GMER 2.2.19882 - http://www.gmer.net Rootkit scan 2016-09-26 16:04:33 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 WDC_WD10EZEX-00RKKA0 rev.80.00A80 931,51GB Running: erjcymmy.exe; Driver: C:\Users\Admin\AppData\Local\Temp\uwddakob.sys ---- User code sections - GMER 2.2 ---- .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076e4bbe0 5 bytes JMP 00000000497e0480 .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076e4bc30 5 bytes JMP 00000000497e0470 .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076e4bd90 5 bytes JMP 00000000497e0360 .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076e4bde0 5 bytes JMP 00000000497e0490 .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076e4bdf0 5 bytes JMP 00000000497e03d0 .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076e4bea0 5 bytes JMP 00000000497e0310 .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e4bed0 5 bytes JMP 00000000497e03a0 .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076e4bef0 1 byte JMP 00000000497e0380 .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 0000000076e4bef2 3 bytes {JMP 0xffffffffd2994490} .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076e4bf30 5 bytes JMP 00000000497e02d0 .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076e4bfb0 5 bytes JMP 00000000497e02c0 .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e4bfd0 5 bytes JMP 00000000497e0300 .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e4c010 5 bytes JMP 00000000497e03b0 .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076e4c050 5 bytes JMP 00000000497e0440 .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076e4c060 5 bytes JMP 00000000497e03e0 .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076e4c1c0 5 bytes JMP 00000000497e0220 .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076e4c380 5 bytes JMP 00000000497e04a0 .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076e4c3b0 5 bytes JMP 00000000497e0390 .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076e4c490 5 bytes JMP 00000000497e02e0 .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076e4c4a0 5 bytes JMP 00000000497e0340 .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076e4c500 5 bytes JMP 00000000497e0280 .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076e4c590 5 bytes JMP 00000000497e02a0 .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e4c5b0 5 bytes JMP 00000000497e03c0 .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076e4c5c0 5 bytes JMP 00000000497e0320 .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076e4c630 5 bytes JMP 00000000497e0410 .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076e4c660 5 bytes JMP 00000000497e0230 .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000076e4c800 5 bytes JMP 00000000497e03f0 .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e4c920 5 bytes JMP 00000000497e01d0 .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076e4c9e0 5 bytes JMP 00000000497e0240 .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076e4ca10 5 bytes JMP 00000000497e04b0 .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076e4ca20 5 bytes JMP 00000000497e04c0 .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076e4ca50 5 bytes JMP 00000000497e02f0 .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076e4ca60 5 bytes JMP 00000000497e0350 .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076e4cac0 5 bytes JMP 00000000497e0290 .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076e4cb10 5 bytes JMP 00000000497e02b0 .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076e4cb40 5 bytes JMP 00000000497e0370 .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076e4cb50 5 bytes JMP 00000000497e0330 .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076e4ce40 5 bytes JMP 00000000497e0460 .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000076e4cfa0 5 bytes JMP 00000000497e0420 .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076e4d040 5 bytes JMP 00000000497e0250 .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076e4d050 5 bytes JMP 00000000497e0260 .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e4d060 5 bytes JMP 00000000497e0400 .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e4d220 5 bytes JMP 00000000497e01e0 .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076e4d230 5 bytes JMP 00000000497e0200 .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076e4d2a0 5 bytes JMP 00000000497e01f0 .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076e4d300 5 bytes JMP 00000000497e0430 .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076e4d310 5 bytes JMP 00000000497e0450 .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076e4d320 5 bytes JMP 00000000497e0210 .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076e4d400 5 bytes JMP 00000000497e0270 .text C:\Windows\system32\csrss.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076e4bbe0 5 bytes JMP 0000000000040480 .text C:\Windows\system32\csrss.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076e4bc30 5 bytes JMP 0000000000040470 .text C:\Windows\system32\csrss.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076e4bd90 5 bytes JMP 0000000000040360 .text C:\Windows\system32\csrss.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076e4bde0 5 bytes JMP 0000000000040490 .text C:\Windows\system32\csrss.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076e4bdf0 5 bytes JMP 00000000000403d0 .text C:\Windows\system32\csrss.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076e4bea0 5 bytes JMP 0000000000040310 .text C:\Windows\system32\csrss.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e4bed0 5 bytes JMP 00000000000403a0 .text C:\Windows\system32\csrss.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076e4bef0 1 byte JMP 0000000000040380 .text C:\Windows\system32\csrss.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 0000000076e4bef2 3 bytes {JMP 0xffffffff891f4490} .text C:\Windows\system32\csrss.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076e4bf30 5 bytes JMP 00000000000402d0 .text C:\Windows\system32\csrss.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076e4bfb0 5 bytes JMP 00000000000402c0 .text C:\Windows\system32\csrss.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e4bfd0 5 bytes JMP 0000000000040300 .text C:\Windows\system32\csrss.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e4c010 5 bytes JMP 00000000000403b0 .text C:\Windows\system32\csrss.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076e4c050 5 bytes JMP 0000000000040440 .text C:\Windows\system32\csrss.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076e4c060 5 bytes JMP 00000000000403e0 .text C:\Windows\system32\csrss.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076e4c1c0 5 bytes JMP 0000000000040220 .text C:\Windows\system32\csrss.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076e4c380 5 bytes JMP 00000000000404a0 .text C:\Windows\system32\csrss.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076e4c3b0 5 bytes JMP 0000000000040390 .text C:\Windows\system32\csrss.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076e4c490 5 bytes JMP 00000000000402e0 .text C:\Windows\system32\csrss.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076e4c4a0 5 bytes JMP 0000000000040340 .text C:\Windows\system32\csrss.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076e4c500 5 bytes JMP 0000000000040280 .text C:\Windows\system32\csrss.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076e4c590 5 bytes JMP 00000000000402a0 .text C:\Windows\system32\csrss.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e4c5b0 5 bytes JMP 00000000000403c0 .text C:\Windows\system32\csrss.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076e4c5c0 5 bytes JMP 0000000000040320 .text C:\Windows\system32\csrss.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076e4c630 5 bytes JMP 0000000000040410 .text C:\Windows\system32\csrss.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076e4c660 5 bytes JMP 0000000000040230 .text C:\Windows\system32\csrss.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000076e4c800 5 bytes JMP 00000000000403f0 .text C:\Windows\system32\csrss.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e4c920 5 bytes JMP 00000000000401d0 .text C:\Windows\system32\csrss.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076e4c9e0 5 bytes JMP 0000000000040240 .text C:\Windows\system32\csrss.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076e4ca10 5 bytes JMP 00000000000404b0 .text C:\Windows\system32\csrss.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076e4ca20 5 bytes JMP 00000000000404c0 .text C:\Windows\system32\csrss.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076e4ca50 5 bytes JMP 00000000000402f0 .text C:\Windows\system32\csrss.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076e4ca60 5 bytes JMP 0000000000040350 .text C:\Windows\system32\csrss.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076e4cac0 5 bytes JMP 0000000000040290 .text C:\Windows\system32\csrss.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076e4cb10 5 bytes JMP 00000000000402b0 .text C:\Windows\system32\csrss.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076e4cb40 5 bytes JMP 0000000000040370 .text C:\Windows\system32\csrss.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076e4cb50 5 bytes JMP 0000000000040330 .text C:\Windows\system32\csrss.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076e4ce40 5 bytes JMP 0000000000040460 .text C:\Windows\system32\csrss.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000076e4cfa0 5 bytes JMP 0000000000040420 .text C:\Windows\system32\csrss.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076e4d040 5 bytes JMP 0000000000040250 .text C:\Windows\system32\csrss.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076e4d050 5 bytes JMP 0000000000040260 .text C:\Windows\system32\csrss.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e4d060 5 bytes JMP 0000000000040400 .text C:\Windows\system32\csrss.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e4d220 5 bytes JMP 00000000000401e0 .text C:\Windows\system32\csrss.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076e4d230 5 bytes JMP 0000000000040200 .text C:\Windows\system32\csrss.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076e4d2a0 5 bytes JMP 00000000000401f0 .text C:\Windows\system32\csrss.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076e4d300 5 bytes JMP 0000000000040430 .text C:\Windows\system32\csrss.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076e4d310 5 bytes JMP 0000000000040450 .text C:\Windows\system32\csrss.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076e4d320 5 bytes JMP 0000000000040210 .text C:\Windows\system32\csrss.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076e4d400 5 bytes JMP 0000000000040270 .text C:\Windows\system32\services.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076e4bbe0 5 bytes JMP 0000000076fb0480 .text C:\Windows\system32\services.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076e4bc30 5 bytes JMP 0000000076fb0470 .text C:\Windows\system32\services.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076e4bd90 5 bytes JMP 0000000076fb0360 .text C:\Windows\system32\services.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076e4bde0 5 bytes JMP 0000000076fb0490 .text C:\Windows\system32\services.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076e4bdf0 5 bytes JMP 0000000076fb03d0 .text C:\Windows\system32\services.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076e4bea0 5 bytes JMP 0000000076fb0310 .text C:\Windows\system32\services.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e4bed0 5 bytes JMP 0000000076fb03a0 .text C:\Windows\system32\services.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076e4bef0 1 byte JMP 0000000076fb0380 .text C:\Windows\system32\services.