f20250 .text C:\Windows\System32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076dbd250 5 bytes JMP 0000000076f20260 .text C:\Windows\System32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076dbd260 5 bytes JMP 0000000076f20400 .text C:\Windows\System32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076dbd420 5 bytes JMP 0000000076f201e0 .text C:\Windows\System32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076dbd430 5 bytes JMP 0000000076f20200 .text C:\Windows\System32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076dbd4a0 5 bytes JMP 0000000076f201f0 .text C:\Windows\System32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076dbd500 5 bytes JMP 0000000076f20430 .text C:\Windows\System32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076dbd510 5 bytes JMP 0000000076f20450 .text C:\Windows\System32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076dbd520 5 bytes JMP 0000000076f20210 .text C:\Windows\System32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076dbd600 5 bytes JMP 0000000076f20270 .text C:\Windows\System32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076dbbde0 5 bytes JMP 0000000076f20480 .text C:\Windows\System32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076dbbe30 5 bytes JMP 0000000076f20470 .text C:\Windows\System32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076dbbf90 5 bytes JMP 0000000076f20360 .text C:\Windows\System32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076dbbfe0 5 bytes JMP 0000000076f20490 .text C:\Windows\System32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076dbbff0 5 bytes JMP 0000000076f203d0 .text C:\Windows\System32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076dbc0a0 5 bytes JMP 0000000076f20310 .text C:\Windows\System32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076dbc0d0 5 bytes JMP 0000000076f203a0 .text C:\Windows\System32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076dbc0f0 1 byte JMP 0000000076f20380 .text C:\Windows\System32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 0000000076dbc0f2 3 bytes {JMP 0x164290} .text C:\Windows\System32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076dbc130 5 bytes JMP 0000000076f202d0 .text C:\Windows\System32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076dbc1b0 5 bytes JMP 0000000076f202c0 .text C:\Windows\System32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076dbc1d0 5 bytes JMP 0000000076f20300 .text C:\Windows\System32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076dbc210 5 bytes JMP 0000000076f203b0 .text C:\Windows\System32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076dbc250 5 bytes JMP 0000000076f20440 .text C:\Windows\System32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076dbc260 5 bytes JMP 0000000076f203e0 .text C:\Windows\System32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076dbc3c0 5 bytes JMP 0000000076f20220 .text C:\Windows\System32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076dbc580 5 bytes JMP 0000000076f204a0 .text C:\Windows\System32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076dbc5b0 5 bytes JMP 0000000076f20390 .text C:\Windows\System32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076dbc690 5 bytes JMP 0000000076f202e0 .text C:\Windows\System32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076dbc6a0 5 bytes JMP 0000000076f20340 .text C:\Windows\System32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076dbc700 5 bytes JMP 0000000076f20280 .text C:\Windows\System32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076dbc790 5 bytes JMP 0000000076f202a0 .text C:\Windows\System32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076dbc7b0 5 bytes JMP 0000000076f203c0 .text C:\Windows\System32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076dbc7c0 5 bytes JMP 0000000076f20320 .text C:\Windows\System32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076dbc830 5 bytes JMP 0000000076f20410 .text C:\Windows\System32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076dbc860 5 bytes JMP 0000000076f20230 .text C:\Windows\System32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000076dbca00 5 bytes JMP 0000000076f203f0 .text C:\Windows\System32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076dbcb20 5 bytes JMP 0000000076f201d0 .text C:\Windows\System32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076dbcbe0 5 bytes JMP 0000000076f20240 .text C:\Windows\System32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076dbcc10 5 bytes JMP 0000000076f204b0 .text C:\Windows\System32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076dbcc20 5 bytes JMP 0000000076f204c0 .text C:\Windows\System32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076dbcc50 5 bytes JMP 0000000076f202f0 .text C:\Windows\System32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076dbcc60 5 bytes JMP 0000000076f20350 .text C:\Windows\System32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076dbccc0 5 bytes JMP 0000000076f20290 .text C:\Windows\System32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076dbcd10 5 bytes JMP 0000000076f202b0 .text C:\Windows\System32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076dbcd40 5 bytes JMP 0000000076f20370 .text C:\Windows\System32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076dbcd50 5 bytes JMP 0000000076f20330 .text C:\Windows\System32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076dbd040 5 bytes JMP 0000000076f20460 .text C:\Windows\System32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000076dbd1a0 5 bytes JMP 0000000076f20420 .text C:\Windows\System32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076dbd240 5 bytes JMP 0000000076f20250 .text C:\Windows\System32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076dbd250 5 bytes JMP 0000000076f20260 .text C:\Windows\System32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076dbd260 5 bytes JMP 0000000076f20400 .text C:\Windows\System32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076dbd420 5 bytes JMP 0000000076f201e0 .text C:\Windows\System32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076dbd430 5 bytes JMP 0000000076f20200 .text C:\Windows\System32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076dbd4a0 5 bytes JMP 0000000076f201f0 .text C:\Windows\System32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076dbd500 5 bytes JMP 0000000076f20430 .text C:\Windows\System32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076dbd510 5 bytes JMP 0000000076f20450 .text C:\Windows\System32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076dbd520 5 bytes JMP 0000000076f20210 .text C:\Windows\System32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076dbd600 5 bytes JMP 0000000076f20270 .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076dbbde0 5 bytes JMP 0000000076f20480 .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076dbbe30 5 bytes JMP 0000000076f20470 .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076dbbf90 5 bytes JMP 0000000076f20360 .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076dbbfe0 5 bytes JMP 0000000076f20490 .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076dbbff0 5 bytes JMP 0000000076f203d0 .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076dbc0a0 5 bytes JMP 0000000076f20310 .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076dbc0d0 5 bytes JMP 0000000076f203a0 .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076dbc0f0 1 byte JMP 0000000076f20380 .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 0000000076dbc0f2 3 bytes {JMP 0x164290} .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076dbc130 5 bytes JMP 0000000076f202d0 .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076dbc1b0 5 bytes JMP 0000000076f202c0 .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076dbc1d0 5 bytes JMP 0000000076f20300 .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076dbc210 5 bytes JMP 0000000076f203b0 .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076dbc250 5 bytes JMP 0000000076f20440 .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076dbc260 5 bytes JMP 0000000076f203e0 .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076dbc3c0 5 bytes JMP 0000000076f20220 .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076dbc580 5 bytes JMP 0000000076f204a0 .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076dbc5b0 5 bytes JMP 0000000076f20390 .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076dbc690 5 bytes JMP 0000000076f202e0 .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076dbc6a0 5 bytes JMP 0000000076f20340 .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076dbc700 5 bytes JMP 0000000076f20280 .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076dbc790 5 bytes JMP 0000000076f202a0 .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076dbc7b0 5 bytes JMP 0000000076f203c0 .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076dbc7c0 5 bytes JMP 0000000076f20320 .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076dbc830 5 bytes JMP 0000000076f20410 .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076dbc860 5 bytes JMP 0000000076f20230 .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000076dbca00 5 bytes JMP 0000000076f203f0 .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076dbcb20 5 bytes JMP 0000000076f201d0 .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076dbcbe0 5 bytes JMP 0000000076f20240 .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076dbcc10 5 bytes JMP 0000000076f204b0 .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076dbcc20 5 bytes JMP 0000000076f204c0 .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076dbcc50 5 bytes JMP 0000000076f202f0 .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076dbcc60 5 bytes JMP 0000000076f20350 .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076dbccc0 5 bytes JMP 0000000076f20290 .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076dbcd10 5 bytes JMP 0000000076f202b0 .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076dbcd40 5 bytes JMP 0000000076f20370 .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076dbcd50 5 bytes JMP 0000000076f20330 .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076dbd040 5 bytes JMP 0000000076f20460 .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000076dbd1a0 5 bytes JMP 0000000076f20420 .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076dbd240 5 bytes JMP 0000000076f20250 .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076dbd250 5 bytes JMP 0000000076f20260 .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076dbd260 5 bytes JMP 0000000076f20400 .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076dbd420 5 bytes JMP 0000000076f201e0 .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076dbd430 5 bytes JMP 0000000076f20200 .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076dbd4a0 5 bytes JMP 0000000076f201f0 .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076dbd500 5 bytes JMP 0000000076f20430 .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076dbd510 5 bytes JMP 0000000076f20450 .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076dbd520 5 bytes JMP 0000000076f20210 .text C:\Windows\system32\svchost.exe[1040] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076dbd600 5 bytes JMP 0000000076f20270 .text C:\Windows\system32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076dbbde0 5 bytes JMP 0000000076f20480 .text C:\Windows\system32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076dbbe30 5 bytes JMP 0000000076f20470 .text C:\Windows\system32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076dbbf90 5 bytes JMP 0000000076f20360 .text C:\Windows\system32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076dbbfe0 5 bytes JMP 0000000076f20490 .text C:\Windows\system32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076dbbff0 5 bytes JMP 0000000076f203d0 .text C:\Windows\system32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076dbc0a0 5 bytes JMP 0000000076f20310 .text C:\Windows\system32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076dbc0d0 5 bytes JMP 0000000076f203a0 .text C:\Windows\system32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076dbc0f0 1 byte JMP 0000000076f20380 .text C:\Windows\system32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 0000000076dbc0f2 3 bytes {JMP 0x164290} .text C:\Windows\system32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076dbc130 5 bytes JMP 0000000076f202d0 .text C:\Windows\system32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076dbc1b0 5 bytes JMP 0000000076f202c0 .text C:\Windows\system32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076dbc1d0 5 bytes JMP 0000000076f20300 .text C:\Windows\system32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076dbc210 5 bytes JMP 0000000076f203b0 .text C:\Windows\system32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076dbc250 5 bytes JMP 0000000076f20440 .text C:\Windows\system32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076dbc260 5 bytes JMP 0000000076f203e0 .text C:\Windows\system32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076dbc3c0 5 bytes JMP 0000000076f20220 .text C:\Windows\system32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076dbc580 5 bytes JMP 0000000076f204a0 .text C:\Windows\system32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076dbc5b0 5 bytes JMP 0000000076f20390 .text C:\Windows\system32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076dbc690 5 bytes JMP 0000000076f202e0 .text C:\Windows\system32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076dbc6a0 5 bytes JMP 0000000076f20340 .text C:\Windows\system32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076dbc700 5 bytes JMP 0000000076f20280 .text C:\Windows\system32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076dbc790 