GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2015-12-10 23:48:39 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk1\DR1 -> \Device\Ide\IdeDeviceP0T0L0-0 SAMSUNG_SSD_830_Series rev.CXM03B1Q 119,24GB Running: 9b12p6vm.exe; Driver: C:\Users\Tata\AppData\Local\Temp\pxldapog.sys ---- Kernel code sections - GMER 2.1 ---- .text C:\Windows\system32\DRIVERS\USBPORT.SYS!DllUnload fffff880044fbd8c 12 bytes {MOV RAX, 0xfffffa8007dca2a0; JMP RAX} ---- User code sections - GMER 2.1 ---- .text C:\Windows\system32\csrss.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076d2da60 5 bytes JMP 000000014a230450 .text C:\Windows\system32\csrss.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076d2dab0 1 byte JMP 000000014a230440 .text C:\Windows\system32\csrss.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 0000000076d2dab2 3 bytes {JMP 0xffffffffd3502990} .text C:\Windows\system32\csrss.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076d2dc10 5 bytes JMP 000000014a230360 .text C:\Windows\system32\csrss.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076d2dc60 5 bytes JMP 000000014a230460 .text C:\Windows\system32\csrss.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d2dc70 5 bytes JMP 000000014a2303d0 .text C:\Windows\system32\csrss.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076d2dd20 5 bytes JMP 000000014a230310 .text C:\Windows\system32\csrss.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d2dd50 5 bytes JMP 000000014a2303a0 .text C:\Windows\system32\csrss.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076d2dd70 5 bytes JMP 000000014a230380 .text C:\Windows\system32\csrss.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076d2ddb0 5 bytes JMP 000000014a2302d0 .text C:\Windows\system32\csrss.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076d2de30 1 byte JMP 000000014a2302c0 .text C:\Windows\system32\csrss.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 0000000076d2de32 3 bytes {JMP 0xffffffffd3502490} .text C:\Windows\system32\csrss.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076d2de50 5 bytes JMP 000000014a230300 .text C:\Windows\system32\csrss.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076d2de90 5 bytes JMP 000000014a2303b0 .text C:\Windows\system32\csrss.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076d2dee0 5 bytes JMP 000000014a2303e0 .text C:\Windows\system32\csrss.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076d2e040 5 bytes JMP 000000014a230220 .text C:\Windows\system32\csrss.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d2e200 5 bytes JMP 000000014a230470 .text C:\Windows\system32\csrss.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076d2e230 5 bytes JMP 000000014a230390 .text C:\Windows\system32\csrss.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076d2e310 5 bytes JMP 000000014a2302e0 .text C:\Windows\system32\csrss.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076d2e320 5 bytes JMP 000000014a230340 .text C:\Windows\system32\csrss.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076d2e380 5 bytes JMP 000000014a230280 .text C:\Windows\system32\csrss.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076d2e410 1 byte JMP 000000014a2302a0 .text C:\Windows\system32\csrss.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 0000000076d2e412 3 bytes {JMP 0xffffffffd3501e90} .text C:\Windows\system32\csrss.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076d2e430 1 byte JMP 000000014a2303c0 .text C:\Windows\system32\csrss.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 0000000076d2e432 3 bytes {JMP 0xffffffffd3501f90} .text C:\Windows\system32\csrss.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076d2e440 5 bytes JMP 000000014a230320 .text C:\Windows\system32\csrss.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076d2e4b0 5 bytes JMP 000000014a230400 .text C:\Windows\system32\csrss.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076d2e4e0 5 bytes JMP 000000014a230230 .text C:\Windows\system32\csrss.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076d2e7a0 5 bytes JMP 000000014a2301d0 .text C:\Windows\system32\csrss.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076d2e860 5 bytes JMP 000000014a230240 .text C:\Windows\system32\csrss.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076d2e890 5 bytes JMP 000000014a230480 .text C:\Windows\system32\csrss.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076d2e8a0 5 bytes JMP 000000014a230490 .text C:\Windows\system32\csrss.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076d2e8d0 5 bytes JMP 000000014a2302f0 .text C:\Windows\system32\csrss.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076d2e8e0 5 bytes JMP 000000014a230350 .text C:\Windows\system32\csrss.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076d2e940 5 bytes JMP 000000014a230290 .text C:\Windows\system32\csrss.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076d2e990 5 bytes JMP 000000014a2302b0 .text C:\Windows\system32\csrss.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076d2e9c0 5 bytes JMP 000000014a230370 .text C:\Windows\system32\csrss.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076d2e9d0 5 bytes JMP 000000014a230330 .text C:\Windows\system32\csrss.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076d2ecc0 5 bytes JMP 000000014a230430 .text C:\Windows\system32\csrss.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076d2eec0 1 byte JMP 000000014a230250 .text C:\Windows\system32\csrss.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 0000000076d2eec2 3 bytes {JMP 0xffffffffd3501390} .text C:\Windows\system32\csrss.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076d2eed0 1 byte JMP 000000014a230260 .text C:\Windows\system32\csrss.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 0000000076d2eed2 3 bytes {JMP 0xffffffffd3501390} .text C:\Windows\system32\csrss.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076d2eee0 5 bytes JMP 000000014a2303f0 .text C:\Windows\system32\csrss.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076d2f0a0 5 bytes JMP 000000014a2301e0 .text C:\Windows\system32\csrss.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076d2f0b0 5 bytes JMP 000000014a230200 .text C:\Windows\system32\csrss.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076d2f120 5 bytes JMP 000000014a2301f0 .text C:\Windows\system32\csrss.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076d2f180 1 byte JMP 000000014a230410 .text C:\Windows\system32\csrss.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 0000000076d2f182 3 bytes {JMP 0xffffffffd3501290} .text C:\Windows\system32\csrss.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076d2f190 1 byte JMP 000000014a230420 .text C:\Windows\system32\csrss.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 0000000076d2f192 3 bytes {JMP 0xffffffffd3501290} .text C:\Windows\system32\csrss.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076d2f1a0 5 bytes JMP 000000014a230210 .text C:\Windows\system32\csrss.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076d2f280 5 bytes JMP 000000014a230270 .text C:\Windows\system32\wininit.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076d2da60 5 bytes JMP 0000000076e90450 .text C:\Windows\system32\wininit.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076d2dab0 1 byte JMP 0000000076e90440 .text C:\Windows\system32\wininit.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 0000000076d2dab2 3 bytes {JMP 0x162990} .text C:\Windows\system32\wininit.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076d2dc10 5 bytes JMP 0000000076e90360 .text C:\Windows\system32\wininit.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076d2dc60 5 bytes JMP 0000000076e90460 .text C:\Windows\system32\wininit.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d2dc70 5 bytes JMP 0000000076e903d0 .text C:\Windows\system32\wininit.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076d2dd20 5 bytes JMP 0000000076e90310 .text C:\Windows\system32\wininit.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d2dd50 5 bytes JMP 0000000076e903a0 .text C:\Windows\system32\wininit.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076d2dd70 5 bytes JMP 0000000076e90380 .text C:\Windows\system32\wininit.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076d2ddb0 5 bytes JMP 0000000076e902d0 .text C:\Windows\system32\wininit.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076d2de30 1 byte JMP 0000000076e902c0 .text C:\Windows\system32\wininit.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 0000000076d2de32 3 bytes {JMP 0x162490} .text C:\Windows\system32\wininit.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076d2de50 5 bytes JMP 0000000076e90300 .text C:\Windows\system32\wininit.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076d2de90 5 bytes JMP 0000000076e903b0 .text C:\Windows\system32\wininit.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076d2dee0 5 bytes JMP 0000000076e903e0 .text C:\Windows\system32\wininit.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076d2e040 5 bytes JMP 0000000076e90220 .text C:\Windows\system32\wininit.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d2e200 5 bytes JMP 0000000076e90470 .text C:\Windows\system32\wininit.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076d2e230 5 bytes JMP 0000000076e90390 .text C:\Windows\system32\wininit.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076d2e310 5 bytes JMP 0000000076e902e0 .text C:\Windows\system32\wininit.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076d2e320 5 bytes JMP 0000000076e90340 .text C:\Windows\system32\wininit.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076d2e380 5 bytes JMP 0000000076e90280 .text C:\Windows\system32\wininit.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076d2e410 1 byte JMP 0000000076e902a0 .text C:\Windows\system32\wininit.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 0000000076d2e412 3 bytes {JMP 0x161e90} .text C:\Windows\system32\wininit.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076d2e430 1 byte JMP 0000000076e903c0 .text C:\Windows\system32\wininit.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 0000000076d2e432 3 bytes {JMP 0x161f90} .text C:\Windows\system32\wininit.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076d2e440 5 bytes JMP 0000000076e90320 .text C:\Windows\system32\wininit.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076d2e4b0 5 bytes JMP 0000000076e90400 .text C:\Windows\system32\wininit.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076d2e4e0 5 bytes JMP 0000000076e90230 .text C:\Windows\system32\wininit.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076d2e7a0 5 bytes JMP 0000000076e901d0 .text C:\Windows\system32\wininit.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076d2e860 5 bytes JMP 0000000076e90240 .text C:\Windows\system32\wininit.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076d2e890 5 bytes JMP 0000000076e90480 .text C:\Windows\system32\wininit.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076d2e8a0 5 bytes JMP 0000000076e90490 .text C:\Windows\system32\wininit.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076d2e8d0 5 bytes JMP 0000000076e902f0 .text C:\Windows\system32\wininit.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076d2e8e0 5 bytes JMP 0000000076e90350 .text C:\Windows\system32\wininit.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076d2e940 5 bytes JMP 0000000076e90290 .text C:\Windows\system32\wininit.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076d2e990 5 bytes JMP 0000000076e902b0 .text C:\Windows\system32\wininit.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076d2e9c0 5 bytes JMP 0000000076e90370 .text C:\Windows\system32\wininit.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076d2e9d0 5 bytes JMP 0000000076e90330 .text C:\Windows\system32\wininit.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076d2ecc0 5 bytes JMP 0000000076e90430 .text C:\Windows\system32\wininit.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076d2eec0 1 byte JMP 0000000076e90250 .text C:\Windows\system32\wininit.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 0000000076d2eec2 3 bytes {JMP 0x161390} .text C:\Windows\system32\wininit.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076d2eed0 1 byte JMP 0000000076e90260 .text C:\Windows\system32\wininit.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 0000000076d2eed2 3 bytes {JMP 0x161390} .text C:\Windows\system32\wininit.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076d2eee0 5 bytes JMP 0000000076e903f0 .text C:\Windows\system32\wininit.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076d2f0a0 5 bytes JMP 0000000076e901e0 .text C:\Windows\system32\wininit.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076d2f0b0 5 bytes JMP 0000000076e90200 .text C:\Windows\system32\wininit.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076d2f120 5 bytes JMP 0000000076e901f0 .text C:\Windows\system32\wininit.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076d2f180 1 byte JMP 0000000076e90410 .text C:\Windows\system32\wininit.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 0000000076d2f182 3 bytes {JMP 0x161290} .text C:\Windows\system32\wininit.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076d2f190 1 byte JMP 0000000076e90420 .text C:\Windows\system32\wininit.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 0000000076d2f192 3 bytes {JMP 0x161290} .text C:\Windows\system32\wininit.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076d2f1a0 5 bytes JMP 0000000076e90210 .text C:\Windows\system32\wininit.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076d2f280 5 bytes JMP 0000000076e90270 .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076d2da60 5 bytes JMP 000000014a230450 .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076d2dab0 1 byte JMP 000000014a230440 .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 0000000076d2dab2 3 bytes {JMP 0xffffffffd3502990} .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076d2dc10 5 bytes JMP 000000014a230360 .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076d2dc60 5 bytes JMP 000000014a230460 .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d2dc70 5 bytes JMP 000000014a2303d0 .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076d2dd20 5 bytes JMP 000000014a230310 .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d2dd50 5 bytes JMP 000000014a2303a0 .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076d2dd70 5 bytes JMP 000000014a230380 .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076d2ddb0 5 bytes JMP 000000014a2302d0 .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076d2de30 1 byte JMP 000000014a2302c0 .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 0000000076d2de32 3 bytes {JMP 0xffffffffd3502490} .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076d2de50 5 bytes JMP 000000014a230300 .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076d2de90 5 bytes JMP 000000014a2303b0 .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076d2dee0 5 bytes JMP 000000014a2303e0 .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076d2e040 5 bytes JMP 000000014a230220 .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d2e200 5 bytes JMP 000000014a230470 .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076d2e230 5 bytes JMP 000000014a230390 .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076d2e310 5 bytes JMP 000000014a2302e0 .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076d2e320 5 bytes JMP 000000014a230340 .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076d2e380 5 bytes JMP 000000014a230280 .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076d2e410 1 byte JMP 000000014a2302a0 .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 0000000076d2e412 3 bytes {JMP 0xffffffffd3501e90} .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076d2e430 1 byte JMP 000000014a2303c0 .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 0000000076d2e432 3 bytes {JMP 0xffffffffd3501f90} .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076d2e440 5 bytes JMP 000000014a230320 .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076d2e4b0 5 bytes JMP 000000014a230400 .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076d2e4e0 5 bytes JMP 000000014a230230 .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076d2e7a0 5 bytes JMP 000000014a2301d0 .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076d2e860 5 bytes JMP 000000014a230240 .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076d2e890 5 bytes JMP 000000014a230480 .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076d2e8a0 5 bytes JMP 000000014a230490 .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076d2e8d0 5 bytes JMP 000000014a2302f0 .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076d2e8e0 5 bytes JMP 000000014a230350 .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076d2e940 5 bytes JMP 000000014a230290 .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076d2e990 5 bytes JMP 000000014a2302b0 .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076d2e9c0 5 bytes JMP 000000014a230370 .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076d2e9d0 5 bytes JMP 000000014a230330 .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076d2ecc0 5 bytes JMP 000000014a230430 .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076d2eec0 1 byte JMP 000000014a230250 .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 0000000076d2eec2 3 bytes {JMP 0xffffffffd3501390} .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076d2eed0 1 byte JMP 000000014a230260 .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 0000000076d2eed2 3 bytes {JMP 0xffffffffd3501390} .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076d2eee0 5 bytes JMP 000000014a2303f0 .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076d2f0a0 5 bytes JMP 000000014a2301e0 .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076d2f0b0 5 bytes JMP 000000014a230200 .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076d2f120 5 bytes JMP 000000014a2301f0 .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076d2f180 1 byte JMP 000000014a230410 .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 0000000076d2f182 3 bytes {JMP 0xffffffffd3501290} .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076d2f190 1 byte JMP 000000014a230420 .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 0000000076d2f192 3 bytes {JMP 0xffffffffd3501290} .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076d2f1a0 5 bytes JMP 000000014a230210 .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076d2f280 5 bytes JMP 000000014a230270 .text C:\Windows\system32\services.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076d2da60 5 bytes JMP 0000000100070450 .text C:\Windows\system32\services.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076d2dab0 1 byte JMP 0000000100070440 .text C:\Windows\system32\services.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 0000000076d2dab2 3 bytes {JMP 0xffffffff89342990} .text C:\Windows\system32\services.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076d2dc10 5 bytes JMP 0000000100070360 .text C:\Windows\system32\services.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076d2dc60 5 bytes JMP 0000000100070460 .text C:\Windows\system32\services.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d2dc70 5 bytes JMP 00000001000703d0 .text C:\Windows\system32\services.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076d2dd20 5 bytes JMP 0000000100070310 .text C:\Windows\system32\services.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d2dd50 5 bytes JMP 00000001000703a0 .text C:\Windows\system32\services.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076d2dd70 5 bytes JMP 0000000100070380 .text C:\Windows\system32\services.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076d2ddb0 5 bytes JMP 00000001000702d0 .text C:\Windows\system32\services.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076d2de30 1 byte JMP 00000001000702c0 .text C:\Windows\system32\services.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 0000000076d2de32 3 bytes {JMP 0xffffffff89342490} .text C:\Windows\system32\services.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076d2de50 5 bytes JMP 0000000100070300 .text C:\Windows\system32\services.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076d2de90 5 bytes JMP 00000001000703b0 .text C:\Windows\system32\services.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076d2dee0 5 bytes JMP 00000001000703e0 .text C:\Windows\system32\services.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076d2e040 5 bytes JMP 0000000100070220 .text C:\Windows\system32\services.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d2e200 5 bytes JMP 0000000100070470 .text C:\Windows\system32\services.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076d2e230 5 bytes JMP 0000000100070390 .text C:\Windows\system32\services.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076d2e310 5 bytes JMP 00000001000702e0 .text C:\Windows\system32\services.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076d2e320 5 bytes JMP 0000000100070340 .text C:\Windows\system32\services.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076d2e380 5 bytes JMP 0000000100070280 .text C:\Windows\system32\services.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076d2e410 1 byte JMP 00000001000702a0 .text C:\Windows\system32\services.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 0000000076d2e412 3 bytes {JMP 0xffffffff89341e90} .text C:\Windows\system32\services.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076d2e430 1 byte JMP 00000001000703c0 .text C:\Windows\system32\services.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 0000000076d2e432 3 bytes {JMP 0xffffffff89341f90} .text C:\Windows\system32\services.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076d2e440 5 bytes JMP 0000000100070320 .text C:\Windows\system32\services.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076d2e4b0 5 bytes JMP 0000000100070400 .text C:\Windows\system32\services.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076d2e4e0 5 bytes JMP 0000000100070230 .text C:\Windows\system32\services.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076d2e7a0 5 bytes JMP 00000001000701d0 .text C:\Windows\system32\services.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076d2e860 5 bytes JMP 0000000100070240 .text C:\Windows\system32\services.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076d2e890 5 bytes JMP 0000000100070480 .text C:\Windows\system32\services.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076d2e8a0 5 bytes JMP 0000000100070490 .text C:\Windows\system32\services.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076d2e8d0 5 bytes JMP 00000001000702f0 .text C:\Windows\system32\services.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076d2e8e0 5 bytes JMP 0000000100070350 .text C:\Windows\system32\services.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076d2e940 5 bytes JMP 0000000100070290 .text C:\Windows\system32\services.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076d2e990 5 bytes JMP 00000001000702b0 .text C:\Windows\system32\services.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076d2e9c0 5 bytes JMP 0000000100070370 .text C:\Windows\system32\services.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076d2e9d0 5 bytes JMP 0000000100070330 .text C:\Windows\system32\services.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076d2ecc0 5 bytes JMP 0000000100070430 .text C:\Windows\system32\services.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076d2eec0 1 byte JMP 0000000100070250 .text C:\Windows\system32\services.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 0000000076d2eec2 3 bytes {JMP 0xffffffff89341390} .text C:\Windows\system32\services.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076d2eed0 1 byte JMP 0000000100070260 .text C:\Windows\system32\services.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 0000000076d2eed2 3 bytes {JMP 0xffffffff89341390} .text C:\Windows\system32\services.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076d2eee0 5 bytes JMP 00000001000703f0 .text C:\Windows\system32\services.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076d2f0a0 5 bytes JMP 00000001000701e0 .text C:\Windows\system32\services.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076d2f0b0 5 bytes JMP 0000000100070200 .text C:\Windows\system32\services.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076d2f120 5 bytes JMP 00000001000701f0 .text C:\Windows\system32\services.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076d2f180 1 byte JMP 0000000100070410 .text C:\Windows\system32\services.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 0000000076d2f182 3 bytes {JMP 0xffffffff89341290} .text C:\Windows\system32\services.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076d2f190 1 byte JMP 0000000100070420 .text C:\Windows\system32\services.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 0000000076d2f192 3 bytes {JMP 0xffffffff89341290} .text C:\Windows\system32\services.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076d2f1a0 5 bytes JMP 0000000100070210 .text C:\Windows\system32\services.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076d2f280 5 bytes JMP 0000000100070270 .text C:\Windows\system32\lsass.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076d2da60 5 bytes JMP 0000000076e90450 .text C:\Windows\system32\lsass.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076d2dab0 1 byte JMP 0000000076e90440 .text C:\Windows\system32\lsass.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 0000000076d2dab2 3 bytes {JMP 0x162990} .text C:\Windows\system32\lsass.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076d2dc10 5 bytes JMP 0000000076e90360 .text C:\Windows\system32\lsass.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076d2dc60 5 bytes JMP 0000000076e90460 .text C:\Windows\system32\lsass.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d2dc70 5 bytes JMP 0000000076e903d0 .text C:\Windows\system32\lsass.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076d2dd20 5 bytes JMP 0000000076e90310 .text C:\Windows\system32\lsass.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d2dd50 5 bytes JMP 0000000076e903a0 .text C:\Windows\system32\lsass.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076d2dd70 5 bytes JMP 0000000076e90380 .text C:\Windows\system32\lsass.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076d2ddb0 5 bytes JMP 0000000076e902d0 .text C:\Windows\system32\lsass.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076d2de30 1 byte JMP 0000000076e902c0 .text C:\Windows\system32\lsass.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 0000000076d2de32 3 bytes {JMP 0x162490} .text C:\Windows\system32\lsass.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076d2de50 5 bytes JMP 0000000076e90300 .text C:\Windows\system32\lsass.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076d2de90 5 bytes JMP 0000000076e903b0 .text C:\Windows\system32\lsass.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076d2dee0 5 bytes JMP 0000000076e903e0 .text C:\Windows\system32\lsass.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076d2e040 5 bytes JMP 0000000076e90220 .text C:\Windows\system32\lsass.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d2e200 5 bytes JMP 0000000076e90470 .text C:\Windows\system32\lsass.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076d2e230 5 bytes JMP 0000000076e90390 .text C:\Windows\system32\lsass.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076d2e310 5 bytes JMP 0000000076e902e0 .text C:\Windows\system32\lsass.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076d2e320 5 bytes JMP 0000000076e90340 .text C:\Windows\system32\lsass.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076d2e380 5 bytes JMP 0000000076e90280 .text C:\Windows\system32\lsass.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076d2e410 1 byte JMP 0000000076e902a0 .text C:\Windows\system32\lsass.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 0000000076d2e412 3 bytes {JMP 0x161e90} .text C:\Windows\system32\lsass.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076d2e430 1 byte JMP 0000000076e903c0 .text C:\Windows\system32\lsass.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 0000000076d2e432 3 bytes {JMP 0x161f90} .text C:\Windows\system32\lsass.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076d2e440 5 bytes JMP 0000000076e90320 .text C:\Windows\system32\lsass.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076d2e4b0 5 bytes JMP 0000000076e90400 .text C:\Windows\system32\lsass.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076d2e4e0 5 bytes JMP 0000000076e90230 .text C:\Windows\system32\lsass.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076d2e7a0 5 bytes JMP 0000000076e901d0 .text C:\Windows\system32\lsass.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076d2e860 5 bytes JMP 0000000076e90240 .text C:\Windows\system32\lsass.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076d2e890 5 bytes JMP 0000000076e90480 .text C:\Windows\system32\lsass.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076d2e8a0 5 bytes JMP 0000000076e90490 .text C:\Windows\system32\lsass.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076d2e8d0 5 bytes JMP 0000000076e902f0 .text C:\Windows\system32\lsass.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076d2e8e0 5 bytes JMP 0000000076e90350 .text C:\Windows\system32\lsass.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076d2e940 5 bytes JMP 0000000076e90290 .text C:\Windows\system32\lsass.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076d2e990 5 bytes JMP 0000000076e902b0 .text C:\Windows\system32\lsass.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076d2e9c0 5 bytes JMP 0000000076e90370 .text C:\Windows\system32\lsass.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076d2e9d0 5 bytes JMP 0000000076e90330 .text C:\Windows\system32\lsass.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076d2ecc0 5 bytes JMP 0000000076e90430 .text C:\Windows\system32\lsass.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076d2eec0 1 byte JMP 0000000076e90250 .text C:\Windows\system32\lsass.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 0000000076d2eec2 3 bytes {JMP 0x161390} .text C:\Windows\system32\lsass.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076d2eed0 1 byte JMP 0000000076e90260 .text C:\Windows\system32\lsass.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 0000000076d2eed2 3 bytes {JMP 0x161390} .text C:\Windows\system32\lsass.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076d2eee0 5 bytes JMP 0000000076e903f0 .text C:\Windows\system32\lsass.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076d2f0a0 5 bytes JMP 0000000076e901e0 .text C:\Windows\system32\lsass.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076d2f0b0 5 bytes JMP 0000000076e90200 .text C:\Windows\system32\lsass.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076d2f120 5 bytes JMP 0000000076e901f0 .text C:\Windows\system32\lsass.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076d2f180 1 byte JMP 0000000076e90410 .text C:\Windows\system32\lsass.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 0000000076d2f182 3 bytes {JMP 0x161290} .text C:\Windows\system32\lsass.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076d2f190 1 byte JMP 0000000076e90420 .text C:\Windows\system32\lsass.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 0000000076d2f192 3 bytes {JMP 0x161290} .text C:\Windows\system32\lsass.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076d2f1a0 5 bytes JMP 0000000076e90210 .text C:\Windows\system32\lsass.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076d2f280 5 bytes JMP 0000000076e90270 .text C:\Windows\system32\lsm.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076d2da60 5 bytes JMP 0000000076e90450 .text C:\Windows\system32\lsm.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076d2dab0 1 byte JMP 0000000076e90440 .text C:\Windows\system32\lsm.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 0000000076d2dab2 3 bytes {JMP 0x162990} .text C:\Windows\system32\lsm.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076d2dc10 5 bytes JMP 0000000076e90360 .text C:\Windows\system32\lsm.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076d2dc60 5 bytes JMP 0000000076e90460 .text C:\Windows\system32\lsm.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d2dc70 5 bytes JMP 0000000076e903d0 .text C:\Windows\system32\lsm.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076d2dd20 5 bytes JMP 0000000076e90310 .text C:\Windows\system32\lsm.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d2dd50 5 bytes JMP 0000000076e903a0 .text C:\Windows\system32\lsm.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076d2dd70 5 bytes JMP 0000000076e90380 .text C:\Windows\system32\lsm.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076d2ddb0 5 bytes JMP 0000000076e902d0 .text C:\Windows\system32\lsm.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076d2de30 1 byte JMP 0000000076e902c0 .text C:\Windows\system32\lsm.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 0000000076d2de32 3 bytes {JMP 0x162490} .text C:\Windows\system32\lsm.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076d2de50 5 bytes JMP 0000000076e90300 .text C:\Windows\system32\lsm.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076d2de90 5 bytes JMP 0000000076e903b0 .text C:\Windows\system32\lsm.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076d2dee0 5 bytes JMP 0000000076e903e0 .text C:\Windows\system32\lsm.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076d2e040 5 bytes JMP 0000000076e90220 .text C:\Windows\system32\lsm.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d2e200 5 bytes JMP 0000000076e90470 .text C:\Windows\system32\lsm.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076d2e230 5 bytes JMP 0000000076e90390 .text C:\Windows\system32\lsm.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076d2e310 5 bytes JMP 0000000076e902e0 .text C:\Windows\system32\lsm.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076d2e320 5 bytes JMP 0000000076e90340 .text C:\Windows\system32\lsm.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076d2e380 5 bytes JMP 0000000076e90280 .text C:\Windows\system32\lsm.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076d2e410 1 byte JMP 0000000076e902a0 .text C:\Windows\system32\lsm.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 0000000076d2e412 3 bytes {JMP 0x161e90} .text C:\Windows\system32\lsm.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076d2e430 1 byte JMP 0000000076e903c0 .text C:\Windows\system32\lsm.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 0000000076d2e432 3 bytes {JMP 0x161f90} .text C:\Windows\system32\lsm.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076d2e440 5 bytes JMP 0000000076e90320 .text C:\Windows\system32\lsm.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076d2e4b0 5 bytes JMP 0000000076e90400 .text C:\Windows\system32\lsm.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076d2e4e0 5 bytes JMP 0000000076e90230 .text C:\Windows\system32\lsm.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076d2e7a0 5 bytes JMP 0000000076e901d0 .text C:\Windows\system32\lsm.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076d2e860 5 bytes JMP 0000000076e90240 .text C:\Windows\system32\lsm.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076d2e890 5 bytes JMP 0000000076e90480 .text C:\Windows\system32\lsm.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076d2e8a0 5 bytes JMP 0000000076e90490 .text C:\Windows\system32\lsm.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076d2e8d0 5 bytes JMP 0000000076e902f0 .text C:\Windows\system32\lsm.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076d2e8e0 5 bytes JMP 0000000076e90350 .text C:\Windows\system32\lsm.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076d2e940 5 bytes JMP 0000000076e90290 .text C:\Windows\system32\lsm.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076d2e990 5 bytes JMP 0000000076e902b0 .text C:\Windows\system32\lsm.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076d2e9c0 5 bytes JMP 0000000076e90370 .text C:\Windows\system32\lsm.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076d2e9d0 5 bytes JMP 0000000076e90330 .text C:\Windows\system32\lsm.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076d2ecc0 5 bytes JMP 0000000076e90430 .text C:\Windows\system32\lsm.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076d2eec0 1 byte JMP 0000000076e90250 .text C:\Windows\system32\lsm.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 0000000076d2eec2 3 bytes {JMP 0x161390} .text C:\Windows\system32\lsm.