GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2015-11-26 19:03:07 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP5T0L0-5 ST500DM002-1BD142 rev.KC45 465.76GB Running: hdiucg78.exe; Driver: C:\Users\Nowky\AppData\Local\Temp\kgliifoc.sys ---- User code sections - GMER 2.1 ---- .text C:\Windows\system32\services.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076d7dc80 5 bytes JMP 0000000100070460 .text C:\Windows\system32\services.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076d7dcd0 5 bytes JMP 0000000100070450 .text C:\Windows\system32\services.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076d7de30 5 bytes JMP 0000000100070370 .text C:\Windows\system32\services.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076d7de80 5 bytes JMP 0000000100070470 .text C:\Windows\system32\services.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d7de90 5 bytes JMP 00000001000703e0 .text C:\Windows\system32\services.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076d7df40 5 bytes JMP 0000000100070320 .text C:\Windows\system32\services.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d7df70 5 bytes JMP 00000001000703b0 .text C:\Windows\system32\services.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076d7df90 5 bytes JMP 0000000100070390 .text C:\Windows\system32\services.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076d7dfd0 5 bytes JMP 00000001000702e0 .text C:\Windows\system32\services.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076d7e050 5 bytes JMP 00000001000702d0 .text C:\Windows\system32\services.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076d7e070 5 bytes JMP 0000000100070310 .text C:\Windows\system32\services.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076d7e0b0 5 bytes JMP 00000001000703c0 .text C:\Windows\system32\services.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076d7e100 5 bytes JMP 00000001000703f0 .text C:\Windows\system32\services.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076d7e260 5 bytes JMP 0000000100070230 .text C:\Windows\system32\services.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d7e420 5 bytes JMP 0000000100070480 .text C:\Windows\system32\services.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076d7e450 5 bytes JMP 00000001000703a0 .text C:\Windows\system32\services.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076d7e530 5 bytes JMP 00000001000702f0 .text C:\Windows\system32\services.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076d7e540 5 bytes JMP 0000000100070350 .text C:\Windows\system32\services.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076d7e5a0 5 bytes JMP 0000000100070290 .text C:\Windows\system32\services.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076d7e630 5 bytes JMP 00000001000702b0 .text C:\Windows\system32\services.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076d7e650 5 bytes JMP 00000001000703d0 .text C:\Windows\system32\services.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076d7e660 5 bytes JMP 0000000100070330 .text C:\Windows\system32\services.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076d7e6d0 5 bytes JMP 0000000100070410 .text C:\Windows\system32\services.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076d7e700 5 bytes JMP 0000000100070240 .text C:\Windows\system32\services.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076d7e9c0 5 bytes JMP 00000001000701e0 .text C:\Windows\system32\services.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076d7ea80 5 bytes JMP 0000000100070250 .text C:\Windows\system32\services.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076d7eab0 5 bytes JMP 0000000100070490 .text C:\Windows\system32\services.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076d7eac0 5 bytes JMP 00000001000704a0 .text C:\Windows\system32\services.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076d7eaf0 5 bytes JMP 0000000100070300 .text C:\Windows\system32\services.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076d7eb00 5 bytes JMP 0000000100070360 .text C:\Windows\system32\services.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076d7eb60 5 bytes JMP 00000001000702a0 .text C:\Windows\system32\services.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076d7ebb0 5 bytes JMP 00000001000702c0 .text C:\Windows\system32\services.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076d7ebe0 5 bytes JMP 0000000100070380 .text C:\Windows\system32\services.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076d7ebf0 5 bytes JMP 0000000100070340 .text C:\Windows\system32\services.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076d7eee0 5 bytes JMP 0000000100070440 .text C:\Windows\system32\services.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076d7f0e0 5 bytes JMP 0000000100070260 .text C:\Windows\system32\services.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076d7f0f0 5 bytes JMP 0000000100070270 .text C:\Windows\system32\services.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076d7f100 5 bytes JMP 0000000100070400 .text C:\Windows\system32\services.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076d7f2c0 5 bytes JMP 00000001000701f0 .text C:\Windows\system32\services.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076d7f2d0 5 bytes JMP 0000000100070210 .text C:\Windows\system32\services.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076d7f340 5 bytes JMP 0000000100070200 .text C:\Windows\system32\services.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076d7f3a0 5 bytes JMP 0000000100070420 .text C:\Windows\system32\services.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076d7f3b0 5 bytes JMP 0000000100070430 .text C:\Windows\system32\services.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076d7f3c0 5 bytes JMP 0000000100070220 .text C:\Windows\system32\services.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076d7f4a0 5 bytes JMP 0000000100070280 .text C:\Windows\system32\lsass.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076d7dc80 5 bytes JMP 0000000076ee0460 .text C:\Windows\system32\lsass.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076d7dcd0 5 bytes JMP 0000000076ee0450 .text C:\Windows\system32\lsass.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076d7de30 5 bytes JMP 0000000076ee0370 .text C:\Windows\system32\lsass.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076d7de80 5 bytes JMP 0000000076ee0470 .text C:\Windows\system32\lsass.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d7de90 5 bytes JMP 0000000076ee03e0 .text C:\Windows\system32\lsass.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076d7df40 5 bytes JMP 0000000076ee0320 .text C:\Windows\system32\lsass.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d7df70 5 bytes JMP 0000000076ee03b0 .text C:\Windows\system32\lsass.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076d7df90 5 bytes JMP 0000000076ee0390 .text C:\Windows\system32\lsass.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076d7dfd0 5 bytes JMP 0000000076ee02e0 .text C:\Windows\system32\lsass.