5 bytes JMP 0000000076f202a0 .text C:\Windows\system32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076dbc7b0 5 bytes JMP 0000000076f203c0 .text C:\Windows\system32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076dbc7c0 5 bytes JMP 0000000076f20320 .text C:\Windows\system32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076dbc830 5 bytes JMP 0000000076f20410 .text C:\Windows\system32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076dbc860 5 bytes JMP 0000000076f20230 .text C:\Windows\system32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000076dbca00 5 bytes JMP 0000000076f203f0 .text C:\Windows\system32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076dbcb20 5 bytes JMP 0000000076f201d0 .text C:\Windows\system32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076dbcbe0 5 bytes JMP 0000000076f20240 .text C:\Windows\system32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076dbcc10 5 bytes JMP 0000000076f204b0 .text C:\Windows\system32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076dbcc20 5 bytes JMP 0000000076f204c0 .text C:\Windows\system32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076dbcc50 5 bytes JMP 0000000076f202f0 .text C:\Windows\system32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076dbcc60 5 bytes JMP 0000000076f20350 .text C:\Windows\system32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076dbccc0 5 bytes JMP 0000000076f20290 .text C:\Windows\system32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076dbcd10 5 bytes JMP 0000000076f202b0 .text C:\Windows\system32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076dbcd40 5 bytes JMP 0000000076f20370 .text C:\Windows\system32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076dbcd50 5 bytes JMP 0000000076f20330 .text C:\Windows\system32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076dbd040 5 bytes JMP 0000000076f20460 .text C:\Windows\system32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000076dbd1a0 5 bytes JMP 0000000076f20420 .text C:\Windows\system32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076dbd240 5 bytes JMP 0000000076f20250 .text C:\Windows\system32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076dbd250 5 bytes JMP 0000000076f20260 .text C:\Windows\system32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076dbd260 5 bytes JMP 0000000076f20400 .text C:\Windows\system32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076dbd420 5 bytes JMP 0000000076f201e0 .text C:\Windows\system32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076dbd430 5 bytes JMP 0000000076f20200 .text C:\Windows\system32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076dbd4a0 5 bytes JMP 0000000076f201f0 .text C:\Windows\system32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076dbd500 5 bytes JMP 0000000076f20430 .text C:\Windows\system32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076dbd510 5 bytes JMP 0000000076f20450 .text C:\Windows\system32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076dbd520 5 bytes JMP 0000000076f20210 .text C:\Windows\system32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076dbd600 5 bytes JMP 0000000076f20270 .text C:\Windows\system32\svchost.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076dbbde0 5 bytes JMP 0000000076f20480 .text C:\Windows\system32\svchost.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076dbbe30 5 bytes JMP 0000000076f20470 .text C:\Windows\system32\svchost.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076dbbf90 5 bytes JMP 0000000076f20360 .text C:\Windows\system32\svchost.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076dbbfe0 5 bytes JMP 0000000076f20490 .text C:\Windows\system32\svchost.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076dbbff0 5 bytes JMP 0000000076f203d0 .text C:\Windows\system32\svchost.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076dbc0a0 5 bytes JMP 0000000076f20310 .text C:\Windows\system32\svchost.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076dbc0d0 5 bytes JMP 0000000076f203a0 .text C:\Windows\system32\svchost.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076dbc0f0 1 byte JMP 0000000076f20380 .text C:\Windows\system32\svchost.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 0000000076dbc0f2 3 bytes {JMP 0x164290} .text C:\Windows\system32\svchost.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076dbc130 5 bytes JMP 0000000076f202d0 .text C:\Windows\system32\svchost.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076dbc1b0 5 bytes JMP 0000000076f202c0 .text C:\Windows\system32\svchost.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076dbc1d0 5 bytes JMP 0000000076f20300 .text C:\Windows\system32\svchost.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076dbc210 5 bytes JMP 0000000076f203b0 .text C:\Windows\system32\svchost.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076dbc250 5 bytes JMP 0000000076f20440 .text C:\Windows\system32\svchost.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076dbc260 5 bytes JMP 0000000076f203e0 .text C:\Windows\system32\svchost.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076dbc3c0 5 bytes JMP 0000000076f20220 .text C:\Windows\system32\svchost.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076dbc580 5 bytes JMP 0000000076f204a0 .text C:\Windows\system32\svchost.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076dbc5b0 5 bytes JMP 0000000076f20390 .text C:\Windows\system32\svchost.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076dbc690 5 bytes JMP 0000000076f202e0 .text C:\Windows\system32\svchost.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076dbc6a0 5 bytes JMP 0000000076f20340 .text C:\Windows\system32\svchost.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076dbc700 5 bytes JMP 0000000076f20280 .text C:\Windows\system32\svchost.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076dbc790 5 bytes JMP 0000000076f202a0 .text C:\Windows\system32\svchost.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076dbc7b0 5 bytes JMP 0000000076f203c0 .text C:\Windows\system32\svchost.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076dbc7c0 5 bytes JMP 0000000076f20320 .text C:\Windows\system32\svchost.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076dbc830 5 bytes JMP 0000000076f20410 .text C:\Windows\system32\svchost.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076dbc860 5 bytes JMP 0000000076f20230 .text C:\Windows\system32\svchost.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000076dbca00 5 bytes JMP 0000000076f203f0 .text C:\Windows\system32\svchost.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076dbcb20 5 bytes JMP 0000000076f201d0 .text C:\Windows\system32\svchost.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076dbcbe0 5 bytes JMP 0000000076f20240 .text C:\Windows\system32\svchost.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076dbcc10 5 bytes JMP 0000000076f204b0 .text C:\Windows\system32\svchost.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076dbcc20 5 bytes JMP 0000000076f204c0 .text C:\Windows\system32\svchost.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076dbcc50 5 bytes JMP 0000000076f202f0 .text C:\Windows\system32\svchost.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076dbcc60 5 bytes JMP 0000000076f20350 .text C:\Windows\system32\svchost.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076dbccc0 5 bytes JMP 0000000076f20290 .text C:\Windows\system32\svchost.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076dbcd10 5 bytes JMP 0000000076f202b0 .text C:\Windows\system32\svchost.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076dbcd40 5 bytes JMP 0000000076f20370 .text C:\Windows\system32\svchost.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076dbcd50 5 bytes JMP 0000000076f20330 .text C:\Windows\system32\svchost.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076dbd040 5 bytes JMP 0000000076f20460 .text C:\Windows\system32\svchost.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000076dbd1a0 5 bytes JMP 0000000076f20420 .text C:\Windows\system32\svchost.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076dbd240 5 bytes JMP 0000000076f20250 .text C:\Windows\system32\svchost.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076dbd250 5 bytes JMP 0000000076f20260 .text C:\Windows\system32\svchost.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076dbd260 5 bytes JMP 0000000076f20400 .text C:\Windows\system32\svchost.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076dbd420 5 bytes JMP 0000000076f201e0 .text C:\Windows\system32\svchost.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076dbd430 5 bytes JMP 0000000076f20200 .text C:\Windows\system32\svchost.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076dbd4a0 5 bytes JMP 0000000076f201f0 .text C:\Windows\system32\svchost.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076dbd500 5 bytes JMP 0000000076f20430 .text C:\Windows\system32\svchost.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076dbd510 5 bytes JMP 0000000076f20450 .text C:\Windows\system32\svchost.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076dbd520 5 bytes JMP 0000000076f20210 .text C:\Windows\system32\svchost.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076dbd600 5 bytes JMP 0000000076f20270 .text C:\Windows\system32\svchost.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076dbbde0 5 bytes JMP 0000000076f20480 .text C:\Windows\system32\svchost.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076dbbe30 5 bytes JMP 0000000076f20470 .text C:\Windows\system32\svchost.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076dbbf90 5 bytes JMP 0000000076f20360 .text C:\Windows\system32\svchost.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076dbbfe0 5 bytes JMP 0000000076f20490 .text C:\Windows\system32\svchost.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076dbbff0 5 bytes JMP 0000000076f203d0 .text C:\Windows\system32\svchost.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076dbc0a0 5 bytes JMP 0000000076f20310 .text C:\Windows\system32\svchost.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076dbc0d0 5 bytes JMP 0000000076f203a0 .text C:\Windows\system32\svchost.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076dbc0f0 1 byte JMP 0000000076f20380 .text C:\Windows\system32\svchost.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 0000000076dbc0f2 3 bytes {JMP 0x164290} .text C:\Windows\system32\svchost.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076dbc130 5 bytes JMP 0000000076f202d0 .text C:\Windows\system32\svchost.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076dbc1b0 5 bytes JMP 0000000076f202c0 .text C:\Windows\system32\svchost.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076dbc1d0 5 bytes JMP 0000000076f20300 .text C:\Windows\system32\svchost.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076dbc210 5 bytes JMP 0000000076f203b0 .text C:\Windows\system32\svchost.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076dbc250 5 bytes JMP 0000000076f20440 .text C:\Windows\system32\svchost.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076dbc260 5 bytes JMP 0000000076f203e0 .text C:\Windows\system32\svchost.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076dbc3c0 5 bytes JMP 0000000076f20220 .text C:\Windows\system32\svchost.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076dbc580 5 bytes JMP 0000000076f204a0 .text C:\Windows\system32\svchost.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076dbc5b0 5 bytes JMP 0000000076f20390 .text C:\Windows\system32\svchost.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076dbc690 5 bytes JMP 0000000076f202e0 .text C:\Windows\system32\svchost.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076dbc6a0 5 bytes JMP 0000000076f20340 .text C:\Windows\system32\svchost.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076dbc700 5 bytes JMP 0000000076f20280 .text C:\Windows\system32\svchost.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076dbc790 5 bytes JMP 0000000076f202a0 .text C:\Windows\system32\svchost.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076dbc7b0 5 bytes JMP 0000000076f203c0 .text C:\Windows\system32\svchost.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076dbc7c0 5 bytes JMP 0000000076f20320 .text C:\Windows\system32\svchost.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076dbc830 5 bytes JMP 0000000076f20410 .text C:\Windows\system32\svchost.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076dbc860 5 bytes JMP 0000000076f20230 .text C:\Windows\system32\svchost.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000076dbca00 5 bytes JMP 0000000076f203f0 .text C:\Windows\system32\svchost.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076dbcb20 5 bytes JMP 0000000076f201d0 .text C:\Windows\system32\svchost.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076dbcbe0 5 bytes JMP 0000000076f20240 .text C:\Windows\system32\svchost.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076dbcc10 5 bytes JMP 0000000076f204b0 .text C:\Windows\system32\svchost.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076dbcc20 5 bytes JMP 0000000076f204c0 .text C:\Windows\system32\svchost.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076dbcc50 5 bytes JMP 0000000076f202f0 .text C:\Windows\system32\svchost.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076dbcc60 5 bytes JMP 0000000076f20350 .text C:\Windows\system32\svchost.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076dbccc0 5 bytes JMP 0000000076f20290 .text C:\Windows\system32\svchost.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076dbcd10 5 bytes JMP 0000000076f202b0 .text C:\Windows\system32\svchost.