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076d2eed0 1 byte JMP 0000000076e90260 .text C:\Windows\system32\lsm.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 0000000076d2eed2 3 bytes {JMP 0x161390} .text C:\Windows\system32\lsm.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076d2eee0 5 bytes JMP 0000000076e903f0 .text C:\Windows\system32\lsm.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076d2f0a0 5 bytes JMP 0000000076e901e0 .text C:\Windows\system32\lsm.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076d2f0b0 5 bytes JMP 0000000076e90200 .text C:\Windows\system32\lsm.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076d2f120 5 bytes JMP 0000000076e901f0 .text C:\Windows\system32\lsm.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076d2f180 1 byte JMP 0000000076e90410 .text C:\Windows\system32\lsm.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 0000000076d2f182 3 bytes {JMP 0x161290} .text C:\Windows\system32\lsm.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076d2f190 1 byte JMP 0000000076e90420 .text C:\Windows\system32\lsm.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 0000000076d2f192 3 bytes {JMP 0x161290} .text C:\Windows\system32\lsm.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076d2f1a0 5 bytes JMP 0000000076e90210 .text C:\Windows\system32\lsm.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076d2f280 5 bytes JMP 0000000076e90270 .text C:\Windows\system32\winlogon.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076d2da60 5 bytes JMP 0000000076e90450 .text C:\Windows\system32\winlogon.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076d2dab0 1 byte JMP 0000000076e90440 .text C:\Windows\system32\winlogon.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 0000000076d2dab2 3 bytes {JMP 0x162990} .text C:\Windows\system32\winlogon.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076d2dc10 5 bytes JMP 0000000076e90360 .text C:\Windows\system32\winlogon.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076d2dc60 5 bytes JMP 0000000076e90460 .text C:\Windows\system32\winlogon.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d2dc70 5 bytes JMP 0000000076e903d0 .text C:\Windows\system32\winlogon.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076d2dd20 5 bytes JMP 0000000076e90310 .text C:\Windows\system32\winlogon.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d2dd50 5 bytes JMP 0000000076e903a0 .text C:\Windows\system32\winlogon.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076d2dd70 5 bytes JMP 0000000076e90380 .text C:\Windows\system32\winlogon.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076d2ddb0 5 bytes JMP 0000000076e902d0 .text C:\Windows\system32\winlogon.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076d2de30 1 byte JMP 0000000076e902c0 .text C:\Windows\system32\winlogon.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 0000000076d2de32 3 bytes {JMP 0x162490} .text C:\Windows\system32\winlogon.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076d2de50 5 bytes JMP 0000000076e90300 .text C:\Windows\system32\winlogon.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076d2de90 5 bytes JMP 0000000076e903b0 .text C:\Windows\system32\winlogon.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076d2dee0 5 bytes JMP 0000000076e903e0 .text C:\Windows\system32\winlogon.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076d2e040 5 bytes JMP 0000000076e90220 .text C:\Windows\system32\winlogon.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d2e200 5 bytes JMP 0000000076e90470 .text C:\Windows\system32\winlogon.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076d2e230 5 bytes JMP 0000000076e90390 .text C:\Windows\system32\winlogon.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076d2e310 5 bytes JMP 0000000076e902e0 .text C:\Windows\system32\winlogon.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076d2e320 5 bytes JMP 0000000076e90340 .text C:\Windows\system32\winlogon.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076d2e380 5 bytes JMP 0000000076e90280 .text C:\Windows\system32\winlogon.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076d2e410 1 byte JMP 0000000076e902a0 .text C:\Windows\system32\winlogon.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 0000000076d2e412 3 bytes {JMP 0x161e90} .text C:\Windows\system32\winlogon.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076d2e430 1 byte JMP 0000000076e903c0 .text C:\Windows\system32\winlogon.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 0000000076d2e432 3 bytes {JMP 0x161f90} .text C:\Windows\system32\winlogon.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076d2e440 5 bytes JMP 0000000076e90320 .text C:\Windows\system32\winlogon.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076d2e4b0 5 bytes JMP 0000000076e90400 .text C:\Windows\system32\winlogon.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076d2e4e0 5 bytes JMP 0000000076e90230 .text C:\Windows\system32\winlogon.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076d2e7a0 5 bytes JMP 0000000076e901d0 .text C:\Windows\system32\winlogon.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076d2e860 5 bytes JMP 0000000076e90240 .text C:\Windows\system32\winlogon.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076d2e890 5 bytes JMP 0000000076e90480 .text C:\Windows\system32\winlogon.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076d2e8a0 5 bytes JMP 0000000076e90490 .text C:\Windows\system32\winlogon.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076d2e8d0 5 bytes JMP 0000000076e902f0 .text C:\Windows\system32\winlogon.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076d2e8e0 5 bytes JMP 0000000076e90350 .text C:\Windows\system32\winlogon.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076d2e940 5 bytes JMP 0000000076e90290 .text C:\Windows\system32\winlogon.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076d2e990 5 bytes JMP 0000000076e902b0 .text C:\Windows\system32\winlogon.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076d2e9c0 5 bytes JMP 0000000076e90370 .text C:\Windows\system32\winlogon.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076d2e9d0 5 bytes JMP 0000000076e90330 .text C:\Windows\system32\winlogon.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076d2ecc0 5 bytes JMP 0000000076e90430 .text C:\Windows\system32\winlogon.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076d2eec0 1 byte JMP 0000000076e90250 .text C:\Windows\system32\winlogon.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 0000000076d2eec2 3 bytes {JMP 0x161390} .text C:\Windows\system32\winlogon.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076d2eed0 1 byte JMP 0000000076e90260 .text C:\Windows\system32\winlogon.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 0000000076d2eed2 3 bytes {JMP 0x161390} .text C:\Windows\system32\winlogon.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076d2eee0 5 bytes JMP 0000000076e903f0 .text C:\Windows\system32\winlogon.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076d2f0a0 5 bytes JMP 0000000076e901e0 .text C:\Windows\system32\winlogon.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076d2f0b0 5 bytes JMP 0000000076e90200 .text C:\Windows\system32\winlogon.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076d2f120 5 bytes JMP 0000000076e901f0 .text C:\Windows\system32\winlogon.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076d2f180 1 byte JMP 0000000076e90410 .text C:\Windows\system32\winlogon.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 0000000076d2f182 3 bytes {JMP 0x161290} .text C:\Windows\system32\winlogon.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076d2f190 1 byte JMP 0000000076e90420 .text C:\Windows\system32\winlogon.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 0000000076d2f192 3 bytes {JMP 0x161290} .text C:\Windows\system32\winlogon.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076d2f1a0 5 bytes JMP 0000000076e90210 .text C:\Windows\system32\winlogon.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076d2f280 5 bytes JMP 0000000076e90270 .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076d2da60 5 bytes JMP 0000000076e90450 .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076d2dab0 1 byte JMP 0000000076e90440 .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 0000000076d2dab2 3 bytes {JMP 0x162990} .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076d2dc10 5 bytes JMP 0000000076e90360 .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076d2dc60 5 bytes JMP 0000000076e90460 .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d2dc70 5 bytes JMP 0000000076e903d0 .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076d2dd20 5 bytes JMP 0000000076e90310 .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d2dd50 5 bytes JMP 0000000076e903a0 .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076d2dd70 5 bytes JMP 0000000076e90380 .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076d2ddb0 5 bytes JMP 0000000076e902d0 .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076d2de30 1 byte JMP 0000000076e902c0 .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 0000000076d2de32 3 bytes {JMP 0x162490} .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076d2de50 5 bytes JMP 0000000076e90300 .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076d2de90 5 bytes JMP 0000000076e903b0 .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076d2dee0 5 bytes JMP 0000000076e903e0 .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076d2e040 5 bytes JMP 0000000076e90220 .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d2e200 5 bytes JMP 0000000076e90470 .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076d2e230 5 bytes JMP 0000000076e90390 .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076d2e310 5 bytes JMP 0000000076e902e0 .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076d2e320 5 bytes JMP 0000000076e90340 .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076d2e380 5 bytes JMP 0000000076e90280 .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076d2e410 1 byte JMP 0000000076e902a0 .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 0000000076d2e412 3 bytes {JMP 0x161e90} .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076d2e430 1 byte JMP 0000000076e903c0 .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 0000000076d2e432 3 bytes {JMP 0x161f90} .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076d2e440 5 bytes JMP 0000000076e90320 .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076d2e4b0 5 bytes JMP 0000000076e90400 .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076d2e4e0 5 bytes JMP 0000000076e90230 .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076d2e7a0 5 bytes JMP 0000000076e901d0 .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076d2e860 5 bytes JMP 0000000076e90240 .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076d2e890 5 bytes JMP 0000000076e90480 .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076d2e8a0 5 bytes JMP 0000000076e90490 .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076d2e8d0 5 bytes JMP 0000000076e902f0 .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076d2e8e0 5 bytes JMP 0000000076e90350 .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076d2e940 5 bytes JMP 0000000076e90290 .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076d2e990 5 bytes JMP 0000000076e902b0 .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076d2e9c0 5 bytes JMP 0000000076e90370 .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076d2e9d0 5 bytes JMP 0000000076e90330 .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076d2ecc0 5 bytes JMP 0000000076e90430 .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076d2eec0 1 byte JMP 0000000076e90250 .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 0000000076d2eec2 3 bytes {JMP 0x161390} .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076d2eed0 1 byte JMP 0000000076e90260 .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 0000000076d2eed2 3 bytes {JMP 0x161390} .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076d2eee0 5 bytes JMP 0000000076e903f0 .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076d2f0a0 5 bytes JMP 0000000076e901e0 .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076d2f0b0 5 bytes JMP 0000000076e90200 .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076d2f120 5 bytes JMP 0000000076e901f0 .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076d2f180 1 byte JMP 0000000076e90410 .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 0000000076d2f182 3 bytes {JMP 0x161290} .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076d2f190 1 byte JMP 0000000076e90420 .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 0000000076d2f192 3 bytes {JMP 0x161290} .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076d2f1a0 5 bytes JMP 0000000076e90210 .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076d2f280 5 bytes JMP 0000000076e90270 .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076d2da60 5 bytes JMP 0000000076e90450 .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076d2dab0 1 byte JMP 0000000076e90440 .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 0000000076d2dab2 3 bytes {JMP 0x162990} .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076d2dc10 5 bytes JMP 0000000076e90360 .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076d2dc60 5 bytes JMP 0000000076e90460 .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d2dc70 5 bytes JMP 0000000076e903d0 .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076d2dd20 5 bytes JMP 0000000076e90310 .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d2dd50 5 bytes JMP 0000000076e903a0 .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076d2dd70 5 bytes JMP 0000000076e90380 .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076d2ddb0 5 bytes JMP 0000000076e902d0 .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076d2de30 1 byte JMP 0000000076e902c0 .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 0000000076d2de32 3 bytes {JMP 0x162490} .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076d2de50 5 bytes JMP 0000000076e90300 .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076d2de90 5 bytes JMP 0000000076e903b0 .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076d2dee0 5 bytes JMP 0000000076e903e0 .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076d2e040 5 bytes JMP 0000000076e90220 .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d2e200 5 bytes JMP 0000000076e90470 .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076d2e230 5 bytes JMP 0000000076e90390 .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076d2e310 5 bytes JMP 0000000076e902e0 .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076d2e320 5 bytes JMP 0000000076e90340 .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076d2e380 5 bytes JMP 0000000076e90280 .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076d2e410 1 byte JMP 0000000076e902a0 .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 0000000076d2e412 3 bytes {JMP 0x161e90} .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076d2e430 1 byte JMP 0000000076e903c0 .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 0000000076d2e432 3 bytes {JMP 0x161f90} .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076d2e440 5 bytes JMP 0000000076e90320 .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076d2e4b0 5 bytes JMP 0000000076e90400 .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076d2e4e0 5 bytes JMP 0000000076e90230 .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076d2e7a0 5 bytes JMP 0000000076e901d0 .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076d2e860 5 bytes JMP 0000000076e90240 .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076d2e890 5 bytes JMP 0000000076e90480 .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076d2e8a0 5 bytes JMP 0000000076e90490 .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076d2e8d0 5 bytes JMP 0000000076e902f0 .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076d2e8e0 5 bytes JMP 0000000076e90350 .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076d2e940 5 bytes JMP 0000000076e90290 .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076d2e990 5 bytes JMP 0000000076e902b0 .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076d2e9c0 5 bytes JMP 0000000076e90370 .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076d2e9d0 5 bytes JMP 0000000076e90330 .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076d2ecc0 5 bytes JMP 0000000076e90430 .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076d2eec0 1 byte JMP 0000000076e90250 .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 0000000076d2eec2 3 bytes {JMP 0x161390} .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076d2eed0 1 byte JMP 0000000076e90260 .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 0000000076d2eed2 3 bytes {JMP 0x161390} .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076d2eee0 5 bytes JMP 0000000076e903f0 .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076d2f0a0 5 bytes JMP 0000000076e901e0 .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076d2f0b0 5 bytes JMP 0000000076e90200 .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076d2f120 5 bytes JMP 0000000076e901f0 .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076d2f180 1 byte JMP 0000000076e90410 .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 0000000076d2f182 3 bytes {JMP 0x161290} .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076d2f190 1 byte JMP 0000000076e90420 .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 0000000076d2f192 3 bytes {JMP 0x161290} .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076d2f1a0 5 bytes JMP 0000000076e90210 .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076d2f280 5 bytes JMP 0000000076e90270 .text C:\Windows\System32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076d2da60 5 bytes JMP 0000000100070450 .text C:\Windows\System32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076d2dab0 1 byte JMP 0000000100070440 .text C:\Windows\System32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 0000000076d2dab2 3 bytes {JMP 0xffffffff89342990} .text C:\Windows\System32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076d2dc10 5 bytes JMP 0000000100070360 .text C:\Windows\System32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076d2dc60 5 bytes JMP 0000000100070460 .text C:\Windows\System32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d2dc70 5 bytes JMP 00000001000703d0 .text C:\Windows\System32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076d2dd20 5 bytes JMP 0000000100070310 .text C:\Windows\System32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d2dd50 5 bytes JMP 00000001000703a0 .text C:\Windows\System32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076d2dd70 5 bytes JMP 0000000100070380 .text C:\Windows\System32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076d2ddb0 5 bytes JMP 00000001000702d0 .text C:\Windows\System32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076d2de30 1 byte JMP 00000001000702c0 .text C:\Windows\System32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 0000000076d2de32 3 bytes {JMP 0xffffffff89342490} .text C:\Windows\System32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076d2de50 5 bytes JMP 0000000100070300 .text C:\Windows\System32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076d2de90 5 bytes JMP 00000001000703b0 .text C:\Windows\System32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076d2dee0 5 bytes JMP 00000001000703e0 .text C:\Windows\System32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076d2e040 5 bytes JMP 0000000100070220 .text C:\Windows\System32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d2e200 5 bytes JMP 0000000100070470 .text C:\Windows\System32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076d2e230 5 bytes JMP 0000000100070390 .text C:\Windows\System32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076d2e310 5 bytes JMP 00000001000702e0 .text C:\Windows\System32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076d2e320 5 bytes JMP 0000000100070340 .text C:\Windows\System32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076d2e380 5 bytes JMP 0000000100070280 .text C:\Windows\System32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076d2e410 1 byte JMP 00000001000702a0 .text C:\Windows\System32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 0000000076d2e412 3 bytes {JMP 0xffffffff89341e90} .text C:\Windows\System32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076d2e430 1 byte JMP 00000001000703c0 .text C:\Windows\System32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 0000000076d2e432 3 bytes {JMP 0xffffffff89341f90} .text C:\Windows\System32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076d2e440 5 bytes JMP 0000000100070320 .text C:\Windows\System32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076d2e4b0 5 bytes JMP 0000000100070400 .text C:\Windows\System32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076d2e4e0 5 bytes JMP 0000000100070230 .text C:\Windows\System32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076d2e7a0 5 bytes JMP 00000001000701d0 .text C:\Windows\System32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076d2e860 5 bytes JMP 0000000100070240 .text C:\Windows\System32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076d2e890 5 bytes JMP 0000000100070480 .text C:\Windows\System32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076d2e8a0 5 bytes JMP 0000000100070490 .text C:\Windows\System32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076d2e8d0 5 bytes JMP 00000001000702f0 .text C:\Windows\System32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076d2e8e0 5 bytes JMP 0000000100070350 .text C:\Windows\System32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076d2e940 5 bytes JMP 0000000100070290 .text C:\Windows\System32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076d2e990 5 bytes JMP 00000001000702b0 .text C:\Windows\System32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076d2e9c0 5 bytes JMP 0000000100070370 .text C:\Windows\System32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076d2e9d0 5 bytes JMP 0000000100070330 .text C:\Windows\System32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076d2ecc0 5 bytes JMP 0000000100070430 .text C:\Windows\System32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076d2eec0 1 byte JMP 0000000100070250 .text C:\Windows\System32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 0000000076d2eec2 3 bytes {JMP 0xffffffff89341390} .text C:\Windows\System32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076d2eed0 1 byte JMP 0000000100070260 .text C:\Windows\System32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 0000000076d2eed2 3 bytes {JMP 0xffffffff89341390} .text C:\Windows\System32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076d2eee0 5 bytes JMP 00000001000703f0 .text C:\Windows\System32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076d2f0a0 5 bytes JMP 00000001000701e0 .text C:\Windows\System32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076d2f0b0 5 bytes JMP 0000000100070200 .text C:\Windows\System32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076d2f120 5 bytes JMP 00000001000701f0 .text C:\Windows\System32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076d2f180 1 byte JMP 0000000100070410 .text C:\Windows\System32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 0000000076d2f182 3 bytes {JMP 0xffffffff89341290} .text C:\Windows\System32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076d2f190 1 byte JMP 0000000100070420 .text C:\Windows\System32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 0000000076d2f192 3 bytes {JMP 0xffffffff89341290} .text C:\Windows\System32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076d2f1a0 5 bytes JMP 0000000100070210 .text C:\Windows\System32\svchost.exe[120] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076d2f280 5 bytes JMP 0000000100070270 .text C:\Windows\System32\svchost.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076d2da60 5 bytes JMP 0000000076e90450 .text C:\Windows\System32\svchost.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076d2dab0 1 byte JMP 0000000076e90440 .text C:\Windows\System32\svchost.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 0000000076d2dab2 3 bytes {JMP 0x162990} .text C:\Windows\System32\svchost.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076d2dc10 5 bytes JMP 0000000076e90360 .text C:\Windows\System32\svchost.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076d2dc60 5 bytes JMP 0000000076e90460 .text C:\Windows\System32\svchost.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d2dc70 5 bytes JMP 0000000076e903d0 .text C:\Windows\System32\svchost.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076d2dd20 5 bytes JMP 0000000076e90310 .text C:\Windows\System32\svchost.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d2dd50 5 bytes JMP 0000000076e903a0 .text C:\Windows\System32\svchost.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076d2dd70 5 bytes JMP 0000000076e90380 .text C:\Windows\System32\svchost.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076d2ddb0 5 bytes JMP 0000000076e902d0 .text C:\Windows\System32\svchost.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076d2de30 1 byte JMP 0000000076e902c0 .text C:\Windows\System32\svchost.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 0000000076d2de32 3 bytes {JMP 0x162490} .text C:\Windows\System32\svchost.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076d2de50 5 bytes JMP 0000000076e90300 .text C:\Windows\System32\svchost.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076d2de90 5 bytes JMP 0000000076e903b0 .text C:\Windows\System32\svchost.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076d2dee0 5 bytes JMP 0000000076e903e0 .text C:\Windows\System32\svchost.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076d2e040 5 bytes JMP 0000000076e90220 .text C:\Windows\System32\svchost.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d2e200 5 bytes JMP 0000000076e90470 .text C:\Windows\System32\svchost.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076d2e230 5 bytes JMP 0000000076e90390 .text C:\Windows\System32\svchost.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076d2e310 5 bytes JMP 0000000076e902e0 .text C:\Windows\System32\svchost.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076d2e320 5 bytes JMP 0000000076e90340 .text C:\Windows\System32\svchost.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076d2e380 5 bytes JMP 0000000076e90280 .text C:\Windows\System32\svchost.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076d2e410 1 byte JMP 0000000076e902a0 .text C:\Windows\System32\svchost.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 0000000076d2e412 3 bytes {JMP 0x161e90} .text C:\Windows\System32\svchost.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076d2e430 1 byte JMP 0000000076e903c0 .text C:\Windows\System32\svchost.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 0000000076d2e432 3 bytes {JMP 0x161f90} .text C:\Windows\System32\svchost.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076d2e440 5 bytes JMP 0000000076e90320 .text C:\Windows\System32\svchost.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076d2e4b0 5 bytes JMP 0000000076e90400 .text C:\Windows\System32\svchost.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076d2e4e0 5 bytes JMP 0000000076e90230 .text C:\Windows\System32\svchost.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076d2e7a0 5 bytes JMP 0000000076e901d0 .text C:\Windows\System32\svchost.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076d2e860 5 bytes JMP 0000000076e90240 .text C:\Windows\System32\svchost.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076d2e890 5 bytes JMP 0000000076e90480 .text C:\Windows\System32\svchost.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076d2e8a0 5 bytes JMP 0000000076e90490 .text C:\Windows\System32\svchost.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076d2e8d0 5 bytes JMP 0000000076e902f0 .text C:\Windows\System32\svchost.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076d2e8e0 5 bytes JMP 0000000076e90350 .text C:\Windows\System32\svchost.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076d2e940 5 bytes JMP 0000000076e90290 .text C:\Windows\System32\svchost.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076d2e990 5 bytes JMP 0000000076e902b0 .text C:\Windows\System32\svchost.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076d2e9c0 5 bytes JMP 0000000076e90370 .text C:\Windows\System32\svchost.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076d2e9d0 5 bytes JMP 0000000076e90330 .text C:\Windows\System32\svchost.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076d2ecc0 5 bytes JMP 0000000076e90430 .text C:\Windows\System32\svchost.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076d2eec0 1 byte JMP 0000000076e90250 .text C:\Windows\System32\svchost.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 0000000076d2eec2 3 bytes {JMP 0x161390} .text C:\Windows\System32\svchost.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076d2eed0 1 byte JMP 0000000076e90260 .text C:\Windows\System32\svchost.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 0000000076d2eed2 3 bytes {JMP 0x161390} .text C:\Windows\System32\svchost.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076d2eee0 5 bytes JMP 0000000076e903f0 .text C:\Windows\System32\svchost.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076d2f0a0 5 bytes JMP 0000000076e901e0 .text C:\Windows\System32\svchost.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076d2f0b0 5 bytes JMP 0000000076e90200 .text C:\Windows\System32\svchost.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076d2f120 5 bytes JMP 0000000076e901f0 .text C:\Windows\System32\svchost.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076d2f180 1 byte JMP 0000000076e90410 .text C:\Windows\System32\svchost.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 0000000076d2f182 3 bytes {JMP 0x161290} .text C:\Windows\System32\svchost.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076d2f190 1 byte JMP 0000000076e90420 .text C:\Windows\System32\svchost.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 0000000076d2f192 3 bytes {JMP 0x161290} .text C:\Windows\System32\svchost.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076d2f1a0 5 bytes JMP 0000000076e90210 .text C:\Windows\System32\svchost.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076d2f280 5 bytes JMP 0000000076e90270 .text C:\Windows\system32\svchost.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076d2da60 5 bytes JMP 0000000076e90450 .text C:\Windows\system32\svchost.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076d2dab0 1 byte JMP 0000000076e90440 .text C:\Windows\system32\svchost.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 0000000076d2dab2 3 bytes {JMP 0x162990} .text C:\Windows\system32\svchost.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076d2dc10 5 bytes JMP 0000000076e90360 .text C:\Windows\system32\svchost.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076d2dc60 5 bytes JMP 0000000076e90460 .text C:\Windows\system32\svchost.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d2dc70 5 bytes JMP 0000000076e903d0 .text C:\Windows\system32\svchost.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076d2dd20 5 bytes JMP 0000000076e90310 .text C:\Windows\system32\svchost.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d2dd50 5 bytes JMP 0000000076e903a0 .text C:\Windows\system32\svchost.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076d2dd70 5 bytes JMP 0000000076e90380 .text C:\Windows\system32\svchost.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076d2ddb0 5 bytes JMP 0000000076e902d0 .text C:\Windows\system32\svchost.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076d2de30 1 byte JMP 0000000076e902c0 .text C:\Windows\system32\svchost.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 0000000076d2de32 3 bytes {JMP 0x162490} .text C:\Windows\system32\svchost.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076d2de50 5 bytes JMP 0000000076e90300 .text C:\Windows\system32\svchost.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076d2de90 5 bytes JMP 0000000076e903b0 .text C:\Windows\system32\svchost.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076d2dee0 5 bytes JMP 0000000076e903e0 .text C:\Windows\system32\svchost.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076d2e040 5 bytes JMP 0000000076e90220 .text C:\Windows\system32\svchost.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d2e200 5 bytes JMP 0000000076e90470 .text C:\Windows\system32\svchost.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076d2e230 5 bytes JMP 0000000076e90390 .text C:\Windows\system32\svchost.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076d2e310 5 bytes JMP 0000000076e902e0 .text C:\Windows\system32\svchost.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076d2e320 5 bytes JMP 0000000076e90340 .text C:\Windows\system32\svchost.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076d2e380 5 bytes JMP 0000000076e90280 .text C:\Windows\system32\svchost.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076d2e410 1 byte JMP 0000000076e902a0 .text C:\Windows\system32\svchost.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 0000000076d2e412 3 bytes {JMP 0x161e90} .text C:\Windows\system32\svchost.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076d2e430 1 byte JMP 0000000076e903c0 .text C:\Windows\system32\svchost.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 0000000076d2e432 3 bytes {JMP 0x161f90} .text C:\Windows\system32\svchost.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076d2e440 5 bytes JMP 0000000076e90320 .text C:\Windows\system32\svchost.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076d2e4b0 5 bytes JMP 0000000076e90400 .text C:\Windows\system32\svchost.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076d2e4e0 5 bytes JMP 0000000076e90230 .text C:\Windows\system32\svchost.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076d2e7a0 5 bytes JMP 0000000076e901d0 .text C:\Windows\system32\svchost.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076d2e860 5 bytes JMP 0000000076e90240 .text C:\Windows\system32\svchost.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076d2e890 5 bytes JMP 0000000076e90480 .text C:\Windows\system32\svchost.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076d2e8a0 5 bytes JMP 0000000076e90490 .text C:\Windows\system32\svchost.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076d2e8d0 5 bytes JMP 0000000076e902f0 .text C:\Windows\system32\svchost.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076d2e8e0 5 bytes JMP 0000000076e90350 .text C:\Windows\system32\svchost.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076d2e940 5 bytes JMP 0000000076e90290 .text C:\Windows\system32\svchost.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076d2e990 5 bytes JMP 0000000076e902b0 .text C:\Windows\system32\svchost.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076d2e9c0 5 bytes JMP 0000000076e90370 .text C:\Windows\system32\svchost.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076d2e9d0 5 bytes JMP 0000000076e90330 .text C:\Windows\system32\svchost.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076d2ecc0 5 bytes JMP 0000000076e90430 .text C:\Windows\system32\svchost.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076d2eec0 1 byte JMP 0000000076e90250 .text C:\Windows\system32\svchost.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 0000000076d2eec2 3 bytes {JMP 0x161390} .text C:\Windows\system32\svchost.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076d2eed0 1 byte JMP 0000000076e90260 .text C:\Windows\system32\svchost.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 0000000076d2eed2 3 bytes {JMP 0x161390} .text C:\Windows\system32\svchost.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076d2eee0 5 bytes JMP 0000000076e903f0 .text C:\Windows\system32\svchost.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076d2f0a0 5 bytes JMP 0000000076e901e0 .text C:\Windows\system32\svchost.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076d2f0b0 5 bytes JMP 0000000076e90200 .text C:\Windows\system32\svchost.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076d2f120 5 bytes JMP 0000000076e901f0 .text C:\Windows\system32\svchost.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076d2f180 1 byte JMP 0000000076e90410 .text C:\Windows\system32\svchost.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 0000000076d2f182 3 bytes {JMP 0x161290} .text C:\Windows\system32\svchost.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076d2f190 1 byte JMP 0000000076e90420 .text C:\Windows\system32\svchost.