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 0000000076e4bef2 3 bytes {JMP 0x164490} .text C:\Windows\system32\services.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076e4bf30 5 bytes JMP 0000000076fb02d0 .text C:\Windows\system32\services.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076e4bfb0 5 bytes JMP 0000000076fb02c0 .text C:\Windows\system32\services.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e4bfd0 5 bytes JMP 0000000076fb0300 .text C:\Windows\system32\services.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e4c010 5 bytes JMP 0000000076fb03b0 .text C:\Windows\system32\services.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076e4c050 5 bytes JMP 0000000076fb0440 .text C:\Windows\system32\services.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076e4c060 5 bytes JMP 0000000076fb03e0 .text C:\Windows\system32\services.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076e4c1c0 5 bytes JMP 0000000076fb0220 .text C:\Windows\system32\services.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076e4c380 5 bytes JMP 0000000076fb04a0 .text C:\Windows\system32\services.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076e4c3b0 5 bytes JMP 0000000076fb0390 .text C:\Windows\system32\services.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076e4c490 5 bytes JMP 0000000076fb02e0 .text C:\Windows\system32\services.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076e4c4a0 5 bytes JMP 0000000076fb0340 .text C:\Windows\system32\services.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076e4c500 5 bytes JMP 0000000076fb0280 .text C:\Windows\system32\services.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076e4c590 5 bytes JMP 0000000076fb02a0 .text C:\Windows\system32\services.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e4c5b0 5 bytes JMP 0000000076fb03c0 .text C:\Windows\system32\services.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076e4c5c0 5 bytes JMP 0000000076fb0320 .text C:\Windows\system32\services.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076e4c630 5 bytes JMP 0000000076fb0410 .text C:\Windows\system32\services.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076e4c660 5 bytes JMP 0000000076fb0230 .text C:\Windows\system32\services.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000076e4c800 5 bytes JMP 0000000076fb03f0 .text C:\Windows\system32\services.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e4c920 5 bytes JMP 0000000076fb01d0 .text C:\Windows\system32\services.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076e4c9e0 5 bytes JMP 0000000076fb0240 .text C:\Windows\system32\services.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076e4ca10 5 bytes JMP 0000000076fb04b0 .text C:\Windows\system32\services.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076e4ca20 5 bytes JMP 0000000076fb04c0 .text C:\Windows\system32\services.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076e4ca50 5 bytes JMP 0000000076fb02f0 .text C:\Windows\system32\services.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076e4ca60 5 bytes JMP 0000000076fb0350 .text C:\Windows\system32\services.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076e4cac0 5 bytes JMP 0000000076fb0290 .text C:\Windows\system32\services.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076e4cb10 5 bytes JMP 0000000076fb02b0 .text C:\Windows\system32\services.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076e4cb40 5 bytes JMP 0000000076fb0370 .text C:\Windows\system32\services.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076e4cb50 5 bytes JMP 0000000076fb0330 .text C:\Windows\system32\services.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076e4ce40 5 bytes JMP 0000000076fb0460 .text C:\Windows\system32\services.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000076e4cfa0 5 bytes JMP 0000000076fb0420 .text C:\Windows\system32\services.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076e4d040 5 bytes JMP 0000000076fb0250 .text C:\Windows\system32\services.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076e4d050 5 bytes JMP 0000000076fb0260 .text C:\Windows\system32\services.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e4d060 5 bytes JMP 0000000076fb0400 .text C:\Windows\system32\services.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e4d220 5 bytes JMP 0000000076fb01e0 .text C:\Windows\system32\services.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076e4d230 5 bytes JMP 0000000076fb0200 .text C:\Windows\system32\services.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076e4d2a0 5 bytes JMP 0000000076fb01f0 .text C:\Windows\system32\services.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076e4d300 5 bytes JMP 0000000076fb0430 .text C:\Windows\system32\services.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076e4d310 5 bytes JMP 0000000076fb0450 .text C:\Windows\system32\services.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076e4d320 5 bytes JMP 0000000076fb0210 .text C:\Windows\system32\services.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076e4d400 5 bytes JMP 0000000076fb0270 .text C:\Windows\system32\winlogon.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076e4bbe0 5 bytes JMP 0000000000040480 .text C:\Windows\system32\winlogon.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076e4bc30 5 bytes JMP 0000000000040470 .text C:\Windows\system32\winlogon.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076e4bd90 5 bytes JMP 0000000000040360 .text C:\Windows\system32\winlogon.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076e4bde0 5 bytes JMP 0000000000040490 .text C:\Windows\system32\winlogon.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076e4bdf0 5 bytes JMP 00000000000403d0 .text C:\Windows\system32\winlogon.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076e4bea0 5 bytes JMP 0000000000040310 .text C:\Windows\system32\winlogon.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e4bed0 5 bytes JMP 00000000000403a0 .text C:\Windows\system32\winlogon.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076e4bef0 1 byte JMP 0000000000040380 .text C:\Windows\system32\winlogon.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 0000000076e4bef2 3 bytes {JMP 0xffffffff891f4490} .text C:\Windows\system32\winlogon.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076e4bf30 5 bytes JMP 00000000000402d0 .text C:\Windows\system32\winlogon.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076e4bfb0 5 bytes JMP 00000000000402c0 .text C:\Windows\system32\winlogon.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e4bfd0 5 bytes JMP 0000000000040300 .text C:\Windows\system32\winlogon.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e4c010 5 bytes JMP 00000000000403b0 .text C:\Windows\system32\winlogon.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076e4c050 5 bytes JMP 0000000000040440 .text C:\Windows\system32\winlogon.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076e4c060 5 bytes JMP 00000000000403e0 .text C:\Windows\system32\winlogon.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076e4c1c0 5 bytes JMP 0000000000040220 .text C:\Windows\system32\winlogon.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076e4c380 5 bytes JMP 00000000000404a0 .text C:\Windows\system32\winlogon.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076e4c3b0 5 bytes JMP 0000000000040390 .text C:\Windows\system32\winlogon.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076e4c490 5 bytes JMP 00000000000402e0 .text C:\Windows\system32\winlogon.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076e4c4a0 5 bytes JMP 0000000000040340 .text C:\Windows\system32\winlogon.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076e4c500 5 bytes JMP 0000000000040280 .text C:\Windows\system32\winlogon.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076e4c590 5 bytes JMP 00000000000402a0 .text C:\Windows\system32\winlogon.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e4c5b0 5 bytes JMP 00000000000403c0 .text C:\Windows\system32\winlogon.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076e4c5c0 5 bytes JMP 0000000000040320 .text C:\Windows\system32\winlogon.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076e4c630 5 bytes JMP 0000000000040410 .text C:\Windows\system32\winlogon.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076e4c660 5 bytes JMP 0000000000040230 .text C:\Windows\system32\winlogon.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000076e4c800 5 bytes JMP 00000000000403f0 .text C:\Windows\system32\winlogon.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e4c920 5 bytes JMP 00000000000401d0 .text C:\Windows\system32\winlogon.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076e4c9e0 5 bytes JMP 0000000000040240 .text C:\Windows\system32\winlogon.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076e4ca10 5 bytes JMP 00000000000404b0 .text C:\Windows\system32\winlogon.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076e4ca20 5 bytes JMP 00000000000404c0 .text C:\Windows\system32\winlogon.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076e4ca50 5 bytes JMP 00000000000402f0 .text C:\Windows\system32\winlogon.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076e4ca60 5 bytes JMP 0000000000040350 .text C:\Windows\system32\winlogon.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076e4cac0 5 bytes JMP 0000000000040290 .text C:\Windows\system32\winlogon.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076e4cb10 5 bytes JMP 00000000000402b0 .text C:\Windows\system32\winlogon.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076e4cb40 5 bytes JMP 0000000000040370 .text C:\Windows\system32\winlogon.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076e4cb50 5 bytes JMP 0000000000040330 .text C:\Windows\system32\winlogon.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076e4ce40 5 bytes JMP 0000000000040460 .text C:\Windows\system32\winlogon.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000076e4cfa0 5 bytes JMP 0000000000040420 .text C:\Windows\system32\winlogon.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076e4d040 5 bytes JMP 0000000000040250 .text C:\Windows\system32\winlogon.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076e4d050 5 bytes JMP 0000000000040260 .text C:\Windows\system32\winlogon.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e4d060 5 bytes JMP 0000000000040400 .text C:\Windows\system32\winlogon.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e4d220 5 bytes JMP 00000000000401e0 .text C:\Windows\system32\winlogon.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076e4d230 5 bytes JMP 0000000000040200 .text C:\Windows\system32\winlogon.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076e4d2a0 5 bytes JMP 00000000000401f0 .text C:\Windows\system32\winlogon.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076e4d300 5 bytes JMP 0000000000040430 .text C:\Windows\system32\winlogon.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076e4d310 5 bytes JMP 0000000000040450 .text C:\Windows\system32\winlogon.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076e4d320 5 bytes JMP 0000000000040210 .text C:\Windows\system32\winlogon.exe[704] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076e4d400 5 bytes JMP 0000000000040270 .text C:\Windows\system32\lsass.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076e4bbe0 5 bytes JMP 0000000076fb0480 .text C:\Windows\system32\lsass.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076e4bc30 5 bytes JMP 0000000076fb0470 .text C:\Windows\system32\lsass.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076e4bd90 5 bytes JMP 0000000076fb0360 .text C:\Windows\system32\lsass.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076e4bde0 5 bytes JMP 0000000076fb0490 .text C:\Windows\system32\lsass.