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076dbcd40 5 bytes JMP 0000000076f20370 .text C:\Windows\system32\svchost.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076dbcd50 5 bytes JMP 0000000076f20330 .text C:\Windows\system32\svchost.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076dbd040 5 bytes JMP 0000000076f20460 .text C:\Windows\system32\svchost.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000076dbd1a0 5 bytes JMP 0000000076f20420 .text C:\Windows\system32\svchost.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076dbd240 5 bytes JMP 0000000076f20250 .text C:\Windows\system32\svchost.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076dbd250 5 bytes JMP 0000000076f20260 .text C:\Windows\system32\svchost.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076dbd260 5 bytes JMP 0000000076f20400 .text C:\Windows\system32\svchost.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076dbd420 5 bytes JMP 0000000076f201e0 .text C:\Windows\system32\svchost.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076dbd430 5 bytes JMP 0000000076f20200 .text C:\Windows\system32\svchost.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076dbd4a0 5 bytes JMP 0000000076f201f0 .text C:\Windows\system32\svchost.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076dbd500 5 bytes JMP 0000000076f20430 .text C:\Windows\system32\svchost.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076dbd510 5 bytes JMP 0000000076f20450 .text C:\Windows\system32\svchost.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076dbd520 5 bytes JMP 0000000076f20210 .text C:\Windows\system32\svchost.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076dbd600 5 bytes JMP 0000000076f20270 .text C:\Windows\system32\taskeng.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076dbbde0 5 bytes JMP 0000000076f20480 .text C:\Windows\system32\taskeng.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076dbbe30 5 bytes JMP 0000000076f20470 .text C:\Windows\system32\taskeng.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076dbbf90 5 bytes JMP 0000000076f20360 .text C:\Windows\system32\taskeng.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076dbbfe0 5 bytes JMP 0000000076f20490 .text C:\Windows\system32\taskeng.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076dbbff0 5 bytes JMP 0000000076f203d0 .text C:\Windows\system32\taskeng.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076dbc0a0 5 bytes JMP 0000000076f20310 .text C:\Windows\system32\taskeng.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076dbc0d0 5 bytes JMP 0000000076f203a0 .text C:\Windows\system32\taskeng.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076dbc0f0 1 byte JMP 0000000076f20380 .text C:\Windows\system32\taskeng.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 0000000076dbc0f2 3 bytes {JMP 0x164290} .text C:\Windows\system32\taskeng.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076dbc130 5 bytes JMP 0000000076f202d0 .text C:\Windows\system32\taskeng.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076dbc1b0 5 bytes JMP 0000000076f202c0 .text C:\Windows\system32\taskeng.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076dbc1d0 5 bytes JMP 0000000076f20300 .text C:\Windows\system32\taskeng.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076dbc210 5 bytes JMP 0000000076f203b0 .text C:\Windows\system32\taskeng.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076dbc250 5 bytes JMP 0000000076f20440 .text C:\Windows\system32\taskeng.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076dbc260 5 bytes JMP 0000000076f203e0 .text C:\Windows\system32\taskeng.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076dbc3c0 5 bytes JMP 0000000076f20220 .text C:\Windows\system32\taskeng.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076dbc580 5 bytes JMP 0000000076f204a0 .text C:\Windows\system32\taskeng.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076dbc5b0 5 bytes JMP 0000000076f20390 .text C:\Windows\system32\taskeng.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076dbc690 5 bytes JMP 0000000076f202e0 .text C:\Windows\system32\taskeng.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076dbc6a0 5 bytes JMP 0000000076f20340 .text C:\Windows\system32\taskeng.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076dbc700 5 bytes JMP 0000000076f20280 .text C:\Windows\system32\taskeng.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076dbc790 5 bytes JMP 0000000076f202a0 .text C:\Windows\system32\taskeng.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076dbc7b0 5 bytes JMP 0000000076f203c0 .text C:\Windows\system32\taskeng.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076dbc7c0 5 bytes JMP 0000000076f20320 .text C:\Windows\system32\taskeng.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076dbc830 5 bytes JMP 0000000076f20410 .text C:\Windows\system32\taskeng.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076dbc860 5 bytes JMP 0000000076f20230 .text C:\Windows\system32\taskeng.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000076dbca00 5 bytes JMP 0000000076f203f0 .text C:\Windows\system32\taskeng.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076dbcb20 5 bytes JMP 0000000076f201d0 .text C:\Windows\system32\taskeng.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076dbcbe0 5 bytes JMP 0000000076f20240 .text C:\Windows\system32\taskeng.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076dbcc10 5 bytes JMP 0000000076f204b0 .text C:\Windows\system32\taskeng.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076dbcc20 5 bytes JMP 0000000076f204c0 .text C:\Windows\system32\taskeng.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076dbcc50 5 bytes JMP 0000000076f202f0 .text C:\Windows\system32\taskeng.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076dbcc60 5 bytes JMP 0000000076f20350 .text C:\Windows\system32\taskeng.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076dbccc0 5 bytes JMP 0000000076f20290 .text C:\Windows\system32\taskeng.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076dbcd10 5 bytes JMP 0000000076f202b0 .text C:\Windows\system32\taskeng.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076dbcd40 5 bytes JMP 0000000076f20370 .text C:\Windows\system32\taskeng.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076dbcd50 5 bytes JMP 0000000076f20330 .text C:\Windows\system32\taskeng.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076dbd040 5 bytes JMP 0000000076f20460 .text C:\Windows\system32\taskeng.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000076dbd1a0 5 bytes JMP 0000000076f20420 .text C:\Windows\system32\taskeng.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076dbd240 5 bytes JMP 0000000076f20250 .text C:\Windows\system32\taskeng.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076dbd250 5 bytes JMP 0000000076f20260 .text C:\Windows\system32\taskeng.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076dbd260 5 bytes JMP 0000000076f20400 .text C:\Windows\system32\taskeng.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076dbd420 5 bytes JMP 0000000076f201e0 .text C:\Windows\system32\taskeng.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076dbd430 5 bytes JMP 0000000076f20200 .text C:\Windows\system32\taskeng.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076dbd4a0 5 bytes JMP 0000000076f201f0 .text C:\Windows\system32\taskeng.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076dbd500 5 bytes JMP 0000000076f20430 .text C:\Windows\system32\taskeng.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076dbd510 5 bytes JMP 0000000076f20450 .text C:\Windows\system32\taskeng.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076dbd520 5 bytes JMP 0000000076f20210 .text C:\Windows\system32\taskeng.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076dbd600 5 bytes JMP 0000000076f20270 .text C:\Windows\system32\taskhost.exe[1648] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076dbbde0 5 bytes JMP 0000000000060480 .text C:\Windows\system32\taskhost.exe[1648] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076dbbe30 5 bytes JMP 0000000000060470 .text C:\Windows\system32\taskhost.exe[1648] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076dbbf90 5 bytes JMP 0000000000060360 .text C:\Windows\system32\taskhost.exe[1648] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076dbbfe0 5 bytes JMP 0000000000060490 .text C:\Windows\system32\taskhost.exe[1648] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076dbbff0 5 bytes JMP 00000000000603d0 .text C:\Windows\system32\taskhost.exe[1648] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076dbc0a0 5 bytes JMP 0000000000060310 .text C:\Windows\system32\taskhost.exe[1648] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076dbc0d0 5 bytes JMP 00000000000603a0 .text C:\Windows\system32\taskhost.exe[1648] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076dbc0f0 1 byte JMP 0000000000060380 .text C:\Windows\system32\taskhost.exe[1648] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 0000000076dbc0f2 3 bytes {JMP 0xffffffff892a4290} .text C:\Windows\system32\taskhost.exe[1648] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076dbc130 5 bytes JMP 00000000000602d0 .text C:\Windows\system32\taskhost.exe[1648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076dbc1b0 5 bytes JMP 00000000000602c0 .text C:\Windows\system32\taskhost.exe[1648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076dbc1d0 5 bytes JMP 0000000000060300 .text C:\Windows\system32\taskhost.exe[1648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076dbc210 5 bytes JMP 00000000000603b0 .text C:\Windows\system32\taskhost.exe[1648] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076dbc250 5 bytes JMP 0000000000060440 .text C:\Windows\system32\taskhost.exe[1648] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076dbc260 5 bytes JMP 00000000000603e0 .text C:\Windows\system32\taskhost.exe[1648] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076dbc3c0 5 bytes JMP 0000000000060220 .text C:\Windows\system32\taskhost.exe[1648] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076dbc580 5 bytes JMP 00000000000604a0 .text C:\Windows\system32\taskhost.exe[1648] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076dbc5b0 5 bytes JMP 0000000000060390 .text C:\Windows\system32\taskhost.exe[1648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076dbc690 5 bytes JMP 00000000000602e0 .text C:\Windows\system32\taskhost.exe[1648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076dbc6a0 5 bytes JMP 0000000000060340 .text C:\Windows\system32\taskhost.exe[1648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076dbc700 5 bytes JMP 0000000000060280 .text C:\Windows\system32\taskhost.exe[1648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076dbc790 5 bytes JMP 00000000000602a0 .text C:\Windows\system32\taskhost.exe[1648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076dbc7b0 5 bytes JMP 00000000000603c0 .text C:\Windows\system32\taskhost.exe[1648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076dbc7c0 5 bytes JMP 0000000000060320 .text C:\Windows\system32\taskhost.exe[1648] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076dbc830 5 bytes JMP 0000000000060410 .text C:\Windows\system32\taskhost.exe[1648] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076dbc860 5 bytes JMP 0000000000060230 .text C:\Windows\system32\taskhost.exe[1648] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000076dbca00 5 bytes JMP 00000000000603f0 .text C:\Windows\system32\taskhost.exe[1648] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076dbcb20 5 bytes JMP 00000000000601d0 .text C:\Windows\system32\taskhost.exe[1648] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076dbcbe0 5 bytes JMP 0000000000060240 .text C:\Windows\system32\taskhost.exe[1648] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076dbcc10 5 bytes JMP 00000000000604b0 .text C:\Windows\system32\taskhost.exe[1648] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076dbcc20 5 bytes JMP 00000000000604c0 .text C:\Windows\system32\taskhost.exe[1648] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076dbcc50 5 bytes JMP 00000000000602f0 .text C:\Windows\system32\taskhost.exe[1648] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076dbcc60 5 bytes JMP 0000000000060350 .text C:\Windows\system32\taskhost.exe[1648] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076dbccc0 5 bytes JMP 0000000000060290 .text C:\Windows\system32\taskhost.exe[1648] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076dbcd10 5 bytes JMP 00000000000602b0 .text C:\Windows\system32\taskhost.exe[1648] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076dbcd40 5 bytes JMP 0000000000060370 .text C:\Windows\system32\taskhost.exe[1648] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076dbcd50 5 bytes JMP 0000000000060330 .text C:\Windows\system32\taskhost.exe[1648] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076dbd040 5 bytes JMP 0000000000060460 .text C:\Windows\system32\taskhost.exe[1648] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000076dbd1a0 5 bytes JMP 0000000000060420 .text C:\Windows\system32\taskhost.exe[1648] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076dbd240 5 bytes JMP 0000000000060250 .text C:\Windows\system32\taskhost.exe[1648] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076dbd250 5 bytes JMP 0000000000060260 .text C:\Windows\system32\taskhost.exe[1648] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076dbd260 5 bytes JMP 0000000000060400 .text C:\Windows\system32\taskhost.exe[1648] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076dbd420 5 bytes JMP 00000000000601e0 .text C:\Windows\system32\taskhost.exe[1648] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076dbd430 5 bytes JMP 0000000000060200 .text C:\Windows\system32\taskhost.exe[1648] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076dbd4a0 5 bytes JMP 00000000000601f0 .text C:\Windows\system32\taskhost.exe[1648] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076dbd500 5 bytes JMP 0000000000060430 .text C:\Windows\system32\taskhost.exe[1648] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076dbd510 5 bytes JMP 0000000000060450 .text C:\Windows\system32\taskhost.exe[1648] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076dbd520 5 bytes JMP 0000000000060210 .text C:\Windows\system32\taskhost.exe[1648] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076dbd600 5 bytes JMP 0000000000060270 .text C:\Windows\system32\svchost.