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076d7e050 5 bytes JMP 0000000076ee02d0 .text C:\Windows\system32\lsass.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076d7e070 5 bytes JMP 0000000076ee0310 .text C:\Windows\system32\lsass.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076d7e0b0 5 bytes JMP 0000000076ee03c0 .text C:\Windows\system32\lsass.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076d7e100 5 bytes JMP 0000000076ee03f0 .text C:\Windows\system32\lsass.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076d7e260 5 bytes JMP 0000000076ee0230 .text C:\Windows\system32\lsass.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d7e420 5 bytes JMP 0000000076ee0480 .text C:\Windows\system32\lsass.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076d7e450 5 bytes JMP 0000000076ee03a0 .text C:\Windows\system32\lsass.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076d7e530 5 bytes JMP 0000000076ee02f0 .text C:\Windows\system32\lsass.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076d7e540 5 bytes JMP 0000000076ee0350 .text C:\Windows\system32\lsass.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076d7e5a0 5 bytes JMP 0000000076ee0290 .text C:\Windows\system32\lsass.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076d7e630 5 bytes JMP 0000000076ee02b0 .text C:\Windows\system32\lsass.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076d7e650 5 bytes JMP 0000000076ee03d0 .text C:\Windows\system32\lsass.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076d7e660 5 bytes JMP 0000000076ee0330 .text C:\Windows\system32\lsass.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076d7e6d0 5 bytes JMP 0000000076ee0410 .text C:\Windows\system32\lsass.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076d7e700 5 bytes JMP 0000000076ee0240 .text C:\Windows\system32\lsass.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076d7e9c0 5 bytes JMP 0000000076ee01e0 .text C:\Windows\system32\lsass.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076d7ea80 5 bytes JMP 0000000076ee0250 .text C:\Windows\system32\lsass.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076d7eab0 5 bytes JMP 0000000076ee0490 .text C:\Windows\system32\lsass.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076d7eac0 5 bytes JMP 0000000076ee04a0 .text C:\Windows\system32\lsass.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076d7eaf0 5 bytes JMP 0000000076ee0300 .text C:\Windows\system32\lsass.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076d7eb00 5 bytes JMP 0000000076ee0360 .text C:\Windows\system32\lsass.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076d7eb60 5 bytes JMP 0000000076ee02a0 .text C:\Windows\system32\lsass.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076d7ebb0 5 bytes JMP 0000000076ee02c0 .text C:\Windows\system32\lsass.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076d7ebe0 5 bytes JMP 0000000076ee0380 .text C:\Windows\system32\lsass.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076d7ebf0 5 bytes JMP 0000000076ee0340 .text C:\Windows\system32\lsass.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076d7eee0 5 bytes JMP 0000000076ee0440 .text C:\Windows\system32\lsass.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076d7f0e0 5 bytes JMP 0000000076ee0260 .text C:\Windows\system32\lsass.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076d7f0f0 5 bytes JMP 0000000076ee0270 .text C:\Windows\system32\lsass.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076d7f100 5 bytes JMP 0000000076ee0400 .text C:\Windows\system32\lsass.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076d7f2c0 5 bytes JMP 0000000076ee01f0 .text C:\Windows\system32\lsass.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076d7f2d0 5 bytes JMP 0000000076ee0210 .text C:\Windows\system32\lsass.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076d7f340 5 bytes JMP 0000000076ee0200 .text C:\Windows\system32\lsass.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076d7f3a0 5 bytes JMP 0000000076ee0420 .text C:\Windows\system32\lsass.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076d7f3b0 5 bytes JMP 0000000076ee0430 .text C:\Windows\system32\lsass.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076d7f3c0 5 bytes JMP 0000000076ee0220 .text C:\Windows\system32\lsass.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076d7f4a0 5 bytes JMP 0000000076ee0280 .text C:\Windows\System32\svchost.exe[256] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076d7dc80 5 bytes JMP 0000000076ee0460 .text C:\Windows\System32\svchost.exe[256] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076d7dcd0 5 bytes JMP 0000000076ee0450 .text C:\Windows\System32\svchost.exe[256] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076d7de30 5 bytes JMP 0000000076ee0370 .text C:\Windows\System32\svchost.exe[256] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076d7de80 5 bytes JMP 0000000076ee0470 .text C:\Windows\System32\svchost.exe[256] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d7de90 5 bytes JMP 0000000076ee03e0 .text C:\Windows\System32\svchost.exe[256] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076d7df40 5 bytes JMP 0000000076ee0320 .text C:\Windows\System32\svchost.exe[256] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d7df70 5 bytes JMP 0000000076ee03b0 .text C:\Windows\System32\svchost.exe[256] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076d7df90 5 bytes JMP 0000000076ee0390 .text C:\Windows\System32\svchost.exe[256] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076d7dfd0 5 bytes JMP 0000000076ee02e0 .text C:\Windows\System32\svchost.exe[256] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076d7e050 5 bytes JMP 0000000076ee02d0 .text C:\Windows\System32\svchost.exe[256] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076d7e070 5 bytes JMP 0000000076ee0310 .text C:\Windows\System32\svchost.exe[256] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076d7e0b0 5 bytes JMP 0000000076ee03c0 .text C:\Windows\System32\svchost.exe[256] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076d7e100 5 bytes JMP 0000000076ee03f0 .text C:\Windows\System32\svchost.exe[256] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076d7e260 5 bytes JMP 0000000076ee0230 .text C:\Windows\System32\svchost.exe[256] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d7e420 5 bytes JMP 0000000076ee0480 .text C:\Windows\System32\svchost.exe[256] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076d7e450 5 bytes JMP 0000000076ee03a0 .text C:\Windows\System32\svchost.exe[256] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076d7e530 5 bytes JMP 0000000076ee02f0 .text C:\Windows\System32\svchost.exe[256] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076d7e540 5 bytes JMP 0000000076ee0350 .text C:\Windows\System32\svchost.exe[256] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076d7e5a0 5 bytes JMP 0000000076ee0290 .text C:\Windows\System32\svchost.exe[256] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076d7e630 