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 0000000076d2f192 3 bytes {JMP 0x161290} .text C:\Windows\system32\svchost.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076d2f1a0 5 bytes JMP 0000000076e90210 .text C:\Windows\system32\svchost.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076d2f280 5 bytes JMP 0000000076e90270 .text C:\Windows\system32\svchost.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076d2da60 5 bytes JMP 0000000076e90450 .text C:\Windows\system32\svchost.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076d2dab0 1 byte JMP 0000000076e90440 .text C:\Windows\system32\svchost.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 0000000076d2dab2 3 bytes {JMP 0x162990} .text C:\Windows\system32\svchost.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076d2dc10 5 bytes JMP 0000000076e90360 .text C:\Windows\system32\svchost.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076d2dc60 5 bytes JMP 0000000076e90460 .text C:\Windows\system32\svchost.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d2dc70 5 bytes JMP 0000000076e903d0 .text C:\Windows\system32\svchost.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076d2dd20 5 bytes JMP 0000000076e90310 .text C:\Windows\system32\svchost.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d2dd50 5 bytes JMP 0000000076e903a0 .text C:\Windows\system32\svchost.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076d2dd70 5 bytes JMP 0000000076e90380 .text C:\Windows\system32\svchost.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076d2ddb0 5 bytes JMP 0000000076e902d0 .text C:\Windows\system32\svchost.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076d2de30 1 byte JMP 0000000076e902c0 .text C:\Windows\system32\svchost.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 0000000076d2de32 3 bytes {JMP 0x162490} .text C:\Windows\system32\svchost.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076d2de50 5 bytes JMP 0000000076e90300 .text C:\Windows\system32\svchost.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076d2de90 5 bytes JMP 0000000076e903b0 .text C:\Windows\system32\svchost.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076d2dee0 5 bytes JMP 0000000076e903e0 .text C:\Windows\system32\svchost.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076d2e040 5 bytes JMP 0000000076e90220 .text C:\Windows\system32\svchost.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d2e200 5 bytes JMP 0000000076e90470 .text C:\Windows\system32\svchost.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076d2e230 5 bytes JMP 0000000076e90390 .text C:\Windows\system32\svchost.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076d2e310 5 bytes JMP 0000000076e902e0 .text C:\Windows\system32\svchost.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076d2e320 5 bytes JMP 0000000076e90340 .text C:\Windows\system32\svchost.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076d2e380 5 bytes JMP 0000000076e90280 .text C:\Windows\system32\svchost.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076d2e410 1 byte JMP 0000000076e902a0 .text C:\Windows\system32\svchost.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 0000000076d2e412 3 bytes {JMP 0x161e90} .text C:\Windows\system32\svchost.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076d2e430 1 byte JMP 0000000076e903c0 .text C:\Windows\system32\svchost.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 0000000076d2e432 3 bytes {JMP 0x161f90} .text C:\Windows\system32\svchost.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076d2e440 5 bytes JMP 0000000076e90320 .text C:\Windows\system32\svchost.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076d2e4b0 5 bytes JMP 0000000076e90400 .text C:\Windows\system32\svchost.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076d2e4e0 5 bytes JMP 0000000076e90230 .text C:\Windows\system32\svchost.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076d2e7a0 5 bytes JMP 0000000076e901d0 .text C:\Windows\system32\svchost.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076d2e860 5 bytes JMP 0000000076e90240 .text C:\Windows\system32\svchost.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076d2e890 5 bytes JMP 0000000076e90480 .text C:\Windows\system32\svchost.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076d2e8a0 5 bytes JMP 0000000076e90490 .text C:\Windows\system32\svchost.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076d2e8d0 5 bytes JMP 0000000076e902f0 .text C:\Windows\system32\svchost.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076d2e8e0 5 bytes JMP 0000000076e90350 .text C:\Windows\system32\svchost.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076d2e940 5 bytes JMP 0000000076e90290 .text C:\Windows\system32\svchost.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076d2e990 5 bytes JMP 0000000076e902b0 .text C:\Windows\system32\svchost.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076d2e9c0 5 bytes JMP 0000000076e90370 .text C:\Windows\system32\svchost.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076d2e9d0 5 bytes JMP 0000000076e90330 .text C:\Windows\system32\svchost.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076d2ecc0 5 bytes JMP 0000000076e90430 .text C:\Windows\system32\svchost.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076d2eec0 1 byte JMP 0000000076e90250 .text C:\Windows\system32\svchost.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 0000000076d2eec2 3 bytes {JMP 0x161390} .text C:\Windows\system32\svchost.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076d2eed0 1 byte JMP 0000000076e90260 .text C:\Windows\system32\svchost.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 0000000076d2eed2 3 bytes {JMP 0x161390} .text C:\Windows\system32\svchost.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076d2eee0 5 bytes JMP 0000000076e903f0 .text C:\Windows\system32\svchost.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076d2f0a0 5 bytes JMP 0000000076e901e0 .text C:\Windows\system32\svchost.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076d2f0b0 5 bytes JMP 0000000076e90200 .text C:\Windows\system32\svchost.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076d2f120 5 bytes JMP 0000000076e901f0 .text C:\Windows\system32\svchost.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076d2f180 1 byte JMP 0000000076e90410 .text C:\Windows\system32\svchost.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 0000000076d2f182 3 bytes {JMP 0x161290} .text C:\Windows\system32\svchost.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076d2f190 1 byte JMP 0000000076e90420 .text C:\Windows\system32\svchost.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 0000000076d2f192 3 bytes {JMP 0x161290} .text C:\Windows\system32\svchost.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076d2f1a0 5 bytes JMP 0000000076e90210 .text C:\Windows\system32\svchost.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076d2f280 5 bytes JMP 0000000076e90270 .text C:\Windows\system32\atieclxx.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076d2da60 5 bytes JMP 0000000076e90450 .text C:\Windows\system32\atieclxx.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076d2dab0 1 byte JMP 0000000076e90440 .text C:\Windows\system32\atieclxx.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 0000000076d2dab2 3 bytes {JMP 0x162990} .text C:\Windows\system32\atieclxx.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076d2dc10 5 bytes JMP 0000000076e90360 .text C:\Windows\system32\atieclxx.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076d2dc60 5 bytes JMP 0000000076e90460 .text C:\Windows\system32\atieclxx.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d2dc70 5 bytes JMP 0000000076e903d0 .text C:\Windows\system32\atieclxx.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076d2dd20 5 bytes JMP 0000000076e90310 .text C:\Windows\system32\atieclxx.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d2dd50 5 bytes JMP 0000000076e903a0 .text C:\Windows\system32\atieclxx.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076d2dd70 5 bytes JMP 0000000076e90380 .text C:\Windows\system32\atieclxx.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076d2ddb0 5 bytes JMP 0000000076e902d0 .text C:\Windows\system32\atieclxx.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076d2de30 1 byte JMP 0000000076e902c0 .text C:\Windows\system32\atieclxx.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 0000000076d2de32 3 bytes {JMP 0x162490} .text C:\Windows\system32\atieclxx.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076d2de50 5 bytes JMP 0000000076e90300 .text C:\Windows\system32\atieclxx.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076d2de90 5 bytes JMP 0000000076e903b0 .text C:\Windows\system32\atieclxx.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076d2dee0 5 bytes JMP 0000000076e903e0 .text C:\Windows\system32\atieclxx.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076d2e040 5 bytes JMP 0000000076e90220 .text C:\Windows\system32\atieclxx.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d2e200 5 bytes JMP 0000000076e90470 .text C:\Windows\system32\atieclxx.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076d2e230 5 bytes JMP 0000000076e90390 .text C:\Windows\system32\atieclxx.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076d2e310 5 bytes JMP 0000000076e902e0 .text C:\Windows\system32\atieclxx.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076d2e320 5 bytes JMP 0000000076e90340 .text C:\Windows\system32\atieclxx.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076d2e380 5 bytes JMP 0000000076e90280 .text C:\Windows\system32\atieclxx.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076d2e410 1 byte JMP 0000000076e902a0 .text C:\Windows\system32\atieclxx.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 0000000076d2e412 3 bytes {JMP 0x161e90} .text C:\Windows\system32\atieclxx.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076d2e430 1 byte JMP 0000000076e903c0 .text C:\Windows\system32\atieclxx.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 0000000076d2e432 3 bytes {JMP 0x161f90} .text C:\Windows\system32\atieclxx.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076d2e440 5 bytes JMP 0000000076e90320 .text C:\Windows\system32\atieclxx.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076d2e4b0 5 bytes JMP 0000000076e90400 .text C:\Windows\system32\atieclxx.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076d2e4e0 5 bytes JMP 0000000076e90230 .text C:\Windows\system32\atieclxx.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076d2e7a0 5 bytes JMP 0000000076e901d0 .text C:\Windows\system32\atieclxx.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076d2e860 5 bytes JMP 0000000076e90240 .text C:\Windows\system32\atieclxx.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076d2e890 5 bytes JMP 0000000076e90480 .text C:\Windows\system32\atieclxx.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076d2e8a0 5 bytes JMP 0000000076e90490 .text C:\Windows\system32\atieclxx.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076d2e8d0 5 bytes JMP 0000000076e902f0 .text C:\Windows\system32\atieclxx.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076d2e8e0 5 bytes JMP 0000000076e90350 .text C:\Windows\system32\atieclxx.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076d2e940 5 bytes JMP 0000000076e90290 .text C:\Windows\system32\atieclxx.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076d2e990 5 bytes JMP 0000000076e902b0 .text C:\Windows\system32\atieclxx.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076d2e9c0 5 bytes JMP 0000000076e90370 .text C:\Windows\system32\atieclxx.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076d2e9d0 5 bytes JMP 0000000076e90330 .text C:\Windows\system32\atieclxx.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076d2ecc0 5 bytes JMP 0000000076e90430 .text C:\Windows\system32\atieclxx.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076d2eec0 1 byte JMP 0000000076e90250 .text C:\Windows\system32\atieclxx.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 0000000076d2eec2 3 bytes {JMP 0x161390} .text C:\Windows\system32\atieclxx.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076d2eed0 1 byte JMP 0000000076e90260 .text C:\Windows\system32\atieclxx.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 0000000076d2eed2 3 bytes {JMP 0x161390} .text C:\Windows\system32\atieclxx.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076d2eee0 5 bytes JMP 0000000076e903f0 .text C:\Windows\system32\atieclxx.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076d2f0a0 5 bytes JMP 0000000076e901e0 .text C:\Windows\system32\atieclxx.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076d2f0b0 5 bytes JMP 0000000076e90200 .text C:\Windows\system32\atieclxx.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076d2f120 5 bytes JMP 0000000076e901f0 .text C:\Windows\system32\atieclxx.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076d2f180 1 byte JMP 0000000076e90410 .text C:\Windows\system32\atieclxx.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 0000000076d2f182 3 bytes {JMP 0x161290} .text C:\Windows\system32\atieclxx.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076d2f190 1 byte JMP 0000000076e90420 .text C:\Windows\system32\atieclxx.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 0000000076d2f192 3 bytes {JMP 0x161290} .text C:\Windows\system32\atieclxx.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076d2f1a0 5 bytes JMP 0000000076e90210 .text C:\Windows\system32\atieclxx.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076d2f280 5 bytes JMP 0000000076e90270 .text C:\Windows\system32\nvvsvc.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076d2da60 5 bytes JMP 0000000076e90450 .text C:\Windows\system32\nvvsvc.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076d2dab0 1 byte JMP 0000000076e90440 .text C:\Windows\system32\nvvsvc.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 0000000076d2dab2 3 bytes {JMP 0x162990} .text C:\Windows\system32\nvvsvc.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076d2dc10 5 bytes JMP 0000000076e90360 .text C:\Windows\system32\nvvsvc.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076d2dc60 5 bytes JMP 0000000076e90460 .text C:\Windows\system32\nvvsvc.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d2dc70 5 bytes JMP 0000000076e903d0 .text C:\Windows\system32\nvvsvc.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076d2dd20 5 bytes JMP 0000000076e90310 .text C:\Windows\system32\nvvsvc.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d2dd50 5 bytes JMP 0000000076e903a0 .text C:\Windows\system32\nvvsvc.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076d2dd70 5 bytes JMP 0000000076e90380 .text C:\Windows\system32\nvvsvc.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076d2ddb0 5 bytes JMP 0000000076e902d0 .text C:\Windows\system32\nvvsvc.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076d2de30 1 byte JMP 0000000076e902c0 .text C:\Windows\system32\nvvsvc.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 0000000076d2de32 3 bytes {JMP 0x162490} .text C:\Windows\system32\nvvsvc.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076d2de50 5 bytes JMP 0000000076e90300 .text C:\Windows\system32\nvvsvc.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076d2de90 5 bytes JMP 0000000076e903b0 .text C:\Windows\system32\nvvsvc.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076d2dee0 5 bytes JMP 0000000076e903e0 .text C:\Windows\system32\nvvsvc.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076d2e040 5 bytes JMP 0000000076e90220 .text C:\Windows\system32\nvvsvc.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d2e200 5 bytes JMP 0000000076e90470 .text C:\Windows\system32\nvvsvc.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076d2e230 5 bytes JMP 0000000076e90390 .text C:\Windows\system32\nvvsvc.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076d2e310 5 bytes JMP 0000000076e902e0 .text C:\Windows\system32\nvvsvc.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076d2e320 5 bytes JMP 0000000076e90340 .text C:\Windows\system32\nvvsvc.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076d2e380 5 bytes JMP 0000000076e90280 .text C:\Windows\system32\nvvsvc.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076d2e410 1 byte JMP 0000000076e902a0 .text C:\Windows\system32\nvvsvc.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 0000000076d2e412 3 bytes {JMP 0x161e90} .text C:\Windows\system32\nvvsvc.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076d2e430 1 byte JMP 0000000076e903c0 .text C:\Windows\system32\nvvsvc.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 0000000076d2e432 3 bytes {JMP 0x161f90} .text C:\Windows\system32\nvvsvc.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076d2e440 5 bytes JMP 0000000076e90320 .text C:\Windows\system32\nvvsvc.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076d2e4b0 5 bytes JMP 0000000076e90400 .text C:\Windows\system32\nvvsvc.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076d2e4e0 5 bytes JMP 0000000076e90230 .text C:\Windows\system32\nvvsvc.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076d2e7a0 5 bytes JMP 0000000076e901d0 .text C:\Windows\system32\nvvsvc.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076d2e860 5 bytes JMP 0000000076e90240 .text C:\Windows\system32\nvvsvc.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076d2e890 5 bytes JMP 0000000076e90480 .text C:\Windows\system32\nvvsvc.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076d2e8a0 5 bytes JMP 0000000076e90490 .text C:\Windows\system32\nvvsvc.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076d2e8d0 5 bytes JMP 0000000076e902f0 .text C:\Windows\system32\nvvsvc.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076d2e8e0 5 bytes JMP 0000000076e90350 .text C:\Windows\system32\nvvsvc.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076d2e940 5 bytes JMP 0000000076e90290 .text C:\Windows\system32\nvvsvc.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076d2e990 5 bytes JMP 0000000076e902b0 .text C:\Windows\system32\nvvsvc.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076d2e9c0 5 bytes JMP 0000000076e90370 .text C:\Windows\system32\nvvsvc.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076d2e9d0 5 bytes JMP 0000000076e90330 .text C:\Windows\system32\nvvsvc.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076d2ecc0 5 bytes JMP 0000000076e90430 .text C:\Windows\system32\nvvsvc.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076d2eec0 1 byte JMP 0000000076e90250 .text C:\Windows\system32\nvvsvc.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 0000000076d2eec2 3 bytes {JMP 0x161390} .text C:\Windows\system32\nvvsvc.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076d2eed0 1 byte JMP 0000000076e90260 .text C:\Windows\system32\nvvsvc.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 0000000076d2eed2 3 bytes {JMP 0x161390} .text C:\Windows\system32\nvvsvc.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076d2eee0 5 bytes JMP 0000000076e903f0 .text C:\Windows\system32\nvvsvc.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076d2f0a0 5 bytes JMP 0000000076e901e0 .text C:\Windows\system32\nvvsvc.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076d2f0b0 5 bytes JMP 0000000076e90200 .text C:\Windows\system32\nvvsvc.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076d2f120 5 bytes JMP 0000000076e901f0 .text C:\Windows\system32\nvvsvc.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076d2f180 1 byte JMP 0000000076e90410 .text C:\Windows\system32\nvvsvc.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 0000000076d2f182 3 bytes {JMP 0x161290} .text C:\Windows\system32\nvvsvc.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076d2f190 1 byte JMP 0000000076e90420 .text C:\Windows\system32\nvvsvc.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 0000000076d2f192 3 bytes {JMP 0x161290} .text C:\Windows\system32\nvvsvc.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076d2f1a0 5 bytes JMP 0000000076e90210 .text C:\Windows\system32\nvvsvc.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076d2f280 5 bytes JMP 0000000076e90270 .text C:\Windows\system32\svchost.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076d2da60 5 bytes JMP 0000000076e90450 .text C:\Windows\system32\svchost.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076d2dab0 1 byte JMP 0000000076e90440 .text C:\Windows\system32\svchost.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 0000000076d2dab2 3 bytes {JMP 0x162990} .text C:\Windows\system32\svchost.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076d2dc10 5 bytes JMP 0000000076e90360 .text C:\Windows\system32\svchost.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076d2dc60 5 bytes JMP 0000000076e90460 .text C:\Windows\system32\svchost.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d2dc70 5 bytes JMP 0000000076e903d0 .text C:\Windows\system32\svchost.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076d2dd20 5 bytes JMP 0000000076e90310 .text C:\Windows\system32\svchost.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d2dd50 5 bytes JMP 0000000076e903a0 .text C:\Windows\system32\svchost.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076d2dd70 5 bytes JMP 0000000076e90380 .text C:\Windows\system32\svchost.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076d2ddb0 5 bytes JMP 0000000076e902d0 .text C:\Windows\system32\svchost.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076d2de30 1 byte JMP 0000000076e902c0 .text C:\Windows\system32\svchost.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 0000000076d2de32 3 bytes {JMP 0x162490} .text C:\Windows\system32\svchost.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076d2de50 5 bytes JMP 0000000076e90300 .text C:\Windows\system32\svchost.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076d2de90 5 bytes JMP 0000000076e903b0 .text C:\Windows\system32\svchost.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076d2dee0 5 bytes JMP 0000000076e903e0 .text C:\Windows\system32\svchost.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076d2e040 5 bytes JMP 0000000076e90220 .text C:\Windows\system32\svchost.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d2e200 5 bytes JMP 0000000076e90470 .text C:\Windows\system32\svchost.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076d2e230 5 bytes JMP 0000000076e90390 .text C:\Windows\system32\svchost.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076d2e310 5 bytes JMP 0000000076e902e0 .text C:\Windows\system32\svchost.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076d2e320 5 bytes JMP 0000000076e90340 .text C:\Windows\system32\svchost.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076d2e380 5 bytes JMP 0000000076e90280 .text C:\Windows\system32\svchost.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076d2e410 1 byte JMP 0000000076e902a0 .text C:\Windows\system32\svchost.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 0000000076d2e412 3 bytes {JMP 0x161e90} .text C:\Windows\system32\svchost.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076d2e430 1 byte JMP 0000000076e903c0 .text C:\Windows\system32\svchost.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 0000000076d2e432 3 bytes {JMP 0x161f90} .text C:\Windows\system32\svchost.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076d2e440 5 bytes JMP 0000000076e90320 .text C:\Windows\system32\svchost.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076d2e4b0 5 bytes JMP 0000000076e90400 .text C:\Windows\system32\svchost.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076d2e4e0 5 bytes JMP 0000000076e90230 .text C:\Windows\system32\svchost.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076d2e7a0 5 bytes JMP 0000000076e901d0 .text C:\Windows\system32\svchost.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076d2e860 5 bytes JMP 0000000076e90240 .text C:\Windows\system32\svchost.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076d2e890 5 bytes JMP 0000000076e90480 .text C:\Windows\system32\svchost.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076d2e8a0 5 bytes JMP 0000000076e90490 .text C:\Windows\system32\svchost.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076d2e8d0 5 bytes JMP 0000000076e902f0 .text C:\Windows\system32\svchost.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076d2e8e0 5 bytes JMP 0000000076e90350 .text C:\Windows\system32\svchost.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076d2e940 5 bytes JMP 0000000076e90290 .text C:\Windows\system32\svchost.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076d2e990 5 bytes JMP 0000000076e902b0 .text C:\Windows\system32\svchost.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076d2e9c0 5 bytes JMP 0000000076e90370 .text C:\Windows\system32\svchost.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076d2e9d0 5 bytes JMP 0000000076e90330 .text C:\Windows\system32\svchost.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076d2ecc0 5 bytes JMP 0000000076e90430 .text C:\Windows\system32\svchost.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076d2eec0 1 byte JMP 0000000076e90250 .text C:\Windows\system32\svchost.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 0000000076d2eec2 3 bytes {JMP 0x161390} .text C:\Windows\system32\svchost.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076d2eed0 1 byte JMP 0000000076e90260 .text C:\Windows\system32\svchost.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 0000000076d2eed2 3 bytes {JMP 0x161390} .text C:\Windows\system32\svchost.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076d2eee0 5 bytes JMP 0000000076e903f0 .text C:\Windows\system32\svchost.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076d2f0a0 5 bytes JMP 0000000076e901e0 .text C:\Windows\system32\svchost.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076d2f0b0 5 bytes JMP 0000000076e90200 .text C:\Windows\system32\svchost.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076d2f120 5 bytes JMP 0000000076e901f0 .text C:\Windows\system32\svchost.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076d2f180 1 byte JMP 0000000076e90410 .text C:\Windows\system32\svchost.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 0000000076d2f182 3 bytes {JMP 0x161290} .text C:\Windows\system32\svchost.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076d2f190 1 byte JMP 0000000076e90420 .text C:\Windows\system32\svchost.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 0000000076d2f192 3 bytes {JMP 0x161290} .text C:\Windows\system32\svchost.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076d2f1a0 5 bytes JMP 0000000076e90210 .text C:\Windows\system32\svchost.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076d2f280 5 bytes JMP 0000000076e90270 .text C:\Windows\System32\spoolsv.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076d2da60 5 bytes JMP 0000000076e90450 .text C:\Windows\System32\spoolsv.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076d2dab0 1 byte JMP 0000000076e90440 .text C:\Windows\System32\spoolsv.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 0000000076d2dab2 3 bytes {JMP 0x162990} .text C:\Windows\System32\spoolsv.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076d2dc10 5 bytes JMP 0000000076e90360 .text C:\Windows\System32\spoolsv.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076d2dc60 5 bytes JMP 0000000076e90460 .text C:\Windows\System32\spoolsv.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d2dc70 5 bytes JMP 0000000076e903d0 .text C:\Windows\System32\spoolsv.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076d2dd20 5 bytes JMP 0000000076e90310 .text C:\Windows\System32\spoolsv.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d2dd50 5 bytes JMP 0000000076e903a0 .text C:\Windows\System32\spoolsv.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076d2dd70 5 bytes JMP 0000000076e90380 .text C:\Windows\System32\spoolsv.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076d2ddb0 5 bytes JMP 0000000076e902d0 .text C:\Windows\System32\spoolsv.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076d2de30 1 byte JMP 0000000076e902c0 .text C:\Windows\System32\spoolsv.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 0000000076d2de32 3 bytes {JMP 0x162490} .text C:\Windows\System32\spoolsv.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076d2de50 5 bytes JMP 0000000076e90300 .text C:\Windows\System32\spoolsv.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076d2de90 5 bytes JMP 0000000076e903b0 .text C:\Windows\System32\spoolsv.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076d2dee0 5 bytes JMP 0000000076e903e0 .text C:\Windows\System32\spoolsv.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076d2e040 5 bytes JMP 0000000076e90220 .text C:\Windows\System32\spoolsv.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d2e200 5 bytes JMP 0000000076e90470 .text C:\Windows\System32\spoolsv.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076d2e230 5 bytes JMP 0000000076e90390 .text C:\Windows\System32\spoolsv.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076d2e310 5 bytes JMP 0000000076e902e0 .text C:\Windows\System32\spoolsv.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076d2e320 5 bytes JMP 0000000076e90340 .text C:\Windows\System32\spoolsv.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076d2e380 5 bytes JMP 0000000076e90280 .text C:\Windows\System32\spoolsv.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076d2e410 1 byte JMP 0000000076e902a0 .text C:\Windows\System32\spoolsv.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 0000000076d2e412 3 bytes {JMP 0x161e90} .text C:\Windows\System32\spoolsv.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076d2e430 1 byte JMP 0000000076e903c0 .text C:\Windows\System32\spoolsv.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 0000000076d2e432 3 bytes {JMP 0x161f90} .text C:\Windows\System32\spoolsv.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076d2e440 5 bytes JMP 0000000076e90320 .text C:\Windows\System32\spoolsv.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076d2e4b0 5 bytes JMP 0000000076e90400 .text C:\Windows\System32\spoolsv.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076d2e4e0 5 bytes JMP 0000000076e90230 .text C:\Windows\System32\spoolsv.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076d2e7a0 5 bytes JMP 0000000076e901d0 .text C:\Windows\System32\spoolsv.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076d2e860 5 bytes JMP 0000000076e90240 .text C:\Windows\System32\spoolsv.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076d2e890 5 bytes JMP 0000000076e90480 .text C:\Windows\System32\spoolsv.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076d2e8a0 5 bytes JMP 0000000076e90490 .text C:\Windows\System32\spoolsv.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076d2e8d0 5 bytes JMP 0000000076e902f0 .text C:\Windows\System32\spoolsv.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076d2e8e0 5 bytes JMP 0000000076e90350 .text C:\Windows\System32\spoolsv.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076d2e940 5 bytes JMP 0000000076e90290 .text C:\Windows\System32\spoolsv.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076d2e990 5 bytes JMP 0000000076e902b0 .text C:\Windows\System32\spoolsv.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076d2e9c0 5 bytes JMP 0000000076e90370 .text C:\Windows\System32\spoolsv.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076d2e9d0 5 bytes JMP 0000000076e90330 .text C:\Windows\System32\spoolsv.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076d2ecc0 5 bytes JMP 0000000076e90430 .text C:\Windows\System32\spoolsv.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076d2eec0 1 byte JMP 0000000076e90250 .text C:\Windows\System32\spoolsv.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 0000000076d2eec2 3 bytes {JMP 0x161390} .text C:\Windows\System32\spoolsv.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076d2eed0 1 byte JMP 0000000076e90260 .text C:\Windows\System32\spoolsv.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 0000000076d2eed2 3 bytes {JMP 0x161390} .text C:\Windows\System32\spoolsv.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076d2eee0 5 bytes JMP 0000000076e903f0 .text C:\Windows\System32\spoolsv.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076d2f0a0 5 bytes JMP 0000000076e901e0 .text C:\Windows\System32\spoolsv.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076d2f0b0 5 bytes JMP 0000000076e90200 .text C:\Windows\System32\spoolsv.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076d2f120 5 bytes JMP 0000000076e901f0 .text C:\Windows\System32\spoolsv.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076d2f180 1 byte JMP 0000000076e90410 .text C:\Windows\System32\spoolsv.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 0000000076d2f182 3 bytes {JMP 0x161290} .text C:\Windows\System32\spoolsv.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076d2f190 1 byte JMP 0000000076e90420 .text C:\Windows\System32\spoolsv.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 0000000076d2f192 3 bytes {JMP 0x161290} .text C:\Windows\System32\spoolsv.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076d2f1a0 5 bytes JMP 0000000076e90210 .text C:\Windows\System32\spoolsv.exe[1576] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076d2f280 5 bytes JMP 0000000076e90270 .text C:\Windows\system32\svchost.exe[1636] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076d2da60 5 bytes JMP 0000000076e90450 .text C:\Windows\system32\svchost.exe[1636] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076d2dab0 1 byte JMP 0000000076e90440 .text C:\Windows\system32\svchost.exe[1636] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 0000000076d2dab2 3 bytes {JMP 0x162990} .text C:\Windows\system32\svchost.exe[1636] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076d2dc10 5 bytes JMP 0000000076e90360 .text C:\Windows\system32\svchost.exe[1636] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076d2dc60 5 bytes JMP 0000000076e90460 .text C:\Windows\system32\svchost.exe[1636] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d2dc70 5 bytes JMP 0000000076e903d0 .text C:\Windows\system32\svchost.exe[1636] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076d2dd20 5 bytes JMP 0000000076e90310 .text C:\Windows\system32\svchost.exe[1636] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d2dd50 5 bytes JMP 0000000076e903a0 .text C:\Windows\system32\svchost.exe[1636] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076d2dd70 5 bytes JMP 0000000076e90380 .text C:\Windows\system32\svchost.exe[1636] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076d2ddb0 5 bytes JMP 0000000076e902d0 .text C:\Windows\system32\svchost.exe[1636] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076d2de30 1 byte JMP 0000000076e902c0 .text C:\Windows\system32\svchost.exe[1636] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 0000000076d2de32 3 bytes {JMP 0x162490} .text C:\Windows\system32\svchost.exe[1636] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076d2de50 5 bytes JMP 0000000076e90300 .text C:\Windows\system32\svchost.exe[1636] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076d2de90 5 bytes JMP 0000000076e903b0 .text C:\Windows\system32\svchost.exe[1636] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076d2dee0 5 bytes JMP 0000000076e903e0 .text C:\Windows\system32\svchost.exe[1636] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076d2e040 5 bytes JMP 0000000076e90220 .text C:\Windows\system32\svchost.exe[1636] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d2e200 5 bytes JMP 0000000076e90470 .text C:\Windows\system32\svchost.exe[1636] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076d2e230 5 bytes JMP 0000000076e90390 .text C:\Windows\system32\svchost.exe[1636] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076d2e310 5 bytes JMP 0000000076e902e0 .text C:\Windows\system32\svchost.exe[1636] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076d2e320 5 bytes JMP 0000000076e90340 .text C:\Windows\system32\svchost.exe[1636] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076d2e380 5 bytes JMP 0000000076e90280 .text C:\Windows\system32\svchost.exe[1636] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076d2e410 1 byte JMP 0000000076e902a0 .text C:\Windows\system32\svchost.exe[1636] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 0000000076d2e412 3 bytes {JMP 0x161e90} .text C:\Windows\system32\svchost.exe[1636] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076d2e430 1 byte JMP 0000000076e903c0 .text C:\Windows\system32\svchost.exe[1636] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 0000000076d2e432 3 bytes {JMP 0x161f90} .text C:\Windows\system32\svchost.exe[1636] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076d2e440 5 bytes JMP 0000000076e90320 .text C:\Windows\system32\svchost.exe[1636] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076d2e4b0 5 bytes JMP 0000000076e90400 .text C:\Windows\system32\svchost.exe[1636] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076d2e4e0 5 bytes JMP 0000000076e90230 .text C:\Windows\system32\svchost.exe[1636] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076d2e7a0 5 bytes JMP 0000000076e901d0 .text C:\Windows\system32\svchost.exe[1636] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076d2e860 5 bytes JMP 0000000076e90240 .text C:\Windows\system32\svchost.exe[1636] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076d2e890 5 bytes JMP 0000000076e90480 .text C:\Windows\system32\svchost.exe[1636] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076d2e8a0 5 bytes JMP 0000000076e90490 .text C:\Windows\system32\svchost.exe[1636] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076d2e8d0 5 bytes JMP 0000000076e902f0 .text C:\Windows\system32\svchost.exe[1636] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076d2e8e0 5 bytes JMP 0000000076e90350 .text C:\Windows\system32\svchost.exe[1636] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076d2e940 5 bytes JMP 0000000076e90290 .text C:\Windows\system32\svchost.exe[1636] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076d2e990 5 bytes JMP 0000000076e902b0 .text C:\Windows\system32\svchost.exe[1636] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076d2e9c0 5 bytes JMP 0000000076e90370 .text C:\Windows\system32\svchost.exe[1636] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076d2e9d0 5 bytes JMP 0000000076e90330 .text C:\Windows\system32\svchost.exe[1636] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076d2ecc0 5 bytes JMP 0000000076e90430 .text C:\Windows\system32\svchost.exe[1636] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076d2eec0 1 byte JMP 0000000076e90250 .text C:\Windows\system32\svchost.exe[1636] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 0000000076d2eec2 3 bytes {JMP 0x161390} .text C:\Windows\system32\svchost.exe[1636] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076d2eed0 1 byte JMP 0000000076e90260 .text C:\Windows\system32\svchost.exe[1636] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 0000000076d2eed2 3 bytes {JMP 0x161390} .text C:\Windows\system32\svchost.exe[1636] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076d2eee0 5 bytes JMP 0000000076e903f0 .text C:\Windows\system32\svchost.exe[1636] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076d2f0a0 5 bytes JMP 0000000076e901e0 .text C:\Windows\system32\svchost.exe[1636] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076d2f0b0 5 bytes JMP 0000000076e90200 .text C:\Windows\system32\svchost.exe[1636] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076d2f120 5 bytes JMP 0000000076e901f0 .text C:\Windows\system32\svchost.exe[1636] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076d2f180 1 byte JMP 0000000076e90410 .text C:\Windows\system32\svchost.exe[1636] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 0000000076d2f182 3 bytes {JMP 0x161290} .text C:\Windows\system32\svchost.exe[1636] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076d2f190 1 byte JMP 0000000076e90420 .text C:\Windows\system32\svchost.exe[1636] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 0000000076d2f192 3 bytes {JMP 0x161290} .text C:\Windows\system32\svchost.exe[1636] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076d2f1a0 5 bytes JMP 0000000076e90210 .text C:\Windows\system32\svchost.exe[1636] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076d2f280 5 bytes JMP 0000000076e90270 .