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076dbbde0 5 bytes JMP 0000000076f20480 .text C:\Windows\system32\svchost.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076dbbe30 5 bytes JMP 0000000076f20470 .text C:\Windows\system32\svchost.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076dbbf90 5 bytes JMP 0000000076f20360 .text C:\Windows\system32\svchost.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076dbbfe0 5 bytes JMP 0000000076f20490 .text C:\Windows\system32\svchost.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076dbbff0 5 bytes JMP 0000000076f203d0 .text C:\Windows\system32\svchost.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076dbc0a0 5 bytes JMP 0000000076f20310 .text C:\Windows\system32\svchost.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076dbc0d0 5 bytes JMP 0000000076f203a0 .text C:\Windows\system32\svchost.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076dbc0f0 1 byte JMP 0000000076f20380 .text C:\Windows\system32\svchost.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 0000000076dbc0f2 3 bytes {JMP 0x164290} .text C:\Windows\system32\svchost.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076dbc130 5 bytes JMP 0000000076f202d0 .text C:\Windows\system32\svchost.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076dbc1b0 5 bytes JMP 0000000076f202c0 .text C:\Windows\system32\svchost.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076dbc1d0 5 bytes JMP 0000000076f20300 .text C:\Windows\system32\svchost.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076dbc210 5 bytes JMP 0000000076f203b0 .text C:\Windows\system32\svchost.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076dbc250 5 bytes JMP 0000000076f20440 .text C:\Windows\system32\svchost.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076dbc260 5 bytes JMP 0000000076f203e0 .text C:\Windows\system32\svchost.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076dbc3c0 5 bytes JMP 0000000076f20220 .text C:\Windows\system32\svchost.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076dbc580 5 bytes JMP 0000000076f204a0 .text C:\Windows\system32\svchost.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076dbc5b0 5 bytes JMP 0000000076f20390 .text C:\Windows\system32\svchost.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076dbc690 5 bytes JMP 0000000076f202e0 .text C:\Windows\system32\svchost.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076dbc6a0 5 bytes JMP 0000000076f20340 .text C:\Windows\system32\svchost.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076dbc700 5 bytes JMP 0000000076f20280 .text C:\Windows\system32\svchost.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076dbc790 5 bytes JMP 0000000076f202a0 .text C:\Windows\system32\svchost.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076dbc7b0 5 bytes JMP 0000000076f203c0 .text C:\Windows\system32\svchost.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076dbc7c0 5 bytes JMP 0000000076f20320 .text C:\Windows\system32\svchost.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076dbc830 5 bytes JMP 0000000076f20410 .text C:\Windows\system32\svchost.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076dbc860 5 bytes JMP 0000000076f20230 .text C:\Windows\system32\svchost.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000076dbca00 5 bytes JMP 0000000076f203f0 .text C:\Windows\system32\svchost.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076dbcb20 5 bytes JMP 0000000076f201d0 .text C:\Windows\system32\svchost.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076dbcbe0 5 bytes JMP 0000000076f20240 .text C:\Windows\system32\svchost.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076dbcc10 5 bytes JMP 0000000076f204b0 .text C:\Windows\system32\svchost.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076dbcc20 5 bytes JMP 0000000076f204c0 .text C:\Windows\system32\svchost.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076dbcc50 5 bytes JMP 0000000076f202f0 .text C:\Windows\system32\svchost.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076dbcc60 5 bytes JMP 0000000076f20350 .text C:\Windows\system32\svchost.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076dbccc0 5 bytes JMP 0000000076f20290 .text C:\Windows\system32\svchost.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076dbcd10 5 bytes JMP 0000000076f202b0 .text C:\Windows\system32\svchost.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076dbcd40 5 bytes JMP 0000000076f20370 .text C:\Windows\system32\svchost.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076dbcd50 5 bytes JMP 0000000076f20330 .text C:\Windows\system32\svchost.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076dbd040 5 bytes JMP 0000000076f20460 .text C:\Windows\system32\svchost.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000076dbd1a0 5 bytes JMP 0000000076f20420 .text C:\Windows\system32\svchost.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076dbd240 5 bytes JMP 0000000076f20250 .text C:\Windows\system32\svchost.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076dbd250 5 bytes JMP 0000000076f20260 .text C:\Windows\system32\svchost.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076dbd260 5 bytes JMP 0000000076f20400 .text C:\Windows\system32\svchost.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076dbd420 5 bytes JMP 0000000076f201e0 .text C:\Windows\system32\svchost.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076dbd430 5 bytes JMP 0000000076f20200 .text C:\Windows\system32\svchost.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076dbd4a0 5 bytes JMP 0000000076f201f0 .text C:\Windows\system32\svchost.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076dbd500 5 bytes JMP 0000000076f20430 .text C:\Windows\system32\svchost.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076dbd510 5 bytes JMP 0000000076f20450 .text C:\Windows\system32\svchost.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076dbd520 5 bytes JMP 0000000076f20210 .text C:\Windows\system32\svchost.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076dbd600 5 bytes JMP 0000000076f20270 .text C:\Windows\system32\Dwm.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076dbbde0 5 bytes JMP 0000000076f20480 .text C:\Windows\system32\Dwm.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076dbbe30 5 bytes JMP 0000000076f20470 .text C:\Windows\system32\Dwm.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076dbbf90 5 bytes JMP 0000000076f20360 .text C:\Windows\system32\Dwm.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076dbbfe0 5 bytes JMP 0000000076f20490 .text C:\Windows\system32\Dwm.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076dbbff0 5 bytes JMP 0000000076f203d0 .text C:\Windows\system32\Dwm.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076dbc0a0 5 bytes JMP 0000000076f20310 .text C:\Windows\system32\Dwm.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076dbc0d0 5 bytes JMP 0000000076f203a0 .text C:\Windows\system32\Dwm.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076dbc0f0 1 byte JMP 0000000076f20380 .text C:\Windows\system32\Dwm.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 0000000076dbc0f2 3 bytes {JMP 0x164290} .text C:\Windows\system32\Dwm.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076dbc130 5 bytes JMP 0000000076f202d0 .text C:\Windows\system32\Dwm.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076dbc1b0 5 bytes JMP 0000000076f202c0 .text C:\Windows\system32\Dwm.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076dbc1d0 5 bytes JMP 0000000076f20300 .text C:\Windows\system32\Dwm.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076dbc210 5 bytes JMP 0000000076f203b0 .text C:\Windows\system32\Dwm.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076dbc250 5 bytes JMP 0000000076f20440 .text C:\Windows\system32\Dwm.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076dbc260 5 bytes JMP 0000000076f203e0 .text C:\Windows\system32\Dwm.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076dbc3c0 5 bytes JMP 0000000076f20220 .text C:\Windows\system32\Dwm.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076dbc580 5 bytes JMP 0000000076f204a0 .text C:\Windows\system32\Dwm.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076dbc5b0 5 bytes JMP 0000000076f20390 .text C:\Windows\system32\Dwm.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076dbc690 5 bytes JMP 0000000076f202e0 .text C:\Windows\system32\Dwm.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076dbc6a0 5 bytes JMP 0000000076f20340 .text C:\Windows\system32\Dwm.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076dbc700 5 bytes JMP 0000000076f20280 .text C:\Windows\system32\Dwm.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076dbc790 5 bytes JMP 0000000076f202a0 .text C:\Windows\system32\Dwm.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076dbc7b0 5 bytes JMP 0000000076f203c0 .text C:\Windows\system32\Dwm.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076dbc7c0 5 bytes JMP 0000000076f20320 .text C:\Windows\system32\Dwm.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076dbc830 5 bytes JMP 0000000076f20410 .text C:\Windows\system32\Dwm.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076dbc860 5 bytes JMP 0000000076f20230 .text C:\Windows\system32\Dwm.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000076dbca00 5 bytes JMP 0000000076f203f0 .text C:\Windows\system32\Dwm.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076dbcb20 5 bytes JMP 0000000076f201d0 .text C:\Windows\system32\Dwm.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076dbcbe0 5 bytes JMP 0000000076f20240 .text C:\Windows\system32\Dwm.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076dbcc10 5 bytes JMP 0000000076f204b0 .text C:\Windows\system32\Dwm.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076dbcc20 5 bytes JMP 0000000076f204c0 .text C:\Windows\system32\Dwm.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076dbcc50 5 bytes JMP 0000000076f202f0 .text C:\Windows\system32\Dwm.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076dbcc60 5 bytes JMP 0000000076f20350 .text C:\Windows\system32\Dwm.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076dbccc0 5 bytes JMP 0000000076f20290 .text C:\Windows\system32\Dwm.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076dbcd10 5 bytes JMP 0000000076f202b0 .text C:\Windows\system32\Dwm.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076dbcd40 5 bytes JMP 0000000076f20370 .text C:\Windows\system32\Dwm.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076dbcd50 5 bytes JMP 0000000076f20330 .text C:\Windows\system32\Dwm.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076dbd040 5 bytes JMP 0000000076f20460 .text C:\Windows\system32\Dwm.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000076dbd1a0 5 bytes JMP 0000000076f20420 .text C:\Windows\system32\Dwm.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076dbd240 5 bytes JMP 0000000076f20250 .text C:\Windows\system32\Dwm.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076dbd250 5 bytes JMP 0000000076f20260 .text C:\Windows\system32\Dwm.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076dbd260 5 bytes JMP 0000000076f20400 .text C:\Windows\system32\Dwm.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076dbd420 5 bytes JMP 0000000076f201e0 .text C:\Windows\system32\Dwm.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076dbd430 5 bytes JMP 0000000076f20200 .text C:\Windows\system32\Dwm.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076dbd4a0 5 bytes JMP 0000000076f201f0 .text C:\Windows\system32\Dwm.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076dbd500 5 bytes JMP 0000000076f20430 .text C:\Windows\system32\Dwm.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076dbd510 5 bytes JMP 0000000076f20450 .text C:\Windows\system32\Dwm.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076dbd520 5 bytes JMP 0000000076f20210 .text C:\Windows\system32\Dwm.