5 bytes JMP 0000000076ee02b0 .text C:\Windows\System32\svchost.exe[256] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076d7e650 5 bytes JMP 0000000076ee03d0 .text C:\Windows\System32\svchost.exe[256] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076d7e660 5 bytes JMP 0000000076ee0330 .text C:\Windows\System32\svchost.exe[256] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076d7e6d0 5 bytes JMP 0000000076ee0410 .text C:\Windows\System32\svchost.exe[256] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076d7e700 5 bytes JMP 0000000076ee0240 .text C:\Windows\System32\svchost.exe[256] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076d7e9c0 5 bytes JMP 0000000076ee01e0 .text C:\Windows\System32\svchost.exe[256] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076d7ea80 5 bytes JMP 0000000076ee0250 .text C:\Windows\System32\svchost.exe[256] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076d7eab0 5 bytes JMP 0000000076ee0490 .text C:\Windows\System32\svchost.exe[256] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076d7eac0 5 bytes JMP 0000000076ee04a0 .text C:\Windows\System32\svchost.exe[256] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076d7eaf0 5 bytes JMP 0000000076ee0300 .text C:\Windows\System32\svchost.exe[256] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076d7eb00 5 bytes JMP 0000000076ee0360 .text C:\Windows\System32\svchost.exe[256] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076d7eb60 5 bytes JMP 0000000076ee02a0 .text C:\Windows\System32\svchost.exe[256] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076d7ebb0 5 bytes JMP 0000000076ee02c0 .text C:\Windows\System32\svchost.exe[256] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076d7ebe0 5 bytes JMP 0000000076ee0380 .text C:\Windows\System32\svchost.exe[256] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076d7ebf0 5 bytes JMP 0000000076ee0340 .text C:\Windows\System32\svchost.exe[256] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076d7eee0 5 bytes JMP 0000000076ee0440 .text C:\Windows\System32\svchost.exe[256] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076d7f0e0 5 bytes JMP 0000000076ee0260 .text C:\Windows\System32\svchost.exe[256] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076d7f0f0 5 bytes JMP 0000000076ee0270 .text C:\Windows\System32\svchost.exe[256] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076d7f100 5 bytes JMP 0000000076ee0400 .text C:\Windows\System32\svchost.exe[256] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076d7f2c0 5 bytes JMP 0000000076ee01f0 .text C:\Windows\System32\svchost.exe[256] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076d7f2d0 5 bytes JMP 0000000076ee0210 .text C:\Windows\System32\svchost.exe[256] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076d7f340 5 bytes JMP 0000000076ee0200 .text C:\Windows\System32\svchost.exe[256] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076d7f3a0 5 bytes JMP 0000000076ee0420 .text C:\Windows\System32\svchost.exe[256] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076d7f3b0 5 bytes JMP 0000000076ee0430 .text C:\Windows\System32\svchost.exe[256] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076d7f3c0 5 bytes JMP 0000000076ee0220 .text C:\Windows\System32\svchost.exe[256] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076d7f4a0 5 bytes JMP 0000000076ee0280 .text C:\Windows\System32\svchost.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076d7dc80 5 bytes JMP 0000000076ee0460 .text C:\Windows\System32\svchost.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076d7dcd0 5 bytes JMP 0000000076ee0450 .text C:\Windows\System32\svchost.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076d7de30 5 bytes JMP 0000000076ee0370 .text C:\Windows\System32\svchost.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076d7de80 5 bytes JMP 0000000076ee0470 .text C:\Windows\System32\svchost.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d7de90 5 bytes JMP 0000000076ee03e0 .text C:\Windows\System32\svchost.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076d7df40 5 bytes JMP 0000000076ee0320 .text C:\Windows\System32\svchost.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d7df70 5 bytes JMP 0000000076ee03b0 .text C:\Windows\System32\svchost.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076d7df90 5 bytes JMP 0000000076ee0390 .text C:\Windows\System32\svchost.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076d7dfd0 5 bytes JMP 0000000076ee02e0 .text C:\Windows\System32\svchost.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076d7e050 5 bytes JMP 0000000076ee02d0 .text C:\Windows\System32\svchost.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076d7e070 5 bytes JMP 0000000076ee0310 .text C:\Windows\System32\svchost.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076d7e0b0 5 bytes JMP 0000000076ee03c0 .text C:\Windows\System32\svchost.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076d7e100 5 bytes JMP 0000000076ee03f0 .text C:\Windows\System32\svchost.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076d7e260 5 bytes JMP 0000000076ee0230 .text C:\Windows\System32\svchost.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d7e420 5 bytes JMP 0000000076ee0480 .text C:\Windows\System32\svchost.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076d7e450 5 bytes JMP 0000000076ee03a0 .text C:\Windows\System32\svchost.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076d7e530 5 bytes JMP 0000000076ee02f0 .text C:\Windows\System32\svchost.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076d7e540 5 bytes JMP 0000000076ee0350 .text C:\Windows\System32\svchost.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076d7e5a0 5 bytes JMP 0000000076ee0290 .text C:\Windows\System32\svchost.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076d7e630 5 bytes JMP 0000000076ee02b0 .text C:\Windows\System32\svchost.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076d7e650 5 bytes JMP 0000000076ee03d0 .text C:\Windows\System32\svchost.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076d7e660 5 bytes JMP 0000000076ee0330 .text C:\Windows\System32\svchost.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076d7e6d0 5 bytes JMP 0000000076ee0410 .text C:\Windows\System32\svchost.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076d7e700 5 bytes JMP 0000000076ee0240 .text C:\Windows\System32\svchost.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076d7e9c0 5 bytes JMP 0000000076ee01e0 .text C:\Windows\System32\svchost.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076d7ea80 5 bytes JMP 0000000076ee0250 .text C:\Windows\System32\svchost.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076d7eab0 5 bytes JMP 0000000076ee0490 .text C:\Windows\System32\svchost.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076d7eac0 5 bytes JMP 0000000076ee04a0 .text C:\Windows\System32\svchost.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076d7eaf0 5 bytes JMP 0000000076ee0300 .text C:\Windows\System32\svchost.