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1860] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000075701401 2 bytes JMP 7678b21b C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1860] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000075701419 2 bytes JMP 7678b346 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1860] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000075701431 2 bytes JMP 76808fd1 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1860] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007570144a 2 bytes CALL 7676489d C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1860] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000757014dd 2 bytes JMP 768088c4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1860] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000757014f5 2 bytes JMP 76808aa0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1860] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007570150d 2 bytes JMP 768087ba C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1860] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000075701525 2 bytes JMP 76808b8a C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1860] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007570153d 2 bytes JMP 7677fca8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1860] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000075701555 2 bytes JMP 767868ef C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1860] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007570156d 2 bytes JMP 76809089 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1860] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000075701585 2 bytes JMP 76808bea C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1860] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007570159d 2 bytes JMP 7680877e C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1860] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000757015b5 2 bytes JMP 7677fd41 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1860] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000757015cd 2 bytes JMP 7678b2dc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1860] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000757016b2 2 bytes JMP 76808f4c C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1860] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000757016bd 2 bytes JMP 76808713 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076d2da60 5 bytes JMP 0000000076e90450 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076d2dab0 1 byte JMP 0000000076e90440 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 0000000076d2dab2 3 bytes {JMP 0x162990} .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076d2dc10 5 bytes JMP 0000000076e90360 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076d2dc60 5 bytes JMP 0000000076e90460 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d2dc70 5 bytes JMP 0000000076e903d0 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076d2dd20 5 bytes JMP 0000000076e90310 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d2dd50 5 bytes JMP 0000000076e903a0 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076d2dd70 5 bytes JMP 0000000076e90380 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076d2ddb0 5 bytes JMP 0000000076e902d0 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076d2de30 1 byte JMP 0000000076e902c0 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 0000000076d2de32 3 bytes {JMP 0x162490} .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076d2de50 5 bytes JMP 0000000076e90300 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076d2de90 5 bytes JMP 0000000076e903b0 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076d2dee0 5 bytes JMP 0000000076e903e0 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076d2e040 5 bytes JMP 0000000076e90220 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d2e200 5 bytes JMP 0000000076e90470 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076d2e230 5 bytes JMP 0000000076e90390 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076d2e310 5 bytes JMP 0000000076e902e0 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076d2e320 5 bytes JMP 0000000076e90340 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076d2e380 5 bytes JMP 0000000076e90280 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076d2e410 1 byte JMP 0000000076e902a0 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 0000000076d2e412 3 bytes {JMP 0x161e90} .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076d2e430 1 byte JMP 0000000076e903c0 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 0000000076d2e432 3 bytes {JMP 0x161f90} .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076d2e440 5 bytes JMP 0000000076e90320 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076d2e4b0 5 bytes JMP 0000000076e90400 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076d2e4e0 5 bytes JMP 0000000076e90230 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076d2e7a0 5 bytes JMP 0000000076e901d0 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076d2e860 5 bytes JMP 0000000076e90240 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076d2e890 5 bytes JMP 0000000076e90480 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076d2e8a0 5 bytes JMP 0000000076e90490 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076d2e8d0 5 bytes JMP 0000000076e902f0 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076d2e8e0 5 bytes JMP 0000000076e90350 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076d2e940 5 bytes JMP 0000000076e90290 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076d2e990 5 bytes JMP 0000000076e902b0 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076d2e9c0 5 bytes JMP 0000000076e90370 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076d2e9d0 5 bytes JMP 0000000076e90330 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076d2ecc0 5 bytes JMP 0000000076e90430 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076d2eec0 1 byte JMP 0000000076e90250 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 0000000076d2eec2 3 bytes {JMP 0x161390} .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076d2eed0 1 byte JMP 0000000076e90260 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 0000000076d2eed2 3 bytes {JMP 0x161390} .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076d2eee0 5 bytes JMP 0000000076e903f0 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076d2f0a0 5 bytes JMP 0000000076e901e0 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076d2f0b0 5 bytes JMP 0000000076e90200 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076d2f120 5 bytes JMP 0000000076e901f0 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076d2f180 1 byte JMP 0000000076e90410 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 0000000076d2f182 3 bytes {JMP 0x161290} .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076d2f190 1 byte JMP 0000000076e90420 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 0000000076d2f192 3 bytes {JMP 0x161290} .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076d2f1a0 5 bytes JMP 0000000076e90210 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076d2f280 5 bytes JMP 0000000076e90270 .text C:\Program Files (x86)\AMD\RAIDXpert\bin\RAIDXpert.exe[1976] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000075701401 2 bytes JMP 7678b21b C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AMD\RAIDXpert\bin\RAIDXpert.exe[1976] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000075701419 2 bytes JMP 7678b346 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AMD\RAIDXpert\bin\RAIDXpert.exe[1976] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000075701431 2 bytes JMP 76808fd1 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AMD\RAIDXpert\bin\RAIDXpert.exe[1976] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007570144a 2 bytes CALL 7676489d C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\AMD\RAIDXpert\bin\RAIDXpert.exe[1976] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000757014dd 2 bytes JMP 768088c4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AMD\RAIDXpert\bin\RAIDXpert.exe[1976] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000757014f5 2 bytes JMP 76808aa0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AMD\RAIDXpert\bin\RAIDXpert.exe[1976] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007570150d 2 bytes JMP 768087ba C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AMD\RAIDXpert\bin\RAIDXpert.exe[1976] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000075701525 2 bytes JMP 76808b8a C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AMD\RAIDXpert\bin\RAIDXpert.exe[1976] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007570153d 2 bytes JMP 7677fca8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AMD\RAIDXpert\bin\RAIDXpert.exe[1976] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000075701555 2 bytes JMP 767868ef C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AMD\RAIDXpert\bin\RAIDXpert.exe[1976] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007570156d 2 bytes JMP 76809089 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AMD\RAIDXpert\bin\RAIDXpert.exe[1976] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000075701585 2 bytes JMP 76808bea C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AMD\RAIDXpert\bin\RAIDXpert.exe[1976] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007570159d 2 bytes JMP 7680877e C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AMD\RAIDXpert\bin\RAIDXpert.exe[1976] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000757015b5 2 bytes JMP 7677fd41 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AMD\RAIDXpert\bin\RAIDXpert.exe[1976] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000757015cd 2 bytes JMP 7678b2dc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AMD\RAIDXpert\bin\RAIDXpert.exe[1976] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000757016b2 2 bytes JMP 76808f4c C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AMD\RAIDXpert\bin\RAIDXpert.exe[1976] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000757016bd 2 bytes JMP 76808713 C:\Windows\syswow64\kernel32.dll .text C:\PROGRA~1\ANSYSI~1\SHARED~1\LICENS~1\winx64\lmgrd.exe[2044] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076d2da60 5 bytes JMP 0000000076e90450 .text C:\PROGRA~1\ANSYSI~1\SHARED~1\LICENS~1\winx64\lmgrd.exe[2044] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076d2dab0 1 byte JMP 0000000076e90440 .text C:\PROGRA~1\ANSYSI~1\SHARED~1\LICENS~1\winx64\lmgrd.exe[2044] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 0000000076d2dab2 3 bytes {JMP 0x162990} .text C:\PROGRA~1\ANSYSI~1\SHARED~1\LICENS~1\winx64\lmgrd.exe[2044] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076d2dc10 5 bytes JMP 0000000076e90360 .text C:\PROGRA~1\ANSYSI~1\SHARED~1\LICENS~1\winx64\lmgrd.exe[2044] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076d2dc60 5 bytes JMP 0000000076e90460 .text C:\PROGRA~1\ANSYSI~1\SHARED~1\LICENS~1\winx64\lmgrd.exe[2044] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d2dc70 5 bytes JMP 0000000076e903d0 .text C:\PROGRA~1\ANSYSI~1\SHARED~1\LICENS~1\winx64\lmgrd.exe[2044] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076d2dd20 5 bytes JMP 0000000076e90310 .text C:\PROGRA~1\ANSYSI~1\SHARED~1\LICENS~1\winx64\lmgrd.exe[2044] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d2dd50 5 bytes JMP 0000000076e903a0 .text C:\PROGRA~1\ANSYSI~1\SHARED~1\LICENS~1\winx64\lmgrd.exe[2044] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076d2dd70 5 bytes JMP 0000000076e90380 .text C:\PROGRA~1\ANSYSI~1\SHARED~1\LICENS~1\winx64\lmgrd.exe[2044] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076d2ddb0 5 bytes JMP 0000000076e902d0 .text C:\PROGRA~1\ANSYSI~1\SHARED~1\LICENS~1\winx64\lmgrd.exe[2044] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076d2de30 1 byte JMP 0000000076e902c0 .text C:\PROGRA~1\ANSYSI~1\SHARED~1\LICENS~1\winx64\lmgrd.exe[2044] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 0000000076d2de32 3 bytes {JMP 0x162490} .text C:\PROGRA~1\ANSYSI~1\SHARED~1\LICENS~1\winx64\lmgrd.exe[2044] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076d2de50 5 bytes JMP 0000000076e90300 .text C:\PROGRA~1\ANSYSI~1\SHARED~1\LICENS~1\winx64\lmgrd.exe[2044] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076d2de90 5 bytes JMP 0000000076e903b0 .text C:\PROGRA~1\ANSYSI~1\SHARED~1\LICENS~1\winx64\lmgrd.exe[2044] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076d2dee0 5 bytes JMP 0000000076e903e0 .text C:\PROGRA~1\ANSYSI~1\SHARED~1\LICENS~1\winx64\lmgrd.exe[2044] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076d2e040 5 bytes JMP 0000000076e90220 .text C:\PROGRA~1\ANSYSI~1\SHARED~1\LICENS~1\winx64\lmgrd.exe[2044] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d2e200 5 bytes JMP 0000000076e90470 .text C:\PROGRA~1\ANSYSI~1\SHARED~1\LICENS~1\winx64\lmgrd.exe[2044] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076d2e230 5 bytes JMP 0000000076e90390 .text C:\PROGRA~1\ANSYSI~1\SHARED~1\LICENS~1\winx64\lmgrd.exe[2044] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076d2e310 5 bytes JMP 0000000076e902e0 .text C:\PROGRA~1\ANSYSI~1\SHARED~1\LICENS~1\winx64\lmgrd.exe[2044] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076d2e320 5 bytes JMP 0000000076e90340 .text C:\PROGRA~1\ANSYSI~1\SHARED~1\LICENS~1\winx64\lmgrd.exe[2044] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076d2e380 5 bytes JMP 0000000076e90280 .text C:\PROGRA~1\ANSYSI~1\SHARED~1\LICENS~1\winx64\lmgrd.exe[2044] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076d2e410 1 byte JMP 0000000076e902a0 .text C:\PROGRA~1\ANSYSI~1\SHARED~1\LICENS~1\winx64\lmgrd.exe[2044] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 0000000076d2e412 3 bytes {JMP 0x161e90} .text C:\PROGRA~1\ANSYSI~1\SHARED~1\LICENS~1\winx64\lmgrd.exe[2044] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076d2e430 1 byte JMP 0000000076e903c0 .text C:\PROGRA~1\ANSYSI~1\SHARED~1\LICENS~1\winx64\lmgrd.exe[2044] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 0000000076d2e432 3 bytes {JMP 0x161f90} .text C:\PROGRA~1\ANSYSI~1\SHARED~1\LICENS~1\winx64\lmgrd.exe[2044] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076d2e440 5 bytes JMP 0000000076e90320 .text C:\PROGRA~1\ANSYSI~1\SHARED~1\LICENS~1\winx64\lmgrd.exe[2044] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076d2e4b0 5 bytes JMP 0000000076e90400 .text C:\PROGRA~1\ANSYSI~1\SHARED~1\LICENS~1\winx64\lmgrd.exe[2044] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076d2e4e0 5 bytes JMP 0000000076e90230 .text C:\PROGRA~1\ANSYSI~1\SHARED~1\LICENS~1\winx64\lmgrd.exe[2044] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076d2e7a0 5 bytes JMP 0000000076e901d0 .text C:\PROGRA~1\ANSYSI~1\SHARED~1\LICENS~1\winx64\lmgrd.exe[2044] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076d2e860 5 bytes JMP 0000000076e90240 .text C:\PROGRA~1\ANSYSI~1\SHARED~1\LICENS~1\winx64\lmgrd.exe[2044] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076d2e890 5 bytes JMP 0000000076e90480 .text C:\PROGRA~1\ANSYSI~1\SHARED~1\LICENS~1\winx64\lmgrd.exe[2044] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076d2e8a0 5 bytes JMP 0000000076e90490 .text C:\PROGRA~1\ANSYSI~1\SHARED~1\LICENS~1\winx64\lmgrd.exe[2044] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076d2e8d0 5 bytes JMP 0000000076e902f0 .text C:\PROGRA~1\ANSYSI~1\SHARED~1\LICENS~1\winx64\lmgrd.exe[2044] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076d2e8e0 5 bytes JMP 0000000076e90350 .text C:\PROGRA~1\ANSYSI~1\SHARED~1\LICENS~1\winx64\lmgrd.exe[2044] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076d2e940 5 bytes JMP 0000000076e90290 .text C:\PROGRA~1\ANSYSI~1\SHARED~1\LICENS~1\winx64\lmgrd.exe[2044] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076d2e990 5 bytes JMP 0000000076e902b0 .text C:\PROGRA~1\ANSYSI~1\SHARED~1\LICENS~1\winx64\lmgrd.exe[2044] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076d2e9c0 5 bytes JMP 0000000076e90370 .text C:\PROGRA~1\ANSYSI~1\SHARED~1\LICENS~1\winx64\lmgrd.exe[2044] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076d2e9d0 5 bytes JMP 0000000076e90330 .text C:\PROGRA~1\ANSYSI~1\SHARED~1\LICENS~1\winx64\lmgrd.exe[2044] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076d2ecc0 5 bytes JMP 0000000076e90430 .text C:\PROGRA~1\ANSYSI~1\SHARED~1\LICENS~1\winx64\lmgrd.exe[2044] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076d2eec0 1 byte JMP 0000000076e90250 .text C:\PROGRA~1\ANSYSI~1\SHARED~1\LICENS~1\winx64\lmgrd.exe[2044] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 0000000076d2eec2 3 bytes {JMP 0x161390} .text C:\PROGRA~1\ANSYSI~1\SHARED~1\LICENS~1\winx64\lmgrd.exe[2044] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076d2eed0 1 byte JMP 0000000076e90260 .text C:\PROGRA~1\ANSYSI~1\SHARED~1\LICENS~1\winx64\lmgrd.exe[2044] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 0000000076d2eed2 3 bytes {JMP 0x161390} .text C:\PROGRA~1\ANSYSI~1\SHARED~1\LICENS~1\winx64\lmgrd.exe[2044] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076d2eee0 5 bytes JMP 0000000076e903f0 .text C:\PROGRA~1\ANSYSI~1\SHARED~1\LICENS~1\winx64\lmgrd.exe[2044] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076d2f0a0 5 bytes JMP 0000000076e901e0 .text C:\PROGRA~1\ANSYSI~1\SHARED~1\LICENS~1\winx64\lmgrd.exe[2044] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076d2f0b0 5 bytes JMP 0000000076e90200 .text C:\PROGRA~1\ANSYSI~1\SHARED~1\LICENS~1\winx64\lmgrd.exe[2044] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076d2f120 5 bytes JMP 0000000076e901f0 .text C:\PROGRA~1\ANSYSI~1\SHARED~1\LICENS~1\winx64\lmgrd.exe[2044] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076d2f180 1 byte JMP 0000000076e90410 .text C:\PROGRA~1\ANSYSI~1\SHARED~1\LICENS~1\winx64\lmgrd.exe[2044] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 0000000076d2f182 3 bytes {JMP 0x161290} .text C:\PROGRA~1\ANSYSI~1\SHARED~1\LICENS~1\winx64\lmgrd.exe[2044] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076d2f190 1 byte JMP 0000000076e90420 .text C:\PROGRA~1\ANSYSI~1\SHARED~1\LICENS~1\winx64\lmgrd.exe[2044] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 0000000076d2f192 3 bytes {JMP 0x161290} .text C:\PROGRA~1\ANSYSI~1\SHARED~1\LICENS~1\winx64\lmgrd.exe[2044] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076d2f1a0 5 bytes JMP 0000000076e90210 .text C:\PROGRA~1\ANSYSI~1\SHARED~1\LICENS~1\winx64\lmgrd.exe[2044] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076d2f280 5 bytes JMP 0000000076e90270 .text C:\Program Files\Dassault Systemes\DraftSight\bin\dsHttpApiService.exe[2208] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076d2da60 5 bytes JMP 0000000076e90450 .text C:\Program Files\Dassault Systemes\DraftSight\bin\dsHttpApiService.exe[2208] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076d2dab0 1 byte JMP 0000000076e90440 .text C:\Program Files\Dassault Systemes\DraftSight\bin\dsHttpApiService.exe[2208] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 0000000076d2dab2 3 bytes {JMP 0x162990} .text C:\Program Files\Dassault Systemes\DraftSight\bin\dsHttpApiService.exe[2208] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076d2dc10 5 bytes JMP 0000000076e90360 .text C:\Program Files\Dassault Systemes\DraftSight\bin\dsHttpApiService.exe[2208] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076d2dc60 5 bytes JMP 0000000076e90460 .text C:\Program Files\Dassault Systemes\DraftSight\bin\dsHttpApiService.exe[2208] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d2dc70 5 bytes JMP 0000000076e903d0 .text C:\Program Files\Dassault Systemes\DraftSight\bin\dsHttpApiService.exe[2208] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076d2dd20 5 bytes JMP 0000000076e90310 .text C:\Program Files\Dassault Systemes\DraftSight\bin\dsHttpApiService.exe[2208] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d2dd50 5 bytes JMP 0000000076e903a0 .text C:\Program Files\Dassault Systemes\DraftSight\bin\dsHttpApiService.exe[2208] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076d2dd70 5 bytes JMP 0000000076e90380 .text C:\Program Files\Dassault Systemes\DraftSight\bin\dsHttpApiService.exe[2208] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076d2ddb0 5 bytes JMP 0000000076e902d0 .text C:\Program Files\Dassault Systemes\DraftSight\bin\dsHttpApiService.exe[2208] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076d2de30 1 byte JMP 0000000076e902c0 .text C:\Program Files\Dassault Systemes\DraftSight\bin\dsHttpApiService.exe[2208] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 0000000076d2de32 3 bytes {JMP 0x162490} .text C:\Program Files\Dassault Systemes\DraftSight\bin\dsHttpApiService.exe[2208] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076d2de50 5 bytes JMP 0000000076e90300 .text C:\Program Files\Dassault Systemes\DraftSight\bin\dsHttpApiService.exe[2208] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076d2de90 5 bytes JMP 0000000076e903b0 .text C:\Program Files\Dassault Systemes\DraftSight\bin\dsHttpApiService.exe[2208] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076d2dee0 5 bytes JMP 0000000076e903e0 .text C:\Program Files\Dassault Systemes\DraftSight\bin\dsHttpApiService.exe[2208] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076d2e040 5 bytes JMP 0000000076e90220 .text C:\Program Files\Dassault Systemes\DraftSight\bin\dsHttpApiService.exe[2208] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d2e200 5 bytes JMP 0000000076e90470 .text C:\Program Files\Dassault Systemes\DraftSight\bin\dsHttpApiService.exe[2208] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076d2e230 5 bytes JMP 0000000076e90390 .text C:\Program Files\Dassault Systemes\DraftSight\bin\dsHttpApiService.exe[2208] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076d2e310 5 bytes JMP 0000000076e902e0 .text C:\Program Files\Dassault Systemes\DraftSight\bin\dsHttpApiService.exe[2208] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076d2e320 5 bytes JMP 0000000076e90340 .text C:\Program Files\Dassault Systemes\DraftSight\bin\dsHttpApiService.exe[2208] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076d2e380 5 bytes JMP 0000000076e90280 .text C:\Program Files\Dassault Systemes\DraftSight\bin\dsHttpApiService.exe[2208] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076d2e410 1 byte JMP 0000000076e902a0 .text C:\Program Files\Dassault Systemes\DraftSight\bin\dsHttpApiService.exe[2208] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 0000000076d2e412 3 bytes {JMP 0x161e90} .text C:\Program Files\Dassault Systemes\DraftSight\bin\dsHttpApiService.exe[2208] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076d2e430 1 byte JMP 0000000076e903c0 .text C:\Program Files\Dassault Systemes\DraftSight\bin\dsHttpApiService.exe[2208] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 0000000076d2e432 3 bytes {JMP 0x161f90} .text C:\Program Files\Dassault Systemes\DraftSight\bin\dsHttpApiService.exe[2208] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076d2e440 5 bytes JMP 0000000076e90320 .text C:\Program Files\Dassault Systemes\DraftSight\bin\dsHttpApiService.exe[2208] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076d2e4b0 5 bytes JMP 0000000076e90400 .text C:\Program Files\Dassault Systemes\DraftSight\bin\dsHttpApiService.exe[2208] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076d2e4e0 5 bytes JMP 0000000076e90230 .text C:\Program Files\Dassault Systemes\DraftSight\bin\dsHttpApiService.exe[2208] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076d2e7a0 5 bytes JMP 0000000076e901d0 .text C:\Program Files\Dassault Systemes\DraftSight\bin\dsHttpApiService.exe[2208] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076d2e860 5 bytes JMP 0000000076e90240 .text C:\Program Files\Dassault Systemes\DraftSight\bin\dsHttpApiService.exe[2208] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076d2e890 5 bytes JMP 0000000076e90480 .text C:\Program Files\Dassault Systemes\DraftSight\bin\dsHttpApiService.exe[2208] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076d2e8a0 5 bytes JMP 0000000076e90490 .text C:\Program Files\Dassault Systemes\DraftSight\bin\dsHttpApiService.exe[2208] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076d2e8d0 5 bytes JMP 0000000076e902f0 .text C:\Program Files\Dassault Systemes\DraftSight\bin\dsHttpApiService.exe[2208] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076d2e8e0 5 bytes JMP 0000000076e90350 .text C:\Program Files\Dassault Systemes\DraftSight\bin\dsHttpApiService.exe[2208] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076d2e940 5 bytes JMP 0000000076e90290 .text C:\Program Files\Dassault Systemes\DraftSight\bin\dsHttpApiService.exe[2208] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076d2e990 5 bytes JMP 0000000076e902b0 .text C:\Program Files\Dassault Systemes\DraftSight\bin\dsHttpApiService.exe[2208] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076d2e9c0 5 bytes JMP 0000000076e90370 .text C:\Program Files\Dassault Systemes\DraftSight\bin\dsHttpApiService.exe[2208] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076d2e9d0 5 bytes JMP 0000000076e90330 .text C:\Program Files\Dassault Systemes\DraftSight\bin\dsHttpApiService.exe[2208] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076d2ecc0 5 bytes JMP 0000000076e90430 .text C:\Program Files\Dassault Systemes\DraftSight\bin\dsHttpApiService.exe[2208] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076d2eec0 1 byte JMP 0000000076e90250 .text C:\Program Files\Dassault Systemes\DraftSight\bin\dsHttpApiService.exe[2208] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 0000000076d2eec2 3 bytes {JMP 0x161390} .text C:\Program Files\Dassault Systemes\DraftSight\bin\dsHttpApiService.exe[2208] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076d2eed0 1 byte JMP 0000000076e90260 .text C:\Program Files\Dassault Systemes\DraftSight\bin\dsHttpApiService.exe[2208] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 0000000076d2eed2 3 bytes {JMP 0x161390} .text C:\Program Files\Dassault Systemes\DraftSight\bin\dsHttpApiService.exe[2208] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076d2eee0 5 bytes JMP 0000000076e903f0 .text C:\Program Files\Dassault Systemes\DraftSight\bin\dsHttpApiService.exe[2208] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076d2f0a0 5 bytes JMP 0000000076e901e0 .text C:\Program Files\Dassault Systemes\DraftSight\bin\dsHttpApiService.exe[2208] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076d2f0b0 5 bytes JMP 0000000076e90200 .text C:\Program Files\Dassault Systemes\DraftSight\bin\dsHttpApiService.exe[2208] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076d2f120 5 bytes JMP 0000000076e901f0 .text C:\Program Files\Dassault Systemes\DraftSight\bin\dsHttpApiService.exe[2208] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076d2f180 1 byte JMP 0000000076e90410 .text C:\Program Files\Dassault Systemes\DraftSight\bin\dsHttpApiService.exe[2208] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 0000000076d2f182 3 bytes {JMP 0x161290} .text C:\Program Files\Dassault Systemes\DraftSight\bin\dsHttpApiService.exe[2208] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076d2f190 1 byte JMP 0000000076e90420 .text C:\Program Files\Dassault Systemes\DraftSight\bin\dsHttpApiService.exe[2208] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 0000000076d2f192 3 bytes {JMP 0x161290} .text C:\Program Files\Dassault Systemes\DraftSight\bin\dsHttpApiService.exe[2208] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076d2f1a0 5 bytes JMP 0000000076e90210 .text C:\Program Files\Dassault Systemes\DraftSight\bin\dsHttpApiService.exe[2208] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076d2f280 5 bytes JMP 0000000076e90270 .text C:\Program Files (x86)\ANSYS Inc\v110\RSM\bin\JobManagerService.exe[2364] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076d2da60 5 bytes JMP 0000000076e90450 .text C:\Program Files (x86)\ANSYS Inc\v110\RSM\bin\JobManagerService.exe[2364] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076d2dab0 1 byte JMP 0000000076e90440 .text C:\Program Files (x86)\ANSYS Inc\v110\RSM\bin\JobManagerService.exe[2364] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 0000000076d2dab2 3 bytes {JMP 0x162990} .text C:\Program Files (x86)\ANSYS Inc\v110\RSM\bin\JobManagerService.exe[2364] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076d2dc10 5 bytes JMP 0000000076e90360 .text C:\Program Files (x86)\ANSYS Inc\v110\RSM\bin\JobManagerService.exe[2364] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076d2dc60 5 bytes JMP 0000000076e90460 .text C:\Program Files (x86)\ANSYS Inc\v110\RSM\bin\JobManagerService.exe[2364] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d2dc70 5 bytes JMP 0000000076e903d0 .text C:\Program Files (x86)\ANSYS Inc\v110\RSM\bin\JobManagerService.exe[2364] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076d2dd20 5 bytes JMP 0000000076e90310 .text C:\Program Files (x86)\ANSYS Inc\v110\RSM\bin\JobManagerService.exe[2364] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d2dd50 5 bytes JMP 0000000076e903a0 .text C:\Program Files (x86)\ANSYS Inc\v110\RSM\bin\JobManagerService.exe[2364] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076d2dd70 5 bytes JMP 0000000076e90380 .text C:\Program Files (x86)\ANSYS Inc\v110\RSM\bin\JobManagerService.exe[2364] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076d2ddb0 5 bytes JMP 0000000076e902d0 .text C:\Program Files (x86)\ANSYS Inc\v110\RSM\bin\JobManagerService.exe[2364] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076d2de30 1 byte JMP 0000000076e902c0 .text C:\Program Files (x86)\ANSYS Inc\v110\RSM\bin\JobManagerService.exe[2364] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 0000000076d2de32 3 bytes {JMP 0x162490} .text C:\Program Files (x86)\ANSYS Inc\v110\RSM\bin\JobManagerService.exe[2364] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076d2de50 5 bytes JMP 0000000076e90300 .text C:\Program Files (x86)\ANSYS Inc\v110\RSM\bin\JobManagerService.exe[2364] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076d2de90 5 bytes JMP 0000000076e903b0 .text C:\Program Files (x86)\ANSYS Inc\v110\RSM\bin\JobManagerService.exe[2364] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076d2dee0 5 bytes JMP 0000000076e903e0 .text C:\Program Files (x86)\ANSYS Inc\v110\RSM\bin\JobManagerService.exe[2364] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076d2e040 5 bytes JMP 0000000076e90220 .text C:\Program Files (x86)\ANSYS Inc\v110\RSM\bin\JobManagerService.exe[2364] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d2e200 5 bytes JMP 0000000076e90470 .text C:\Program Files (x86)\ANSYS Inc\v110\RSM\bin\JobManagerService.exe[2364] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076d2e230 5 bytes JMP 0000000076e90390 .text C:\Program Files (x86)\ANSYS Inc\v110\RSM\bin\JobManagerService.exe[2364] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076d2e310 5 bytes JMP 0000000076e902e0 .text C:\Program Files (x86)\ANSYS Inc\v110\RSM\bin\JobManagerService.exe[2364] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076d2e320 5 bytes JMP 0000000076e90340 .text C:\Program Files (x86)\ANSYS Inc\v110\RSM\bin\JobManagerService.exe[2364] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076d2e380 5 bytes JMP 0000000076e90280 .text C:\Program Files (x86)\ANSYS Inc\v110\RSM\bin\JobManagerService.exe[2364] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076d2e410 1 byte JMP 0000000076e902a0 .text C:\Program Files (x86)\ANSYS Inc\v110\RSM\bin\JobManagerService.exe[2364] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 0000000076d2e412 3 bytes {JMP 0x161e90} .text C:\Program Files (x86)\ANSYS Inc\v110\RSM\bin\JobManagerService.exe[2364] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076d2e430 1 byte JMP 0000000076e903c0 .text C:\Program Files (x86)\ANSYS Inc\v110\RSM\bin\JobManagerService.exe[2364] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 0000000076d2e432 3 bytes {JMP 0x161f90} .text C:\Program Files (x86)\ANSYS Inc\v110\RSM\bin\JobManagerService.exe[2364] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076d2e440 5 bytes JMP 0000000076e90320 .text C:\Program Files (x86)\ANSYS Inc\v110\RSM\bin\JobManagerService.exe[2364] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076d2e4b0 5 bytes JMP 0000000076e90400 .text C:\Program Files (x86)\ANSYS Inc\v110\RSM\bin\JobManagerService.exe[2364] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076d2e4e0 5 bytes JMP 0000000076e90230 .text C:\Program Files (x86)\ANSYS Inc\v110\RSM\bin\JobManagerService.exe[2364] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076d2e7a0 5 bytes JMP 0000000076e901d0 .text C:\Program Files (x86)\ANSYS Inc\v110\RSM\bin\JobManagerService.exe[2364] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076d2e860 5 bytes JMP 0000000076e90240 .text C:\Program Files (x86)\ANSYS Inc\v110\RSM\bin\JobManagerService.exe[2364] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076d2e890 5 bytes JMP 0000000076e90480 .text C:\Program Files (x86)\ANSYS Inc\v110\RSM\bin\JobManagerService.exe[2364] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076d2e8a0 5 bytes JMP 0000000076e90490 .text C:\Program Files (x86)\ANSYS Inc\v110\RSM\bin\JobManagerService.exe[2364] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076d2e8d0 5 bytes JMP 