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076dbd600 5 bytes JMP 0000000076f20270 .text C:\Windows\Explorer.EXE[1836] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076dbbde0 5 bytes JMP 0000000076f20480 .text C:\Windows\Explorer.EXE[1836] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076dbbe30 5 bytes JMP 0000000076f20470 .text C:\Windows\Explorer.EXE[1836] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076dbbf90 5 bytes JMP 0000000076f20360 .text C:\Windows\Explorer.EXE[1836] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076dbbfe0 5 bytes JMP 0000000076f20490 .text C:\Windows\Explorer.EXE[1836] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076dbbff0 5 bytes JMP 0000000076f203d0 .text C:\Windows\Explorer.EXE[1836] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076dbc0a0 5 bytes JMP 0000000076f20310 .text C:\Windows\Explorer.EXE[1836] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076dbc0d0 5 bytes JMP 0000000076f203a0 .text C:\Windows\Explorer.EXE[1836] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076dbc0f0 1 byte JMP 0000000076f20380 .text C:\Windows\Explorer.EXE[1836] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 0000000076dbc0f2 3 bytes {JMP 0x164290} .text C:\Windows\Explorer.EXE[1836] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076dbc130 5 bytes JMP 0000000076f202d0 .text C:\Windows\Explorer.EXE[1836] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076dbc1b0 5 bytes JMP 0000000076f202c0 .text C:\Windows\Explorer.EXE[1836] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076dbc1d0 5 bytes JMP 0000000076f20300 .text C:\Windows\Explorer.EXE[1836] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076dbc210 5 bytes JMP 0000000076f203b0 .text C:\Windows\Explorer.EXE[1836] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076dbc250 5 bytes JMP 0000000076f20440 .text C:\Windows\Explorer.EXE[1836] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076dbc260 5 bytes JMP 0000000076f203e0 .text C:\Windows\Explorer.EXE[1836] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076dbc3c0 5 bytes JMP 0000000076f20220 .text C:\Windows\Explorer.EXE[1836] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076dbc580 5 bytes JMP 0000000076f204a0 .text C:\Windows\Explorer.EXE[1836] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076dbc5b0 5 bytes JMP 0000000076f20390 .text C:\Windows\Explorer.EXE[1836] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076dbc690 5 bytes JMP 0000000076f202e0 .text C:\Windows\Explorer.EXE[1836] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076dbc6a0 5 bytes JMP 0000000076f20340 .text C:\Windows\Explorer.EXE[1836] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076dbc700 5 bytes JMP 0000000076f20280 .text C:\Windows\Explorer.EXE[1836] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076dbc790 5 bytes JMP 0000000076f202a0 .text C:\Windows\Explorer.EXE[1836] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076dbc7b0 5 bytes JMP 0000000076f203c0 .text C:\Windows\Explorer.EXE[1836] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076dbc7c0 5 bytes JMP 0000000076f20320 .text C:\Windows\Explorer.EXE[1836] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076dbc830 5 bytes JMP 0000000076f20410 .text C:\Windows\Explorer.EXE[1836] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076dbc860 5 bytes JMP 0000000076f20230 .text C:\Windows\Explorer.EXE[1836] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000076dbca00 5 bytes JMP 0000000076f203f0 .text C:\Windows\Explorer.EXE[1836] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076dbcb20 5 bytes JMP 0000000076f201d0 .text C:\Windows\Explorer.EXE[1836] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076dbcbe0 5 bytes JMP 0000000076f20240 .text C:\Windows\Explorer.EXE[1836] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076dbcc10 5 bytes JMP 0000000076f204b0 .text C:\Windows\Explorer.EXE[1836] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076dbcc20 5 bytes JMP 0000000076f204c0 .text C:\Windows\Explorer.EXE[1836] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076dbcc50 5 bytes JMP 0000000076f202f0 .text C:\Windows\Explorer.EXE[1836] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076dbcc60 5 bytes JMP 0000000076f20350 .text C:\Windows\Explorer.EXE[1836] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076dbccc0 5 bytes JMP 0000000076f20290 .text C:\Windows\Explorer.EXE[1836] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076dbcd10 5 bytes JMP 0000000076f202b0 .text C:\Windows\Explorer.EXE[1836] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076dbcd40 5 bytes JMP 0000000076f20370 .text C:\Windows\Explorer.EXE[1836] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076dbcd50 5 bytes JMP 0000000076f20330 .text C:\Windows\Explorer.EXE[1836] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076dbd040 5 bytes JMP 0000000076f20460 .text C:\Windows\Explorer.EXE[1836] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000076dbd1a0 5 bytes JMP 0000000076f20420 .text C:\Windows\Explorer.EXE[1836] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076dbd240 5 bytes JMP 0000000076f20250 .text C:\Windows\Explorer.EXE[1836] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076dbd250 5 bytes JMP 0000000076f20260 .text C:\Windows\Explorer.EXE[1836] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076dbd260 5 bytes JMP 0000000076f20400 .text C:\Windows\Explorer.EXE[1836] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076dbd420 5 bytes JMP 0000000076f201e0 .text C:\Windows\Explorer.EXE[1836] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076dbd430 5 bytes JMP 0000000076f20200 .text C:\Windows\Explorer.EXE[1836] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076dbd4a0 5 bytes JMP 0000000076f201f0 .text C:\Windows\Explorer.EXE[1836] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076dbd500 5 bytes JMP 0000000076f20430 .text C:\Windows\Explorer.EXE[1836] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076dbd510 5 bytes JMP 0000000076f20450 .text C:\Windows\Explorer.EXE[1836] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076dbd520 5 bytes JMP 0000000076f20210 .text C:\Windows\Explorer.EXE[1836] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076dbd600 5 bytes JMP 0000000076f20270 .text C:\Windows\System32\svchost.exe[2012] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076dbbde0 5 bytes JMP 0000000000070480 .text C:\Windows\System32\svchost.exe[2012] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076dbbe30 5 bytes JMP 0000000000070470 .text C:\Windows\System32\svchost.exe[2012] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076dbbf90 5 bytes JMP 0000000000070360 .text C:\Windows\System32\svchost.exe[2012] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076dbbfe0 5 bytes JMP 0000000000070490 .text C:\Windows\System32\svchost.exe[2012] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076dbbff0 5 bytes JMP 00000000000703d0 .text C:\Windows\System32\svchost.exe[2012] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076dbc0a0 5 bytes JMP 0000000000070310 .text C:\Windows\System32\svchost.exe[2012] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076dbc0d0 5 bytes JMP 00000000000703a0 .text C:\Windows\System32\svchost.exe[2012] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076dbc0f0 1 byte JMP 0000000000070380 .text C:\Windows\System32\svchost.exe[2012] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 0000000076dbc0f2 3 bytes {JMP 0xffffffff892b4290} .text C:\Windows\System32\svchost.exe[2012] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076dbc130 5 bytes JMP 00000000000702d0 .text C:\Windows\System32\svchost.exe[2012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076dbc1b0 5 bytes JMP 00000000000702c0 .text C:\Windows\System32\svchost.exe[2012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076dbc1d0 5 bytes JMP 0000000000070300 .text C:\Windows\System32\svchost.exe[2012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076dbc210 5 bytes JMP 00000000000703b0 .text C:\Windows\System32\svchost.exe[2012] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076dbc250 5 bytes JMP 0000000000070440 .text C:\Windows\System32\svchost.exe[2012] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076dbc260 5 bytes JMP 00000000000703e0 .text C:\Windows\System32\svchost.exe[2012] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076dbc3c0 5 bytes JMP 0000000000070220 .text C:\Windows\System32\svchost.exe[2012] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076dbc580 5 bytes JMP 00000000000704a0 .text C:\Windows\System32\svchost.exe[2012] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076dbc5b0 5 bytes JMP 0000000000070390 .text C:\Windows\System32\svchost.exe[2012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076dbc690 5 bytes JMP 00000000000702e0 .text C:\Windows\System32\svchost.exe[2012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076dbc6a0 5 bytes JMP 0000000000070340 .text C:\Windows\System32\svchost.exe[2012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076dbc700 5 bytes JMP 0000000000070280 .text C:\Windows\System32\svchost.exe[2012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076dbc790 5 bytes JMP 00000000000702a0 .text C:\Windows\System32\svchost.exe[2012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076dbc7b0 5 bytes JMP 00000000000703c0 .text C:\Windows\System32\svchost.exe[2012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076dbc7c0 5 bytes JMP 0000000000070320 .text C:\Windows\System32\svchost.exe[2012] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076dbc830 5 bytes JMP 0000000000070410 .text C:\Windows\System32\svchost.exe[2012] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076dbc860 5 bytes JMP 0000000000070230 .text C:\Windows\System32\svchost.exe[2012] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000076dbca00 5 bytes JMP 00000000000703f0 .text C:\Windows\System32\svchost.exe[2012] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076dbcb20 5 bytes JMP 00000000000701d0 .text C:\Windows\System32\svchost.exe[2012] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076dbcbe0 5 bytes JMP 0000000000070240 .text C:\Windows\System32\svchost.exe[2012] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076dbcc10 5 bytes JMP 00000000000704b0 .text C:\Windows\System32\svchost.exe[2012] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076dbcc20 5 bytes JMP 00000000000704c0 .text C:\Windows\System32\svchost.exe[2012] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076dbcc50 5 bytes JMP 00000000000702f0 .text C:\Windows\System32\svchost.exe[2012] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076dbcc60 5 bytes JMP 0000000000070350 .text C:\Windows\System32\svchost.exe[2012] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076dbccc0 5 bytes JMP 0000000000070290 .text C:\Windows\System32\svchost.exe[2012] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076dbcd10 5 bytes JMP 00000000000702b0 .text C:\Windows\System32\svchost.exe[2012] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076dbcd40 5 bytes JMP 0000000000070370 .text C:\Windows\System32\svchost.exe[2012] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076dbcd50 5 bytes JMP 0000000000070330 .text C:\Windows\System32\svchost.exe[2012] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076dbd040 5 bytes JMP 0000000000070460 .text C:\Windows\System32\svchost.exe[2012] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000076dbd1a0 5 bytes JMP 0000000000070420 .text C:\Windows\System32\svchost.exe[2012] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076dbd240 5 bytes JMP 0000000000070250 .text C:\Windows\System32\svchost.exe[2012] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076dbd250 5 bytes JMP 0000000000070260 .text C:\Windows\System32\svchost.exe[2012] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076dbd260 5 bytes JMP 0000000000070400 .text C:\Windows\System32\svchost.exe[2012] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076dbd420 5 bytes JMP 00000000000701e0 .text C:\Windows\System32\svchost.exe[2012] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076dbd430 5 bytes JMP 0000000000070200 .text C:\Windows\System32\svchost.exe[2012] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076dbd4a0 5 bytes JMP 00000000000701f0 .text C:\Windows\System32\svchost.exe[2012] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076dbd500 5 bytes JMP 0000000000070430 .text C:\Windows\System32\svchost.exe[2012] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076dbd510 5 bytes JMP 0000000000070450 .text C:\Windows\System32\svchost.exe[2012] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076dbd520 5 bytes JMP 0000000000070210 .text C:\Windows\System32\svchost.exe[2012] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076dbd600 5 bytes JMP 0000000000070270 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076dbbde0 5 bytes JMP 0000000000070480 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076dbbe30 5 bytes JMP 0000000000070470 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076dbbf90 5 bytes JMP 0000000000070360 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076dbbfe0 5 bytes JMP 0000000000070490 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076dbbff0 5 bytes JMP 00000000000703d0 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076dbc0a0 5 bytes JMP 0000000000070310 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076dbc0d0 5 bytes JMP 00000000000703a0 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076dbc0f0 1 byte JMP 0000000000070380 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 0000000076dbc0f2 3 bytes {JMP 0xffffffff892b4290} .