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076d7eb00 5 bytes JMP 0000000076ee0360 .text C:\Windows\System32\svchost.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076d7eb60 5 bytes JMP 0000000076ee02a0 .text C:\Windows\System32\svchost.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076d7ebb0 5 bytes JMP 0000000076ee02c0 .text C:\Windows\System32\svchost.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076d7ebe0 5 bytes JMP 0000000076ee0380 .text C:\Windows\System32\svchost.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076d7ebf0 5 bytes JMP 0000000076ee0340 .text C:\Windows\System32\svchost.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076d7eee0 5 bytes JMP 0000000076ee0440 .text C:\Windows\System32\svchost.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076d7f0e0 5 bytes JMP 0000000076ee0260 .text C:\Windows\System32\svchost.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076d7f0f0 5 bytes JMP 0000000076ee0270 .text C:\Windows\System32\svchost.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076d7f100 5 bytes JMP 0000000076ee0400 .text C:\Windows\System32\svchost.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076d7f2c0 5 bytes JMP 0000000076ee01f0 .text C:\Windows\System32\svchost.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076d7f2d0 5 bytes JMP 0000000076ee0210 .text C:\Windows\System32\svchost.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076d7f340 5 bytes JMP 0000000076ee0200 .text C:\Windows\System32\svchost.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076d7f3a0 5 bytes JMP 0000000076ee0420 .text C:\Windows\System32\svchost.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076d7f3b0 5 bytes JMP 0000000076ee0430 .text C:\Windows\System32\svchost.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076d7f3c0 5 bytes JMP 0000000076ee0220 .text C:\Windows\System32\svchost.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076d7f4a0 5 bytes JMP 0000000076ee0280 .text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076d7dc80 5 bytes JMP 0000000076ee0460 .text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076d7dcd0 5 bytes JMP 0000000076ee0450 .text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076d7de30 5 bytes JMP 0000000076ee0370 .text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076d7de80 5 bytes JMP 0000000076ee0470 .text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d7de90 5 bytes JMP 0000000076ee03e0 .text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076d7df40 5 bytes JMP 0000000076ee0320 .text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d7df70 5 bytes JMP 0000000076ee03b0 .text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076d7df90 5 bytes JMP 0000000076ee0390 .text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076d7dfd0 5 bytes JMP 0000000076ee02e0 .text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076d7e050 5 bytes JMP 0000000076ee02d0 .text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076d7e070 5 bytes JMP 0000000076ee0310 .text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076d7e0b0 5 bytes JMP 0000000076ee03c0 .text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076d7e100 5 bytes JMP 0000000076ee03f0 .text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076d7e260 5 bytes JMP 0000000076ee0230 .text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d7e420 5 bytes JMP 0000000076ee0480 .text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076d7e450 5 bytes JMP 0000000076ee03a0 .text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076d7e530 5 bytes JMP 0000000076ee02f0 .text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076d7e540 5 bytes JMP 0000000076ee0350 .text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076d7e5a0 5 bytes JMP 0000000076ee0290 .text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076d7e630 5 bytes JMP 0000000076ee02b0 .text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076d7e650 5 bytes JMP 0000000076ee03d0 .text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076d7e660 5 bytes JMP 0000000076ee0330 .text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076d7e6d0 5 bytes JMP 0000000076ee0410 .text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076d7e700 5 bytes JMP 0000000076ee0240 .text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076d7e9c0 5 bytes JMP 0000000076ee01e0 .text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076d7ea80 5 bytes JMP 0000000076ee0250 .text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076d7eab0 5 bytes JMP 0000000076ee0490 .text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076d7eac0 5 bytes JMP 0000000076ee04a0 .text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076d7eaf0 5 bytes JMP 0000000076ee0300 .text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076d7eb00 5 bytes JMP 0000000076ee0360 .text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076d7eb60 5 bytes JMP 0000000076ee02a0 .text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076d7ebb0 5 bytes JMP 0000000076ee02c0 .text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076d7ebe0 5 bytes JMP 0000000076ee0380 .text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076d7ebf0 5 bytes JMP 0000000076ee0340 .text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076d7eee0 5 bytes JMP 0000000076ee0440 .text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076d7f0e0 5 bytes JMP 0000000076ee0260 .text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076d7f0f0 5 bytes JMP 0000000076ee0270 .text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076d7f100 5 bytes JMP 0000000076ee0400 .text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076d7f2c0 5 bytes JMP 0000000076ee01f0 .text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076d7f2d0 5 bytes JMP 0000000076ee0210 .text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076d7f340 5 bytes JMP 0000000076ee0200 .text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076d7f3a0 5 bytes JMP 0000000076ee0420 .text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076d7f3b0 5 bytes JMP 0000000076ee0430 .text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076d7f3c0 5 bytes JMP 0000000076ee0220 .text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076d7f4a0 5 bytes JMP 0000000076ee0280 .text C:\Windows\system32\wbem\wmiprvse.exe[2064] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076d7dc80 5 bytes JMP 0000000076ee0460 .text C:\Windows\system32\wbem\wmiprvse.exe[2064] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076d7dcd0 5 bytes JMP 0000000076ee0450 .text C:\Windows\system32\wbem\wmiprvse.exe[2064] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076d7de30 5 bytes JMP 0000000076ee0370 .text C:\Windows\system32\wbem\wmiprvse.exe[2064] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076d7de80 5 bytes JMP 0000000076ee0470 .text C:\Windows\system32\wbem\wmiprvse.exe[2064] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d7de90 5 bytes JMP 0000000076ee03e0 .text C:\Windows\system32\wbem\wmiprvse.exe[2064] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076d7df40 