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076e4bdf0 5 bytes JMP 0000000076fb03d0 .text C:\Windows\system32\lsass.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076e4bea0 5 bytes JMP 0000000076fb0310 .text C:\Windows\system32\lsass.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e4bed0 5 bytes JMP 0000000076fb03a0 .text C:\Windows\system32\lsass.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076e4bef0 1 byte JMP 0000000076fb0380 .text C:\Windows\system32\lsass.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 0000000076e4bef2 3 bytes {JMP 0x164490} .text C:\Windows\system32\lsass.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076e4bf30 5 bytes JMP 0000000076fb02d0 .text C:\Windows\system32\lsass.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076e4bfb0 5 bytes JMP 0000000076fb02c0 .text C:\Windows\system32\lsass.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e4bfd0 5 bytes JMP 0000000076fb0300 .text C:\Windows\system32\lsass.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e4c010 5 bytes JMP 0000000076fb03b0 .text C:\Windows\system32\lsass.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076e4c050 5 bytes JMP 0000000076fb0440 .text C:\Windows\system32\lsass.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076e4c060 5 bytes JMP 0000000076fb03e0 .text C:\Windows\system32\lsass.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076e4c1c0 5 bytes JMP 0000000076fb0220 .text C:\Windows\system32\lsass.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076e4c380 5 bytes JMP 0000000076fb04a0 .text C:\Windows\system32\lsass.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076e4c3b0 5 bytes JMP 0000000076fb0390 .text C:\Windows\system32\lsass.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076e4c490 5 bytes JMP 0000000076fb02e0 .text C:\Windows\system32\lsass.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076e4c4a0 5 bytes JMP 0000000076fb0340 .text C:\Windows\system32\lsass.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076e4c500 5 bytes JMP 0000000076fb0280 .text C:\Windows\system32\lsass.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076e4c590 5 bytes JMP 0000000076fb02a0 .text C:\Windows\system32\lsass.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e4c5b0 5 bytes JMP 0000000076fb03c0 .text C:\Windows\system32\lsass.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076e4c5c0 5 bytes JMP 0000000076fb0320 .text C:\Windows\system32\lsass.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076e4c630 5 bytes JMP 0000000076fb0410 .text C:\Windows\system32\lsass.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076e4c660 5 bytes JMP 0000000076fb0230 .text C:\Windows\system32\lsass.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000076e4c800 5 bytes JMP 0000000076fb03f0 .text C:\Windows\system32\lsass.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e4c920 5 bytes JMP 0000000076fb01d0 .text C:\Windows\system32\lsass.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076e4c9e0 5 bytes JMP 0000000076fb0240 .text C:\Windows\system32\lsass.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076e4ca10 5 bytes JMP 0000000076fb04b0 .text C:\Windows\system32\lsass.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076e4ca20 5 bytes JMP 0000000076fb04c0 .text C:\Windows\system32\lsass.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076e4ca50 5 bytes JMP 0000000076fb02f0 .text C:\Windows\system32\lsass.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076e4ca60 5 bytes JMP 0000000076fb0350 .text C:\Windows\system32\lsass.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076e4cac0 5 bytes JMP 0000000076fb0290 .text C:\Windows\system32\lsass.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076e4cb10 5 bytes JMP 0000000076fb02b0 .text C:\Windows\system32\lsass.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076e4cb40 5 bytes JMP 0000000076fb0370 .text C:\Windows\system32\lsass.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076e4cb50 5 bytes JMP 0000000076fb0330 .text C:\Windows\system32\lsass.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076e4ce40 5 bytes JMP 0000000076fb0460 .text C:\Windows\system32\lsass.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000076e4cfa0 5 bytes JMP 0000000076fb0420 .text C:\Windows\system32\lsass.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076e4d040 5 bytes JMP 0000000076fb0250 .text C:\Windows\system32\lsass.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076e4d050 5 bytes JMP 0000000076fb0260 .text C:\Windows\system32\lsass.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e4d060 5 bytes JMP 0000000076fb0400 .text C:\Windows\system32\lsass.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e4d220 5 bytes JMP 0000000076fb01e0 .text C:\Windows\system32\lsass.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076e4d230 5 bytes JMP 0000000076fb0200 .text C:\Windows\system32\lsass.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076e4d2a0 5 bytes JMP 0000000076fb01f0 .text C:\Windows\system32\lsass.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076e4d300 5 bytes JMP 0000000076fb0430 .text C:\Windows\system32\lsass.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076e4d310 5 bytes JMP 0000000076fb0450 .text C:\Windows\system32\lsass.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076e4d320 5 bytes JMP 0000000076fb0210 .text C:\Windows\system32\lsass.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076e4d400 5 bytes JMP 0000000076fb0270 .text C:\Windows\system32\lsm.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076e4bbe0 5 bytes JMP 0000000076fb0480 .text C:\Windows\system32\lsm.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076e4bc30 5 bytes JMP 0000000076fb0470 .text C:\Windows\system32\lsm.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076e4bd90 5 bytes JMP 0000000076fb0360 .text C:\Windows\system32\lsm.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076e4bde0 5 bytes JMP 0000000076fb0490 .text C:\Windows\system32\lsm.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076e4bdf0 5 bytes JMP 0000000076fb03d0 .text C:\Windows\system32\lsm.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076e4bea0 5 bytes JMP 0000000076fb0310 .text C:\Windows\system32\lsm.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e4bed0 5 bytes JMP 0000000076fb03a0 .text C:\Windows\system32\lsm.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076e4bef0 1 byte JMP 0000000076fb0380 .text C:\Windows\system32\lsm.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 0000000076e4bef2 3 bytes {JMP 0x164490} .text C:\Windows\system32\lsm.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076e4bf30 5 bytes JMP 0000000076fb02d0 .text C:\Windows\system32\lsm.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076e4bfb0 5 bytes JMP 0000000076fb02c0 .text C:\Windows\system32\lsm.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e4bfd0 5 bytes JMP 0000000076fb0300 .text C:\Windows\system32\lsm.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e4c010 5 bytes JMP 0000000076fb03b0 .text C:\Windows\system32\lsm.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076e4c050 5 bytes JMP 0000000076fb0440 .text C:\Windows\system32\lsm.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076e4c060 5 bytes JMP 0000000076fb03e0 .text C:\Windows\system32\lsm.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076e4c1c0 5 bytes JMP 0000000076fb0220 .text C:\Windows\system32\lsm.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076e4c380 5 bytes JMP 0000000076fb04a0 .text C:\Windows\system32\lsm.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076e4c3b0 5 bytes JMP 0000000076fb0390 .text C:\Windows\system32\lsm.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076e4c490 5 bytes JMP 0000000076fb02e0 .text C:\Windows\system32\lsm.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076e4c4a0 5 bytes JMP 0000000076fb0340 .text C:\Windows\system32\lsm.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076e4c500 5 bytes JMP 0000000076fb0280 .text C:\Windows\system32\lsm.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076e4c590 5 bytes JMP 0000000076fb02a0 .text C:\Windows\system32\lsm.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e4c5b0 5 bytes JMP 0000000076fb03c0 .text C:\Windows\system32\lsm.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076e4c5c0 5 bytes JMP 0000000076fb0320 .text C:\Windows\system32\lsm.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076e4c630 5 bytes JMP 0000000076fb0410 .text C:\Windows\system32\lsm.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076e4c660 5 bytes JMP 0000000076fb0230 .text C:\Windows\system32\lsm.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000076e4c800 5 bytes JMP 0000000076fb03f0 .text C:\Windows\system32\lsm.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e4c920 5 bytes JMP 0000000076fb01d0 .text C:\Windows\system32\lsm.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076e4c9e0 5 bytes JMP 0000000076fb0240 .text C:\Windows\system32\lsm.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076e4ca10 5 bytes JMP 0000000076fb04b0 .text C:\Windows\system32\lsm.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076e4ca20 5 bytes JMP 0000000076fb04c0 .text C:\Windows\system32\lsm.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076e4ca50 5 bytes JMP 0000000076fb02f0 .text C:\Windows\system32\lsm.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076e4ca60 5 bytes JMP 0000000076fb0350 .text C:\Windows\system32\lsm.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076e4cac0 5 bytes JMP 0000000076fb0290 .text C:\Windows\system32\lsm.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076e4cb10 5 bytes JMP 0000000076fb02b0 .text C:\Windows\system32\lsm.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076e4cb40 5 bytes JMP 0000000076fb0370 .text C:\Windows\system32\lsm.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076e4cb50 5 bytes JMP 0000000076fb0330 .text C:\Windows\system32\lsm.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076e4ce40 5 bytes JMP 0000000076fb0460 .text C:\Windows\system32\lsm.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000076e4cfa0 5 bytes JMP 0000000076fb0420 .text C:\Windows\system32\lsm.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076e4d040 5 bytes JMP 0000000076fb0250 .text C:\Windows\system32\lsm.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076e4d050 5 bytes JMP 0000000076fb0260 .text C:\Windows\system32\lsm.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e4d060 5 bytes JMP 0000000076fb0400 .text C:\Windows\system32\lsm.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e4d220 5 bytes JMP 0000000076fb01e0 .text C:\Windows\system32\lsm.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076e4d230 5 bytes JMP 0000000076fb0200 .text C:\Windows\system32\lsm.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076e4d2a0 5 bytes JMP 0000000076fb01f0 .text C:\Windows\system32\lsm.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076e4d300 5 bytes JMP 0000000076fb0430 .text C:\Windows\system32\lsm.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076e4d310 5 bytes JMP 0000000076fb0450 .text C:\Windows\system32\lsm.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076e4d320 5 bytes JMP 0000000076fb0210 .text C:\Windows\system32\lsm.