0000000076e902f0 .text C:\Program Files (x86)\ANSYS Inc\v110\RSM\bin\JobManagerService.exe[2364] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076d2e8e0 5 bytes JMP 0000000076e90350 .text C:\Program Files (x86)\ANSYS Inc\v110\RSM\bin\JobManagerService.exe[2364] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076d2e940 5 bytes JMP 0000000076e90290 .text C:\Program Files (x86)\ANSYS Inc\v110\RSM\bin\JobManagerService.exe[2364] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076d2e990 5 bytes JMP 0000000076e902b0 .text C:\Program Files (x86)\ANSYS Inc\v110\RSM\bin\JobManagerService.exe[2364] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076d2e9c0 5 bytes JMP 0000000076e90370 .text C:\Program Files (x86)\ANSYS Inc\v110\RSM\bin\JobManagerService.exe[2364] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076d2e9d0 5 bytes JMP 0000000076e90330 .text C:\Program Files (x86)\ANSYS Inc\v110\RSM\bin\JobManagerService.exe[2364] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076d2ecc0 5 bytes JMP 0000000076e90430 .text C:\Program Files (x86)\ANSYS Inc\v110\RSM\bin\JobManagerService.exe[2364] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076d2eec0 1 byte JMP 0000000076e90250 .text C:\Program Files (x86)\ANSYS Inc\v110\RSM\bin\JobManagerService.exe[2364] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 0000000076d2eec2 3 bytes {JMP 0x161390} .text C:\Program Files (x86)\ANSYS Inc\v110\RSM\bin\JobManagerService.exe[2364] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076d2eed0 1 byte JMP 0000000076e90260 .text C:\Program Files (x86)\ANSYS Inc\v110\RSM\bin\JobManagerService.exe[2364] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 0000000076d2eed2 3 bytes {JMP 0x161390} .text C:\Program Files (x86)\ANSYS Inc\v110\RSM\bin\JobManagerService.exe[2364] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076d2eee0 5 bytes JMP 0000000076e903f0 .text C:\Program Files (x86)\ANSYS Inc\v110\RSM\bin\JobManagerService.exe[2364] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076d2f0a0 5 bytes JMP 0000000076e901e0 .text C:\Program Files (x86)\ANSYS Inc\v110\RSM\bin\JobManagerService.exe[2364] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076d2f0b0 5 bytes JMP 0000000076e90200 .text C:\Program Files (x86)\ANSYS Inc\v110\RSM\bin\JobManagerService.exe[2364] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076d2f120 5 bytes JMP 0000000076e901f0 .text C:\Program Files (x86)\ANSYS Inc\v110\RSM\bin\JobManagerService.exe[2364] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076d2f180 1 byte JMP 0000000076e90410 .text C:\Program Files (x86)\ANSYS Inc\v110\RSM\bin\JobManagerService.exe[2364] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 0000000076d2f182 3 bytes {JMP 0x161290} .text C:\Program Files (x86)\ANSYS Inc\v110\RSM\bin\JobManagerService.exe[2364] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076d2f190 1 byte JMP 0000000076e90420 .text C:\Program Files (x86)\ANSYS Inc\v110\RSM\bin\JobManagerService.exe[2364] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 0000000076d2f192 3 bytes {JMP 0x161290} .text C:\Program Files (x86)\ANSYS Inc\v110\RSM\bin\JobManagerService.exe[2364] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076d2f1a0 5 bytes JMP 0000000076e90210 .text C:\Program Files (x86)\ANSYS Inc\v110\RSM\bin\JobManagerService.exe[2364] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076d2f280 5 bytes JMP 0000000076e90270 .text C:\Program Files (x86)\ANSYS Inc\v110\RSM\bin\ScriptHostService.exe[2724] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076d2da60 5 bytes JMP 0000000076e90450 .text C:\Program Files (x86)\ANSYS Inc\v110\RSM\bin\ScriptHostService.exe[2724] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076d2dab0 1 byte JMP 0000000076e90440 .text C:\Program Files (x86)\ANSYS Inc\v110\RSM\bin\ScriptHostService.exe[2724] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 0000000076d2dab2 3 bytes {JMP 0x162990} .text C:\Program Files (x86)\ANSYS Inc\v110\RSM\bin\ScriptHostService.exe[2724] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076d2dc10 5 bytes JMP 0000000076e90360 .text C:\Program Files (x86)\ANSYS Inc\v110\RSM\bin\ScriptHostService.exe[2724] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076d2dc60 5 bytes JMP 0000000076e90460 .text C:\Program Files (x86)\ANSYS Inc\v110\RSM\bin\ScriptHostService.exe[2724] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d2dc70 5 bytes JMP 0000000076e903d0 .text C:\Program Files (x86)\ANSYS Inc\v110\RSM\bin\ScriptHostService.exe[2724] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076d2dd20 5 bytes JMP 0000000076e90310 .text C:\Program Files (x86)\ANSYS Inc\v110\RSM\bin\ScriptHostService.exe[2724] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d2dd50 5 bytes JMP 0000000076e903a0 .text C:\Program Files (x86)\ANSYS Inc\v110\RSM\bin\ScriptHostService.exe[2724] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076d2dd70 5 bytes JMP 0000000076e90380 .text C:\Program Files (x86)\ANSYS Inc\v110\RSM\bin\ScriptHostService.exe[2724] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076d2ddb0 5 bytes JMP 0000000076e902d0 .text C:\Program Files (x86)\ANSYS Inc\v110\RSM\bin\ScriptHostService.exe[2724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076d2de30 1 byte JMP 0000000076e902c0 .text C:\Program Files (x86)\ANSYS Inc\v110\RSM\bin\ScriptHostService.exe[2724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 0000000076d2de32 3 bytes {JMP 0x162490} .text C:\Program Files (x86)\ANSYS Inc\v110\RSM\bin\ScriptHostService.exe[2724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076d2de50 5 bytes JMP 0000000076e90300 .text C:\Program Files (x86)\ANSYS Inc\v110\RSM\bin\ScriptHostService.exe[2724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076d2de90 5 bytes JMP 0000000076e903b0 .text C:\Program Files (x86)\ANSYS Inc\v110\RSM\bin\ScriptHostService.exe[2724] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076d2dee0 5 bytes JMP 0000000076e903e0 .text C:\Program Files (x86)\ANSYS Inc\v110\RSM\bin\ScriptHostService.exe[2724] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076d2e040 5 bytes JMP 0000000076e90220 .text C:\Program Files (x86)\ANSYS Inc\v110\RSM\bin\ScriptHostService.exe[2724] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d2e200 5 bytes JMP 0000000076e90470 .text C:\Program Files (x86)\ANSYS Inc\v110\RSM\bin\ScriptHostService.exe[2724] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076d2e230 5 bytes JMP 0000000076e90390 .text C:\Program Files (x86)\ANSYS Inc\v110\RSM\bin\ScriptHostService.exe[2724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076d2e310 5 bytes JMP 0000000076e902e0 .text C:\Program Files (x86)\ANSYS Inc\v110\RSM\bin\ScriptHostService.exe[2724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076d2e320 5 bytes JMP 0000000076e90340 .text C:\Program Files (x86)\ANSYS Inc\v110\RSM\bin\ScriptHostService.exe[2724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076d2e380 5 bytes JMP 0000000076e90280 .text C:\Program Files (x86)\ANSYS Inc\v110\RSM\bin\ScriptHostService.exe[2724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076d2e410 1 byte JMP 0000000076e902a0 .text C:\Program Files (x86)\ANSYS Inc\v110\RSM\bin\ScriptHostService.exe[2724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 0000000076d2e412 3 bytes {JMP 0x161e90} .text C:\Program Files (x86)\ANSYS Inc\v110\RSM\bin\ScriptHostService.exe[2724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076d2e430 1 byte JMP 0000000076e903c0 .text C:\Program Files (x86)\ANSYS Inc\v110\RSM\bin\ScriptHostService.exe[2724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 0000000076d2e432 3 bytes {JMP 0x161f90} .text C:\Program Files (x86)\ANSYS Inc\v110\RSM\bin\ScriptHostService.exe[2724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076d2e440 5 bytes JMP 0000000076e90320 .text C:\Program Files (x86)\ANSYS Inc\v110\RSM\bin\ScriptHostService.exe[2724] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076d2e4b0 5 bytes JMP 0000000076e90400 .text C:\Program Files (x86)\ANSYS Inc\v110\RSM\bin\ScriptHostService.exe[2724] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076d2e4e0 5 bytes JMP 0000000076e90230 .text C:\Program Files (x86)\ANSYS Inc\v110\RSM\bin\ScriptHostService.exe[2724] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076d2e7a0 5 bytes JMP 0000000076e901d0 .text C:\Program Files (x86)\ANSYS Inc\v110\RSM\bin\ScriptHostService.exe[2724] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076d2e860 5 bytes JMP 0000000076e90240 .text C:\Program Files (x86)\ANSYS Inc\v110\RSM\bin\ScriptHostService.exe[2724] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076d2e890 5 bytes JMP 0000000076e90480 .text C:\Program Files (x86)\ANSYS Inc\v110\RSM\bin\ScriptHostService.exe[2724] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076d2e8a0 5 bytes JMP 0000000076e90490 .text C:\Program Files (x86)\ANSYS Inc\v110\RSM\bin\ScriptHostService.exe[2724] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076d2e8d0 5 bytes JMP 0000000076e902f0 .text C:\Program Files (x86)\ANSYS Inc\v110\RSM\bin\ScriptHostService.exe[2724] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076d2e8e0 5 bytes JMP 0000000076e90350 .text C:\Program Files (x86)\ANSYS Inc\v110\RSM\bin\ScriptHostService.exe[2724] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076d2e940 5 bytes JMP 0000000076e90290 .text C:\Program Files (x86)\ANSYS Inc\v110\RSM\bin\ScriptHostService.exe[2724] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076d2e990 5 bytes JMP 0000000076e902b0 .text C:\Program Files (x86)\ANSYS Inc\v110\RSM\bin\ScriptHostService.exe[2724] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076d2e9c0 5 bytes JMP 0000000076e90370 .text C:\Program Files (x86)\ANSYS Inc\v110\RSM\bin\ScriptHostService.exe[2724] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076d2e9d0 5 bytes JMP 0000000076e90330 .text C:\Program Files (x86)\ANSYS Inc\v110\RSM\bin\ScriptHostService.exe[2724] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076d2ecc0 5 bytes JMP 0000000076e90430 .text C:\Program Files (x86)\ANSYS Inc\v110\RSM\bin\ScriptHostService.exe[2724] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076d2eec0 1 byte JMP 0000000076e90250 .text C:\Program Files (x86)\ANSYS Inc\v110\RSM\bin\ScriptHostService.exe[2724] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 0000000076d2eec2 3 bytes {JMP 0x161390} .text C:\Program Files (x86)\ANSYS Inc\v110\RSM\bin\ScriptHostService.exe[2724] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076d2eed0 1 byte JMP 0000000076e90260 .text C:\Program Files (x86)\ANSYS Inc\v110\RSM\bin\ScriptHostService.exe[2724] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 0000000076d2eed2 3 bytes {JMP 0x161390} .text C:\Program Files (x86)\ANSYS Inc\v110\RSM\bin\ScriptHostService.exe[2724] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076d2eee0 5 bytes JMP 0000000076e903f0 .text C:\Program Files (x86)\ANSYS Inc\v110\RSM\bin\ScriptHostService.exe[2724] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076d2f0a0 5 bytes JMP 0000000076e901e0 .text C:\Program Files (x86)\ANSYS Inc\v110\RSM\bin\ScriptHostService.exe[2724] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076d2f0b0 5 bytes JMP 0000000076e90200 .text C:\Program Files (x86)\ANSYS Inc\v110\RSM\bin\ScriptHostService.exe[2724] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076d2f120 5 bytes JMP 0000000076e901f0 .text C:\Program Files (x86)\ANSYS Inc\v110\RSM\bin\ScriptHostService.exe[2724] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076d2f180 1 byte JMP 0000000076e90410 .text C:\Program Files (x86)\ANSYS Inc\v110\RSM\bin\ScriptHostService.exe[2724] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 0000000076d2f182 3 bytes {JMP 0x161290} .text C:\Program Files (x86)\ANSYS Inc\v110\RSM\bin\ScriptHostService.exe[2724] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076d2f190 1 byte JMP 0000000076e90420 .text C:\Program Files (x86)\ANSYS Inc\v110\RSM\bin\ScriptHostService.exe[2724] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 0000000076d2f192 3 bytes {JMP 0x161290} .text C:\Program Files (x86)\ANSYS Inc\v110\RSM\bin\ScriptHostService.exe[2724] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076d2f1a0 5 bytes JMP 0000000076e90210 .text C:\Program Files (x86)\ANSYS Inc\v110\RSM\bin\ScriptHostService.exe[2724] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076d2f280 5 bytes JMP 0000000076e90270 .text C:\Windows\system32\svchost.exe[2756] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076d2da60 5 bytes JMP 0000000076e90450 .text C:\Windows\system32\svchost.exe[2756] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076d2dab0 1 byte JMP 0000000076e90440 .text C:\Windows\system32\svchost.exe[2756] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 0000000076d2dab2 3 bytes {JMP 0x162990} .text C:\Windows\system32\svchost.exe[2756] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076d2dc10 5 bytes JMP 0000000076e90360 .text C:\Windows\system32\svchost.exe[2756] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076d2dc60 5 bytes JMP 0000000076e90460 .text C:\Windows\system32\svchost.exe[2756] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d2dc70 5 bytes JMP 0000000076e903d0 .text C:\Windows\system32\svchost.exe[2756] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076d2dd20 5 bytes JMP 0000000076e90310 .text C:\Windows\system32\svchost.exe[2756] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d2dd50 5 bytes JMP 0000000076e903a0 .text C:\Windows\system32\svchost.exe[2756] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076d2dd70 5 bytes JMP 0000000076e90380 .text C:\Windows\system32\svchost.exe[2756] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076d2ddb0 5 bytes JMP 0000000076e902d0 .text C:\Windows\system32\svchost.exe[2756] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076d2de30 1 byte JMP 0000000076e902c0 .text C:\Windows\system32\svchost.exe[2756] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 0000000076d2de32 3 bytes {JMP 0x162490} .text C:\Windows\system32\svchost.exe[2756] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076d2de50 5 bytes JMP 0000000076e90300 .text C:\Windows\system32\svchost.exe[2756] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076d2de90 5 bytes JMP 0000000076e903b0 .text C:\Windows\system32\svchost.exe[2756] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076d2dee0 5 bytes JMP 0000000076e903e0 .text C:\Windows\system32\svchost.exe[2756] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076d2e040 5 bytes JMP 0000000076e90220 .text C:\Windows\system32\svchost.exe[2756] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d2e200 5 bytes JMP 0000000076e90470 .text C:\Windows\system32\svchost.exe[2756] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076d2e230 5 bytes JMP 0000000076e90390 .text C:\Windows\system32\svchost.exe[2756] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076d2e310 5 bytes JMP 0000000076e902e0 .text C:\Windows\system32\svchost.exe[2756] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076d2e320 5 bytes JMP 0000000076e90340 .text C:\Windows\system32\svchost.exe[2756] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076d2e380 5 bytes JMP 0000000076e90280 .text C:\Windows\system32\svchost.exe[2756] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076d2e410 1 byte JMP 0000000076e902a0 .text C:\Windows\system32\svchost.exe[2756] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 0000000076d2e412 3 bytes {JMP 0x161e90} .text C:\Windows\system32\svchost.exe[2756] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076d2e430 1 byte JMP 0000000076e903c0 .text C:\Windows\system32\svchost.exe[2756] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 0000000076d2e432 3 bytes {JMP 0x161f90} .text C:\Windows\system32\svchost.exe[2756] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076d2e440 5 bytes JMP 0000000076e90320 .text C:\Windows\system32\svchost.exe[2756] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076d2e4b0 5 bytes JMP 0000000076e90400 .text C:\Windows\system32\svchost.exe[2756] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076d2e4e0 5 bytes JMP 0000000076e90230 .text C:\Windows\system32\svchost.exe[2756] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076d2e7a0 5 bytes JMP 0000000076e901d0 .text C:\Windows\system32\svchost.exe[2756] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076d2e860 5 bytes JMP 0000000076e90240 .text C:\Windows\system32\svchost.exe[2756] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076d2e890 5 bytes JMP 0000000076e90480 .text C:\Windows\system32\svchost.exe[2756] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076d2e8a0 5 bytes JMP 0000000076e90490 .text C:\Windows\system32\svchost.exe[2756] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076d2e8d0 5 bytes JMP 0000000076e902f0 .text C:\Windows\system32\svchost.exe[2756] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076d2e8e0 5 bytes JMP 0000000076e90350 .text C:\Windows\system32\svchost.exe[2756] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076d2e940 5 bytes JMP 0000000076e90290 .text C:\Windows\system32\svchost.exe[2756] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076d2e990 5 bytes JMP 0000000076e902b0 .text C:\Windows\system32\svchost.exe[2756] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076d2e9c0 5 bytes JMP 0000000076e90370 .text C:\Windows\system32\svchost.exe[2756] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076d2e9d0 5 bytes JMP 0000000076e90330 .text C:\Windows\system32\svchost.exe[2756] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076d2ecc0 5 bytes JMP 0000000076e90430 .text C:\Windows\system32\svchost.exe[2756] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076d2eec0 1 byte JMP 0000000076e90250 .text C:\Windows\system32\svchost.exe[2756] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 0000000076d2eec2 3 bytes {JMP 0x161390} .text C:\Windows\system32\svchost.exe[2756] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076d2eed0 1 byte JMP 0000000076e90260 .text C:\Windows\system32\svchost.exe[2756] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 0000000076d2eed2 3 bytes {JMP 0x161390} .text C:\Windows\system32\svchost.exe[2756] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076d2eee0 5 bytes JMP 0000000076e903f0 .text C:\Windows\system32\svchost.exe[2756] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076d2f0a0 5 bytes JMP 0000000076e901e0 .text C:\Windows\system32\svchost.exe[2756] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076d2f0b0 5 bytes JMP 0000000076e90200 .text C:\Windows\system32\svchost.exe[2756] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076d2f120 5 bytes JMP 0000000076e901f0 .text C:\Windows\system32\svchost.exe[2756] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076d2f180 1 byte JMP 0000000076e90410 .text C:\Windows\system32\svchost.exe[2756] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 0000000076d2f182 3 bytes {JMP 0x161290} .text C:\Windows\system32\svchost.exe[2756] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076d2f190 1 byte JMP 0000000076e90420 .text C:\Windows\system32\svchost.exe[2756] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 0000000076d2f192 3 bytes {JMP 0x161290} .text C:\Windows\system32\svchost.exe[2756] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076d2f1a0 5 bytes JMP 0000000076e90210 .text C:\Windows\system32\svchost.exe[2756] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076d2f280 5 bytes JMP 0000000076e90270 .text C:\Program Files (x86)\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe[2780] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000075701401 2 bytes JMP 7678b21b C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe[2780] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000075701419 2 bytes JMP 7678b346 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe[2780] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000075701431 2 bytes JMP 76808fd1 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe[2780] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007570144a 2 bytes CALL 7676489d C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe[2780] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000757014dd 2 bytes JMP 768088c4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe[2780] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000757014f5 2 bytes JMP 76808aa0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe[2780] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007570150d 2 bytes JMP 768087ba C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe[2780] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000075701525 2 bytes JMP 76808b8a C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe[2780] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007570153d 2 bytes JMP 7677fca8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe[2780] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000075701555 2 bytes JMP 767868ef C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe[2780] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007570156d 2 bytes JMP 76809089 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe[2780] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000075701585 2 bytes JMP 76808bea C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe[2780] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007570159d 2 bytes JMP 7680877e C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe[2780] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000757015b5 2 bytes JMP 7677fd41 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe[2780] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000757015cd 2 bytes JMP 7678b2dc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe[2780] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000757016b2 2 bytes JMP 76808f4c C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe[2780] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000757016bd 2 bytes JMP 76808713 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Siemens\lmgrd.exe[3012] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000075701401 2 bytes JMP 7678b21b C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Siemens\lmgrd.exe[3012] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000075701419 2 bytes JMP 7678b346 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Siemens\lmgrd.exe[3012] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000075701431 2 bytes JMP 76808fd1 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Siemens\lmgrd.exe[3012] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007570144a 2 bytes CALL 7676489d C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\Siemens\lmgrd.exe[3012] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000757014dd 2 bytes JMP 768088c4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Siemens\lmgrd.exe[3012] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000757014f5 2 bytes JMP 76808aa0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Siemens\lmgrd.exe[3012] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007570150d 2 bytes JMP 768087ba C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Siemens\lmgrd.exe[3012] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000075701525 2 bytes JMP 76808b8a C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Siemens\lmgrd.exe[3012] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007570153d 2 bytes JMP 7677fca8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Siemens\lmgrd.exe[3012] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000075701555 2 bytes JMP 767868ef C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Siemens\lmgrd.exe[3012] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007570156d 2 bytes JMP 76809089 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Siemens\lmgrd.exe[3012] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000075701585 2 bytes JMP 76808bea C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Siemens\lmgrd.exe[3012] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007570159d 2 bytes JMP 7680877e C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Siemens\lmgrd.exe[3012] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000757015b5 2 bytes JMP 7677fd41 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Siemens\lmgrd.exe[3012] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000757015cd 2 bytes JMP 7678b2dc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Siemens\lmgrd.exe[3012] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000757016b2 2 bytes JMP 76808f4c C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Siemens\lmgrd.exe[3012] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000757016bd 2 bytes JMP 76808713 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3068] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076d2da60 5 bytes JMP 0000000076e90450 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3068] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076d2dab0 1 byte JMP 0000000076e90440 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3068] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 0000000076d2dab2 3 bytes {JMP 0x162990} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3068] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076d2dc10 5 bytes JMP 0000000076e90360 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3068] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076d2dc60 5 bytes JMP 0000000076e90460 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3068] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d2dc70 5 bytes JMP 0000000076e903d0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3068] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076d2dd20 5 bytes JMP 0000000076e90310 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3068] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d2dd50 5 bytes JMP 0000000076e903a0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3068] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076d2dd70 5 bytes JMP 0000000076e90380 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3068] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076d2ddb0 5 bytes JMP 0000000076e902d0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3068] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076d2de30 1 byte JMP 0000000076e902c0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3068] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 0000000076d2de32 3 bytes {JMP 0x162490} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3068] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076d2de50 5 bytes JMP 0000000076e90300 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3068] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076d2de90 5 bytes JMP 0000000076e903b0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3068] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076d2dee0 5 bytes JMP 0000000076e903e0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3068] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076d2e040 5 bytes JMP 0000000076e90220 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3068] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d2e200 5 bytes JMP 0000000076e90470 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3068] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076d2e230 5 bytes JMP 0000000076e90390 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3068] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076d2e310 5 bytes JMP 0000000076e902e0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3068] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076d2e320 5 bytes JMP 0000000076e90340 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3068] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076d2e380 5 bytes JMP 0000000076e90280 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3068] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076d2e410 1 byte JMP 0000000076e902a0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3068] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 0000000076d2e412 3 bytes {JMP 0x161e90} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3068] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076d2e430 1 byte JMP 0000000076e903c0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3068] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 0000000076d2e432 3 bytes {JMP 0x161f90} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3068] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076d2e440 5 bytes JMP 0000000076e90320 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3068] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076d2e4b0 5 bytes JMP 0000000076e90400 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3068] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076d2e4e0 5 bytes JMP 0000000076e90230 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3068] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076d2e7a0 5 bytes JMP 0000000076e901d0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3068] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076d2e860 5 bytes JMP 0000000076e90240 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3068] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076d2e890 5 bytes JMP 0000000076e90480 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3068] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076d2e8a0 5 bytes JMP 0000000076e90490 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3068] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076d2e8d0 5 bytes JMP 0000000076e902f0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3068] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076d2e8e0 5 bytes JMP 0000000076e90350 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3068] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076d2e940 5 bytes JMP 0000000076e90290 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3068] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076d2e990 5 bytes JMP 0000000076e902b0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3068] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076d2e9c0 5 bytes JMP 0000000076e90370 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3068] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076d2e9d0 5 bytes JMP 0000000076e90330 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3068] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076d2ecc0 5 bytes JMP 0000000076e90430 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3068] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076d2eec0 1 byte JMP 0000000076e90250 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3068] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 0000000076d2eec2 3 bytes {JMP 0x161390} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3068] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076d2eed0 1 byte JMP 0000000076e90260 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3068] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 0000000076d2eed2 3 bytes {JMP 0x161390} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3068] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076d2eee0 5 bytes JMP 0000000076e903f0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3068] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076d2f0a0 5 bytes JMP 0000000076e901e0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3068] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076d2f0b0 5 bytes JMP 0000000076e90200 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3068] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076d2f120 5 bytes JMP 0000000076e901f0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3068] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076d2f180 1 byte JMP 0000000076e90410 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3068] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 0000000076d2f182 3 bytes {JMP 0x161290} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3068] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076d2f190 1 byte JMP 0000000076e90420 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3068] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 0000000076d2f192 3 bytes {JMP 0x161290} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3068] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076d2f1a0 5 bytes JMP 0000000076e90210 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3068] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076d2f280 5 bytes JMP 0000000076e90270 .text C:\Program Files (x86)\Siemens\ugslmd.exe[3696] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000075701401 2 bytes JMP 7678b21b C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Siemens\ugslmd.exe[3696] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000075701419 2 bytes JMP 7678b346 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Siemens\ugslmd.exe[3696] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000075701431 2 bytes JMP 76808fd1 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Siemens\ugslmd.exe[3696] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007570144a 2 bytes CALL 7676489d C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\Siemens\ugslmd.exe[3696] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000757014dd 2 bytes JMP 768088c4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Siemens\ugslmd.exe[3696] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000757014f5 2 bytes JMP 76808aa0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Siemens\ugslmd.exe[3696] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007570150d 2 bytes JMP 768087ba C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Siemens\ugslmd.exe[3696] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000075701525 2 bytes JMP 76808b8a C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Siemens\ugslmd.exe[3696] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007570153d 2 bytes JMP 7677fca8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Siemens\ugslmd.exe[3696] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000075701555 2 bytes JMP 767868ef C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Siemens\ugslmd.exe[3696] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007570156d 2 bytes JMP 76809089 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Siemens\ugslmd.exe[3696] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000075701585 2 bytes JMP 76808bea C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Siemens\ugslmd.exe[3696] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007570159d 2 bytes JMP 7680877e C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Siemens\ugslmd.exe[3696] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000757015b5 2 bytes JMP 7677fd41 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Siemens\ugslmd.exe[3696] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000757015cd 2 bytes JMP 7678b2dc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Siemens\ugslmd.exe[3696] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000757016b2 2 bytes JMP 76808f4c C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Siemens\ugslmd.exe[3696] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000757016bd 2 bytes JMP 76808713 C:\Windows\syswow64\kernel32.dll .text C:\Windows\System32\svchost.exe[3488] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076d2da60 5 bytes JMP 0000000076e90450 .text C:\Windows\System32\svchost.exe[3488] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076d2dab0 1 byte JMP 0000000076e90440 .text C:\Windows\System32\svchost.exe[3488] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 0000000076d2dab2 3 bytes {JMP 0x162990} .text C:\Windows\System32\svchost.exe[3488] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076d2dc10 5 bytes JMP 0000000076e90360 .text C:\Windows\System32\svchost.exe[3488] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076d2dc60 5 bytes JMP 0000000076e90460 .text C:\Windows\System32\svchost.exe[3488] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d2dc70 5 bytes JMP 0000000076e903d0 .text C:\Windows\System32\svchost.exe[3488] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076d2dd20 5 bytes JMP 0000000076e90310 .text C:\Windows\System32\svchost.exe[3488] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d2dd50 5 bytes JMP 0000000076e903a0 .text C:\Windows\System32\svchost.exe[3488] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076d2dd70 5 bytes JMP 0000000076e90380 .text C:\Windows\System32\svchost.exe[3488] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076d2ddb0 5 bytes JMP 0000000076e902d0 .text C:\Windows\System32\svchost.exe[3488] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076d2de30 1 byte JMP 0000000076e902c0 .text C:\Windows\System32\svchost.exe[3488] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 0000000076d2de32 3 bytes {JMP 0x162490} .text C:\Windows\System32\svchost.exe[3488] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076d2de50 5 bytes JMP 0000000076e90300 .text C:\Windows\System32\svchost.exe[3488] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076d2de90 5 bytes JMP 0000000076e903b0 .text C:\Windows\System32\svchost.exe[3488] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076d2dee0 5 bytes JMP 0000000076e903e0 .text C:\Windows\System32\svchost.exe[3488] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076d2e040 5 bytes JMP 0000000076e90220 .text C:\Windows\System32\svchost.exe[3488] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d2e200 5 bytes JMP 0000000076e90470 .text C:\Windows\System32\svchost.exe[3488] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076d2e230 5 bytes JMP 0000000076e90390 .text C:\Windows\System32\svchost.exe[3488] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076d2e310 5 bytes JMP 0000000076e902e0 .text C:\Windows\System32\svchost.exe[3488] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076d2e320 5 bytes JMP 0000000076e90340 .text C:\Windows\System32\svchost.exe[3488] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076d2e380 5 bytes JMP 0000000076e90280 .text C:\Windows\System32\svchost.exe[3488] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076d2e410 1 byte JMP 0000000076e902a0 .text C:\Windows\System32\svchost.exe[3488] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 0000000076d2e412 3 bytes {JMP 0x161e90} .text C:\Windows\System32\svchost.exe[3488] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076d2e430 1 byte JMP 0000000076e903c0 .text C:\Windows\System32\svchost.exe[3488] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 0000000076d2e432 3 bytes {JMP 0x161f90} .text C:\Windows\System32\svchost.exe[3488] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076d2e440 5 bytes JMP 0000000076e90320 .text C:\Windows\System32\svchost.exe[3488] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076d2e4b0 5 bytes JMP 0000000076e90400 .text C:\Windows\System32\svchost.exe[3488] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076d2e4e0 5 bytes JMP 0000000076e90230 .text C:\Windows\System32\svchost.exe[3488] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076d2e7a0 5 bytes JMP 0000000076e901d0 .text C:\Windows\System32\svchost.exe[3488] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076d2e860 5 bytes JMP 0000000076e90240 .text C:\Windows\System32\svchost.exe[3488] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076d2e890 5 bytes JMP 0000000076e90480 .text C:\Windows\System32\svchost.exe[3488] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076d2e8a0 5 bytes JMP 0000000076e90490 .text C:\Windows\System32\svchost.exe[3488] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076d2e8d0 5 bytes JMP 0000000076e902f0 .text C:\Windows\System32\svchost.exe[3488] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076d2e8e0 5 bytes JMP 0000000076e90350 .text C:\Windows\System32\svchost.exe[3488] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076d2e940 5 bytes JMP 0000000076e90290 .text C:\Windows\System32\svchost.exe[3488] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076d2e990 5 bytes JMP 0000000076e902b0 .text C:\Windows\System32\svchost.exe[3488] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076d2e9c0 5 bytes JMP 0000000076e90370 .text C:\Windows\System32\svchost.exe[3488] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076d2e9d0 5 bytes JMP 0000000076e90330 .text C:\Windows\System32\svchost.exe[3488] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076d2ecc0 5 bytes JMP 0000000076e90430 .text C:\Windows\System32\svchost.exe[3488] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076d2eec0 1 byte JMP 0000000076e90250 .text C:\Windows\System32\svchost.exe[3488] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 0000000076d2eec2 3 bytes {JMP 0x161390} .text C:\Windows\System32\svchost.exe[3488] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076d2eed0 1 byte JMP 0000000076e90260 .text C:\Windows\System32\svchost.exe[3488] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 0000000076d2eed2 3 bytes {JMP 0x161390} .text C:\Windows\System32\svchost.exe[3488] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076d2eee0 5 bytes JMP 0000000076e903f0 .text C:\Windows\System32\svchost.exe[3488] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076d2f0a0 5 bytes JMP 0000000076e901e0 .text C:\Windows\System32\svchost.exe[3488] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076d2f0b0 5 bytes JMP 0000000076e90200 .text C:\Windows\System32\svchost.exe[3488] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076d2f120 5 bytes JMP 0000000076e901f0 .text C:\Windows\System32\svchost.exe[3488] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076d2f180 1 byte JMP 0000000076e90410 .text C:\Windows\System32\svchost.exe[3488] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 0000000076d2f182 3 bytes {JMP 0x161290} .text C:\Windows\System32\svchost.exe[3488] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076d2f190 1 byte JMP 0000000076e90420 .text C:\Windows\System32\svchost.exe[3488] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 0000000076d2f192 3 bytes {JMP 0x161290} .text C:\Windows\System32\svchost.exe[3488] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076d2f1a0 5 bytes JMP 0000000076e90210 .text C:\Windows\System32\svchost.exe[3488] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076d2f280 5 bytes JMP 0000000076e90270 .text C:\Windows\servicing\TrustedInstaller.