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076dbc130 5 bytes JMP 00000000000702d0 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076dbc1b0 5 bytes JMP 00000000000702c0 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076dbc1d0 5 bytes JMP 0000000000070300 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076dbc210 5 bytes JMP 00000000000703b0 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076dbc250 5 bytes JMP 0000000000070440 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076dbc260 5 bytes JMP 00000000000703e0 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076dbc3c0 5 bytes JMP 0000000000070220 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076dbc580 5 bytes JMP 00000000000704a0 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076dbc5b0 5 bytes JMP 0000000000070390 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076dbc690 5 bytes JMP 00000000000702e0 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076dbc6a0 5 bytes JMP 0000000000070340 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076dbc700 5 bytes JMP 0000000000070280 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076dbc790 5 bytes JMP 00000000000702a0 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076dbc7b0 5 bytes JMP 00000000000703c0 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076dbc7c0 5 bytes JMP 0000000000070320 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076dbc830 5 bytes JMP 0000000000070410 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076dbc860 5 bytes JMP 0000000000070230 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000076dbca00 5 bytes JMP 00000000000703f0 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076dbcb20 5 bytes JMP 00000000000701d0 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076dbcbe0 5 bytes JMP 0000000000070240 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076dbcc10 5 bytes JMP 00000000000704b0 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076dbcc20 5 bytes JMP 00000000000704c0 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076dbcc50 5 bytes JMP 00000000000702f0 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076dbcc60 5 bytes JMP 0000000000070350 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076dbccc0 5 bytes JMP 0000000000070290 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076dbcd10 5 bytes JMP 00000000000702b0 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076dbcd40 5 bytes JMP 0000000000070370 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076dbcd50 5 bytes JMP 0000000000070330 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076dbd040 5 bytes JMP 0000000000070460 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000076dbd1a0 5 bytes JMP 0000000000070420 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076dbd240 5 bytes JMP 0000000000070250 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076dbd250 5 bytes JMP 0000000000070260 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076dbd260 5 bytes JMP 0000000000070400 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076dbd420 5 bytes JMP 00000000000701e0 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076dbd430 5 bytes JMP 0000000000070200 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076dbd4a0 5 bytes JMP 00000000000701f0 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076dbd500 5 bytes JMP 0000000000070430 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076dbd510 5 bytes JMP 0000000000070450 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076dbd520 5 bytes JMP 0000000000070210 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076dbd600 5 bytes JMP 0000000000070270 .text C:\Windows\system32\taskeng.exe[1676] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076dbbde0 5 bytes JMP 0000000076f20480 .text C:\Windows\system32\taskeng.exe[1676] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076dbbe30 5 bytes JMP 0000000076f20470 .text C:\Windows\system32\taskeng.exe[1676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076dbbf90 5 bytes JMP 0000000076f20360 .text C:\Windows\system32\taskeng.exe[1676] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076dbbfe0 5 bytes JMP 0000000076f20490 .text C:\Windows\system32\taskeng.exe[1676] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076dbbff0 5 bytes JMP 0000000076f203d0 .text C:\Windows\system32\taskeng.exe[1676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076dbc0a0 5 bytes JMP 0000000076f20310 .text C:\Windows\system32\taskeng.exe[1676] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076dbc0d0 5 bytes JMP 0000000076f203a0 .text C:\Windows\system32\taskeng.exe[1676] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076dbc0f0 1 byte JMP 0000000076f20380 .text C:\Windows\system32\taskeng.exe[1676] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 0000000076dbc0f2 3 bytes {JMP 0x164290} .text C:\Windows\system32\taskeng.exe[1676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076dbc130 5 bytes JMP 0000000076f202d0 .text C:\Windows\system32\taskeng.exe[1676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076dbc1b0 5 bytes JMP 0000000076f202c0 .text C:\Windows\system32\taskeng.exe[1676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076dbc1d0 5 bytes JMP 0000000076f20300 .text C:\Windows\system32\taskeng.exe[1676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076dbc210 5 bytes JMP 0000000076f203b0 .text C:\Windows\system32\taskeng.exe[1676] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076dbc250 5 bytes JMP 0000000076f20440 .text C:\Windows\system32\taskeng.exe[1676] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076dbc260 5 bytes JMP 0000000076f203e0 .text C:\Windows\system32\taskeng.exe[1676] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076dbc3c0 5 bytes JMP 0000000076f20220 .text C:\Windows\system32\taskeng.exe[1676] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076dbc580 5 bytes JMP 0000000076f204a0 .text C:\Windows\system32\taskeng.exe[1676] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076dbc5b0 5 bytes JMP 0000000076f20390 .text C:\Windows\system32\taskeng.exe[1676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076dbc690 5 bytes JMP 0000000076f202e0 .text C:\Windows\system32\taskeng.exe[1676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076dbc6a0 5 bytes JMP 0000000076f20340 .text C:\Windows\system32\taskeng.exe[1676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076dbc700 5 bytes JMP 0000000076f20280 .text C:\Windows\system32\taskeng.exe[1676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076dbc790 5 bytes JMP 0000000076f202a0 .text C:\Windows\system32\taskeng.exe[1676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076dbc7b0 5 bytes JMP 0000000076f203c0 .text C:\Windows\system32\taskeng.exe[1676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076dbc7c0 5 bytes JMP 0000000076f20320 .text C:\Windows\system32\taskeng.exe[1676] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076dbc830 5 bytes JMP 0000000076f20410 .text C:\Windows\system32\taskeng.exe[1676] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076dbc860 5 bytes JMP 0000000076f20230 .text C:\Windows\system32\taskeng.exe[1676] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000076dbca00 5 bytes JMP 0000000076f203f0 .text C:\Windows\system32\taskeng.exe[1676] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076dbcb20 5 bytes JMP 0000000076f201d0 .text C:\Windows\system32\taskeng.exe[1676] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076dbcbe0 5 bytes JMP 0000000076f20240 .text C:\Windows\system32\taskeng.exe[1676] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076dbcc10 5 bytes JMP 0000000076f204b0 .text C:\Windows\system32\taskeng.exe[1676] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076dbcc20 5 bytes JMP 0000000076f204c0 .text C:\Windows\system32\taskeng.exe[1676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076dbcc50 5 bytes JMP 0000000076f202f0 .text C:\Windows\system32\taskeng.exe[1676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076dbcc60 5 bytes JMP 0000000076f20350 .text C:\Windows\system32\taskeng.exe[1676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076dbccc0 5 bytes JMP 0000000076f20290 .text C:\Windows\system32\taskeng.exe[1676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076dbcd10 5 bytes JMP 0000000076f202b0 .text C:\Windows\system32\taskeng.exe[1676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076dbcd40 5 bytes JMP 0000000076f20370 .text C:\Windows\system32\taskeng.exe[1676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076dbcd50 5 bytes JMP 0000000076f20330 .text C:\Windows\system32\taskeng.exe[1676] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076dbd040 5 bytes JMP 0000000076f20460 .text C:\Windows\system32\taskeng.exe[1676] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000076dbd1a0 5 bytes JMP 0000000076f20420 .text C:\Windows\system32\taskeng.exe[1676] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076dbd240 5 bytes JMP 0000000076f20250 .text C:\Windows\system32\taskeng.exe[1676] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076dbd250 5 bytes JMP 0000000076f20260 .text C:\Windows\system32\taskeng.exe[1676] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076dbd260 5 bytes JMP 0000000076f20400 .text C:\Windows\system32\taskeng.exe[1676] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076dbd420 5 bytes JMP 0000000076f201e0 .text C:\Windows\system32\taskeng.exe[1676] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076dbd430 5 bytes JMP 0000000076f20200 .text C:\Windows\system32\taskeng.exe[1676] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076dbd4a0 5 bytes JMP 0000000076f201f0 .text C:\Windows\system32\taskeng.exe[1676] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076dbd500 5 bytes JMP 0000000076f20430 .text C:\Windows\system32\taskeng.exe[1676] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076dbd510 5 bytes JMP 0000000076f20450 .text C:\Windows\system32\taskeng.exe[1676] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076dbd520 5 bytes JMP 0000000076f20210 .text C:\Windows\system32\taskeng.exe[1676] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076dbd600 5 bytes JMP 0000000076f20270 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[2500] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 00000000767c1401 2 bytes JMP 7515b233 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[2500] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 00000000767c1419 2 bytes JMP 7515b35e C:\Windows\syswow64\kernel32.dll .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[2500] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 00000000767c1431 2 bytes JMP 751d9149 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[2500] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 00000000767c144a 2 bytes CALL 75134885 C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[2500] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000767c14dd 2 bytes JMP 751d8a42 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[2500] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000767c14f5 2 bytes JMP 751d8c18 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[2500] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 00000000767c150d 2 bytes JMP 751d8938 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[2500] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 00000000767c1525 2 bytes JMP 751d8d02 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[2500] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 00000000767c153d 2 bytes JMP 7514fcc0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[2500] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 00000000767c1555 2 bytes JMP 75156907 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[2500] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 00000000767c156d 2 bytes JMP 751d9201 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[2500] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 00000000767c1585 2 bytes JMP 751d8d62 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[2500] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 00000000767c159d 2 bytes JMP 751d88fc C:\Windows\syswow64\kernel32.dll .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[2500] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000767c15b5 2 bytes JMP 7514fd59 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[2500] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000767c15cd 2 bytes JMP 7515b2f4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[2500] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000767c16b2 2 bytes JMP 751d90c4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe[2500] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000767c16bd 2 bytes JMP 751d8891 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\NvContainer\nvcontainer.exe[2096] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 00000000748b2bdc 5 bytes JMP 000000006ae87d1d .text C:\Program Files (x86)\NVIDIA Corporation\NvContainer\nvcontainer.exe[2096] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 00000000748b2e7e 5 bytes JMP 000000006ae87d87 .text C:\Program Files (x86)\NVIDIA Corporation\NvContainer\nvcontainer.exe[2096] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 00000000767c1401 2 bytes JMP 7515b233 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\NvContainer\nvcontainer.exe[2096] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 00000000767c1419 2 bytes JMP 7515b35e C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\NvContainer\nvcontainer.exe[2096] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 00000000767c1431 2 bytes JMP 751d9149 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\NvContainer\nvcontainer.exe[2096] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 00000000767c144a 2 bytes CALL 75134885 C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\NVIDIA Corporation\NvContainer\nvcontainer.exe[2096] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000767c14dd 2 bytes JMP 751d8a42 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\NvContainer\nvcontainer.exe[2096] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000767c14f5 2 bytes JMP 751d8c18 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\NvContainer\nvcontainer.exe[2096] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 00000000767c150d 2 bytes JMP 751d8938 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\NvContainer\nvcontainer.exe[2096] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 00000000767c1525 2 bytes JMP 751d8d02 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\NvContainer\nvcontainer.exe[2096] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 00000000767c153d 2 bytes JMP 7514fcc0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\NvContainer\nvcontainer.exe[2096] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 00000000767c1555 2 bytes JMP 75156907 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\NvContainer\nvcontainer.exe[2096] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 00000000767c156d 2 bytes JMP 751d9201 