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076e4d400 5 bytes JMP 0000000076fb0270 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076e4bbe0 5 bytes JMP 0000000000070480 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076e4bc30 5 bytes JMP 0000000000070470 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076e4bd90 5 bytes JMP 0000000000070360 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076e4bde0 5 bytes JMP 0000000000070490 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076e4bdf0 5 bytes JMP 00000000000703d0 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076e4bea0 5 bytes JMP 0000000000070310 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e4bed0 5 bytes JMP 00000000000703a0 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076e4bef0 1 byte JMP 0000000000070380 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 0000000076e4bef2 3 bytes {JMP 0xffffffff89224490} .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076e4bf30 5 bytes JMP 00000000000702d0 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076e4bfb0 5 bytes JMP 00000000000702c0 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e4bfd0 5 bytes JMP 0000000000070300 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e4c010 5 bytes JMP 00000000000703b0 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076e4c050 5 bytes JMP 0000000000070440 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076e4c060 5 bytes JMP 00000000000703e0 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076e4c1c0 5 bytes JMP 0000000000070220 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076e4c380 5 bytes JMP 00000000000704a0 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076e4c3b0 5 bytes JMP 0000000000070390 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076e4c490 5 bytes JMP 00000000000702e0 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076e4c4a0 5 bytes JMP 0000000000070340 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076e4c500 5 bytes JMP 0000000000070280 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076e4c590 5 bytes JMP 00000000000702a0 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e4c5b0 5 bytes JMP 00000000000703c0 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076e4c5c0 5 bytes JMP 0000000000070320 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076e4c630 5 bytes JMP 0000000000070410 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076e4c660 5 bytes JMP 0000000000070230 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000076e4c800 5 bytes JMP 00000000000703f0 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e4c920 5 bytes JMP 00000000000701d0 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076e4c9e0 5 bytes JMP 0000000000070240 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076e4ca10 5 bytes JMP 00000000000704b0 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076e4ca20 5 bytes JMP 00000000000704c0 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076e4ca50 5 bytes JMP 00000000000702f0 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076e4ca60 5 bytes JMP 0000000000070350 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076e4cac0 5 bytes JMP 0000000000070290 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076e4cb10 5 bytes JMP 00000000000702b0 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076e4cb40 5 bytes JMP 0000000000070370 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076e4cb50 5 bytes JMP 0000000000070330 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076e4ce40 5 bytes JMP 0000000000070460 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000076e4cfa0 5 bytes JMP 0000000000070420 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076e4d040 5 bytes JMP 0000000000070250 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076e4d050 5 bytes JMP 0000000000070260 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e4d060 5 bytes JMP 0000000000070400 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e4d220 5 bytes JMP 00000000000701e0 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076e4d230 5 bytes JMP 0000000000070200 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076e4d2a0 5 bytes JMP 00000000000701f0 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076e4d300 5 bytes JMP 0000000000070430 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076e4d310 5 bytes JMP 0000000000070450 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076e4d320 5 bytes JMP 0000000000070210 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076e4d400 5 bytes JMP 0000000000070270 .text C:\Windows\system32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076e4bbe0 5 bytes JMP 0000000076fb0480 .text C:\Windows\system32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076e4bc30 5 bytes JMP 0000000076fb0470 .text C:\Windows\system32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076e4bd90 5 bytes JMP 0000000076fb0360 .text C:\Windows\system32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076e4bde0 5 bytes JMP 0000000076fb0490 .text C:\Windows\system32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076e4bdf0 5 bytes JMP 0000000076fb03d0 .text C:\Windows\system32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076e4bea0 5 bytes JMP 0000000076fb0310 .text C:\Windows\system32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e4bed0 5 bytes JMP 0000000076fb03a0 .text C:\Windows\system32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076e4bef0 1 byte JMP 0000000076fb0380 .text C:\Windows\system32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 0000000076e4bef2 3 bytes {JMP 0x164490} .text C:\Windows\system32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076e4bf30 5 bytes JMP 0000000076fb02d0 .text C:\Windows\system32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076e4bfb0 5 bytes JMP 0000000076fb02c0 .text C:\Windows\system32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e4bfd0 5 bytes JMP 0000000076fb0300 .text C:\Windows\system32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e4c010 5 bytes JMP 0000000076fb03b0 .text C:\Windows\system32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076e4c050 5 bytes JMP 0000000076fb0440 .text C:\Windows\system32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076e4c060 5 bytes JMP 0000000076fb03e0 .text C:\Windows\system32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076e4c1c0 5 bytes JMP 0000000076fb0220 .text C:\Windows\system32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076e4c380 5 bytes JMP 0000000076fb04a0 .text C:\Windows\system32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076e4c3b0 5 bytes JMP 0000000076fb0390 .text C:\Windows\system32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076e4c490 5 bytes JMP 0000000076fb02e0 .text C:\Windows\system32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076e4c4a0 5 bytes JMP 0000000076fb0340 .text C:\Windows\system32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076e4c500 5 bytes JMP 0000000076fb0280 .text C:\Windows\system32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076e4c590 5 bytes JMP 0000000076fb02a0 .text C:\Windows\system32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e4c5b0 5 bytes JMP 0000000076fb03c0 .text C:\Windows\system32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076e4c5c0 5 bytes JMP 0000000076fb0320 .text C:\Windows\system32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076e4c630 5 bytes JMP 0000000076fb0410 .text C:\Windows\system32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076e4c660 5 bytes JMP 0000000076fb0230 .text C:\Windows\system32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000076e4c800 5 bytes JMP 0000000076fb03f0 .text C:\Windows\system32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e4c920 5 bytes JMP 0000000076fb01d0 .text C:\Windows\system32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076e4c9e0 5 bytes JMP 0000000076fb0240 .text C:\Windows\system32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076e4ca10 5 bytes JMP 0000000076fb04b0 .text C:\Windows\system32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076e4ca20 5 bytes JMP 0000000076fb04c0 .text C:\Windows\system32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076e4ca50 5 bytes JMP 0000000076fb02f0 .text C:\Windows\system32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076e4ca60 5 bytes JMP 0000000076fb0350 .text C:\Windows\system32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076e4cac0 5 bytes JMP 0000000076fb0290 .text C:\Windows\system32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076e4cb10 5 bytes JMP 0000000076fb02b0 .text C:\Windows\system32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076e4cb40 5 bytes JMP 0000000076fb0370 .text C:\Windows\system32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076e4cb50 5 bytes JMP 0000000076fb0330 .text C:\Windows\system32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076e4ce40 5 bytes JMP 0000000076fb0460 .text C:\Windows\system32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000076e4cfa0 5 bytes JMP 0000000076fb0420 .text C:\Windows\system32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076e4d040 5 bytes JMP 0000000076fb0250 .text C:\Windows\system32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076e4d050 5 bytes JMP 0000000076fb0260 .text C:\Windows\system32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e4d060 5 bytes JMP 0000000076fb0400 .text C:\Windows\system32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e4d220 5 bytes JMP 0000000076fb01e0 .text C:\Windows\system32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076e4d230 5 bytes JMP 0000000076fb0200 .text C:\Windows\system32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076e4d2a0 5 bytes JMP 0000000076fb01f0 .text C:\Windows\system32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076e4d300 5 bytes JMP 0000000076fb0430 .text C:\Windows\system32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076e4d310 5 bytes JMP 0000000076fb0450 .text C:\Windows\system32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076e4d320 5 bytes JMP 0000000076fb0210 .text C:\Windows\system32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076e4d400 5 bytes JMP 0000000076fb0270 .text C:\Windows\System32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076e4bbe0 5 bytes JMP 0000000076fb0480 .text C:\Windows\System32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076e4bc30 5 bytes JMP 0000000076fb0470 .text C:\Windows\System32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076e4bd90 5 bytes JMP 0000000076fb0360 .text C:\Windows\System32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076e4bde0 5 bytes JMP 0000000076fb0490 .text C:\Windows\System32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076e4bdf0 5 bytes JMP 0000000076fb03d0 .text C:\Windows\System32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076e4bea0 5 bytes JMP 0000000076fb0310 .text C:\Windows\System32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e4bed0 5 bytes JMP 0000000076fb03a0 .text C:\Windows\System32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076e4bef0 1 byte JMP 0000000076fb0380 .text C:\Windows\System32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 0000000076e4bef2 3 bytes {JMP 0x164490} .text C:\Windows\System32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076e4bf30 5 bytes JMP 0000000076fb02d0 .text C:\Windows\System32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076e4bfb0 5 bytes JMP 0000000076fb02c0 .text C:\Windows\System32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e4bfd0 5 bytes JMP 0000000076fb0300 .text C:\Windows\System32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e4c010 5 bytes JMP 0000000076fb03b0 .text C:\Windows\System32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076e4c050 5 bytes JMP 0000000076fb0440 .text C:\Windows\System32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076e4c060 5 bytes JMP 0000000076fb03e0 .text C:\Windows\System32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076e4c1c0 5 bytes JMP 0000000076fb0220 .text C:\Windows\System32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076e4c380 5 bytes JMP 0000000076fb04a0 .text C:\Windows\System32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076e4c3b0 