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076d2da60 5 bytes JMP 0000000076e90450 .text C:\Windows\servicing\TrustedInstaller.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076d2dab0 1 byte JMP 0000000076e90440 .text C:\Windows\servicing\TrustedInstaller.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 0000000076d2dab2 3 bytes {JMP 0x162990} .text C:\Windows\servicing\TrustedInstaller.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076d2dc10 5 bytes JMP 0000000076e90360 .text C:\Windows\servicing\TrustedInstaller.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076d2dc60 5 bytes JMP 0000000076e90460 .text C:\Windows\servicing\TrustedInstaller.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d2dc70 5 bytes JMP 0000000076e903d0 .text C:\Windows\servicing\TrustedInstaller.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076d2dd20 5 bytes JMP 0000000076e90310 .text C:\Windows\servicing\TrustedInstaller.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d2dd50 5 bytes JMP 0000000076e903a0 .text C:\Windows\servicing\TrustedInstaller.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076d2dd70 5 bytes JMP 0000000076e90380 .text C:\Windows\servicing\TrustedInstaller.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076d2ddb0 5 bytes JMP 0000000076e902d0 .text C:\Windows\servicing\TrustedInstaller.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076d2de30 1 byte JMP 0000000076e902c0 .text C:\Windows\servicing\TrustedInstaller.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 0000000076d2de32 3 bytes {JMP 0x162490} .text C:\Windows\servicing\TrustedInstaller.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076d2de50 5 bytes JMP 0000000076e90300 .text C:\Windows\servicing\TrustedInstaller.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076d2de90 5 bytes JMP 0000000076e903b0 .text C:\Windows\servicing\TrustedInstaller.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076d2dee0 5 bytes JMP 0000000076e903e0 .text C:\Windows\servicing\TrustedInstaller.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076d2e040 5 bytes JMP 0000000076e90220 .text C:\Windows\servicing\TrustedInstaller.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d2e200 5 bytes JMP 0000000076e90470 .text C:\Windows\servicing\TrustedInstaller.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076d2e230 5 bytes JMP 0000000076e90390 .text C:\Windows\servicing\TrustedInstaller.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076d2e310 5 bytes JMP 0000000076e902e0 .text C:\Windows\servicing\TrustedInstaller.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076d2e320 5 bytes JMP 0000000076e90340 .text C:\Windows\servicing\TrustedInstaller.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076d2e380 5 bytes JMP 0000000076e90280 .text C:\Windows\servicing\TrustedInstaller.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076d2e410 1 byte JMP 0000000076e902a0 .text C:\Windows\servicing\TrustedInstaller.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 0000000076d2e412 3 bytes {JMP 0x161e90} .text C:\Windows\servicing\TrustedInstaller.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076d2e430 1 byte JMP 0000000076e903c0 .text C:\Windows\servicing\TrustedInstaller.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 0000000076d2e432 3 bytes {JMP 0x161f90} .text C:\Windows\servicing\TrustedInstaller.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076d2e440 5 bytes JMP 0000000076e90320 .text C:\Windows\servicing\TrustedInstaller.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076d2e4b0 5 bytes JMP 0000000076e90400 .text C:\Windows\servicing\TrustedInstaller.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076d2e4e0 5 bytes JMP 0000000076e90230 .text C:\Windows\servicing\TrustedInstaller.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076d2e7a0 5 bytes JMP 0000000076e901d0 .text C:\Windows\servicing\TrustedInstaller.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076d2e860 5 bytes JMP 0000000076e90240 .text C:\Windows\servicing\TrustedInstaller.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076d2e890 5 bytes JMP 0000000076e90480 .text C:\Windows\servicing\TrustedInstaller.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076d2e8a0 5 bytes JMP 0000000076e90490 .text C:\Windows\servicing\TrustedInstaller.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076d2e8d0 5 bytes JMP 0000000076e902f0 .text C:\Windows\servicing\TrustedInstaller.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076d2e8e0 5 bytes JMP 0000000076e90350 .text C:\Windows\servicing\TrustedInstaller.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076d2e940 5 bytes JMP 0000000076e90290 .text C:\Windows\servicing\TrustedInstaller.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076d2e990 5 bytes JMP 0000000076e902b0 .text C:\Windows\servicing\TrustedInstaller.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076d2e9c0 5 bytes JMP 0000000076e90370 .text C:\Windows\servicing\TrustedInstaller.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076d2e9d0 5 bytes JMP 0000000076e90330 .text C:\Windows\servicing\TrustedInstaller.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076d2ecc0 5 bytes JMP 0000000076e90430 .text C:\Windows\servicing\TrustedInstaller.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076d2eec0 1 byte JMP 0000000076e90250 .text C:\Windows\servicing\TrustedInstaller.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 0000000076d2eec2 3 bytes {JMP 0x161390} .text C:\Windows\servicing\TrustedInstaller.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076d2eed0 1 byte JMP 0000000076e90260 .text C:\Windows\servicing\TrustedInstaller.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 0000000076d2eed2 3 bytes {JMP 0x161390} .text C:\Windows\servicing\TrustedInstaller.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076d2eee0 5 bytes JMP 0000000076e903f0 .text C:\Windows\servicing\TrustedInstaller.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076d2f0a0 5 bytes JMP 0000000076e901e0 .text C:\Windows\servicing\TrustedInstaller.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076d2f0b0 5 bytes JMP 0000000076e90200 .text C:\Windows\servicing\TrustedInstaller.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076d2f120 5 bytes JMP 0000000076e901f0 .text C:\Windows\servicing\TrustedInstaller.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076d2f180 1 byte JMP 0000000076e90410 .text C:\Windows\servicing\TrustedInstaller.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 0000000076d2f182 3 bytes {JMP 0x161290} .text C:\Windows\servicing\TrustedInstaller.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076d2f190 1 byte JMP 0000000076e90420 .text C:\Windows\servicing\TrustedInstaller.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 0000000076d2f192 3 bytes {JMP 0x161290} .text C:\Windows\servicing\TrustedInstaller.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076d2f1a0 5 bytes JMP 0000000076e90210 .text C:\Windows\servicing\TrustedInstaller.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076d2f280 5 bytes JMP 0000000076e90270 .text C:\Windows\system32\taskhost.exe[4020] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076d2da60 5 bytes JMP 0000000100060450 .text C:\Windows\system32\taskhost.exe[4020] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076d2dab0 1 byte JMP 0000000100060440 .text C:\Windows\system32\taskhost.exe[4020] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 0000000076d2dab2 3 bytes {JMP 0xffffffff89332990} .text C:\Windows\system32\taskhost.exe[4020] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076d2dc10 5 bytes JMP 0000000100060360 .text C:\Windows\system32\taskhost.exe[4020] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076d2dc60 5 bytes JMP 0000000100060460 .text C:\Windows\system32\taskhost.exe[4020] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d2dc70 5 bytes JMP 00000001000603d0 .text C:\Windows\system32\taskhost.exe[4020] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076d2dd20 5 bytes JMP 0000000100060310 .text C:\Windows\system32\taskhost.exe[4020] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d2dd50 5 bytes JMP 00000001000603a0 .text C:\Windows\system32\taskhost.exe[4020] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076d2dd70 5 bytes JMP 0000000100060380 .text C:\Windows\system32\taskhost.exe[4020] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076d2ddb0 5 bytes JMP 00000001000602d0 .text C:\Windows\system32\taskhost.exe[4020] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076d2de30 1 byte JMP 00000001000602c0 .text C:\Windows\system32\taskhost.exe[4020] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 0000000076d2de32 3 bytes {JMP 0xffffffff89332490} .text C:\Windows\system32\taskhost.exe[4020] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076d2de50 5 bytes JMP 0000000100060300 .text C:\Windows\system32\taskhost.exe[4020] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076d2de90 5 bytes JMP 00000001000603b0 .text C:\Windows\system32\taskhost.exe[4020] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076d2dee0 5 bytes JMP 00000001000603e0 .text C:\Windows\system32\taskhost.exe[4020] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076d2e040 5 bytes JMP 0000000100060220 .text C:\Windows\system32\taskhost.exe[4020] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d2e200 5 bytes JMP 0000000100060470 .text C:\Windows\system32\taskhost.exe[4020] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076d2e230 5 bytes JMP 0000000100060390 .text C:\Windows\system32\taskhost.exe[4020] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076d2e310 5 bytes JMP 00000001000602e0 .text C:\Windows\system32\taskhost.exe[4020] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076d2e320 5 bytes JMP 0000000100060340 .text C:\Windows\system32\taskhost.exe[4020] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076d2e380 5 bytes JMP 0000000100060280 .text C:\Windows\system32\taskhost.exe[4020] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076d2e410 1 byte JMP 00000001000602a0 .text C:\Windows\system32\taskhost.exe[4020] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 0000000076d2e412 3 bytes {JMP 0xffffffff89331e90} .text C:\Windows\system32\taskhost.exe[4020] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076d2e430 1 byte JMP 00000001000603c0 .text C:\Windows\system32\taskhost.exe[4020] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 0000000076d2e432 3 bytes {JMP 0xffffffff89331f90} .text C:\Windows\system32\taskhost.exe[4020] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076d2e440 5 bytes JMP 0000000100060320 .text C:\Windows\system32\taskhost.exe[4020] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076d2e4b0 5 bytes JMP 0000000100060400 .text C:\Windows\system32\taskhost.exe[4020] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076d2e4e0 5 bytes JMP 0000000100060230 .text C:\Windows\system32\taskhost.exe[4020] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076d2e7a0 5 bytes JMP 00000001000601d0 .text C:\Windows\system32\taskhost.exe[4020] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076d2e860 5 bytes JMP 0000000100060240 .text C:\Windows\system32\taskhost.exe[4020] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076d2e890 5 bytes JMP 0000000100060480 .text C:\Windows\system32\taskhost.exe[4020] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076d2e8a0 5 bytes JMP 0000000100060490 .text C:\Windows\system32\taskhost.exe[4020] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076d2e8d0 5 bytes JMP 00000001000602f0 .text C:\Windows\system32\taskhost.exe[4020] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076d2e8e0 5 bytes JMP 0000000100060350 .text C:\Windows\system32\taskhost.exe[4020] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076d2e940 5 bytes JMP 0000000100060290 .text C:\Windows\system32\taskhost.exe[4020] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076d2e990 5 bytes JMP 00000001000602b0 .text C:\Windows\system32\taskhost.exe[4020] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076d2e9c0 5 bytes JMP 0000000100060370 .text C:\Windows\system32\taskhost.exe[4020] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076d2e9d0 5 bytes JMP 0000000100060330 .text C:\Windows\system32\taskhost.exe[4020] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076d2ecc0 5 bytes JMP 0000000100060430 .text C:\Windows\system32\taskhost.exe[4020] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076d2eec0 1 byte JMP 0000000100060250 .text C:\Windows\system32\taskhost.exe[4020] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 0000000076d2eec2 3 bytes {JMP 0xffffffff89331390} .text C:\Windows\system32\taskhost.exe[4020] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076d2eed0 1 byte JMP 0000000100060260 .text C:\Windows\system32\taskhost.exe[4020] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 0000000076d2eed2 3 bytes {JMP 0xffffffff89331390} .text C:\Windows\system32\taskhost.exe[4020] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076d2eee0 5 bytes JMP 00000001000603f0 .text C:\Windows\system32\taskhost.exe[4020] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076d2f0a0 5 bytes JMP 00000001000601e0 .text C:\Windows\system32\taskhost.exe[4020] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076d2f0b0 5 bytes JMP 0000000100060200 .text C:\Windows\system32\taskhost.exe[4020] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076d2f120 5 bytes JMP 00000001000601f0 .text C:\Windows\system32\taskhost.exe[4020] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076d2f180 1 byte JMP 0000000100060410 .text C:\Windows\system32\taskhost.exe[4020] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 0000000076d2f182 3 bytes {JMP 0xffffffff89331290} .text C:\Windows\system32\taskhost.exe[4020] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076d2f190 1 byte JMP 0000000100060420 .text C:\Windows\system32\taskhost.exe[4020] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 0000000076d2f192 3 bytes {JMP 0xffffffff89331290} .text C:\Windows\system32\taskhost.exe[4020] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076d2f1a0 5 bytes JMP 0000000100060210 .text C:\Windows\system32\taskhost.exe[4020] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076d2f280 5 bytes JMP 0000000100060270 .text C:\Windows\system32\taskeng.exe[3792] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076d2da60 5 bytes JMP 0000000076e90450 .text C:\Windows\system32\taskeng.exe[3792] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076d2dab0 1 byte JMP 0000000076e90440 .text C:\Windows\system32\taskeng.exe[3792] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 0000000076d2dab2 3 bytes {JMP 0x162990} .text C:\Windows\system32\taskeng.exe[3792] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076d2dc10 5 bytes JMP 0000000076e90360 .text C:\Windows\system32\taskeng.exe[3792] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076d2dc60 5 bytes JMP 0000000076e90460 .text C:\Windows\system32\taskeng.exe[3792] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d2dc70 5 bytes JMP 0000000076e903d0 .text C:\Windows\system32\taskeng.exe[3792] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076d2dd20 5 bytes JMP 0000000076e90310 .text C:\Windows\system32\taskeng.exe[3792] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d2dd50 5 bytes JMP 0000000076e903a0 .text C:\Windows\system32\taskeng.exe[3792] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076d2dd70 5 bytes JMP 0000000076e90380 .text C:\Windows\system32\taskeng.exe[3792] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076d2ddb0 5 bytes JMP 0000000076e902d0 .text C:\Windows\system32\taskeng.exe[3792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076d2de30 1 byte JMP 0000000076e902c0 .text C:\Windows\system32\taskeng.exe[3792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 0000000076d2de32 3 bytes {JMP 0x162490} .text C:\Windows\system32\taskeng.exe[3792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076d2de50 5 bytes JMP 0000000076e90300 .text C:\Windows\system32\taskeng.exe[3792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076d2de90 5 bytes JMP 0000000076e903b0 .text C:\Windows\system32\taskeng.exe[3792] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076d2dee0 5 bytes JMP 0000000076e903e0 .text C:\Windows\system32\taskeng.exe[3792] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076d2e040 5 bytes JMP 0000000076e90220 .text C:\Windows\system32\taskeng.exe[3792] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d2e200 5 bytes JMP 0000000076e90470 .text C:\Windows\system32\taskeng.exe[3792] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076d2e230 5 bytes JMP 0000000076e90390 .text C:\Windows\system32\taskeng.exe[3792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076d2e310 5 bytes JMP 0000000076e902e0 .text C:\Windows\system32\taskeng.exe[3792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076d2e320 5 bytes JMP 0000000076e90340 .text C:\Windows\system32\taskeng.exe[3792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076d2e380 5 bytes JMP 0000000076e90280 .text C:\Windows\system32\taskeng.exe[3792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076d2e410 1 byte JMP 0000000076e902a0 .text C:\Windows\system32\taskeng.exe[3792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 0000000076d2e412 3 bytes {JMP 0x161e90} .text C:\Windows\system32\taskeng.exe[3792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076d2e430 1 byte JMP 0000000076e903c0 .text C:\Windows\system32\taskeng.exe[3792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 0000000076d2e432 3 bytes {JMP 0x161f90} .text C:\Windows\system32\taskeng.exe[3792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076d2e440 5 bytes JMP 0000000076e90320 .text C:\Windows\system32\taskeng.exe[3792] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076d2e4b0 5 bytes JMP 0000000076e90400 .text C:\Windows\system32\taskeng.exe[3792] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076d2e4e0 5 bytes JMP 0000000076e90230 .text C:\Windows\system32\taskeng.exe[3792] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076d2e7a0 5 bytes JMP 0000000076e901d0 .text C:\Windows\system32\taskeng.exe[3792] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076d2e860 5 bytes JMP 0000000076e90240 .text C:\Windows\system32\taskeng.exe[3792] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076d2e890 5 bytes JMP 0000000076e90480 .text C:\Windows\system32\taskeng.exe[3792] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076d2e8a0 5 bytes JMP 0000000076e90490 .text C:\Windows\system32\taskeng.exe[3792] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076d2e8d0 5 bytes JMP 0000000076e902f0 .text C:\Windows\system32\taskeng.exe[3792] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076d2e8e0 5 bytes JMP 0000000076e90350 .text C:\Windows\system32\taskeng.exe[3792] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076d2e940 5 bytes JMP 0000000076e90290 .text C:\Windows\system32\taskeng.exe[3792] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076d2e990 5 bytes JMP 0000000076e902b0 .text C:\Windows\system32\taskeng.exe[3792] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076d2e9c0 5 bytes JMP 0000000076e90370 .text C:\Windows\system32\taskeng.exe[3792] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076d2e9d0 5 bytes JMP 0000000076e90330 .text C:\Windows\system32\taskeng.exe[3792] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076d2ecc0 5 bytes JMP 0000000076e90430 .text C:\Windows\system32\taskeng.exe[3792] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076d2eec0 1 byte JMP 0000000076e90250 .text C:\Windows\system32\taskeng.exe[3792] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 0000000076d2eec2 3 bytes {JMP 0x161390} .text C:\Windows\system32\taskeng.exe[3792] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076d2eed0 1 byte JMP 0000000076e90260 .text C:\Windows\system32\taskeng.exe[3792] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 0000000076d2eed2 3 bytes {JMP 0x161390} .text C:\Windows\system32\taskeng.exe[3792] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076d2eee0 5 bytes JMP 0000000076e903f0 .text C:\Windows\system32\taskeng.exe[3792] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076d2f0a0 5 bytes JMP 0000000076e901e0 .text C:\Windows\system32\taskeng.exe[3792] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076d2f0b0 5 bytes JMP 0000000076e90200 .text C:\Windows\system32\taskeng.exe[3792] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076d2f120 5 bytes JMP 0000000076e901f0 .text C:\Windows\system32\taskeng.exe[3792] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076d2f180 1 byte JMP 0000000076e90410 .text C:\Windows\system32\taskeng.exe[3792] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 0000000076d2f182 3 bytes {JMP 0x161290} .text C:\Windows\system32\taskeng.exe[3792] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076d2f190 1 byte JMP 0000000076e90420 .text C:\Windows\system32\taskeng.exe[3792] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 0000000076d2f192 3 bytes {JMP 0x161290} .text C:\Windows\system32\taskeng.exe[3792] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076d2f1a0 5 bytes JMP 0000000076e90210 .text C:\Windows\system32\taskeng.exe[3792] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076d2f280 5 bytes JMP 0000000076e90270 .text C:\Windows\system32\Dwm.exe[4176] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076d2da60 5 bytes JMP 0000000076e90450 .text C:\Windows\system32\Dwm.exe[4176] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076d2dab0 1 byte JMP 0000000076e90440 .text C:\Windows\system32\Dwm.exe[4176] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 0000000076d2dab2 3 bytes {JMP 0x162990} .text C:\Windows\system32\Dwm.exe[4176] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076d2dc10 5 bytes JMP 0000000076e90360 .text C:\Windows\system32\Dwm.exe[4176] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076d2dc60 5 bytes JMP 0000000076e90460 .text C:\Windows\system32\Dwm.exe[4176] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d2dc70 5 bytes JMP 0000000076e903d0 .text C:\Windows\system32\Dwm.exe[4176] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076d2dd20 5 bytes JMP 0000000076e90310 .text C:\Windows\system32\Dwm.exe[4176] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d2dd50 5 bytes JMP 0000000076e903a0 .text C:\Windows\system32\Dwm.exe[4176] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076d2dd70 5 bytes JMP 0000000076e90380 .text C:\Windows\system32\Dwm.exe[4176] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076d2ddb0 5 bytes JMP 0000000076e902d0 .text C:\Windows\system32\Dwm.exe[4176] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076d2de30 1 byte JMP 0000000076e902c0 .text C:\Windows\system32\Dwm.exe[4176] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 0000000076d2de32 3 bytes {JMP 0x162490} .text C:\Windows\system32\Dwm.exe[4176] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076d2de50 5 bytes JMP 0000000076e90300 .text C:\Windows\system32\Dwm.exe[4176] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076d2de90 5 bytes JMP 0000000076e903b0 .text C:\Windows\system32\Dwm.exe[4176] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076d2dee0 5 bytes JMP 0000000076e903e0 .text C:\Windows\system32\Dwm.exe[4176] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076d2e040 5 bytes JMP 0000000076e90220 .text C:\Windows\system32\Dwm.exe[4176] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d2e200 5 bytes JMP 0000000076e90470 .text C:\Windows\system32\Dwm.exe[4176] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076d2e230 5 bytes JMP 0000000076e90390 .text C:\Windows\system32\Dwm.exe[4176] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076d2e310 5 bytes JMP 0000000076e902e0 .text C:\Windows\system32\Dwm.exe[4176] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076d2e320 5 bytes JMP 0000000076e90340 .text C:\Windows\system32\Dwm.exe[4176] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076d2e380 5 bytes JMP 0000000076e90280 .text C:\Windows\system32\Dwm.exe[4176] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076d2e410 1 byte JMP 0000000076e902a0 .text C:\Windows\system32\Dwm.exe[4176] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 0000000076d2e412 3 bytes {JMP 0x161e90} .text C:\Windows\system32\Dwm.exe[4176] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076d2e430 1 byte JMP 0000000076e903c0 .text C:\Windows\system32\Dwm.exe[4176] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 0000000076d2e432 3 bytes {JMP 0x161f90} .text C:\Windows\system32\Dwm.exe[4176] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076d2e440 5 bytes JMP 0000000076e90320 .text C:\Windows\system32\Dwm.exe[4176] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076d2e4b0 5 bytes JMP 0000000076e90400 .text C:\Windows\system32\Dwm.exe[4176] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076d2e4e0 5 bytes JMP 0000000076e90230 .text C:\Windows\system32\Dwm.exe[4176] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076d2e7a0 5 bytes JMP 0000000076e901d0 .text C:\Windows\system32\Dwm.exe[4176] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076d2e860 5 bytes JMP 0000000076e90240 .text C:\Windows\system32\Dwm.exe[4176] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076d2e890 5 bytes JMP 0000000076e90480 .text C:\Windows\system32\Dwm.exe[4176] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076d2e8a0 5 bytes JMP 0000000076e90490 .text C:\Windows\system32\Dwm.exe[4176] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076d2e8d0 5 bytes JMP 0000000076e902f0 .text C:\Windows\system32\Dwm.exe[4176] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076d2e8e0 5 bytes JMP 0000000076e90350 .text C:\Windows\system32\Dwm.exe[4176] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076d2e940 5 bytes JMP 0000000076e90290 .text C:\Windows\system32\Dwm.exe[4176] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076d2e990 5 bytes JMP 0000000076e902b0 .text C:\Windows\system32\Dwm.exe[4176] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076d2e9c0 5 bytes JMP 0000000076e90370 .text C:\Windows\system32\Dwm.exe[4176] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076d2e9d0 5 bytes JMP 0000000076e90330 .text C:\Windows\system32\Dwm.exe[4176] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076d2ecc0 5 bytes JMP 0000000076e90430 .text C:\Windows\system32\Dwm.exe[4176] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076d2eec0 1 byte JMP 0000000076e90250 .text C:\Windows\system32\Dwm.exe[4176] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 0000000076d2eec2 3 bytes {JMP 0x161390} .text C:\Windows\system32\Dwm.exe[4176] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076d2eed0 1 byte JMP 0000000076e90260 .text C:\Windows\system32\Dwm.exe[4176] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 0000000076d2eed2 3 bytes {JMP 0x161390} .text C:\Windows\system32\Dwm.exe[4176] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076d2eee0 5 bytes JMP 0000000076e903f0 .text C:\Windows\system32\Dwm.exe[4176] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076d2f0a0 5 bytes JMP 0000000076e901e0 .text C:\Windows\system32\Dwm.exe[4176] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076d2f0b0 5 bytes JMP 0000000076e90200 .text C:\Windows\system32\Dwm.exe[4176] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076d2f120 5 bytes JMP 0000000076e901f0 .text C:\Windows\system32\Dwm.exe[4176] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076d2f180 1 byte JMP 0000000076e90410 .text C:\Windows\system32\Dwm.exe[4176] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 0000000076d2f182 3 bytes {JMP 0x161290} .text C:\Windows\system32\Dwm.exe[4176] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076d2f190 1 byte JMP 0000000076e90420 .text C:\Windows\system32\Dwm.exe[4176] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 0000000076d2f192 3 bytes {JMP 0x161290} .text C:\Windows\system32\Dwm.exe[4176] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076d2f1a0 5 bytes JMP 0000000076e90210 .text C:\Windows\system32\Dwm.exe[4176] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076d2f280 5 bytes JMP 0000000076e90270 .text C:\Windows\Explorer.EXE[4236] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076d2da60 5 bytes JMP 0000000076e90450 .text C:\Windows\Explorer.EXE[4236] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076d2dab0 1 byte JMP 0000000076e90440 .text C:\Windows\Explorer.EXE[4236] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 0000000076d2dab2 3 bytes {JMP 0x162990} .text C:\Windows\Explorer.EXE[4236] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076d2dc10 5 bytes JMP 0000000076e90360 .text C:\Windows\Explorer.EXE[4236] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076d2dc60 5 bytes JMP 0000000076e90460 .text C:\Windows\Explorer.EXE[4236] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d2dc70 5 bytes JMP 0000000076e903d0 .text C:\Windows\Explorer.EXE[4236] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076d2dd20 5 bytes JMP 0000000076e90310 .text C:\Windows\Explorer.EXE[4236] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d2dd50 5 bytes JMP 0000000076e903a0 .text C:\Windows\Explorer.EXE[4236] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076d2dd70 5 bytes JMP 0000000076e90380 .text C:\Windows\Explorer.EXE[4236] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076d2ddb0 5 bytes JMP 0000000076e902d0 .text C:\Windows\Explorer.EXE[4236] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076d2de30 1 byte JMP 0000000076e902c0 .text C:\Windows\Explorer.EXE[4236] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 0000000076d2de32 3 bytes {JMP 0x162490} .text C:\Windows\Explorer.EXE[4236] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076d2de50 5 bytes JMP 0000000076e90300 .text C:\Windows\Explorer.EXE[4236] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076d2de90 5 bytes JMP 0000000076e903b0 .text C:\Windows\Explorer.EXE[4236] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076d2dee0 5 bytes JMP 0000000076e903e0 .text C:\Windows\Explorer.EXE[4236] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076d2e040 5 bytes JMP 0000000076e90220 .text C:\Windows\Explorer.EXE[4236] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d2e200 5 bytes JMP 0000000076e90470 .text C:\Windows\Explorer.EXE[4236] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076d2e230 5 bytes JMP 0000000076e90390 .text C:\Windows\Explorer.EXE[4236] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076d2e310 5 bytes JMP 0000000076e902e0 .text C:\Windows\Explorer.EXE[4236] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076d2e320 5 bytes JMP 0000000076e90340 .text C:\Windows\Explorer.EXE[4236] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076d2e380 5 bytes JMP 0000000076e90280 .text C:\Windows\Explorer.EXE[4236] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076d2e410 1 byte JMP 0000000076e902a0 .text C:\Windows\Explorer.EXE[4236] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 0000000076d2e412 3 bytes {JMP 0x161e90} .text C:\Windows\Explorer.EXE[4236] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076d2e430 1 byte JMP 0000000076e903c0 .text C:\Windows\Explorer.EXE[4236] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 0000000076d2e432 3 bytes {JMP 