5 bytes JMP 0000000076ee0320 .text C:\Windows\system32\wbem\wmiprvse.exe[2064] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d7df70 5 bytes JMP 0000000076ee03b0 .text C:\Windows\system32\wbem\wmiprvse.exe[2064] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076d7df90 5 bytes JMP 0000000076ee0390 .text C:\Windows\system32\wbem\wmiprvse.exe[2064] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076d7dfd0 5 bytes JMP 0000000076ee02e0 .text C:\Windows\system32\wbem\wmiprvse.exe[2064] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076d7e050 5 bytes JMP 0000000076ee02d0 .text C:\Windows\system32\wbem\wmiprvse.exe[2064] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076d7e070 5 bytes JMP 0000000076ee0310 .text C:\Windows\system32\wbem\wmiprvse.exe[2064] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076d7e0b0 5 bytes JMP 0000000076ee03c0 .text C:\Windows\system32\wbem\wmiprvse.exe[2064] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076d7e100 5 bytes JMP 0000000076ee03f0 .text C:\Windows\system32\wbem\wmiprvse.exe[2064] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076d7e260 5 bytes JMP 0000000076ee0230 .text C:\Windows\system32\wbem\wmiprvse.exe[2064] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d7e420 5 bytes JMP 0000000076ee0480 .text C:\Windows\system32\wbem\wmiprvse.exe[2064] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076d7e450 5 bytes JMP 0000000076ee03a0 .text C:\Windows\system32\wbem\wmiprvse.exe[2064] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076d7e530 5 bytes JMP 0000000076ee02f0 .text C:\Windows\system32\wbem\wmiprvse.exe[2064] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076d7e540 5 bytes JMP 0000000076ee0350 .text C:\Windows\system32\wbem\wmiprvse.exe[2064] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076d7e5a0 5 bytes JMP 0000000076ee0290 .text C:\Windows\system32\wbem\wmiprvse.exe[2064] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076d7e630 5 bytes JMP 0000000076ee02b0 .text C:\Windows\system32\wbem\wmiprvse.exe[2064] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076d7e650 5 bytes JMP 0000000076ee03d0 .text C:\Windows\system32\wbem\wmiprvse.exe[2064] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076d7e660 5 bytes JMP 0000000076ee0330 .text C:\Windows\system32\wbem\wmiprvse.exe[2064] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076d7e6d0 5 bytes JMP 0000000076ee0410 .text C:\Windows\system32\wbem\wmiprvse.exe[2064] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076d7e700 5 bytes JMP 0000000076ee0240 .text C:\Windows\system32\wbem\wmiprvse.exe[2064] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076d7e9c0 5 bytes JMP 0000000076ee01e0 .text C:\Windows\system32\wbem\wmiprvse.exe[2064] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076d7ea80 5 bytes JMP 0000000076ee0250 .text C:\Windows\system32\wbem\wmiprvse.exe[2064] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076d7eab0 5 bytes JMP 0000000076ee0490 .text C:\Windows\system32\wbem\wmiprvse.exe[2064] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076d7eac0 5 bytes JMP 0000000076ee04a0 .text C:\Windows\system32\wbem\wmiprvse.exe[2064] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076d7eaf0 5 bytes JMP 0000000076ee0300 .text C:\Windows\system32\wbem\wmiprvse.exe[2064] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076d7eb00 5 bytes JMP 0000000076ee0360 .text C:\Windows\system32\wbem\wmiprvse.exe[2064] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076d7eb60 5 bytes JMP 0000000076ee02a0 .text C:\Windows\system32\wbem\wmiprvse.exe[2064] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076d7ebb0 5 bytes JMP 0000000076ee02c0 .text C:\Windows\system32\wbem\wmiprvse.exe[2064] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076d7ebe0 5 bytes JMP 0000000076ee0380 .text C:\Windows\system32\wbem\wmiprvse.exe[2064] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076d7ebf0 5 bytes JMP 0000000076ee0340 .text C:\Windows\system32\wbem\wmiprvse.exe[2064] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076d7eee0 5 bytes JMP 0000000076ee0440 .text C:\Windows\system32\wbem\wmiprvse.exe[2064] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076d7f0e0 5 bytes JMP 0000000076ee0260 .text C:\Windows\system32\wbem\wmiprvse.exe[2064] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076d7f0f0 5 bytes JMP 0000000076ee0270 .text C:\Windows\system32\wbem\wmiprvse.exe[2064] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076d7f100 5 bytes JMP 0000000076ee0400 .text C:\Windows\system32\wbem\wmiprvse.exe[2064] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076d7f2c0 5 bytes JMP 0000000076ee01f0 .text C:\Windows\system32\wbem\wmiprvse.exe[2064] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076d7f2d0 5 bytes JMP 0000000076ee0210 .text C:\Windows\system32\wbem\wmiprvse.exe[2064] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076d7f340 5 bytes JMP 0000000076ee0200 .text C:\Windows\system32\wbem\wmiprvse.exe[2064] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076d7f3a0 5 bytes JMP 0000000076ee0420 .text C:\Windows\system32\wbem\wmiprvse.exe[2064] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076d7f3b0 5 bytes JMP 0000000076ee0430 .text C:\Windows\system32\wbem\wmiprvse.exe[2064] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076d7f3c0 5 bytes JMP 0000000076ee0220 .text C:\Windows\system32\wbem\wmiprvse.exe[2064] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076d7f4a0 5 bytes JMP 0000000076ee0280 .text C:\Windows\system32\csrss.exe[4136] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076d7dc80 5 bytes JMP 000000014a160460 .text C:\Windows\system32\csrss.exe[4136] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076d7dcd0 5 bytes JMP 000000014a160450 .text C:\Windows\system32\csrss.exe[4136] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076d7de30 5 bytes JMP 000000014a160370 .text C:\Windows\system32\csrss.exe[4136] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076d7de80 5 bytes JMP 000000014a160470 .text C:\Windows\system32\csrss.exe[4136] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d7de90 5 bytes JMP 000000014a1603e0 .text C:\Windows\system32\csrss.exe[4136] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076d7df40 5 bytes JMP 000000014a160320 .text C:\Windows\system32\csrss.exe[4136] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d7df70 5 bytes JMP 000000014a1603b0 .text C:\Windows\system32\csrss.exe[4136] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076d7df90 5 bytes JMP 000000014a160390 .text C:\Windows\system32\csrss.exe[4136] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076d7dfd0 5 bytes JMP 000000014a1602e0 .text C:\Windows\system32\csrss.exe[4136] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076d7e050 5 bytes JMP 000000014a1602d0 .text C:\Windows\system32\csrss.exe[4136] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076d7e070 5 bytes JMP 000000014a160310 .text C:\Windows\system32\csrss.exe[4136] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076d7e0b0 5 bytes JMP 000000014a1603c0 .text C:\Windows\system32\csrss.exe[4136] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076d7e100 5 bytes JMP 000000014a1603f0 .text C:\Windows\system32\csrss.exe[4136] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076d7e260 5 bytes JMP 000000014a160230 .text C:\Windows\system32\csrss.exe[4136] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d7e420 5 bytes JMP 000000014a160480 .text C:\Windows\system32\csrss.exe[4136] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076d7e450 5 bytes JMP 000000014a1603a0 .text C:\Windows\system32\csrss.exe[4136] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076d7e530 5 bytes JMP 000000014a1602f0 .text C:\Windows\system32\csrss.exe[4136] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076d7e540 5 bytes JMP 000000014a160350 .text C:\Windows\system32\csrss.exe[4136] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076d7e5a0 5 bytes JMP 000000014a160290 .text C:\Windows\system32\csrss.exe[4136] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076d7e630 5 bytes JMP 000000014a1602b0 .text C:\Windows\system32\csrss.exe[4136] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076d7e650 5 bytes JMP 000000014a1603d0 .text C:\Windows\system32\csrss.exe[4136] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076d7e660 5 bytes JMP 000000014a160330 .text C:\Windows\system32\csrss.exe[4136] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076d7e6d0 5 bytes JMP 000000014a160410 .text C:\Windows\system32\csrss.exe[4136] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076d7e700 5 bytes JMP 000000014a160240 .text C:\Windows\system32\csrss.exe[4136] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076d7e9c0 5 bytes JMP 000000014a1601e0 .text C:\Windows\system32\csrss.exe[4136] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076d7ea80 5 bytes JMP 000000014a160250 .text C:\Windows\system32\csrss.exe[4136] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076d7eab0 5 bytes JMP 000000014a160490 .text C:\Windows\system32\csrss.exe[4136] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076d7eac0 5 bytes JMP 000000014a1604a0 .text C:\Windows\system32\csrss.exe[4136] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076d7eaf0 5 bytes JMP 000000014a160300 .text C:\Windows\system32\csrss.exe[4136] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076d7eb00 5 bytes JMP 000000014a160360 .text C:\Windows\system32\csrss.exe[4136] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076d7eb60 5 bytes JMP 000000014a1602a0 .text C:\Windows\system32\csrss.exe[4136] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076d7ebb0 5 bytes JMP 000000014a1602c0 .text C:\Windows\system32\csrss.exe[4136] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076d7ebe0 5 bytes JMP 000000014a160380 .text C:\Windows\system32\csrss.exe[4136] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076d7ebf0 5 bytes JMP 000000014a160340 .text C:\Windows\system32\csrss.exe[4136] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076d7eee0 5 bytes JMP 000000014a160440 .text C:\Windows\system32\csrss.exe[4136] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076d7f0e0 5 bytes JMP 000000014a160260 .text C:\Windows\system32\csrss.exe[4136] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076d7f0f0 5 bytes JMP 000000014a160270 .text C:\Windows\system32\csrss.exe[4136] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076d7f100 5 bytes JMP 000000014a160400 .text C:\Windows\system32\csrss.exe[4136] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076d7f2c0 5 bytes JMP 000000014a1601f0 .text C:\Windows\system32\csrss.exe[4136] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076d7f2d0 5 bytes JMP 000000014a160210 .text C:\Windows\system32\csrss.exe[4136] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076d7f340 5 bytes JMP 000000014a160200 .text C:\Windows\system32\csrss.exe[4136] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076d7f3a0 5 bytes JMP 000000014a160420 .text C:\Windows\system32\csrss.exe[4136] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076d7f3b0 5 bytes JMP 000000014a160430 .text C:\Windows\system32\csrss.exe[4136] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076d7f3c0 5 bytes JMP 000000014a160220 .text C:\Windows\system32\csrss.exe[4136] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076d7f4a0 5 bytes JMP 000000014a160280 .text C:\Windows\Explorer.EXE[4524] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076d7dc80 5 bytes JMP 0000000076ee0460 .text C:\Windows\Explorer.EXE[4524] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076d7dcd0 5 bytes JMP 0000000076ee0450 .text C:\Windows\Explorer.EXE[4524] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076d7de30 5 bytes JMP 0000000076ee0370 .text C:\Windows\Explorer.EXE[4524] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076d7de80 5 bytes JMP 0000000076ee0470 .text C:\Windows\Explorer.EXE[4524] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d7de90 5 bytes JMP 0000000076ee03e0 .text C:\Windows\Explorer.EXE[4524] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076d7df40 5 bytes JMP 0000000076ee0320 .text C:\Windows\Explorer.EXE[4524] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d7df70 5 bytes JMP 0000000076ee03b0 .text C:\Windows\Explorer.EXE[4524] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076d7df90 5 bytes JMP 0000000076ee0390 .text C:\Windows\Explorer.EXE[4524] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076d7dfd0 5 bytes JMP 0000000076ee02e0 .text C:\Windows\Explorer.EXE[4524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076d7e050 5 bytes JMP 0000000076ee02d0 .text C:\Windows\Explorer.EXE[4524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076d7e070 5 bytes JMP 0000000076ee0310 .text C:\Windows\Explorer.EXE[4524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076d7e0b0 5 bytes JMP 0000000076ee03c0 .text C:\Windows\Explorer.EXE[4524] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076d7e100 5 bytes JMP 0000000076ee03f0 .text C:\Windows\Explorer.EXE[4524] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076d7e260 5 bytes JMP 0000000076ee0230 .text C:\Windows\Explorer.EXE[4524] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d7e420 5 bytes JMP 0000000076ee0480 .text C:\Windows\Explorer.EXE[4524] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076d7e450 5 bytes JMP 0000000076ee03a0 .text C:\Windows\Explorer.EXE[4524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076d7e530 5 bytes JMP 0000000076ee02f0 .text C:\Windows\Explorer.EXE[4524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076d7e540 5 bytes JMP 0000000076ee0350 .text C:\Windows\Explorer.EXE[4524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076d7e5a0 5 bytes JMP 0000000076ee0290 .text C:\Windows\Explorer.EXE[4524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076d7e630 5 bytes JMP 0000000076ee02b0 .text C:\Windows\Explorer.EXE[4524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076d7e650 5 bytes JMP 0000000076ee03d0 .text C:\Windows\Explorer.EXE[4524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076d7e660 