5 bytes JMP 0000000076fb0390 .text C:\Windows\System32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076e4c490 5 bytes JMP 0000000076fb02e0 .text C:\Windows\System32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076e4c4a0 5 bytes JMP 0000000076fb0340 .text C:\Windows\System32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076e4c500 5 bytes JMP 0000000076fb0280 .text C:\Windows\System32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076e4c590 5 bytes JMP 0000000076fb02a0 .text C:\Windows\System32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e4c5b0 5 bytes JMP 0000000076fb03c0 .text C:\Windows\System32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076e4c5c0 5 bytes JMP 0000000076fb0320 .text C:\Windows\System32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076e4c630 5 bytes JMP 0000000076fb0410 .text C:\Windows\System32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076e4c660 5 bytes JMP 0000000076fb0230 .text C:\Windows\System32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000076e4c800 5 bytes JMP 0000000076fb03f0 .text C:\Windows\System32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e4c920 5 bytes JMP 0000000076fb01d0 .text C:\Windows\System32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076e4c9e0 5 bytes JMP 0000000076fb0240 .text C:\Windows\System32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076e4ca10 5 bytes JMP 0000000076fb04b0 .text C:\Windows\System32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076e4ca20 5 bytes JMP 0000000076fb04c0 .text C:\Windows\System32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076e4ca50 5 bytes JMP 0000000076fb02f0 .text C:\Windows\System32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076e4ca60 5 bytes JMP 0000000076fb0350 .text C:\Windows\System32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076e4cac0 5 bytes JMP 0000000076fb0290 .text C:\Windows\System32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076e4cb10 5 bytes JMP 0000000076fb02b0 .text C:\Windows\System32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076e4cb40 5 bytes JMP 0000000076fb0370 .text C:\Windows\System32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076e4cb50 5 bytes JMP 0000000076fb0330 .text C:\Windows\System32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076e4ce40 5 bytes JMP 0000000076fb0460 .text C:\Windows\System32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000076e4cfa0 5 bytes JMP 0000000076fb0420 .text C:\Windows\System32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076e4d040 5 bytes JMP 0000000076fb0250 .text C:\Windows\System32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076e4d050 5 bytes JMP 0000000076fb0260 .text C:\Windows\System32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e4d060 5 bytes JMP 0000000076fb0400 .text C:\Windows\System32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e4d220 5 bytes JMP 0000000076fb01e0 .text C:\Windows\System32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076e4d230 5 bytes JMP 0000000076fb0200 .text C:\Windows\System32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076e4d2a0 5 bytes JMP 0000000076fb01f0 .text C:\Windows\System32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076e4d300 5 bytes JMP 0000000076fb0430 .text C:\Windows\System32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076e4d310 5 bytes JMP 0000000076fb0450 .text C:\Windows\System32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076e4d320 5 bytes JMP 0000000076fb0210 .text C:\Windows\System32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076e4d400 5 bytes JMP 0000000076fb0270 .text C:\Windows\System32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076e4bbe0 5 bytes JMP 0000000076fb0480 .text C:\Windows\System32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076e4bc30 5 bytes JMP 0000000076fb0470 .text C:\Windows\System32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076e4bd90 5 bytes JMP 0000000076fb0360 .text C:\Windows\System32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076e4bde0 5 bytes JMP 0000000076fb0490 .text C:\Windows\System32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076e4bdf0 5 bytes JMP 0000000076fb03d0 .text C:\Windows\System32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076e4bea0 5 bytes JMP 0000000076fb0310 .text C:\Windows\System32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e4bed0 5 bytes JMP 0000000076fb03a0 .text C:\Windows\System32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076e4bef0 1 byte JMP 0000000076fb0380 .text C:\Windows\System32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 0000000076e4bef2 3 bytes {JMP 0x164490} .text C:\Windows\System32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076e4bf30 5 bytes JMP 0000000076fb02d0 .text C:\Windows\System32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076e4bfb0 5 bytes JMP 0000000076fb02c0 .text C:\Windows\System32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e4bfd0 5 bytes JMP 0000000076fb0300 .text C:\Windows\System32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e4c010 5 bytes JMP 0000000076fb03b0 .text C:\Windows\System32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076e4c050 5 bytes JMP 0000000076fb0440 .text C:\Windows\System32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076e4c060 5 bytes JMP 0000000076fb03e0 .text C:\Windows\System32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076e4c1c0 5 bytes JMP 0000000076fb0220 .text C:\Windows\System32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076e4c380 5 bytes JMP 0000000076fb04a0 .text C:\Windows\System32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076e4c3b0 5 bytes JMP 0000000076fb0390 .text C:\Windows\System32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076e4c490 5 bytes JMP 0000000076fb02e0 .text C:\Windows\System32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076e4c4a0 5 bytes JMP 0000000076fb0340 .text C:\Windows\System32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076e4c500 5 bytes JMP 0000000076fb0280 .text C:\Windows\System32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076e4c590 5 bytes JMP 0000000076fb02a0 .text C:\Windows\System32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e4c5b0 5 bytes JMP 0000000076fb03c0 .text C:\Windows\System32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076e4c5c0 5 bytes JMP 0000000076fb0320 .text C:\Windows\System32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076e4c630 5 bytes JMP 0000000076fb0410 .text C:\Windows\System32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076e4c660 5 bytes JMP 0000000076fb0230 .text C:\Windows\System32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000076e4c800 5 bytes JMP 0000000076fb03f0 .text C:\Windows\System32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e4c920 5 bytes JMP 0000000076fb01d0 .text C:\Windows\System32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076e4c9e0 5 bytes JMP 0000000076fb0240 .text C:\Windows\System32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076e4ca10 5 bytes JMP 0000000076fb04b0 .text C:\Windows\System32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076e4ca20 5 bytes JMP 0000000076fb04c0 .text C:\Windows\System32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076e4ca50 5 bytes JMP 0000000076fb02f0 .text C:\Windows\System32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076e4ca60 5 bytes JMP 0000000076fb0350 .text C:\Windows\System32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076e4cac0 5 bytes JMP 0000000076fb0290 .text C:\Windows\System32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076e4cb10 5 bytes JMP 0000000076fb02b0 .text C:\Windows\System32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076e4cb40 5 bytes JMP 0000000076fb0370 .text C:\Windows\System32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076e4cb50 5 bytes JMP 0000000076fb0330 .text C:\Windows\System32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076e4ce40 5 bytes JMP 0000000076fb0460 .text C:\Windows\System32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000076e4cfa0 5 bytes JMP 0000000076fb0420 .text C:\Windows\System32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076e4d040 5 bytes JMP 0000000076fb0250 .text C:\Windows\System32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076e4d050 5 bytes JMP 0000000076fb0260 .text C:\Windows\System32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e4d060 5 bytes JMP 0000000076fb0400 .text C:\Windows\System32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e4d220 5 bytes JMP 0000000076fb01e0 .text C:\Windows\System32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076e4d230 5 bytes JMP 0000000076fb0200 .text C:\Windows\System32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076e4d2a0 5 bytes JMP 0000000076fb01f0 .text C:\Windows\System32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076e4d300 5 bytes JMP 0000000076fb0430 .text C:\Windows\System32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076e4d310 5 bytes JMP 0000000076fb0450 .text C:\Windows\System32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076e4d320 5 bytes JMP 0000000076fb0210 .text C:\Windows\System32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076e4d400 5 bytes JMP 0000000076fb0270 .text C:\Windows\system32\svchost.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076e4bbe0 5 bytes JMP 0000000076fb0480 .text C:\Windows\system32\svchost.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076e4bc30 5 bytes JMP 0000000076fb0470 .text C:\Windows\system32\svchost.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076e4bd90 5 bytes JMP 0000000076fb0360 .text C:\Windows\system32\svchost.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076e4bde0 5 bytes JMP 0000000076fb0490 .text C:\Windows\system32\svchost.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076e4bdf0 5 bytes JMP 0000000076fb03d0 .text C:\Windows\system32\svchost.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076e4bea0 5 bytes JMP 0000000076fb0310 .text C:\Windows\system32\svchost.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e4bed0 5 bytes JMP 0000000076fb03a0 .text C:\Windows\system32\svchost.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076e4bef0 1 byte JMP 0000000076fb0380 .text C:\Windows\system32\svchost.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 0000000076e4bef2 3 bytes {JMP 0x164490} .text C:\Windows\system32\svchost.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076e4bf30 5 bytes JMP 0000000076fb02d0 .text C:\Windows\system32\svchost.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076e4bfb0 5 bytes JMP 0000000076fb02c0 .text C:\Windows\system32\svchost.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e4bfd0 5 bytes JMP 0000000076fb0300 .text C:\Windows\system32\svchost.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e4c010 5 bytes JMP 0000000076fb03b0 .text C:\Windows\system32\svchost.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076e4c050 5 bytes JMP 0000000076fb0440 .text C:\Windows\system32\svchost.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076e4c060 5 bytes JMP 0000000076fb03e0 .text C:\Windows\system32\svchost.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076e4c1c0 5 bytes JMP 0000000076fb0220 .text C:\Windows\system32\svchost.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076e4c380 5 bytes JMP 0000000076fb04a0 .text C:\Windows\system32\svchost.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076e4c3b0 5 bytes JMP 0000000076fb0390 .text C:\Windows\system32\svchost.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076e4c490 5 bytes JMP 0000000076fb02e0 .text C:\Windows\system32\svchost.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076e4c4a0 5 bytes JMP 0000000076fb0340 .text C:\Windows\system32\svchost.