0x161f90} .text C:\Windows\Explorer.EXE[4236] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076d2e440 5 bytes JMP 0000000076e90320 .text C:\Windows\Explorer.EXE[4236] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076d2e4b0 5 bytes JMP 0000000076e90400 .text C:\Windows\Explorer.EXE[4236] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076d2e4e0 5 bytes JMP 0000000076e90230 .text C:\Windows\Explorer.EXE[4236] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076d2e7a0 5 bytes JMP 0000000076e901d0 .text C:\Windows\Explorer.EXE[4236] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076d2e860 5 bytes JMP 0000000076e90240 .text C:\Windows\Explorer.EXE[4236] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076d2e890 5 bytes JMP 0000000076e90480 .text C:\Windows\Explorer.EXE[4236] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076d2e8a0 5 bytes JMP 0000000076e90490 .text C:\Windows\Explorer.EXE[4236] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076d2e8d0 5 bytes JMP 0000000076e902f0 .text C:\Windows\Explorer.EXE[4236] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076d2e8e0 5 bytes JMP 0000000076e90350 .text C:\Windows\Explorer.EXE[4236] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076d2e940 5 bytes JMP 0000000076e90290 .text C:\Windows\Explorer.EXE[4236] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076d2e990 5 bytes JMP 0000000076e902b0 .text C:\Windows\Explorer.EXE[4236] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076d2e9c0 5 bytes JMP 0000000076e90370 .text C:\Windows\Explorer.EXE[4236] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076d2e9d0 5 bytes JMP 0000000076e90330 .text C:\Windows\Explorer.EXE[4236] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076d2ecc0 5 bytes JMP 0000000076e90430 .text C:\Windows\Explorer.EXE[4236] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076d2eec0 1 byte JMP 0000000076e90250 .text C:\Windows\Explorer.EXE[4236] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 0000000076d2eec2 3 bytes {JMP 0x161390} .text C:\Windows\Explorer.EXE[4236] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076d2eed0 1 byte JMP 0000000076e90260 .text C:\Windows\Explorer.EXE[4236] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 0000000076d2eed2 3 bytes {JMP 0x161390} .text C:\Windows\Explorer.EXE[4236] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076d2eee0 5 bytes JMP 0000000076e903f0 .text C:\Windows\Explorer.EXE[4236] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076d2f0a0 5 bytes JMP 0000000076e901e0 .text C:\Windows\Explorer.EXE[4236] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076d2f0b0 5 bytes JMP 0000000076e90200 .text C:\Windows\Explorer.EXE[4236] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076d2f120 5 bytes JMP 0000000076e901f0 .text C:\Windows\Explorer.EXE[4236] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076d2f180 1 byte JMP 0000000076e90410 .text C:\Windows\Explorer.EXE[4236] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 0000000076d2f182 3 bytes {JMP 0x161290} .text C:\Windows\Explorer.EXE[4236] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076d2f190 1 byte JMP 0000000076e90420 .text C:\Windows\Explorer.EXE[4236] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 0000000076d2f192 3 bytes {JMP 0x161290} .text C:\Windows\Explorer.EXE[4236] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076d2f1a0 5 bytes JMP 0000000076e90210 .text C:\Windows\Explorer.EXE[4236] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076d2f280 5 bytes JMP 0000000076e90270 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4512] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076d2da60 5 bytes JMP 0000000076e90450 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4512] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076d2dab0 1 byte JMP 0000000076e90440 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4512] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 0000000076d2dab2 3 bytes {JMP 0x162990} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4512] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076d2dc10 5 bytes JMP 0000000076e90360 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4512] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076d2dc60 5 bytes JMP 0000000076e90460 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4512] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d2dc70 5 bytes JMP 0000000076e903d0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4512] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076d2dd20 5 bytes JMP 0000000076e90310 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4512] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d2dd50 5 bytes JMP 0000000076e903a0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4512] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076d2dd70 5 bytes JMP 0000000076e90380 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4512] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076d2ddb0 5 bytes JMP 0000000076e902d0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076d2de30 1 byte JMP 0000000076e902c0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 0000000076d2de32 3 bytes {JMP 0x162490} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076d2de50 5 bytes JMP 0000000076e90300 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076d2de90 5 bytes JMP 0000000076e903b0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4512] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076d2dee0 5 bytes JMP 0000000076e903e0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4512] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076d2e040 5 bytes JMP 0000000076e90220 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4512] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d2e200 5 bytes JMP 0000000076e90470 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4512] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076d2e230 5 bytes JMP 0000000076e90390 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076d2e310 5 bytes JMP 0000000076e902e0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076d2e320 5 bytes JMP 0000000076e90340 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076d2e380 5 bytes JMP 0000000076e90280 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076d2e410 1 byte JMP 0000000076e902a0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 0000000076d2e412 3 bytes {JMP 0x161e90} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076d2e430 1 byte JMP 0000000076e903c0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 0000000076d2e432 3 bytes {JMP 0x161f90} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076d2e440 5 bytes JMP 0000000076e90320 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4512] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076d2e4b0 5 bytes JMP 0000000076e90400 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4512] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076d2e4e0 5 bytes JMP 0000000076e90230 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4512] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076d2e7a0 5 bytes JMP 0000000076e901d0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4512] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076d2e860 5 bytes JMP 0000000076e90240 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4512] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076d2e890 5 bytes JMP 0000000076e90480 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4512] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076d2e8a0 5 bytes JMP 0000000076e90490 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4512] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076d2e8d0 5 bytes JMP 0000000076e902f0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4512] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076d2e8e0 5 bytes JMP 0000000076e90350 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4512] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076d2e940 5 bytes JMP 0000000076e90290 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4512] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076d2e990 5 bytes JMP 0000000076e902b0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4512] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076d2e9c0 5 bytes JMP 0000000076e90370 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4512] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076d2e9d0 5 bytes JMP 0000000076e90330 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4512] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076d2ecc0 5 bytes JMP 0000000076e90430 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4512] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076d2eec0 1 byte JMP 0000000076e90250 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4512] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 0000000076d2eec2 3 bytes {JMP 0x161390} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4512] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076d2eed0 1 byte JMP 0000000076e90260 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4512] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 0000000076d2eed2 3 bytes {JMP 0x161390} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4512] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076d2eee0 5 bytes JMP 0000000076e903f0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4512] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076d2f0a0 5 bytes JMP 0000000076e901e0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4512] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076d2f0b0 5 bytes JMP 0000000076e90200 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4512] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076d2f120 5 bytes JMP 0000000076e901f0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4512] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076d2f180 1 byte JMP 0000000076e90410 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4512] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 0000000076d2f182 3 bytes {JMP 0x161290} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4512] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076d2f190 1 byte JMP 0000000076e90420 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4512] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 0000000076d2f192 3 bytes {JMP 0x161290} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4512] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076d2f1a0 5 bytes JMP 0000000076e90210 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4512] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076d2f280 5 bytes JMP 0000000076e90270 .text C:\Program Files (x86)\Samsung\Kies\Kies.exe[4956] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000075701401 2 bytes JMP 7678b21b C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Samsung\Kies\Kies.exe[4956] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000075701419 2 bytes JMP 7678b346 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Samsung\Kies\Kies.exe[4956] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000075701431 2 bytes JMP 76808fd1 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Samsung\Kies\Kies.exe[4956] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007570144a 2 bytes CALL 7676489d C:\Windows\syswow64\KERNEL32.dll .text ... * 9 .text C:\Program Files (x86)\Samsung\Kies\Kies.exe[4956] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000757014dd 2 bytes JMP 768088c4 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Samsung\Kies\Kies.exe[4956] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000757014f5 2 bytes JMP 76808aa0 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Samsung\Kies\Kies.exe[4956] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007570150d 2 bytes JMP 768087ba C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Samsung\Kies\Kies.exe[4956] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000075701525 2 bytes JMP 76808b8a C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Samsung\Kies\Kies.exe[4956] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007570153d 2 bytes JMP 7677fca8 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Samsung\Kies\Kies.exe[4956] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000075701555 2 bytes JMP 767868ef C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Samsung\Kies\Kies.exe[4956] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007570156d 2 bytes JMP 76809089 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Samsung\Kies\Kies.exe[4956] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000075701585 2 bytes JMP 76808bea C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Samsung\Kies\Kies.exe[4956] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007570159d 2 bytes JMP 7680877e C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Samsung\Kies\Kies.exe[4956] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000757015b5 2 bytes JMP 7677fd41 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Samsung\Kies\Kies.exe[4956] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000757015cd 2 bytes JMP 7678b2dc C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Samsung\Kies\Kies.exe[4956] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000757016b2 2 bytes JMP 76808f4c C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Samsung\Kies\Kies.exe[4956] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000757016bd 2 bytes JMP 76808713 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[5060] C:\Windows\SysWOW64\ntdll.dll!DbgBreakPoint 0000000076ed000c 1 byte [C3] .text C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[5060] C:\Windows\SysWOW64\ntdll.dll!DbgUiRemoteBreakin 0000000076f5fbaa 5 bytes JMP 0000000176f19c63 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[4472] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000075701401 2 bytes JMP 7678b21b C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[4472] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000075701419 2 bytes JMP 7678b346 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[4472] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000075701431 2 bytes JMP 76808fd1 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[4472] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007570144a 2 bytes CALL 7676489d C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[4472] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000757014dd 2 bytes JMP 768088c4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[4472] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000757014f5 2 bytes JMP 76808aa0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[4472] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007570150d 2 bytes JMP 768087ba C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[4472] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000075701525 2 bytes JMP 76808b8a C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[4472] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007570153d 2 bytes JMP 7677fca8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[4472] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000075701555 2 bytes JMP 767868ef C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[4472] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007570156d 2 bytes JMP 76809089 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[4472] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000075701585 2 bytes JMP 76808bea C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[4472] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007570159d 2 bytes JMP 7680877e C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[4472] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000757015b5 2 bytes JMP 7677fd41 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[4472] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000757015cd 2 bytes JMP 7678b2dc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[4472] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000757016b2 2 bytes JMP 76808f4c C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[4472] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000757016bd 2 bytes JMP 76808713 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe[4764] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000075701401 2 bytes JMP 7678b21b C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe[4764] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000075701419 2 bytes JMP 7678b346 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe[4764] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000075701431 2 bytes JMP 76808fd1 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe[4764] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007570144a 2 bytes CALL 7676489d C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe[4764] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000757014dd 2 bytes JMP 768088c4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe[4764] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000757014f5 2 bytes JMP 76808aa0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe[4764] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007570150d 2 bytes JMP 768087ba C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe[4764] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000075701525 2 bytes JMP 76808b8a C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe[4764] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007570153d 2 bytes JMP 7677fca8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe[4764] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000075701555 2 bytes JMP 767868ef C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe[4764] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007570156d 2 bytes JMP 76809089 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe[4764] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000075701585 2 bytes JMP 76808bea C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe[4764] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007570159d 2 bytes JMP 7680877e C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe[4764] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000757015b5 2 bytes JMP 7677fd41 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe[4764] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000757015cd 2 bytes JMP 7678b2dc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe[4764] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000757016b2 2 bytes JMP 76808f4c C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe[4764] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000757016bd 2 bytes JMP 76808713 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[4788] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076d2da60 5 bytes JMP 00000001001d0450 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[4788] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076d2dab0 1 byte JMP 00000001001d0440 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[4788] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 0000000076d2dab2 3 bytes {JMP 0xffffffff894a2990} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[4788] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076d2dc10 5 bytes JMP 00000001001d0360 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[4788] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076d2dc60 5 bytes JMP 00000001001d0460 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[4788] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d2dc70 5 bytes JMP 00000001001d03d0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[4788] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076d2dd20 5 bytes JMP 00000001001d0310 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[4788] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d2dd50 5 bytes JMP 00000001001d03a0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[4788] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076d2dd70 5 bytes JMP 00000001001d0380 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[4788] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076d2ddb0 5 bytes JMP 00000001001d02d0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[4788] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076d2de30 1 byte JMP 00000001001d02c0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[4788] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 0000000076d2de32 3 bytes {JMP 0xffffffff894a2490} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[4788] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076d2de50 5 bytes JMP 00000001001d0300 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[4788] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076d2de90 5 bytes JMP 00000001001d03b0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[4788] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076d2dee0 5 bytes JMP 00000001001d03e0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[4788] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076d2e040 5 bytes JMP 00000001001d0220 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[4788] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d2e200 5 bytes JMP 00000001001d0470 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[4788] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076d2e230 5 bytes JMP 00000001001d0390 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[4788] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076d2e310 5 bytes JMP 00000001001d02e0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[4788] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076d2e320 5 bytes JMP 00000001001d0340 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[4788] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076d2e380 5 bytes JMP 00000001001d0280 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[4788] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076d2e410 1 byte JMP 00000001001d02a0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[4788] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 0000000076d2e412 3 bytes {JMP 0xffffffff894a1e90} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[4788] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076d2e430 1 byte JMP 00000001001d03c0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[4788] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 0000000076d2e432 3 bytes {JMP 0xffffffff894a1f90} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[4788] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076d2e440 5 bytes JMP 00000001001d0320 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[4788] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076d2e4b0 5 bytes JMP 00000001001d0400 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[4788] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076d2e4e0 5 bytes JMP 00000001001d0230 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[4788] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076d2e7a0 5 bytes JMP 00000001001d01d0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[4788] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076d2e860 5 bytes JMP 00000001001d0240 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[4788] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076d2e890 5 bytes JMP 00000001001d0480 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[4788] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076d2e8a0 5 bytes JMP 00000001001d0490 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[4788] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076d2e8d0 5 bytes JMP 00000001001d02f0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[4788] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076d2e8e0 5 bytes JMP 00000001001d0350 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[4788] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076d2e940 5 bytes JMP 00000001001d0290 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[4788] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076d2e990 5 bytes JMP 00000001001d02b0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[4788] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076d2e9c0 5 bytes JMP 00000001001d0370 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[4788] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076d2e9d0 5 bytes JMP 00000001001d0330 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[4788] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076d2ecc0 5 bytes JMP 00000001001d0430 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[4788] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076d2eec0 1 byte JMP 00000001001d0250 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[4788] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 0000000076d2eec2 3 bytes {JMP 0xffffffff894a1390} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[4788] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076d2eed0 1 byte JMP 00000001001d0260 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[4788] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 0000000076d2eed2 3 bytes {JMP 0xffffffff894a1390} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[4788] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076d2eee0 5 bytes JMP 00000001001d03f0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[4788] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076d2f0a0 5 bytes JMP 00000001001d01e0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[4788] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076d2f0b0 5 bytes JMP 00000001001d0200 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[4788] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076d2f120 5 bytes JMP 00000001001d01f0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[4788] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076d2f180 1 byte JMP 00000001001d0410 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[4788] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 0000000076d2f182 3 bytes {JMP 0xffffffff894a1290} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[4788] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076d2f190 1 byte JMP 00000001001d0420 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[4788] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 0000000076d2f192 3 bytes {JMP 0xffffffff894a1290} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[4788] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076d2f1a0 5 bytes JMP 00000001001d0210 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[4788] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076d2f280 5 bytes JMP 00000001001d0270 .text C:\Program Files (x86)\Samsung\Kies\KiesTrayAgent.exe[4736] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000075701401 2 bytes JMP 7678b21b C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Samsung\Kies\KiesTrayAgent.exe[4736] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000075701419 2 bytes JMP 7678b346 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Samsung\Kies\KiesTrayAgent.exe[4736] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000075701431 2 bytes JMP 76808fd1 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Samsung\Kies\KiesTrayAgent.exe[4736] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007570144a 2 bytes CALL 7676489d C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\Samsung\Kies\KiesTrayAgent.exe[4736] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000757014dd 2 bytes JMP 768088c4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Samsung\Kies\KiesTrayAgent.exe[4736] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000757014f5 2 bytes JMP 76808aa0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Samsung\Kies\KiesTrayAgent.exe[4736] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007570150d 2 bytes JMP 768087ba C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Samsung\Kies\KiesTrayAgent.exe[4736] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000075701525 2 bytes JMP 76808b8a C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Samsung\Kies\KiesTrayAgent.exe[4736] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007570153d 2 bytes JMP 7677fca8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Samsung\Kies\KiesTrayAgent.exe[4736] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000075701555 2 bytes JMP 767868ef C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Samsung\Kies\KiesTrayAgent.exe[4736] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007570156d 2 bytes JMP 76809089 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Samsung\Kies\KiesTrayAgent.exe[4736] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000075701585 2 bytes JMP 76808bea C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Samsung\Kies\KiesTrayAgent.exe[4736] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007570159d 2 bytes JMP 7680877e C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Samsung\Kies\KiesTrayAgent.exe[4736] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000757015b5 2 bytes JMP 7677fd41 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Samsung\Kies\KiesTrayAgent.exe[4736] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000757015cd 2 bytes JMP 7678b2dc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Samsung\Kies\KiesTrayAgent.exe[4736] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000757016b2 2 bytes JMP 76808f4c C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Samsung\Kies\KiesTrayAgent.exe[4736] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000757016bd 2 bytes JMP 76808713 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4532] C:\Windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter 0000000076768781 8 bytes [31, C0, C2, 04, 00, 90, 90, ...] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4232] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000075701401 2 bytes JMP 7678b21b C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4232] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000075701419 2 bytes JMP 7678b346 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4232] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000075701431 2 bytes JMP 76808fd1 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4232] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007570144a 2 bytes CALL 7676489d C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4232] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000757014dd 2 bytes JMP 768088c4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4232] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000757014f5 2 bytes JMP 76808aa0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4232] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007570150d 2 bytes JMP 768087ba C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4232] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000075701525 2 bytes JMP 76808b8a C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4232] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007570153d 2 bytes JMP 7677fca8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4232] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000075701555 2 bytes JMP 767868ef C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4232] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007570156d 2 bytes JMP 76809089 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4232] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000075701585 2 bytes JMP 76808bea C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4232] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007570159d 2 bytes JMP 7680877e C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4232] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000757015b5 2 bytes JMP 7677fd41 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4232] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000757015cd 2 bytes JMP 7678b2dc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4232] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000757016b2 2 bytes JMP 76808f4c C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4232] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000757016bd 2 bytes JMP 76808713 C:\Windows\syswow64\kernel32.dll .text C:\Windows\system32\wbem\wmiprvse.exe[5312] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076d2da60 5 bytes JMP 0000000076e90450 .text C:\Windows\system32\wbem\wmiprvse.exe[5312] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076d2dab0 1 byte JMP 0000000076e90440 .text C:\Windows\system32\wbem\wmiprvse.exe[5312] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 0000000076d2dab2 3 bytes {JMP 0x162990} .text C:\Windows\system32\wbem\wmiprvse.exe[5312] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076d2dc10 5 bytes JMP 0000000076e90360 .text C:\Windows\system32\wbem\wmiprvse.exe[5312] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076d2dc60 5 bytes JMP 0000000076e90460 .text C:\Windows\system32\wbem\wmiprvse.exe[5312] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d2dc70 5 bytes JMP 0000000076e903d0 .text C:\Windows\system32\wbem\wmiprvse.exe[5312] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076d2dd20 5 bytes JMP 0000000076e90310 .text C:\Windows\system32\wbem\wmiprvse.exe[5312] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d2dd50 5 bytes JMP 0000000076e903a0 .text C:\Windows\system32\wbem\wmiprvse.exe[5312] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076d2dd70 5 bytes JMP 0000000076e90380 .text C:\Windows\system32\wbem\wmiprvse.exe[5312] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076d2ddb0 5 bytes JMP 0000000076e902d0 .text C:\Windows\system32\wbem\wmiprvse.exe[5312] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076d2de30 1 byte JMP 0000000076e902c0 .text C:\Windows\system32\wbem\wmiprvse.exe[5312] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 0000000076d2de32 3 bytes {JMP 0x162490} .text C:\Windows\system32\wbem\wmiprvse.exe[5312] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076d2de50 5 bytes JMP 0000000076e90300 .text C:\Windows\system32\wbem\wmiprvse.exe[5312] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076d2de90 5 bytes JMP 0000000076e903b0 .text C:\Windows\system32\wbem\wmiprvse.exe[5312] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076d2dee0 5 bytes JMP 0000000076e903e0 .text C:\Windows\system32\wbem\wmiprvse.exe[5312] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076d2e040 5 bytes JMP 0000000076e90220 .text C:\Windows\system32\wbem\wmiprvse.exe[5312] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d2e200 5 bytes JMP 0000000076e90470 .text C:\Windows\system32\wbem\wmiprvse.exe[5312] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076d2e230 5 bytes JMP 0000000076e90390 .text C:\Windows\system32\wbem\wmiprvse.exe[5312] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076d2e310 5 bytes JMP 0000000076e902e0 .text C:\Windows\system32\wbem\wmiprvse.exe[5312] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076d2e320 5 bytes JMP 0000000076e90340 .text C:\Windows\system32\wbem\wmiprvse.exe[5312] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076d2e380 5 bytes JMP 0000000076e90280 .text C:\Windows\system32\wbem\wmiprvse.exe[5312] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076d2e410 1 byte JMP 0000000076e902a0 .text C:\Windows\system32\wbem\wmiprvse.exe[5312] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 0000000076d2e412 3 bytes {JMP 0x161e90} .text C:\Windows\system32\wbem\wmiprvse.exe[5312] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076d2e430 1 byte JMP 0000000076e903c0 .text C:\Windows\system32\wbem\wmiprvse.exe[5312] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 0000000076d2e432 3 bytes {JMP 0x161f90} .text C:\Windows\system32\wbem\wmiprvse.exe[5312] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076d2e440 5 bytes JMP 0000000076e90320 .text C:\Windows\system32\wbem\wmiprvse.exe[5312] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076d2e4b0 5 bytes JMP 0000000076e90400 .text C:\Windows\system32\wbem\wmiprvse.exe[5312] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076d2e4e0 5 bytes JMP 0000000076e90230 .text C:\Windows\system32\wbem\wmiprvse.exe[5312] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076d2e7a0 5 bytes JMP 0000000076e901d0 .text C:\Windows\system32\wbem\wmiprvse.exe[5312] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076d2e860 5 bytes JMP 0000000076e90240 .text C:\Windows\system32\wbem\wmiprvse.exe[5312] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076d2e890 5 bytes JMP 0000000076e90480 .text C:\Windows\system32\wbem\wmiprvse.exe[5312] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076d2e8a0 5 bytes JMP 0000000076e90490 .text C:\Windows\system32\wbem\wmiprvse.exe[5312] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076d2e8d0 5 bytes JMP 0000000076e902f0 .text