5 bytes JMP 0000000076ee0330 .text C:\Windows\Explorer.EXE[4524] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076d7e6d0 5 bytes JMP 0000000076ee0410 .text C:\Windows\Explorer.EXE[4524] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076d7e700 5 bytes JMP 0000000076ee0240 .text C:\Windows\Explorer.EXE[4524] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076d7e9c0 5 bytes JMP 0000000076ee01e0 .text C:\Windows\Explorer.EXE[4524] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076d7ea80 5 bytes JMP 0000000076ee0250 .text C:\Windows\Explorer.EXE[4524] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076d7eab0 5 bytes JMP 0000000076ee0490 .text C:\Windows\Explorer.EXE[4524] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076d7eac0 5 bytes JMP 0000000076ee04a0 .text C:\Windows\Explorer.EXE[4524] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076d7eaf0 5 bytes JMP 0000000076ee0300 .text C:\Windows\Explorer.EXE[4524] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076d7eb00 5 bytes JMP 0000000076ee0360 .text C:\Windows\Explorer.EXE[4524] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076d7eb60 5 bytes JMP 0000000076ee02a0 .text C:\Windows\Explorer.EXE[4524] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076d7ebb0 5 bytes JMP 0000000076ee02c0 .text C:\Windows\Explorer.EXE[4524] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076d7ebe0 5 bytes JMP 0000000076ee0380 .text C:\Windows\Explorer.EXE[4524] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076d7ebf0 5 bytes JMP 0000000076ee0340 .text C:\Windows\Explorer.EXE[4524] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076d7eee0 5 bytes JMP 0000000076ee0440 .text C:\Windows\Explorer.EXE[4524] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076d7f0e0 5 bytes JMP 0000000076ee0260 .text C:\Windows\Explorer.EXE[4524] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076d7f0f0 5 bytes JMP 0000000076ee0270 .text C:\Windows\Explorer.EXE[4524] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076d7f100 5 bytes JMP 0000000076ee0400 .text C:\Windows\Explorer.EXE[4524] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076d7f2c0 5 bytes JMP 0000000076ee01f0 .text C:\Windows\Explorer.EXE[4524] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076d7f2d0 5 bytes JMP 0000000076ee0210 .text C:\Windows\Explorer.EXE[4524] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076d7f340 5 bytes JMP 0000000076ee0200 .text C:\Windows\Explorer.EXE[4524] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076d7f3a0 5 bytes JMP 0000000076ee0420 .text C:\Windows\Explorer.EXE[4524] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076d7f3b0 5 bytes JMP 0000000076ee0430 .text C:\Windows\Explorer.EXE[4524] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076d7f3c0 5 bytes JMP 0000000076ee0220 .text C:\Windows\Explorer.EXE[4524] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076d7f4a0 5 bytes JMP 0000000076ee0280 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3980] C:\Windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter 0000000076768769 8 bytes [31, C0, C2, 04, 00, 90, 90, ...] .text C:\Windows\system32\AUDIODG.EXE[2912] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076d7dc80 5 bytes JMP 0000000076ee0460 .text C:\Windows\system32\AUDIODG.EXE[2912] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076d7dcd0 5 bytes JMP 0000000076ee0450 .text C:\Windows\system32\AUDIODG.EXE[2912] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076d7de30 5 bytes JMP 0000000076ee0370 .text C:\Windows\system32\AUDIODG.EXE[2912] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076d7de80 5 bytes JMP 0000000076ee0470 .text C:\Windows\system32\AUDIODG.EXE[2912] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d7de90 5 bytes JMP 0000000076ee03e0 .text C:\Windows\system32\AUDIODG.EXE[2912] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076d7df40 5 bytes JMP 0000000076ee0320 .text C:\Windows\system32\AUDIODG.EXE[2912] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d7df70 5 bytes JMP 0000000076ee03b0 .text C:\Windows\system32\AUDIODG.EXE[2912] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076d7df90 5 bytes JMP 0000000076ee0390 .text C:\Windows\system32\AUDIODG.EXE[2912] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076d7dfd0 5 bytes JMP 0000000076ee02e0 .text C:\Windows\system32\AUDIODG.EXE[2912] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076d7e050 5 bytes JMP 0000000076ee02d0 .text C:\Windows\system32\AUDIODG.EXE[2912] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076d7e070 5 bytes JMP 0000000076ee0310 .text C:\Windows\system32\AUDIODG.EXE[2912] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076d7e0b0 5 bytes JMP 0000000076ee03c0 .text C:\Windows\system32\AUDIODG.EXE[2912] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076d7e100 5 bytes JMP 0000000076ee03f0 .text C:\Windows\system32\AUDIODG.EXE[2912] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076d7e260 5 bytes JMP 0000000076ee0230 .text C:\Windows\system32\AUDIODG.EXE[2912] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d7e420 5 bytes JMP 0000000076ee0480 .text C:\Windows\system32\AUDIODG.EXE[2912] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076d7e450 5 bytes JMP 0000000076ee03a0 .text C:\Windows\system32\AUDIODG.EXE[2912] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076d7e530 5 bytes JMP 0000000076ee02f0 .text C:\Windows\system32\AUDIODG.EXE[2912] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076d7e540 5 bytes JMP 0000000076ee0350 .text C:\Windows\system32\AUDIODG.EXE[2912] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076d7e5a0 5 bytes JMP 0000000076ee0290 .text C:\Windows\system32\AUDIODG.EXE[2912] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076d7e630 5 bytes JMP 0000000076ee02b0 .text C:\Windows\system32\AUDIODG.EXE[2912] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076d7e650 5 bytes JMP 0000000076ee03d0 .text C:\Windows\system32\AUDIODG.EXE[2912] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076d7e660 5 bytes JMP 0000000076ee0330 .text C:\Windows\system32\AUDIODG.EXE[2912] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076d7e6d0 5 bytes JMP 0000000076ee0410 .text C:\Windows\system32\AUDIODG.EXE[2912] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076d7e700 5 bytes JMP 0000000076ee0240 .text C:\Windows\system32\AUDIODG.EXE[2912] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076d7e9c0 5 bytes JMP 0000000076ee01e0 .text C:\Windows\system32\AUDIODG.EXE[2912] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076d7ea80 5 bytes JMP 0000000076ee0250 .text C:\Windows\system32\AUDIODG.EXE[2912] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076d7eab0 5 bytes JMP 0000000076ee0490 .text C:\Windows\system32\AUDIODG.EXE[2912] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076d7eac0 5 bytes JMP 0000000076ee04a0 .text C:\Windows\system32\AUDIODG.EXE[2912] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076d7eaf0 5 bytes JMP 0000000076ee0300 .text