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076e4c500 5 bytes JMP 0000000076fb0280 .text C:\Windows\system32\svchost.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076e4c590 5 bytes JMP 0000000076fb02a0 .text C:\Windows\system32\svchost.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e4c5b0 5 bytes JMP 0000000076fb03c0 .text C:\Windows\system32\svchost.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076e4c5c0 5 bytes JMP 0000000076fb0320 .text C:\Windows\system32\svchost.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076e4c630 5 bytes JMP 0000000076fb0410 .text C:\Windows\system32\svchost.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076e4c660 5 bytes JMP 0000000076fb0230 .text C:\Windows\system32\svchost.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000076e4c800 5 bytes JMP 0000000076fb03f0 .text C:\Windows\system32\svchost.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e4c920 5 bytes JMP 0000000076fb01d0 .text C:\Windows\system32\svchost.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076e4c9e0 5 bytes JMP 0000000076fb0240 .text C:\Windows\system32\svchost.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076e4ca10 5 bytes JMP 0000000076fb04b0 .text C:\Windows\system32\svchost.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076e4ca20 5 bytes JMP 0000000076fb04c0 .text C:\Windows\system32\svchost.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076e4ca50 5 bytes JMP 0000000076fb02f0 .text C:\Windows\system32\svchost.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076e4ca60 5 bytes JMP 0000000076fb0350 .text C:\Windows\system32\svchost.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076e4cac0 5 bytes JMP 0000000076fb0290 .text C:\Windows\system32\svchost.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076e4cb10 5 bytes JMP 0000000076fb02b0 .text C:\Windows\system32\svchost.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076e4cb40 5 bytes JMP 0000000076fb0370 .text C:\Windows\system32\svchost.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076e4cb50 5 bytes JMP 0000000076fb0330 .text C:\Windows\system32\svchost.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076e4ce40 5 bytes JMP 0000000076fb0460 .text C:\Windows\system32\svchost.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000076e4cfa0 5 bytes JMP 0000000076fb0420 .text C:\Windows\system32\svchost.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076e4d040 5 bytes JMP 0000000076fb0250 .text C:\Windows\system32\svchost.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076e4d050 5 bytes JMP 0000000076fb0260 .text C:\Windows\system32\svchost.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e4d060 5 bytes JMP 0000000076fb0400 .text C:\Windows\system32\svchost.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e4d220 5 bytes JMP 0000000076fb01e0 .text C:\Windows\system32\svchost.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076e4d230 5 bytes JMP 0000000076fb0200 .text C:\Windows\system32\svchost.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076e4d2a0 5 bytes JMP 0000000076fb01f0 .text C:\Windows\system32\svchost.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076e4d300 5 bytes JMP 0000000076fb0430 .text C:\Windows\system32\svchost.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076e4d310 5 bytes JMP 0000000076fb0450 .text C:\Windows\system32\svchost.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076e4d320 5 bytes JMP 0000000076fb0210 .text C:\Windows\system32\svchost.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076e4d400 5 bytes JMP 0000000076fb0270 .text C:\Windows\system32\svchost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076e4bbe0 5 bytes JMP 0000000076fb0480 .text C:\Windows\system32\svchost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076e4bc30 5 bytes JMP 0000000076fb0470 .text C:\Windows\system32\svchost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076e4bd90 5 bytes JMP 0000000076fb0360 .text C:\Windows\system32\svchost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076e4bde0 5 bytes JMP 0000000076fb0490 .text C:\Windows\system32\svchost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076e4bdf0 5 bytes JMP 0000000076fb03d0 .text C:\Windows\system32\svchost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076e4bea0 5 bytes JMP 0000000076fb0310 .text C:\Windows\system32\svchost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e4bed0 5 bytes JMP 0000000076fb03a0 .text C:\Windows\system32\svchost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076e4bef0 1 byte JMP 0000000076fb0380 .text C:\Windows\system32\svchost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 0000000076e4bef2 3 bytes {JMP 0x164490} .text C:\Windows\system32\svchost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076e4bf30 5 bytes JMP 0000000076fb02d0 .text C:\Windows\system32\svchost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076e4bfb0 5 bytes JMP 0000000076fb02c0 .text C:\Windows\system32\svchost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e4bfd0 5 bytes JMP 0000000076fb0300 .text C:\Windows\system32\svchost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e4c010 5 bytes JMP 0000000076fb03b0 .text C:\Windows\system32\svchost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076e4c050 5 bytes JMP 0000000076fb0440 .text C:\Windows\system32\svchost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076e4c060 5 bytes JMP 0000000076fb03e0 .text C:\Windows\system32\svchost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076e4c1c0 5 bytes JMP 0000000076fb0220 .text C:\Windows\system32\svchost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076e4c380 5 bytes JMP 0000000076fb04a0 .text C:\Windows\system32\svchost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076e4c3b0 5 bytes JMP 0000000076fb0390 .text C:\Windows\system32\svchost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076e4c490 5 bytes JMP 0000000076fb02e0 .text C:\Windows\system32\svchost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076e4c4a0 5 bytes JMP 0000000076fb0340 .text C:\Windows\system32\svchost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076e4c500 5 bytes JMP 0000000076fb0280 .text C:\Windows\system32\svchost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076e4c590 5 bytes JMP 0000000076fb02a0 .text C:\Windows\system32\svchost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e4c5b0 5 bytes JMP 0000000076fb03c0 .text C:\Windows\system32\svchost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076e4c5c0 5 bytes JMP 0000000076fb0320 .text C:\Windows\system32\svchost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076e4c630 5 bytes JMP 0000000076fb0410 .text C:\Windows\system32\svchost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076e4c660 5 bytes JMP 0000000076fb0230 .text C:\Windows\system32\svchost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000076e4c800 5 bytes JMP 0000000076fb03f0 .text C:\Windows\system32\svchost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e4c920 5 bytes JMP 0000000076fb01d0 .text C:\Windows\system32\svchost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076e4c9e0 5 bytes JMP 0000000076fb0240 .text C:\Windows\system32\svchost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076e4ca10 5 bytes JMP 0000000076fb04b0 .text C:\Windows\system32\svchost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076e4ca20 5 bytes JMP 0000000076fb04c0 .text C:\Windows\system32\svchost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076e4ca50 5 bytes JMP 0000000076fb02f0 .text C:\Windows\system32\svchost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076e4ca60 5 bytes JMP 0000000076fb0350 .text C:\Windows\system32\svchost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076e4cac0 5 bytes JMP 0000000076fb0290 .text C:\Windows\system32\svchost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076e4cb10 5 bytes JMP 0000000076fb02b0 .text C:\Windows\system32\svchost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076e4cb40 5 bytes JMP 0000000076fb0370 .text C:\Windows\system32\svchost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076e4cb50 5 bytes JMP 0000000076fb0330 .text C:\Windows\system32\svchost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076e4ce40 5 bytes JMP 0000000076fb0460 .text C:\Windows\system32\svchost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000076e4cfa0 5 bytes JMP 0000000076fb0420 .text C:\Windows\system32\svchost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076e4d040 5 bytes JMP 0000000076fb0250 .text C:\Windows\system32\svchost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076e4d050 5 bytes JMP 0000000076fb0260 .text C:\Windows\system32\svchost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e4d060 5 bytes JMP 0000000076fb0400 .text C:\Windows\system32\svchost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e4d220 5 bytes JMP 0000000076fb01e0 .text C:\Windows\system32\svchost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076e4d230 5 bytes JMP 0000000076fb0200 .text C:\Windows\system32\svchost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076e4d2a0 5 bytes JMP 0000000076fb01f0 .text C:\Windows\system32\svchost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076e4d300 5 bytes JMP 0000000076fb0430 .text C:\Windows\system32\svchost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076e4d310 5 bytes JMP 0000000076fb0450 .text C:\Windows\system32\svchost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076e4d320 5 bytes JMP 0000000076fb0210 .text C:\Windows\system32\svchost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076e4d400 5 bytes JMP 0000000076fb0270 .text C:\Windows\System32\spoolsv.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076e4bbe0 5 bytes JMP 0000000076fb0480 .text C:\Windows\System32\spoolsv.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076e4bc30 5 bytes JMP 0000000076fb0470 .text C:\Windows\System32\spoolsv.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076e4bd90 5 bytes JMP 0000000076fb0360 .text C:\Windows\System32\spoolsv.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076e4bde0 5 bytes JMP 0000000076fb0490 .text C:\Windows\System32\spoolsv.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076e4bdf0 5 bytes JMP 0000000076fb03d0 .text C:\Windows\System32\spoolsv.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076e4bea0 5 bytes JMP 0000000076fb0310 .text C:\Windows\System32\spoolsv.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e4bed0 5 bytes JMP 0000000076fb03a0 .text C:\Windows\System32\spoolsv.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076e4bef0 1 byte JMP 0000000076fb0380 .text C:\Windows\System32\spoolsv.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 0000000076e4bef2 3 bytes {JMP 0x164490} .text C:\Windows\System32\spoolsv.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076e4bf30 5 bytes JMP 0000000076fb02d0 .text C:\Windows\System32\spoolsv.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076e4bfb0 5 bytes JMP 0000000076fb02c0 .text C:\Windows\System32\spoolsv.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e4bfd0 5 bytes JMP 0000000076fb0300 .text C:\Windows\System32\spoolsv.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e4c010 5 bytes JMP 0000000076fb03b0 .text C:\Windows\System32\spoolsv.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076e4c050 5 bytes JMP 0000000076fb0440 .text C:\Windows\System32\spoolsv.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076e4c060 5 bytes JMP 0000000076fb03e0 .text C:\Windows\System32\spoolsv.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076e4c1c0 5 bytes JMP 0000000076fb0220 .text C:\Windows\System32\spoolsv.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076e4c380 5 bytes JMP 0000000076fb04a0 .text C:\Windows\System32\spoolsv.