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\NvContainer\nvcontainer.exe[2096] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 00000000767c1585 2 bytes JMP 751d8d62 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\NvContainer\nvcontainer.exe[2096] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 00000000767c159d 2 bytes JMP 751d88fc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\NvContainer\nvcontainer.exe[2096] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000767c15b5 2 bytes JMP 7514fd59 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\NvContainer\nvcontainer.exe[2096] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000767c15cd 2 bytes JMP 7515b2f4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\NvContainer\nvcontainer.exe[2096] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000767c16b2 2 bytes JMP 751d90c4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\NvContainer\nvcontainer.exe[2096] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000767c16bd 2 bytes JMP 751d8891 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[3640] C:\Windows\SysWOW64\WSOCK32.dll!recv + 82 00000000747317fa 2 bytes CALL 751311a9 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[3640] C:\Windows\SysWOW64\WSOCK32.dll!recvfrom + 88 0000000074731860 2 bytes CALL 751311a9 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[3640] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 98 0000000074731942 2 bytes JMP 75396da1 C:\Windows\syswow64\WS2_32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[3640] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 109 000000007473194d 2 bytes JMP 7539e8de C:\Windows\syswow64\WS2_32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[3640] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 00000000767c1401 2 bytes JMP 7515b233 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[3640] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 00000000767c1419 2 bytes JMP 7515b35e C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[3640] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 00000000767c1431 2 bytes JMP 751d9149 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[3640] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 00000000767c144a 2 bytes CALL 75134885 C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Windows\SysWOW64\PnkBstrA.exe[3640] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000767c14dd 2 bytes JMP 751d8a42 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[3640] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000767c14f5 2 bytes JMP 751d8c18 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[3640] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 00000000767c150d 2 bytes JMP 751d8938 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[3640] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 00000000767c1525 2 bytes JMP 751d8d02 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[3640] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 00000000767c153d 2 bytes JMP 7514fcc0 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[3640] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 00000000767c1555 2 bytes JMP 75156907 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[3640] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 00000000767c156d 2 bytes JMP 751d9201 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[3640] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 00000000767c1585 2 bytes JMP 751d8d62 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[3640] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 00000000767c159d 2 bytes JMP 751d88fc C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[3640] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000767c15b5 2 bytes JMP 7514fd59 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[3640] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000767c15cd 2 bytes JMP 7515b2f4 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[3640] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000767c16b2 2 bytes JMP 751d90c4 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[3640] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000767c16bd 2 bytes JMP 751d8891 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[3680] C:\Windows\syswow64\psapi.dll!GetModuleFileNameExW + 17 00000000767c1401 2 bytes JMP 7515b233 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[3680] C:\Windows\syswow64\psapi.dll!EnumProcessModules + 17 00000000767c1419 2 bytes JMP 7515b35e C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[3680] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 17 00000000767c1431 2 bytes JMP 751d9149 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[3680] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 42 00000000767c144a 2 bytes CALL 75134885 C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[3680] C:\Windows\syswow64\psapi.dll!EnumDeviceDrivers + 17 00000000767c14dd 2 bytes JMP 751d8a42 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[3680] C:\Windows\syswow64\psapi.dll!GetDeviceDriverBaseNameA + 17 00000000767c14f5 2 bytes JMP 751d8c18 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[3680] C:\Windows\syswow64\psapi.dll!QueryWorkingSetEx + 17 00000000767c150d 2 bytes JMP 751d8938 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[3680] C:\Windows\syswow64\psapi.dll!GetDeviceDriverBaseNameW + 17 00000000767c1525 2 bytes JMP 751d8d02 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[3680] C:\Windows\syswow64\psapi.dll!GetModuleBaseNameW + 17 00000000767c153d 2 bytes JMP 7514fcc0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[3680] C:\Windows\syswow64\psapi.dll!EnumProcesses + 17 00000000767c1555 2 bytes JMP 75156907 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[3680] C:\Windows\syswow64\psapi.dll!GetProcessMemoryInfo + 17 00000000767c156d 2 bytes JMP 751d9201 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[3680] C:\Windows\syswow64\psapi.dll!GetPerformanceInfo + 17 00000000767c1585 2 bytes JMP 751d8d62 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[3680] C:\Windows\syswow64\psapi.dll!QueryWorkingSet + 17 00000000767c159d 2 bytes JMP 751d88fc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[3680] C:\Windows\syswow64\psapi.dll!GetModuleBaseNameA + 17 00000000767c15b5 2 bytes JMP 7514fd59 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[3680] C:\Windows\syswow64\psapi.dll!GetModuleFileNameExA + 17 00000000767c15cd 2 bytes JMP 7515b2f4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[3680] C:\Windows\syswow64\psapi.dll!GetProcessImageFileNameW + 20 00000000767c16b2 2 bytes JMP 751d90c4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[3680] C:\Windows\syswow64\psapi.dll!GetProcessImageFileNameW + 31 00000000767c16bd 2 bytes JMP 751d8891 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3804] C:\Windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter 0000000075138769 8 bytes [31, C0, C2, 04, 00, 90, 90, ...] .text C:\Windows\system32\svchost.exe[3712] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076dbbde0 5 bytes JMP 0000000076f20480 .text C:\Windows\system32\svchost.exe[3712] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076dbbe30 5 bytes JMP 0000000076f20470 .text C:\Windows\system32\svchost.exe[3712] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076dbbf90 5 bytes JMP 0000000076f20360 .text C:\Windows\system32\svchost.exe[3712] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076dbbfe0 5 bytes JMP 0000000076f20490 .text C:\Windows\system32\svchost.exe[3712] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076dbbff0 5 bytes JMP 0000000076f203d0 .text C:\Windows\system32\svchost.exe[3712] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076dbc0a0 5 bytes JMP 0000000076f20310 .text C:\Windows\system32\svchost.exe[3712] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076dbc0d0 5 bytes JMP 0000000076f203a0 .text C:\Windows\system32\svchost.exe[3712] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076dbc0f0 1 byte JMP 0000000076f20380 .text C:\Windows\system32\svchost.exe[3712] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 0000000076dbc0f2 3 bytes {JMP 0x164290} .text C:\Windows\system32\svchost.exe[3712] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076dbc130 5 bytes JMP 0000000076f202d0 .text C:\Windows\system32\svchost.exe[3712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076dbc1b0 5 bytes JMP 0000000076f202c0 .text C:\Windows\system32\svchost.exe[3712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076dbc1d0 5 bytes JMP 0000000076f20300 .text C:\Windows\system32\svchost.exe[3712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076dbc210 5 bytes JMP 0000000076f203b0 .text C:\Windows\system32\svchost.exe[3712] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076dbc250 5 bytes JMP 0000000076f20440 .text C:\Windows\system32\svchost.exe[3712] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076dbc260 5 bytes JMP 0000000076f203e0 .text C:\Windows\system32\svchost.exe[3712] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076dbc3c0 5 bytes JMP 0000000076f20220 .text C:\Windows\system32\svchost.exe[3712] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076dbc580 5 bytes JMP 0000000076f204a0 .text C:\Windows\system32\svchost.exe[3712] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076dbc5b0 5 bytes JMP 0000000076f20390 .text C:\Windows\system32\svchost.exe[3712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076dbc690 5 bytes JMP 0000000076f202e0 .text C:\Windows\system32\svchost.exe[3712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076dbc6a0 5 bytes JMP 0000000076f20340 .text C:\Windows\system32\svchost.exe[3712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076dbc700 5 bytes JMP 0000000076f20280 .text C:\Windows\system32\svchost.exe[3712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076dbc790 5 bytes JMP 0000000076f202a0 .text C:\Windows\system32\svchost.exe[3712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076dbc7b0 5 bytes JMP 0000000076f203c0 .text C:\Windows\system32\svchost.exe[3712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076dbc7c0 5 bytes JMP 0000000076f20320 .text C:\Windows\system32\svchost.exe[3712] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076dbc830 5 bytes JMP 0000000076f20410 .text C:\Windows\system32\svchost.exe[3712] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076dbc860 5 bytes JMP 0000000076f20230 .text C:\Windows\system32\svchost.exe[3712] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000076dbca00 5 bytes JMP 0000000076f203f0 .text C:\Windows\system32\svchost.exe[3712] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076dbcb20 5 bytes JMP 0000000076f201d0 .text C:\Windows\system32\svchost.exe[3712] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076dbcbe0 5 bytes JMP 0000000076f20240 .text C:\Windows\system32\svchost.exe[3712] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076dbcc10 5 bytes JMP 0000000076f204b0 .text C:\Windows\system32\svchost.exe[3712] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076dbcc20 5 bytes JMP 0000000076f204c0 .text C:\Windows\system32\svchost.exe[3712] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076dbcc50 5 bytes JMP 0000000076f202f0 .text C:\Windows\system32\svchost.exe[3712] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076dbcc60 5 bytes JMP 0000000076f20350 .text C:\Windows\system32\svchost.exe[3712] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076dbccc0 5 bytes JMP 0000000076f20290 .text C:\Windows\system32\svchost.exe[3712] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076dbcd10 5 bytes JMP 0000000076f202b0 .text C:\Windows\system32\svchost.exe[3712] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076dbcd40 5 bytes JMP 0000000076f20370 .text C:\Windows\system32\svchost.exe[3712] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076dbcd50 5 bytes JMP 0000000076f20330 .text C:\Windows\system32\svchost.exe[3712] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076dbd040 5 bytes JMP 0000000076f20460 .text C:\Windows\system32\svchost.exe[3712] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000076dbd1a0 5 bytes JMP 0000000076f20420 .text C:\Windows\system32\svchost.exe[3712] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076dbd240 5 bytes JMP 0000000076f20250 .text C:\Windows\system32\svchost.exe[3712] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076dbd250 5 bytes JMP 0000000076f20260 .text C:\Windows\system32\svchost.exe[3712] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076dbd260 5 bytes JMP 0000000076f20400 .text C:\Windows\system32\svchost.exe[3712] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076dbd420 5 bytes JMP 0000000076f201e0 .text C:\Windows\system32\svchost.exe[3712] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076dbd430 5 bytes JMP 0000000076f20200 .text C:\Windows\system32\svchost.exe[3712] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076dbd4a0 5 bytes JMP 0000000076f201f0 .text C:\Windows\system32\svchost.exe[3712] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076dbd500 5 bytes JMP 0000000076f20430 .text C:\Windows\system32\svchost.exe[3712] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076dbd510 5 bytes JMP 0000000076f20450 .text C:\Windows\system32\svchost.exe[3712] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076dbd520 5 bytes JMP 0000000076f20210 .text C:\Windows\system32\svchost.exe[3712] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076dbd600 5 bytes JMP 0000000076f20270 .text C:\Windows\system32\taskeng.exe[5380] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076dbbde0 5 bytes JMP 0000000076f20480 .text C:\Windows\system32\taskeng.exe[5380] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076dbbe30 5 bytes JMP 0000000076f20470 .text