C:\Windows\system32\wbem\wmiprvse.exe[5312] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076d2e8e0 5 bytes JMP 0000000076e90350 .text C:\Windows\system32\wbem\wmiprvse.exe[5312] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076d2e940 5 bytes JMP 0000000076e90290 .text C:\Windows\system32\wbem\wmiprvse.exe[5312] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076d2e990 5 bytes JMP 0000000076e902b0 .text C:\Windows\system32\wbem\wmiprvse.exe[5312] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076d2e9c0 5 bytes JMP 0000000076e90370 .text C:\Windows\system32\wbem\wmiprvse.exe[5312] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076d2e9d0 5 bytes JMP 0000000076e90330 .text C:\Windows\system32\wbem\wmiprvse.exe[5312] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076d2ecc0 5 bytes JMP 0000000076e90430 .text C:\Windows\system32\wbem\wmiprvse.exe[5312] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076d2eec0 1 byte JMP 0000000076e90250 .text C:\Windows\system32\wbem\wmiprvse.exe[5312] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 0000000076d2eec2 3 bytes {JMP 0x161390} .text C:\Windows\system32\wbem\wmiprvse.exe[5312] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076d2eed0 1 byte JMP 0000000076e90260 .text C:\Windows\system32\wbem\wmiprvse.exe[5312] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 0000000076d2eed2 3 bytes {JMP 0x161390} .text C:\Windows\system32\wbem\wmiprvse.exe[5312] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076d2eee0 5 bytes JMP 0000000076e903f0 .text C:\Windows\system32\wbem\wmiprvse.exe[5312] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076d2f0a0 5 bytes JMP 0000000076e901e0 .text C:\Windows\system32\wbem\wmiprvse.exe[5312] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076d2f0b0 5 bytes JMP 0000000076e90200 .text C:\Windows\system32\wbem\wmiprvse.exe[5312] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076d2f120 5 bytes JMP 0000000076e901f0 .text C:\Windows\system32\wbem\wmiprvse.exe[5312] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076d2f180 1 byte JMP 0000000076e90410 .text C:\Windows\system32\wbem\wmiprvse.exe[5312] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 0000000076d2f182 3 bytes {JMP 0x161290} .text C:\Windows\system32\wbem\wmiprvse.exe[5312] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076d2f190 1 byte JMP 0000000076e90420 .text C:\Windows\system32\wbem\wmiprvse.exe[5312] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 0000000076d2f192 3 bytes {JMP 0x161290} .text C:\Windows\system32\wbem\wmiprvse.exe[5312] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076d2f1a0 5 bytes JMP 0000000076e90210 .text C:\Windows\system32\wbem\wmiprvse.exe[5312] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076d2f280 5 bytes JMP 0000000076e90270 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[5764] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076d2da60 5 bytes JMP 0000000076e90450 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[5764] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076d2dab0 1 byte JMP 0000000076e90440 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[5764] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 0000000076d2dab2 3 bytes {JMP 0x162990} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[5764] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076d2dc10 5 bytes JMP 0000000076e90360 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[5764] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076d2dc60 5 bytes JMP 0000000076e90460 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[5764] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d2dc70 5 bytes JMP 0000000076e903d0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[5764] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076d2dd20 5 bytes JMP 0000000076e90310 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[5764] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d2dd50 5 bytes JMP 0000000076e903a0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[5764] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076d2dd70 5 bytes JMP 0000000076e90380 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[5764] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076d2ddb0 5 bytes JMP 0000000076e902d0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[5764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076d2de30 1 byte JMP 0000000076e902c0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[5764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 0000000076d2de32 3 bytes {JMP 0x162490} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[5764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076d2de50 5 bytes JMP 0000000076e90300 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[5764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076d2de90 5 bytes JMP 0000000076e903b0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[5764] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076d2dee0 5 bytes JMP 0000000076e903e0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[5764] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076d2e040 5 bytes JMP 0000000076e90220 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[5764] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d2e200 5 bytes JMP 0000000076e90470 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[5764] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076d2e230 5 bytes JMP 0000000076e90390 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[5764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076d2e310 5 bytes JMP 0000000076e902e0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[5764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076d2e320 5 bytes JMP 0000000076e90340 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[5764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076d2e380 5 bytes JMP 0000000076e90280 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[5764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076d2e410 1 byte JMP 0000000076e902a0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[5764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 0000000076d2e412 3 bytes {JMP 0x161e90} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[5764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076d2e430 1 byte JMP 0000000076e903c0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[5764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 0000000076d2e432 3 bytes {JMP 0x161f90} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[5764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076d2e440 5 bytes JMP 0000000076e90320 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[5764] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076d2e4b0 5 bytes JMP 0000000076e90400 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[5764] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076d2e4e0 5 bytes JMP 0000000076e90230 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[5764] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076d2e7a0 5 bytes JMP 0000000076e901d0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[5764] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076d2e860 5 bytes JMP 0000000076e90240 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[5764] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076d2e890 5 bytes JMP 0000000076e90480 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[5764] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076d2e8a0 5 bytes JMP 0000000076e90490 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[5764] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076d2e8d0 5 bytes JMP 0000000076e902f0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[5764] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076d2e8e0 5 bytes JMP 0000000076e90350 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[5764] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076d2e940 5 bytes JMP 0000000076e90290 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[5764] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076d2e990 5 bytes JMP 0000000076e902b0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[5764] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076d2e9c0 5 bytes JMP 0000000076e90370 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[5764] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076d2e9d0 5 bytes JMP 0000000076e90330 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[5764] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076d2ecc0 5 bytes JMP 0000000076e90430 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[5764] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076d2eec0 1 byte JMP 0000000076e90250 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[5764] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 0000000076d2eec2 3 bytes {JMP 0x161390} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[5764] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076d2eed0 1 byte JMP 0000000076e90260 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[5764] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 0000000076d2eed2 3 bytes {JMP 0x161390} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[5764] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076d2eee0 5 bytes JMP 0000000076e903f0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[5764] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076d2f0a0 5 bytes JMP 0000000076e901e0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[5764] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076d2f0b0 5 bytes JMP 0000000076e90200 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[5764] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076d2f120 5 bytes JMP 0000000076e901f0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[5764] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076d2f180 1 byte JMP 0000000076e90410 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[5764] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 0000000076d2f182 3 bytes {JMP 0x161290} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[5764] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076d2f190 1 byte JMP 0000000076e90420 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[5764] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 0000000076d2f192 3 bytes {JMP 0x161290} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[5764] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076d2f1a0 5 bytes JMP 0000000076e90210 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[5764] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076d2f280 5 bytes JMP 0000000076e90270 .text C:\Windows\system32\SearchIndexer.exe[3280] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076d2da60 5 bytes JMP 0000000076e90450 .text C:\Windows\system32\SearchIndexer.exe[3280] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076d2dab0 1 byte JMP 0000000076e90440 .text C:\Windows\system32\SearchIndexer.exe[3280] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 0000000076d2dab2 3 bytes {JMP 0x162990} .text C:\Windows\system32\SearchIndexer.exe[3280] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076d2dc10 5 bytes JMP 0000000076e90360 .text C:\Windows\system32\SearchIndexer.exe[3280] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076d2dc60 5 bytes JMP 0000000076e90460 .text C:\Windows\system32\SearchIndexer.exe[3280] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d2dc70 5 bytes JMP 0000000076e903d0 .text C:\Windows\system32\SearchIndexer.exe[3280] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076d2dd20 5 bytes JMP 0000000076e90310 .text C:\Windows\system32\SearchIndexer.exe[3280] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d2dd50 5 bytes JMP 0000000076e903a0 .text C:\Windows\system32\SearchIndexer.exe[3280] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076d2dd70 5 bytes JMP 0000000076e90380 .text C:\Windows\system32\SearchIndexer.exe[3280] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076d2ddb0 5 bytes JMP 0000000076e902d0 .text C:\Windows\system32\SearchIndexer.exe[3280] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076d2de30 1 byte JMP 0000000076e902c0 .text C:\Windows\system32\SearchIndexer.exe[3280] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 0000000076d2de32 3 bytes {JMP 0x162490} .text C:\Windows\system32\SearchIndexer.exe[3280] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076d2de50 5 bytes JMP 0000000076e90300 .text C:\Windows\system32\SearchIndexer.exe[3280] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076d2de90 5 bytes JMP 0000000076e903b0 .text C:\Windows\system32\SearchIndexer.exe[3280] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076d2dee0 5 bytes JMP 0000000076e903e0 .text C:\Windows\system32\SearchIndexer.exe[3280] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076d2e040 5 bytes JMP 0000000076e90220 .text C:\Windows\system32\SearchIndexer.exe[3280] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d2e200 5 bytes JMP 0000000076e90470 .text C:\Windows\system32\SearchIndexer.exe[3280] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076d2e230 5 bytes JMP 0000000076e90390 .text C:\Windows\system32\SearchIndexer.exe[3280] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076d2e310 5 bytes JMP 0000000076e902e0 .text C:\Windows\system32\SearchIndexer.exe[3280] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076d2e320 5 bytes JMP 0000000076e90340 .text C:\Windows\system32\SearchIndexer.exe[3280] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076d2e380 5 bytes JMP 0000000076e90280 .text C:\Windows\system32\SearchIndexer.exe[3280] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076d2e410 1 byte JMP 0000000076e902a0 .text C:\Windows\system32\SearchIndexer.exe[3280] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 0000000076d2e412 3 bytes {JMP 0x161e90} .text C:\Windows\system32\SearchIndexer.exe[3280] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076d2e430 1 byte JMP 0000000076e903c0 .text C:\Windows\system32\SearchIndexer.exe[3280] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 0000000076d2e432 3 bytes {JMP 0x161f90} .text C:\Windows\system32\SearchIndexer.exe[3280] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076d2e440 5 bytes JMP 0000000076e90320 .text C:\Windows\system32\SearchIndexer.exe[3280] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076d2e4b0 5 bytes JMP 0000000076e90400 .text C:\Windows\system32\SearchIndexer.exe[3280] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076d2e4e0 5 bytes JMP 0000000076e90230 .text C:\Windows\system32\SearchIndexer.exe[3280] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076d2e7a0 5 bytes JMP 0000000076e901d0 .text C:\Windows\system32\SearchIndexer.exe[3280] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076d2e860 5 bytes JMP 0000000076e90240 .text C:\Windows\system32\SearchIndexer.exe[3280] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076d2e890 5 bytes JMP 0000000076e90480 .text C:\Windows\system32\SearchIndexer.exe[3280] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076d2e8a0 5 bytes JMP 0000000076e90490 .text C:\Windows\system32\SearchIndexer.exe[3280] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076d2e8d0 5 bytes JMP 0000000076e902f0 .text C:\Windows\system32\SearchIndexer.exe[3280] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076d2e8e0 5 bytes JMP 0000000076e90350 .text C:\Windows\system32\SearchIndexer.exe[3280] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076d2e940 5 bytes JMP 0000000076e90290 .text C:\Windows\system32\SearchIndexer.exe[3280] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076d2e990 5 bytes JMP 0000000076e902b0 .text C:\Windows\system32\SearchIndexer.exe[3280] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076d2e9c0 5 bytes JMP 0000000076e90370 .text C:\Windows\system32\SearchIndexer.exe[3280] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076d2e9d0 5 bytes JMP 0000000076e90330 .text C:\Windows\system32\SearchIndexer.exe[3280] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076d2ecc0 5 bytes JMP 0000000076e90430 .text C:\Windows\system32\SearchIndexer.exe[3280] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076d2eec0 1 byte JMP 0000000076e90250 .text C:\Windows\system32\SearchIndexer.exe[3280] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 0000000076d2eec2 3 bytes {JMP 0x161390} .text C:\Windows\system32\SearchIndexer.exe[3280] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076d2eed0 1 byte JMP 0000000076e90260 .text C:\Windows\system32\SearchIndexer.exe[3280] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 0000000076d2eed2 3 bytes {JMP 0x161390} .text C:\Windows\system32\SearchIndexer.exe[3280] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076d2eee0 5 bytes JMP 0000000076e903f0 .text C:\Windows\system32\SearchIndexer.exe[3280] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076d2f0a0 5 bytes JMP 0000000076e901e0 .text C:\Windows\system32\SearchIndexer.exe[3280] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076d2f0b0 5 bytes JMP 0000000076e90200 .text C:\Windows\system32\SearchIndexer.exe[3280] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076d2f120 5 bytes JMP 0000000076e901f0 .text C:\Windows\system32\SearchIndexer.exe[3280] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076d2f180 1 byte JMP 0000000076e90410 .text C:\Windows\system32\SearchIndexer.exe[3280] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 0000000076d2f182 3 bytes {JMP 0x161290} .text C:\Windows\system32\SearchIndexer.exe[3280] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076d2f190 1 byte JMP 0000000076e90420 .text C:\Windows\system32\SearchIndexer.exe[3280] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 0000000076d2f192 3 bytes {JMP 0x161290} .text C:\Windows\system32\SearchIndexer.exe[3280] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076d2f1a0 5 bytes JMP 0000000076e90210 .text C:\Windows\system32\SearchIndexer.exe[3280] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076d2f280 5 bytes JMP 0000000076e90270 .text C:\Windows\system32\prevhost.exe[5836] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076d2da60 5 bytes JMP 0000000076e90450 .text C:\Windows\system32\prevhost.exe[5836] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076d2dab0 1 byte JMP 0000000076e90440 .text C:\Windows\system32\prevhost.exe[5836] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 0000000076d2dab2 3 bytes {JMP 0x162990} .text C:\Windows\system32\prevhost.exe[5836] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076d2dc10 5 bytes JMP 0000000076e90360 .text C:\Windows\system32\prevhost.exe[5836] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076d2dc60 5 bytes JMP 0000000076e90460 .text C:\Windows\system32\prevhost.exe[5836] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d2dc70 5 bytes JMP 0000000076e903d0 .text C:\Windows\system32\prevhost.exe[5836] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076d2dd20 5 bytes JMP 0000000076e90310 .text C:\Windows\system32\prevhost.exe[5836] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d2dd50 5 bytes JMP 0000000076e903a0 .text C:\Windows\system32\prevhost.exe[5836] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076d2dd70 5 bytes JMP 0000000076e90380 .text C:\Windows\system32\prevhost.exe[5836] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076d2ddb0 5 bytes JMP 0000000076e902d0 .text C:\Windows\system32\prevhost.exe[5836] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076d2de30 1 byte JMP 0000000076e902c0 .text C:\Windows\system32\prevhost.exe[5836] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 0000000076d2de32 3 bytes {JMP 0x162490} .text C:\Windows\system32\prevhost.exe[5836] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076d2de50 5 bytes JMP 0000000076e90300 .text C:\Windows\system32\prevhost.exe[5836] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076d2de90 5 bytes JMP 0000000076e903b0 .text C:\Windows\system32\prevhost.exe[5836] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076d2dee0 5 bytes JMP 0000000076e903e0 .text C:\Windows\system32\prevhost.exe[5836] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076d2e040 5 bytes JMP 0000000076e90220 .text C:\Windows\system32\prevhost.exe[5836] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d2e200 5 bytes JMP 0000000076e90470 .text C:\Windows\system32\prevhost.exe[5836] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076d2e230 5 bytes JMP 0000000076e90390 .text C:\Windows\system32\prevhost.exe[5836] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076d2e310 5 bytes JMP 0000000076e902e0 .text C:\Windows\system32\prevhost.exe[5836] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076d2e320 5 bytes JMP 0000000076e90340 .text C:\Windows\system32\prevhost.exe[5836] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076d2e380 5 bytes JMP 0000000076e90280 .text C:\Windows\system32\prevhost.exe[5836] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076d2e410 1 byte JMP 0000000076e902a0 .text C:\Windows\system32\prevhost.exe[5836] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 0000000076d2e412 3 bytes {JMP 0x161e90} .text C:\Windows\system32\prevhost.exe[5836] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076d2e430 1 byte JMP 0000000076e903c0 .text C:\Windows\system32\prevhost.exe[5836] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 0000000076d2e432 3 bytes {JMP 0x161f90} .text C:\Windows\system32\prevhost.exe[5836] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076d2e440 5 bytes JMP 0000000076e90320 .text C:\Windows\system32\prevhost.exe[5836] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076d2e4b0 5 bytes JMP 0000000076e90400 .text C:\Windows\system32\prevhost.exe[5836] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076d2e4e0 5 bytes JMP 0000000076e90230 .text C:\Windows\system32\prevhost.exe[5836] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076d2e7a0 5 bytes JMP 0000000076e901d0 .text C:\Windows\system32\prevhost.exe[5836] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076d2e860 5 bytes JMP 0000000076e90240 .text C:\Windows\system32\prevhost.exe[5836] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076d2e890 5 bytes JMP 0000000076e90480 .text C:\Windows\system32\prevhost.exe[5836] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076d2e8a0 5 bytes JMP 0000000076e90490 .text C:\Windows\system32\prevhost.exe[5836] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076d2e8d0 5 bytes JMP 0000000076e902f0 .text C:\Windows\system32\prevhost.exe[5836] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076d2e8e0 5 bytes JMP 0000000076e90350 .text C:\Windows\system32\prevhost.exe[5836] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076d2e940 5 bytes JMP 0000000076e90290 .text C:\Windows\system32\prevhost.exe[5836] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076d2e990 5 bytes JMP 0000000076e902b0 .text C:\Windows\system32\prevhost.exe[5836] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076d2e9c0 5 bytes JMP 0000000076e90370 .text C:\Windows\system32\prevhost.exe[5836] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076d2e9d0 5 bytes JMP 0000000076e90330 .text C:\Windows\system32\prevhost.exe[5836] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076d2ecc0 5 bytes JMP 0000000076e90430 .text C:\Windows\system32\prevhost.exe[5836] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076d2eec0 1 byte JMP 0000000076e90250 .text C:\Windows\system32\prevhost.exe[5836] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 0000000076d2eec2 3 bytes {JMP 0x161390} .text C:\Windows\system32\prevhost.exe[5836] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076d2eed0 1 byte JMP 0000000076e90260 .text C:\Windows\system32\prevhost.exe[5836] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 0000000076d2eed2 3 bytes {JMP 0x161390} .text C:\Windows\system32\prevhost.exe[5836] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076d2eee0 5 bytes JMP 0000000076e903f0 .text C:\Windows\system32\prevhost.exe[5836] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076d2f0a0 5 bytes JMP 0000000076e901e0 .text C:\Windows\system32\prevhost.exe[5836] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076d2f0b0 5 bytes JMP 0000000076e90200 .text C:\Windows\system32\prevhost.exe[5836] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076d2f120 5 bytes JMP 0000000076e901f0 .text C:\Windows\system32\prevhost.exe[5836] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076d2f180 1 byte JMP 0000000076e90410 .text C:\Windows\system32\prevhost.exe[5836] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 0000000076d2f182 3 bytes {JMP 0x161290} .text C:\Windows\system32\prevhost.exe[5836] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076d2f190 1 byte JMP 0000000076e90420 .text C:\Windows\system32\prevhost.exe[5836] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 0000000076d2f192 3 bytes {JMP 0x161290} .text C:\Windows\system32\prevhost.exe[5836] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076d2f1a0 5 bytes JMP 0000000076e90210 .text C:\Windows\system32\prevhost.exe[5836] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076d2f280 5 bytes JMP 0000000076e90270 .text C:\Windows\system32\AUDIODG.EXE[6136] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076d2da60 5 bytes JMP 0000000076e90450 .text C:\Windows\system32\AUDIODG.EXE[6136] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076d2dab0 1 byte JMP 0000000076e90440 .text C:\Windows\system32\AUDIODG.EXE[6136] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 0000000076d2dab2 3 bytes {JMP 0x162990} .text C:\Windows\system32\AUDIODG.EXE[6136] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076d2dc10 5 bytes JMP 0000000076e90360 .text C:\Windows\system32\AUDIODG.EXE[6136] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076d2dc60 5 bytes JMP 0000000076e90460 .text C:\Windows\system32\AUDIODG.EXE[6136] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d2dc70 5 bytes JMP 0000000076e903d0 .text C:\Windows\system32\AUDIODG.EXE[6136] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076d2dd20 5 bytes JMP 0000000076e90310 .text C:\Windows\system32\AUDIODG.EXE[6136] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d2dd50 5 bytes JMP 0000000076e903a0 .text C:\Windows\system32\AUDIODG.EXE[6136] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076d2dd70 5 bytes JMP 0000000076e90380 .text C:\Windows\system32\AUDIODG.EXE[6136] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076d2ddb0 5 bytes JMP 0000000076e902d0 .text C:\Windows\system32\AUDIODG.EXE[6136] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076d2de30 1 byte JMP 0000000076e902c0 .text C:\Windows\system32\AUDIODG.EXE[6136] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 0000000076d2de32 3 bytes {JMP 0x162490} .text C:\Windows\system32\AUDIODG.EXE[6136] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076d2de50 5 bytes JMP 0000000076e90300 .text C:\Windows\system32\AUDIODG.EXE[6136] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076d2de90 5 bytes JMP 0000000076e903b0 .text C:\Windows\system32\AUDIODG.EXE[6136] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076d2dee0 5 bytes JMP 0000000076e903e0 .text C:\Windows\system32\AUDIODG.EXE[6136] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076d2e040 5 bytes JMP 0000000076e90220 .text C:\Windows\system32\AUDIODG.EXE[6136] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d2e200 5 bytes JMP 0000000076e90470 .text C:\Windows\system32\AUDIODG.EXE[6136] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076d2e230 5 bytes JMP 0000000076e90390 .text C:\Windows\system32\AUDIODG.EXE[6136] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076d2e310 5 bytes JMP 0000000076e902e0 .text C:\Windows\system32\AUDIODG.EXE[6136] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076d2e320 5 bytes JMP 0000000076e90340 .text C:\Windows\system32\AUDIODG.EXE[6136] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076d2e380 5 bytes JMP 0000000076e90280 .text C:\Windows\system32\AUDIODG.EXE[6136] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076d2e410 1 byte JMP 0000000076e902a0 .text C:\Windows\system32\AUDIODG.EXE[6136] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 2 0000000076d2e412 3 bytes {JMP 0x161e90} .text C:\Windows\system32\AUDIODG.EXE[6136] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076d2e430 1 byte JMP 0000000076e903c0 .text C:\Windows\system32\AUDIODG.EXE[6136] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 2 0000000076d2e432 3 bytes {JMP 0x161f90} .text C:\Windows\system32\AUDIODG.EXE[6136] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076d2e440 5 bytes JMP 0000000076e90320 .text C:\Windows\system32\AUDIODG.EXE[6136] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076d2e4b0 5 bytes JMP 0000000076e90400 .text C:\Windows\system32\AUDIODG.EXE[6136] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076d2e4e0 5 bytes JMP 0000000076e90230 .text C:\Windows\system32\AUDIODG.EXE[6136] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076d2e7a0 5 bytes JMP 0000000076e901d0 .text C:\Windows\system32\AUDIODG.EXE[6136] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076d2e860 5 bytes JMP 0000000076e90240 .text C:\Windows\system32\AUDIODG.EXE[6136] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076d2e890 5 bytes JMP 0000000076e90480 .text C:\Windows\system32\AUDIODG.EXE[6136] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076d2e8a0 5 bytes JMP 0000000076e90490 .text C:\Windows\system32\AUDIODG.EXE[6136] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076d2e8d0 5 bytes JMP 0000000076e902f0 .text C:\Windows\system32\AUDIODG.EXE[6136] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076d2e8e0 5 bytes JMP 0000000076e90350 .text C:\Windows\system32\AUDIODG.EXE[6136] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076d2e940 5 bytes JMP 0000000076e90290 .text C:\Windows\system32\AUDIODG.EXE[6136] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076d2e990 5 bytes JMP 0000000076e902b0 .text C:\Windows\system32\AUDIODG.EXE[6136] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076d2e9c0 5 bytes JMP 0000000076e90370 .text C:\Windows\system32\AUDIODG.EXE[6136] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076d2e9d0 5 bytes JMP 0000000076e90330 .text C:\Windows\system32\AUDIODG.EXE[6136] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076d2ecc0 5 bytes JMP 0000000076e90430 .text C:\Windows\system32\AUDIODG.EXE[6136] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076d2eec0 1 byte JMP 0000000076e90250 .text C:\Windows\system32\AUDIODG.EXE[6136] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 0000000076d2eec2 3 bytes {JMP 0x161390} .text C:\Windows\system32\AUDIODG.EXE[6136] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076d2eed0 1 byte JMP 0000000076e90260 .text C:\Windows\system32\AUDIODG.EXE[6136] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 0000000076d2eed2 3 bytes {JMP 0x161390} .text C:\Windows\system32\AUDIODG.EXE[6136] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076d2eee0 5 bytes JMP 0000000076e903f0 .text C:\Windows\system32\AUDIODG.EXE[6136] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076d2f0a0 5 bytes JMP 0000000076e901e0 .text C:\Windows\system32\AUDIODG.EXE[6136] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076d2f0b0 5 bytes JMP 0000000076e90200 .text C:\Windows\system32\AUDIODG.EXE[6136] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076d2f120 5 bytes JMP 0000000076e901f0 .text C:\Windows\system32\AUDIODG.EXE[6136] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076d2f180 1 byte JMP 0000000076e90410 .text C:\Windows\system32\AUDIODG.EXE[6136] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 2 0000000076d2f182 3 bytes {JMP 0x161290} .text C:\Windows\system32\AUDIODG.EXE[6136] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076d2f190 1 byte JMP 0000000076e90420 .text C:\Windows\system32\AUDIODG.EXE[6136] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread + 2 0000000076d2f192 3 bytes {JMP 0x161290} .text C:\Windows\system32\AUDIODG.EXE[6136] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076d2f1a0 5 bytes JMP 0000000076e90210 .text C:\Windows\system32\AUDIODG.EXE[6136] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076d2f280 5 bytes JMP 0000000076e90270 ---- Kernel IAT/EAT - GMER 2.1 ---- IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort] [fffff88001051f1c] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUchar] [fffff88001051cc0] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUchar] [fffff8800105269c] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUlong] [fffff88001052a98] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort] [fffff880010528f4] \SystemRoot\System32\Drivers\sptd.sys [.text] ---- Devices - GMER 2.1 ---- Device \Driver\atapi \Device\Ide\IdeDeviceP4T1L0-a fffffa80069e02c0 Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-0 fffffa80069e02c0 Device \Driver\atapi \Device\Ide\IdePort4 fffffa80069e02c0 Device \Driver\atapi \Device\Ide\IdePort0 fffffa80069e02c0 Device \Driver\atapi \Device\Ide\IdePort5 fffffa80069e02c0 Device \Driver\atapi \Device\Ide\IdePort1 fffffa80069e02c0 Device \Driver\atapi \Device\Ide\IdeDeviceP4T0L0-8 fffffa80069e02c0 Device \Driver\atapi \Device\Ide\IdePort2 fffffa80069e02c0 Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-1 fffffa80069e02c0 Device \Driver\atapi \Device\Ide\IdePort3 fffffa80069e02c0 Device \Driver\ankh7cae \Device\Scsi\ankh7cae1 fffffa8007e402c0 Device \Driver\ankh7cae \Device\Scsi\ankh7cae1Port6Path0Target0Lun0 fffffa8007e402c0 Device \FileSystem\Ntfs \Ntfs fffffa80073162c0 Device \Driver\usbohci \Device\USBPDO-5 fffffa8007dcc2c0 Device \Driver\usbehci \Device\USBFDO-3 fffffa8007dda2c0 Device \Driver\usbehci \Device\USBPDO-1 fffffa8007dda2c0 Device \Driver\cdrom \Device\CdRom0 fffffa8007ac42c0 Device \Driver\NetBT \Device\NetBT_Tcpip_{77C47893-D81C-4BA6-9B9D-433FB4440F87} fffffa8007bb72c0 Device \Driver\cdrom \Device\CdRom1 fffffa8007ac42c0 Device \Driver\usbehci \Device\USBPDO-6 fffffa8007dda2c0 Device \Driver\usbohci \Device\USBFDO-4 fffffa8007dcc2c0 Device \Driver\usbohci \Device\USBPDO-2 fffffa8007dcc2c0 Device \Driver\usbohci \Device\USBFDO-0 fffffa8007dcc2c0 Device \Driver\NetBT \Device\NetBT_Tcpip_{739EFEB3-2ABF-43EE-8FFE-4A6D9B6ADB15} fffffa8007bb72c0 Device \Driver\usbohci \Device\USBFDO-5 fffffa8007dcc2c0 Device \Driver\usbehci \Device\USBPDO-3 fffffa8007dda2c0 Device \Driver\usbehci \Device\USBFDO-1 fffffa8007dda2c0 Device \Driver\NetBT \Device\NetBT_Tcpip_{89254FFF-5020-45C7-A6DC-848239825766} fffffa8007bb72c0 Device \Driver\NetBT \Device\NetBt_Wins_Export fffffa8007bb72c0 Device \Driver\usbehci \Device\USBFDO-6 fffffa8007dda2c0 Device \Driver\usbohci \Device\USBPDO-4 fffffa8007dcc2c0 Device \Driver\usbohci \Device\USBFDO-2 fffffa8007dcc2c0 Device \Driver\atapi \Device\ScsiPort0 fffffa80069e02c0 Device \Driver\usbohci \Device\USBPDO-0 fffffa8007dcc2c0 Device \Driver\atapi \Device\ScsiPort1 fffffa80069e02c0 Device \Driver\atapi \Device\ScsiPort2 fffffa80069e02c0 Device \Driver\atapi \Device\ScsiPort3 fffffa80069e02c0 Device \Driver\atapi \Device\ScsiPort4 fffffa80069e02c0 Device \Driver\atapi \Device\ScsiPort5 fffffa80069e02c0 Device \Driver\ankh7cae \Device\ScsiPort6 fffffa8007e402c0 ---- Trace I/O - GMER 2.1 ---- Trace ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys >>UNKNOWN [0xfffffa80069e02c0]<< sptd.sys ataport.SYS pciide.sys PCIIDEX.SYS hal.dll atapi.sys fffffa80069e02c0 Trace 1 nt!IofCallDriver -> \Device\Harddisk1\DR1[0xfffffa800791b060] fffffa800791b060 Trace 3 CLASSPNP.SYS[fffff8800145143f] -> nt!IofCallDriver -> [0xfffffa8007914040] fffffa8007914040 Trace 5 ACPI.sys[fffff880011a07a1] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0xfffffa8007903060] fffffa8007903060 Trace \Driver\atapi[0xfffffa80073a9a70] -> IRP_MJ_CREATE -> 0xfffffa80069e02c0 fffffa80069e02c0 ---- Modules - GMER 2.1 ---- Module \SystemRoot\System32\Drivers\ankh7cae.SYS fffff880048b9000-fffff88004905000 (311296 bytes) ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\ControlSet001\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet001\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files (x86)\Alcohol Soft\Alcohol 52\ Reg HKLM\SYSTEM\ControlSet001\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0 Reg HKLM\SYSTEM\ControlSet001\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xC4 0xCA 0xD8 0x61 ... Reg HKLM\SYSTEM\ControlSet001\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet001\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0xA0 0x02 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet001\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0x0F 0xB8 0xEA 0xC9 ... Reg HKLM\SYSTEM\ControlSet001\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet001\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0xC6 0x21 0xFC 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager@PendingFileRenameOperations ????????????????????s????