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076e4c3b0 5 bytes JMP 0000000076fb0390 .text C:\Windows\System32\spoolsv.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076e4c490 5 bytes JMP 0000000076fb02e0 .text C:\Windows\System32\spoolsv.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076e4c4a0 5 bytes JMP 0000000076fb0340 .text C:\Windows\System32\spoolsv.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076e4c500 5 bytes JMP 0000000076fb0280 .text C:\Windows\System32\spoolsv.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076e4c590 5 bytes JMP 0000000076fb02a0 .text C:\Windows\System32\spoolsv.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e4c5b0 5 bytes JMP 0000000076fb03c0 .text C:\Windows\System32\spoolsv.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076e4c5c0 5 bytes JMP 0000000076fb0320 .text C:\Windows\System32\spoolsv.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076e4c630 5 bytes JMP 0000000076fb0410 .text C:\Windows\System32\spoolsv.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076e4c660 5 bytes JMP 0000000076fb0230 .text C:\Windows\System32\spoolsv.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000076e4c800 5 bytes JMP 0000000076fb03f0 .text C:\Windows\System32\spoolsv.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e4c920 5 bytes JMP 0000000076fb01d0 .text C:\Windows\System32\spoolsv.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076e4c9e0 5 bytes JMP 0000000076fb0240 .text C:\Windows\System32\spoolsv.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076e4ca10 5 bytes JMP 0000000076fb04b0 .text C:\Windows\System32\spoolsv.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076e4ca20 5 bytes JMP 0000000076fb04c0 .text C:\Windows\System32\spoolsv.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076e4ca50 5 bytes JMP 0000000076fb02f0 .text C:\Windows\System32\spoolsv.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076e4ca60 5 bytes JMP 0000000076fb0350 .text C:\Windows\System32\spoolsv.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076e4cac0 5 bytes JMP 0000000076fb0290 .text C:\Windows\System32\spoolsv.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076e4cb10 5 bytes JMP 0000000076fb02b0 .text C:\Windows\System32\spoolsv.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076e4cb40 5 bytes JMP 0000000076fb0370 .text C:\Windows\System32\spoolsv.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076e4cb50 5 bytes JMP 0000000076fb0330 .text C:\Windows\System32\spoolsv.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076e4ce40 5 bytes JMP 0000000076fb0460 .text C:\Windows\System32\spoolsv.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000076e4cfa0 5 bytes JMP 0000000076fb0420 .text C:\Windows\System32\spoolsv.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076e4d040 5 bytes JMP 0000000076fb0250 .text C:\Windows\System32\spoolsv.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076e4d050 5 bytes JMP 0000000076fb0260 .text C:\Windows\System32\spoolsv.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e4d060 5 bytes JMP 0000000076fb0400 .text C:\Windows\System32\spoolsv.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e4d220 5 bytes JMP 0000000076fb01e0 .text C:\Windows\System32\spoolsv.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076e4d230 5 bytes JMP 0000000076fb0200 .text C:\Windows\System32\spoolsv.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076e4d2a0 5 bytes JMP 0000000076fb01f0 .text C:\Windows\System32\spoolsv.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076e4d300 5 bytes JMP 0000000076fb0430 .text C:\Windows\System32\spoolsv.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076e4d310 5 bytes JMP 0000000076fb0450 .text C:\Windows\System32\spoolsv.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076e4d320 5 bytes JMP 0000000076fb0210 .text C:\Windows\System32\spoolsv.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076e4d400 5 bytes JMP 0000000076fb0270 .text C:\Windows\system32\taskeng.exe[1456] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076e4bbe0 5 bytes JMP 0000000076fb0480 .text C:\Windows\system32\taskeng.exe[1456] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076e4bc30 5 bytes JMP 0000000076fb0470 .text C:\Windows\system32\taskeng.exe[1456] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076e4bd90 5 bytes JMP 0000000076fb0360 .text C:\Windows\system32\taskeng.exe[1456] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076e4bde0 5 bytes JMP 0000000076fb0490 .text C:\Windows\system32\taskeng.exe[1456] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076e4bdf0 5 bytes JMP 0000000076fb03d0 .text C:\Windows\system32\taskeng.exe[1456] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076e4bea0 5 bytes JMP 0000000076fb0310 .text C:\Windows\system32\taskeng.exe[1456] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e4bed0 5 bytes JMP 0000000076fb03a0 .text C:\Windows\system32\taskeng.exe[1456] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076e4bef0 1 byte JMP 0000000076fb0380 .text C:\Windows\system32\taskeng.exe[1456] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 0000000076e4bef2 3 bytes {JMP 0x164490} .text C:\Windows\system32\taskeng.exe[1456] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076e4bf30 5 bytes JMP 0000000076fb02d0 .text C:\Windows\system32\taskeng.exe[1456] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076e4bfb0 5 bytes JMP 0000000076fb02c0 .text C:\Windows\system32\taskeng.exe[1456] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e4bfd0 5 bytes JMP 0000000076fb0300 .text C:\Windows\system32\taskeng.exe[1456] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e4c010 5 bytes JMP 0000000076fb03b0 .text C:\Windows\system32\taskeng.exe[1456] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076e4c050 5 bytes JMP 0000000076fb0440 .text C:\Windows\system32\taskeng.exe[1456] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076e4c060 5 bytes JMP 0000000076fb03e0 .text C:\Windows\system32\taskeng.exe[1456] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076e4c1c0 5 bytes JMP 0000000076fb0220 .text C:\Windows\system32\taskeng.exe[1456] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076e4c380 5 bytes JMP 0000000076fb04a0 .text C:\Windows\system32\taskeng.exe[1456] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076e4c3b0 5 bytes JMP 0000000076fb0390 .text C:\Windows\system32\taskeng.exe[1456] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076e4c490 5 bytes JMP 0000000076fb02e0 .text C:\Windows\system32\taskeng.exe[1456] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076e4c4a0 5 bytes JMP 0000000076fb0340 .text C:\Windows\system32\taskeng.exe[1456] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076e4c500 5 bytes JMP 0000000076fb0280 .text C:\Windows\system32\taskeng.exe[1456] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076e4c590 5 bytes JMP 0000000076fb02a0 .text C:\Windows\system32\taskeng.exe[1456] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e4c5b0 5 bytes JMP 0000000076fb03c0 .text C:\Windows\system32\taskeng.exe[1456] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076e4c5c0 5 bytes JMP 0000000076fb0320 .text C:\Windows\system32\taskeng.exe[1456] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076e4c630 5 bytes JMP 0000000076fb0410 .text C:\Windows\system32\taskeng.exe[1456] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076e4c660 5 bytes JMP 0000000076fb0230 .text C:\Windows\system32\taskeng.exe[1456] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000076e4c800 5 bytes JMP 0000000076fb03f0 .text C:\Windows\system32\taskeng.exe[1456] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e4c920 5 bytes JMP 0000000076fb01d0 .text C:\Windows\system32\taskeng.exe[1456] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076e4c9e0 5 bytes JMP 0000000076fb0240 .text C:\Windows\system32\taskeng.exe[1456] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076e4ca10 5 bytes JMP 0000000076fb04b0 .text C:\Windows\system32\taskeng.exe[1456] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076e4ca20 5 bytes JMP 0000000076fb04c0 .text C:\Windows\system32\taskeng.exe[1456] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076e4ca50 5 bytes JMP 0000000076fb02f0 .text C:\Windows\system32\taskeng.exe[1456] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076e4ca60 5 bytes JMP 0000000076fb0350 .text C:\Windows\system32\taskeng.exe[1456] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076e4cac0 5 bytes JMP 0000000076fb0290 .text C:\Windows\system32\taskeng.exe[1456] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076e4cb10 5 bytes JMP 0000000076fb02b0 .text C:\Windows\system32\taskeng.exe[1456] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076e4cb40 5 bytes JMP 0000000076fb0370 .text C:\Windows\system32\taskeng.exe[1456] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076e4cb50 5 bytes JMP 0000000076fb0330 .text C:\Windows\system32\taskeng.exe[1456] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076e4ce40 5 bytes JMP 0000000076fb0460 .text C:\Windows\system32\taskeng.exe[1456] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000076e4cfa0 5 bytes JMP 0000000076fb0420 .text C:\Windows\system32\taskeng.exe[1456] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076e4d040 5 bytes JMP 0000000076fb0250 .text C:\Windows\system32\taskeng.exe[1456] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076e4d050 5 bytes JMP 0000000076fb0260 .text C:\Windows\system32\taskeng.exe[1456] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e4d060 5 bytes JMP 0000000076fb0400 .text C:\Windows\system32\taskeng.exe[1456] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e4d220 5 bytes JMP 0000000076fb01e0 .text C:\Windows\system32\taskeng.exe[1456] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076e4d230 5 bytes JMP 0000000076fb0200 .text C:\Windows\system32\taskeng.exe[1456] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076e4d2a0 5 bytes JMP 0000000076fb01f0 .text C:\Windows\system32\taskeng.exe[1456] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076e4d300 5 bytes JMP 0000000076fb0430 .text C:\Windows\system32\taskeng.exe[1456] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076e4d310 5 bytes JMP 0000000076fb0450 .text C:\Windows\system32\taskeng.exe[1456] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076e4d320 5 bytes JMP 0000000076fb0210 .text C:\Windows\system32\taskeng.exe[1456] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076e4d400 5 bytes JMP 0000000076fb0270 .text C:\Windows\system32\svchost.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076e4bbe0 5 bytes JMP 0000000076fb0480 .text C:\Windows\system32\svchost.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076e4bc30 5 bytes JMP 0000000076fb0470 .text C:\Windows\system32\svchost.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076e4bd90 5 bytes JMP 0000000076fb0360 .text C:\Windows\system32\svchost.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076e4bde0 5 bytes JMP 0000000076fb0490 .text C:\Windows\system32\svchost.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076e4bdf0 5 bytes JMP 0000000076fb03d0 .text C:\Windows\system32\svchost.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076e4bea0 5 bytes JMP 0000000076fb0310 .text C:\Windows\system32\svchost.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e4bed0 5 bytes JMP 0000000076fb03a0 .text C:\Windows\system32\svchost.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076e4bef0 1 byte JMP 0000000076fb0380 .text C:\Windows\system32\svchost.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 0000000076e4bef2 3 bytes {JMP 0x164490} .text C:\Windows\system32\svchost.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076e4bf30 5 bytes JMP 0000000076fb02d0 .text C:\Windows\system32\svchost.