C:\Windows\system32\AUDIODG.EXE[2912] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076d7eb00 5 bytes JMP 0000000076ee0360 .text C:\Windows\system32\AUDIODG.EXE[2912] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076d7eb60 5 bytes JMP 0000000076ee02a0 .text C:\Windows\system32\AUDIODG.EXE[2912] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076d7ebb0 5 bytes JMP 0000000076ee02c0 .text C:\Windows\system32\AUDIODG.EXE[2912] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076d7ebe0 5 bytes JMP 0000000076ee0380 .text C:\Windows\system32\AUDIODG.EXE[2912] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076d7ebf0 5 bytes JMP 0000000076ee0340 .text C:\Windows\system32\AUDIODG.EXE[2912] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076d7eee0 5 bytes JMP 0000000076ee0440 .text C:\Windows\system32\AUDIODG.EXE[2912] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076d7f0e0 5 bytes JMP 0000000076ee0260 .text C:\Windows\system32\AUDIODG.EXE[2912] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076d7f0f0 5 bytes JMP 0000000076ee0270 .text C:\Windows\system32\AUDIODG.EXE[2912] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076d7f100 5 bytes JMP 0000000076ee0400 .text C:\Windows\system32\AUDIODG.EXE[2912] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076d7f2c0 5 bytes JMP 0000000076ee01f0 .text C:\Windows\system32\AUDIODG.EXE[2912] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076d7f2d0 5 bytes JMP 0000000076ee0210 .text C:\Windows\system32\AUDIODG.EXE[2912] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076d7f340 5 bytes JMP 0000000076ee0200 .text C:\Windows\system32\AUDIODG.EXE[2912] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076d7f3a0 5 bytes JMP 0000000076ee0420 .text C:\Windows\system32\AUDIODG.EXE[2912] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076d7f3b0 5 bytes JMP 0000000076ee0430 .text C:\Windows\system32\AUDIODG.EXE[2912] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076d7f3c0 5 bytes JMP 0000000076ee0220 .text C:\Windows\system32\AUDIODG.EXE[2912] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076d7f4a0 5 bytes JMP 0000000076ee0280 ---- Kernel IAT/EAT - GMER 2.1 ---- IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort] [fffff880010a9e94] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUchar] [fffff880010a9c38] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUchar] [fffff880010aa654] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUlong] [fffff880010aaa50] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort] [fffff880010aa8ac] \SystemRoot\System32\Drivers\sptd.sys [.text] ---- User IAT/EAT - GMER 2.1 ---- IAT c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2576] @ c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmAddToStreamDWord] [7fef743741c] c:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2576] @ c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSet] [7fef7435f10] c:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2576] @ c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmEndSession] [7fef7435674] c:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2576] @ c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmStartSession] [7fef7435e2c] c:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2576] @ c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmStartUpload] [7fef7437f48] c:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2576] @ c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSetAppVersion] [7fef7436a38] c:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2576] @ c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSetMachineId] [7fef7436ee8] c:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2576] @ c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmWriteSharedMachineId] [7fef7437b58] c:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2576] @ c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmCreateNewId] [7fef7437ea0] c:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2576] @ c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmReadSharedMachineId] [7fef74378b0] c:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2576] @ c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmGetSession] [7fef7434fb4] c:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2576] @ c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSetAppId] [7fef7435d38] c:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2576] @ c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmAddToStreamString] [7fef7437584] c:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll ---- Devices - GMER 2.1 ---- Device \Driver\atapi \Device\Ide\IdePort4 fffffa8003c8f2c0 Device \Driver\atapi \Device\Ide\IdePort0 fffffa8003c8f2c0 Device \Driver\atapi \Device\Ide\IdeDeviceP5T0L0-5 fffffa8003c8f2c0 Device \Driver\atapi \Device\Ide\IdePort5 fffffa8003c8f2c0 Device \Driver\atapi \Device\Ide\IdePort1 fffffa8003c8f2c0 Device \Driver\atapi \Device\Ide\IdePort2 fffffa8003c8f2c0 Device \Driver\atapi \Device\Ide\IdePort3 fffffa8003c8f2c0 Device \FileSystem\Ntfs \Ntfs fffffa8003c932c0 Device \Driver\usbehci \Device\USBPDO-1 fffffa80054f52c0 Device \Driver\usbehci \Device\USBFDO-0 fffffa80054f52c0 Device \Driver\usbehci \Device\USBFDO-1 fffffa80054f52c0 Device \Driver\NetBT \Device\NetBT_Tcpip_{78DF9754-394C-4211-A6E3-0605E0EB2289} fffffa8004f762c0 Device \Driver\NetBT \Device\NetBt_Wins_Export fffffa8004f762c0 Device \Driver\atapi \Device\ScsiPort0 fffffa8003c8f2c0 Device \Driver\usbehci \Device\USBPDO-0 fffffa80054f52c0 Device \Driver\atapi \Device\ScsiPort1 fffffa8003c8f2c0 Device \Driver\atapi \Device\ScsiPort2 fffffa8003c8f2c0 Device \Driver\atapi \Device\ScsiPort3 fffffa8003c8f2c0 Device \Driver\atapi \Device\ScsiPort4 fffffa8003c8f2c0 Device \Driver\atapi \Device\ScsiPort5 fffffa8003c8f2c0 ---- Trace I/O - GMER 2.1 ---- Trace ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys >>UNKNOWN [0xfffffa8003c8f2c0]<< sptd.sys ataport.SYS pciide.sys PCIIDEX.SYS hal.dll atapi.sys fffffa8003c8f2c0 Trace 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8004c27130] fffffa8004c27130 Trace 3 CLASSPNP.SYS[fffff8800145a43f] -> nt!IofCallDriver -> [0xfffffa8004aa2580] fffffa8004aa2580 Trace 5 ACPI.sys[fffff8800100b7a1] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP5T0L0-5[0xfffffa8004aa4060] fffffa8004aa4060 Trace \Driver\atapi[0xfffffa800465ec90] -> IRP_MJ_CREATE -> 0xfffffa8003c8f2c0 fffffa8003c8f2c0 ---- Processes - GMER 2.1 ---- Library c:\users\nowky\appdata\local\temp\7zs076a\hpslpsvc64.dll (*** suspicious ***) @ C:\Windows\system32\svchost.exe [208] (HP Network Devices Support/Hewlett-Packard Co.)(2014-09-18 12:13:33) 0000000180000000 Library C:\Users\Nowky\AppData\Local\Temp\sfareca00001.dll (*** suspicious ***) @ C:\Program Files (x86)\SpeedFan\speedfan.exe [3552](2015-11-0 00000000734a0000 Library C:\Users\Nowky\AppData\Local\Temp\sfamcc00001.dll (*** suspicious ***) @ C:\Program Files (x86)\SpeedFan\speedfan.exe [3552](2014-05-06 0000000010000000 ---- Disk sectors - GMER 2.1 ---- Disk \Device\Harddisk0\DR0 unknown MBR code ---- EOF - GMER 2.1 ----