C:\Windows\system32\taskeng.exe[5380] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076dbbf90 5 bytes JMP 0000000076f20360 .text C:\Windows\system32\taskeng.exe[5380] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076dbbfe0 5 bytes JMP 0000000076f20490 .text C:\Windows\system32\taskeng.exe[5380] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076dbbff0 5 bytes JMP 0000000076f203d0 .text C:\Windows\system32\taskeng.exe[5380] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076dbc0a0 5 bytes JMP 0000000076f20310 .text C:\Windows\system32\taskeng.exe[5380] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076dbc0d0 5 bytes JMP 0000000076f203a0 .text C:\Windows\system32\taskeng.exe[5380] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076dbc0f0 1 byte JMP 0000000076f20380 .text C:\Windows\system32\taskeng.exe[5380] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 0000000076dbc0f2 3 bytes {JMP 0x164290} .text C:\Windows\system32\taskeng.exe[5380] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076dbc130 5 bytes JMP 0000000076f202d0 .text C:\Windows\system32\taskeng.exe[5380] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076dbc1b0 5 bytes JMP 0000000076f202c0 .text C:\Windows\system32\taskeng.exe[5380] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076dbc1d0 5 bytes JMP 0000000076f20300 .text C:\Windows\system32\taskeng.exe[5380] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076dbc210 5 bytes JMP 0000000076f203b0 .text C:\Windows\system32\taskeng.exe[5380] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076dbc250 5 bytes JMP 0000000076f20440 .text C:\Windows\system32\taskeng.exe[5380] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076dbc260 5 bytes JMP 0000000076f203e0 .text C:\Windows\system32\taskeng.exe[5380] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076dbc3c0 5 bytes JMP 0000000076f20220 .text C:\Windows\system32\taskeng.exe[5380] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076dbc580 5 bytes JMP 0000000076f204a0 .text C:\Windows\system32\taskeng.exe[5380] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076dbc5b0 5 bytes JMP 0000000076f20390 .text C:\Windows\system32\taskeng.exe[5380] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076dbc690 5 bytes JMP 0000000076f202e0 .text C:\Windows\system32\taskeng.exe[5380] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076dbc6a0 5 bytes JMP 0000000076f20340 .text C:\Windows\system32\taskeng.exe[5380] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076dbc700 5 bytes JMP 0000000076f20280 .text C:\Windows\system32\taskeng.exe[5380] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076dbc790 5 bytes JMP 0000000076f202a0 .text C:\Windows\system32\taskeng.exe[5380] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076dbc7b0 5 bytes JMP 0000000076f203c0 .text C:\Windows\system32\taskeng.exe[5380] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076dbc7c0 5 bytes JMP 0000000076f20320 .text C:\Windows\system32\taskeng.exe[5380] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076dbc830 5 bytes JMP 0000000076f20410 .text C:\Windows\system32\taskeng.exe[5380] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076dbc860 5 bytes JMP 0000000076f20230 .text C:\Windows\system32\taskeng.exe[5380] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000076dbca00 5 bytes JMP 0000000076f203f0 .text C:\Windows\system32\taskeng.exe[5380] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076dbcb20 5 bytes JMP 0000000076f201d0 .text C:\Windows\system32\taskeng.exe[5380] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076dbcbe0 5 bytes JMP 0000000076f20240 .text C:\Windows\system32\taskeng.exe[5380] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076dbcc10 5 bytes JMP 0000000076f204b0 .text C:\Windows\system32\taskeng.exe[5380] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076dbcc20 5 bytes JMP 0000000076f204c0 .text C:\Windows\system32\taskeng.exe[5380] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076dbcc50 5 bytes JMP 0000000076f202f0 .text C:\Windows\system32\taskeng.exe[5380] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076dbcc60 5 bytes JMP 0000000076f20350 .text C:\Windows\system32\taskeng.exe[5380] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076dbccc0 5 bytes JMP 0000000076f20290 .text C:\Windows\system32\taskeng.exe[5380] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076dbcd10 5 bytes JMP 0000000076f202b0 .text C:\Windows\system32\taskeng.exe[5380] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076dbcd40 5 bytes JMP 0000000076f20370 .text C:\Windows\system32\taskeng.exe[5380] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076dbcd50 5 bytes JMP 0000000076f20330 .text C:\Windows\system32\taskeng.exe[5380] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076dbd040 5 bytes JMP 0000000076f20460 .text C:\Windows\system32\taskeng.exe[5380] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000076dbd1a0 5 bytes JMP 0000000076f20420 .text C:\Windows\system32\taskeng.exe[5380] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076dbd240 5 bytes JMP 0000000076f20250 .text C:\Windows\system32\taskeng.exe[5380] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076dbd250 5 bytes JMP 0000000076f20260 .text C:\Windows\system32\taskeng.exe[5380] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076dbd260 5 bytes JMP 0000000076f20400 .text C:\Windows\system32\taskeng.exe[5380] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076dbd420 5 bytes JMP 0000000076f201e0 .text C:\Windows\system32\taskeng.exe[5380] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076dbd430 5 bytes JMP 0000000076f20200 .text C:\Windows\system32\taskeng.exe[5380] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076dbd4a0 5 bytes JMP 0000000076f201f0 .text C:\Windows\system32\taskeng.exe[5380] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076dbd500 5 bytes JMP 0000000076f20430 .text C:\Windows\system32\taskeng.exe[5380] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076dbd510 5 bytes JMP 0000000076f20450 .text C:\Windows\system32\taskeng.exe[5380] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076dbd520 5 bytes JMP 0000000076f20210 .text C:\Windows\system32\taskeng.exe[5380] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076dbd600 5 bytes JMP 0000000076f20270 .text C:\Program Files (x86)\NVIDIA Corporation\NvNode\NVIDIA Web Helper.exe[5504] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 00000000767c1401 2 bytes JMP 7515b233 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\NvNode\NVIDIA Web Helper.exe[5504] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 00000000767c1419 2 bytes JMP 7515b35e C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\NvNode\NVIDIA Web Helper.exe[5504] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 00000000767c1431 2 bytes JMP 751d9149 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\NvNode\NVIDIA Web Helper.exe[5504] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 00000000767c144a 2 bytes CALL 75134885 C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\NVIDIA Corporation\NvNode\NVIDIA Web Helper.exe[5504] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000767c14dd 2 bytes JMP 751d8a42 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\NvNode\NVIDIA Web Helper.exe[5504] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000767c14f5 2 bytes JMP 751d8c18 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\NvNode\NVIDIA Web Helper.exe[5504] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 00000000767c150d 2 bytes JMP 751d8938 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\NvNode\NVIDIA Web Helper.exe[5504] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 00000000767c1525 2 bytes JMP 751d8d02 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\NvNode\NVIDIA Web Helper.exe[5504] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 00000000767c153d 2 bytes JMP 7514fcc0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\NvNode\NVIDIA Web Helper.exe[5504] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 00000000767c1555 2 bytes JMP 75156907 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\NvNode\NVIDIA Web Helper.exe[5504] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 00000000767c156d 2 bytes JMP 751d9201 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\NvNode\NVIDIA Web Helper.exe[5504] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 00000000767c1585 2 bytes JMP 751d8d62 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\NvNode\NVIDIA Web Helper.exe[5504] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 00000000767c159d 2 bytes JMP 751d88fc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\NvNode\NVIDIA Web Helper.exe[5504] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000767c15b5 2 bytes JMP 7514fd59 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\NvNode\NVIDIA Web Helper.exe[5504] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000767c15cd 2 bytes JMP 7515b2f4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\NvNode\NVIDIA Web Helper.exe[5504] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000767c16b2 2 bytes JMP 751d90c4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\NvNode\NVIDIA Web Helper.exe[5504] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000767c16bd 2 bytes JMP 751d8891 C:\Windows\syswow64\kernel32.dll ---- Registry - GMER 2.2 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters\Instup_14833617807412280@SetupOperations ?????????????????a??\L???????????V??????t???\??\C:\Program Files (x86)\IObit\Game Booster 3\Driver\WinRing0x64.sys?lpe???????????e???e??????????????????????? ???????n?????????????,????????:?????????????e&Re????&????????????e????MotoSwitch Service?bRe??Motorola USB Networking Driver Service?203??????????????????of??Motorola USB Dev Driver?.i??????????????????????HID_Raw_Inst?:??????????????6-21-2006???? ???????n?????????????,????????N??? ??????-bf???????????v???s????:???????????h??????????????????d???????e???????????????????T???d??????JL??? ?????????????????????0????????????????????? ?????????????????????0????????????????????? ?????????????????????0????????????????????? ?????????????????????0????????????????????????????????????????????????0??? B??????????????????Microsoft???? ???????n?????????????,????????P???????????????????????????Unknown Device?Dat??????????????????????????????????????? ?????????????????????0????????????&????????????????????v????X?????????????????????ef????????????????? ?*?*?*?*?*?:?*????? Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters\Instup_14833618874302280@SetupOperations ????????Mass Storage Device USB Device???????????????????????n???????????|???????????????????f??ar??????????????????? ???@???r??????di???????????t??il???????????k???????????e??????Wolumin uniwersalny?????????????????????????? ??D?????|????????g??????:????????????e???????????????????s????generic_hid_device?las??????????????????????????????????????tnagqyqb? ??.NTAMD64????LegacyDriver????@machine.inf,%gendev_mfg%;(Standardowe urz?dzenia systemowe)????{8ECC055D-047F-11D1-A537-0000F8753ED1}?1-2????????F??????3???????2??? l??????????????????????????????????????k??????????? ????????????????N????????????:?;????H??????i??ow??????????????????@disk.inf,%disk_devdesc%;Stacja dysk?w?dys????p??????a?goc???????????????????y???m???e???z?|??????????????N??????s????D zo??????????????????????????????????????? ??????????????????????????????P???????????{71a27cdd-812a-11d0-bec7-08002be2092f}\0014?ig??????????????????? ???????x?????????????????????????s??????????&??????????????????????????????????j???????&??? ????????????????????? Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters\Instup_14833617807412280@SetupOperations ?????????????d??@nettun.inf,%teredo.displayname%;Karta tunelowania Teredo firmy Microsoft???@volume.inf,%msft%;Microsoft?????h?i?i?i?????i???????n??????????????????????????ESProtectionDriver?s?d???,?j?k?k?m?m???m??????I?????????????e???WinRing0_1_2_0??????WINUSB.INF????????N??????T?????Dov??????? x??????o?????er ??????????????????????{8ECC055D-047F-11D1-A537-0000F8753ED1}???9???j?k?l?k?l?l?k?k?k???k???????????????k???????????????????????e???j??????????????????????????????????@%SystemRoot%\system32\drivers\http.sys,-1???0(?MBAMWebProtection?????N????????????D????? "??????v?????am\??????????????????????????@volsnap.inf,%msft%;Microsoft????????????????d????$?????????p???r???@volsnap.inf,%msft%;Microsoft????????????s??????To??@msmouse.inf,%hid.mousedevice%;Mysz zgodna z HID????? ???????o?????Fil??{8ECC055D-047F-11D1-A537-0000F8753ED1}??????system32\DRIVERS\WUDFRd.sys?????{00000000-0000-0000-FFFF-FFFFFFFFFFFF}??????6.1.7601.18328??????Urz?dzenie MTP USB?rd ???????+???,??????????@volsnap.inf,%msft%;Microsoft????p? Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters\Instup_14833618874302280@SetupOperations ?????????????????k???????k??@disk.inf,%disk_devdesc%;Stacja dysk?w?le\??? ???????/????????????????&???????1???????????2003??????????????????? ???????n??????????????????????????/????????????????????????0??? ????????????????????????"?????????????????????Stacja dysk?w????????????V??.l??disk.inf:disk_device.NTamd64:disk_install:6.1.7600.16385:gendisk????\??\USB#VID_0C76&PID_0005#5&1dda42a3&0&3#{a5dcbf10-6530-11d2-901f-00c04fb951ed}?????STORAGE#VOLUME#_??_USBSTOR#DISK&VEN_GENERIC&PROD_USB_MASS_STORAGE&REV_1.00#6&170D51C6&0#??????N??????D?????D????usb\class_08&subclass_06&prot_50?o??????????????????????????????????????@disk.inf,%disk_devdesc%;Stacja dysk?w?ice??????????????????Linux ?f,%microsoftmfg%;Microsoft?st??????????????ltomdako?????????????????????m??6.1.7600.16385?dow????????????????*??????v???????????????????????s??m3??cl???????n???????????????????????????????????H???????????????????????????????????????????????????????????????4??5b??wpdmtp.inf??????MBAMProtection???d???????????????????????????????????|?