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076e4bfb0 5 bytes JMP 0000000076fb02c0 .text C:\Windows\system32\svchost.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e4bfd0 5 bytes JMP 0000000076fb0300 .text C:\Windows\system32\svchost.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e4c010 5 bytes JMP 0000000076fb03b0 .text C:\Windows\system32\svchost.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076e4c050 5 bytes JMP 0000000076fb0440 .text C:\Windows\system32\svchost.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076e4c060 5 bytes JMP 0000000076fb03e0 .text C:\Windows\system32\svchost.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076e4c1c0 5 bytes JMP 0000000076fb0220 .text C:\Windows\system32\svchost.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076e4c380 5 bytes JMP 0000000076fb04a0 .text C:\Windows\system32\svchost.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076e4c3b0 5 bytes JMP 0000000076fb0390 .text C:\Windows\system32\svchost.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076e4c490 5 bytes JMP 0000000076fb02e0 .text C:\Windows\system32\svchost.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076e4c4a0 5 bytes JMP 0000000076fb0340 .text C:\Windows\system32\svchost.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076e4c500 5 bytes JMP 0000000076fb0280 .text C:\Windows\system32\svchost.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076e4c590 5 bytes JMP 0000000076fb02a0 .text C:\Windows\system32\svchost.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e4c5b0 5 bytes JMP 0000000076fb03c0 .text C:\Windows\system32\svchost.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076e4c5c0 5 bytes JMP 0000000076fb0320 .text C:\Windows\system32\svchost.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076e4c630 5 bytes JMP 0000000076fb0410 .text C:\Windows\system32\svchost.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076e4c660 5 bytes JMP 0000000076fb0230 .text C:\Windows\system32\svchost.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000076e4c800 5 bytes JMP 0000000076fb03f0 .text C:\Windows\system32\svchost.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e4c920 5 bytes JMP 0000000076fb01d0 .text C:\Windows\system32\svchost.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076e4c9e0 5 bytes JMP 0000000076fb0240 .text C:\Windows\system32\svchost.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076e4ca10 5 bytes JMP 0000000076fb04b0 .text C:\Windows\system32\svchost.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076e4ca20 5 bytes JMP 0000000076fb04c0 .text C:\Windows\system32\svchost.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076e4ca50 5 bytes JMP 0000000076fb02f0 .text C:\Windows\system32\svchost.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076e4ca60 5 bytes JMP 0000000076fb0350 .text C:\Windows\system32\svchost.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076e4cac0 5 bytes JMP 0000000076fb0290 .text C:\Windows\system32\svchost.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076e4cb10 5 bytes JMP 0000000076fb02b0 .text C:\Windows\system32\svchost.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076e4cb40 5 bytes JMP 0000000076fb0370 .text C:\Windows\system32\svchost.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076e4cb50 5 bytes JMP 0000000076fb0330 .text C:\Windows\system32\svchost.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076e4ce40 5 bytes JMP 0000000076fb0460 .text C:\Windows\system32\svchost.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000076e4cfa0 5 bytes JMP 0000000076fb0420 .text C:\Windows\system32\svchost.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076e4d040 5 bytes JMP 0000000076fb0250 .text C:\Windows\system32\svchost.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076e4d050 5 bytes JMP 0000000076fb0260 .text C:\Windows\system32\svchost.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e4d060 5 bytes JMP 0000000076fb0400 .text C:\Windows\system32\svchost.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e4d220 5 bytes JMP 0000000076fb01e0 .text C:\Windows\system32\svchost.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076e4d230 5 bytes JMP 0000000076fb0200 .text C:\Windows\system32\svchost.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076e4d2a0 5 bytes JMP 0000000076fb01f0 .text C:\Windows\system32\svchost.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076e4d300 5 bytes JMP 0000000076fb0430 .text C:\Windows\system32\svchost.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076e4d310 5 bytes JMP 0000000076fb0450 .text C:\Windows\system32\svchost.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076e4d320 5 bytes JMP 0000000076fb0210 .text C:\Windows\system32\svchost.exe[1492] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076e4d400 5 bytes JMP 0000000076fb0270 .text C:\Windows\system32\taskhost.exe[1888] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076e4bbe0 5 bytes JMP 0000000076fb0480 .text C:\Windows\system32\taskhost.exe[1888] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076e4bc30 5 bytes JMP 0000000076fb0470 .text C:\Windows\system32\taskhost.exe[1888] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076e4bd90 5 bytes JMP 0000000076fb0360 .text C:\Windows\system32\taskhost.exe[1888] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076e4bde0 5 bytes JMP 0000000076fb0490 .text C:\Windows\system32\taskhost.exe[1888] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076e4bdf0 5 bytes JMP 0000000076fb03d0 .text C:\Windows\system32\taskhost.exe[1888] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076e4bea0 5 bytes JMP 0000000076fb0310 .text C:\Windows\system32\taskhost.exe[1888] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e4bed0 5 bytes JMP 0000000076fb03a0 .text C:\Windows\system32\taskhost.exe[1888] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076e4bef0 1 byte JMP 0000000076fb0380 .text C:\Windows\system32\taskhost.exe[1888] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 0000000076e4bef2 3 bytes {JMP 0x164490} .text C:\Windows\system32\taskhost.exe[1888] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076e4bf30 5 bytes JMP 0000000076fb02d0 .text C:\Windows\system32\taskhost.exe[1888] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076e4bfb0 5 bytes JMP 0000000076fb02c0 .text C:\Windows\system32\taskhost.exe[1888] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e4bfd0 5 bytes JMP 0000000076fb0300 .text C:\Windows\system32\taskhost.exe[1888] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e4c010 5 bytes JMP 0000000076fb03b0 .text C:\Windows\system32\taskhost.exe[1888] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076e4c050 5 bytes JMP 0000000076fb0440 .text C:\Windows\system32\taskhost.exe[1888] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076e4c060 5 bytes JMP 0000000076fb03e0 .text C:\Windows\system32\taskhost.exe[1888] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076e4c1c0 5 bytes JMP 0000000076fb0220 .text C:\Windows\system32\taskhost.exe[1888] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076e4c380 5 bytes JMP 0000000076fb04a0 .text C:\Windows\system32\taskhost.exe[1888] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076e4c3b0 5 bytes JMP 0000000076fb0390 .text C:\Windows\system32\taskhost.exe[1888] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076e4c490 5 bytes JMP 0000000076fb02e0 .text C:\Windows\system32\taskhost.exe[1888] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076e4c4a0 5 bytes JMP 0000000076fb0340 .text C:\Windows\system32\taskhost.exe[1888] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076e4c500 5 bytes JMP 0000000076fb0280 .text C:\Windows\system32\taskhost.exe[1888] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076e4c590 5 bytes JMP 0000000076fb02a0 .text C:\Windows\system32\taskhost.exe[1888] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e4c5b0 5 bytes JMP 0000000076fb03c0 .text C:\Windows\system32\taskhost.exe[1888] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076e4c5c0 5 bytes JMP 0000000076fb0320 .text C:\Windows\system32\taskhost.exe[1888] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076e4c630 5 bytes JMP 0000000076fb0410 .text C:\Windows\system32\taskhost.exe[1888] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076e4c660 5 bytes JMP 0000000076fb0230 .text C:\Windows\system32\taskhost.exe[1888] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000076e4c800 5 bytes JMP 0000000076fb03f0 .text C:\Windows\system32\taskhost.exe[1888] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e4c920 5 bytes JMP 0000000076fb01d0 .text C:\Windows\system32\taskhost.exe[1888] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076e4c9e0 5 bytes JMP 0000000076fb0240 .text C:\Windows\system32\taskhost.exe[1888] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076e4ca10 5 bytes JMP 0000000076fb04b0 .text C:\Windows\system32\taskhost.exe[1888] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076e4ca20 5 bytes JMP 0000000076fb04c0 .text C:\Windows\system32\taskhost.exe[1888] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076e4ca50 5 bytes JMP 0000000076fb02f0 .text C:\Windows\system32\taskhost.exe[1888] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076e4ca60 5 bytes JMP 0000000076fb0350 .text C:\Windows\system32\taskhost.exe[1888] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076e4cac0 5 bytes JMP 0000000076fb0290 .text C:\Windows\system32\taskhost.exe[1888] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076e4cb10 5 bytes JMP 0000000076fb02b0 .text C:\Windows\system32\taskhost.exe[1888] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076e4cb40 5 bytes JMP 0000000076fb0370 .text C:\Windows\system32\taskhost.exe[1888] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076e4cb50 5 bytes JMP 0000000076fb0330 .text C:\Windows\system32\taskhost.exe[1888] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076e4ce40 5 bytes JMP 0000000076fb0460 .text C:\Windows\system32\taskhost.exe[1888] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000076e4cfa0 5 bytes JMP 0000000076fb0420 .text C:\Windows\system32\taskhost.exe[1888] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076e4d040 5 bytes JMP 0000000076fb0250 .text C:\Windows\system32\taskhost.exe[1888] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076e4d050 5 bytes JMP 0000000076fb0260 .text C:\Windows\system32\taskhost.exe[1888] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e4d060 5 bytes JMP 0000000076fb0400 .text C:\Windows\system32\taskhost.exe[1888] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e4d220 5 bytes JMP 0000000076fb01e0 .text C:\Windows\system32\taskhost.exe[1888] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076e4d230 5 bytes JMP 0000000076fb0200 .text C:\Windows\system32\taskhost.exe[1888] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076e4d2a0 5 bytes JMP 0000000076fb01f0 .text C:\Windows\system32\taskhost.exe[1888] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076e4d300 5 bytes JMP 0000000076fb0430 .text C:\Windows\system32\taskhost.exe[1888] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076e4d310 5 bytes JMP 0000000076fb0450 .text C:\Windows\system32\taskhost.exe[1888] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076e4d320 5 bytes JMP 0000000076fb0210 .text C:\Windows\system32\taskhost.exe[1888] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076e4d400 5 bytes JMP 0000000076fb0270 .text C:\Windows\system32\Dwm.exe[1948] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076e4bbe0 5 bytes JMP 0000000076fb0480 .text C:\Windows\system32\Dwm.exe[1948] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076e4bc30 5 bytes JMP 0000000076fb0470 .text C:\Windows\system32\Dwm.exe[1948] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076e4bd90 5 bytes JMP 0000000076fb0360 .text C:\Windows\system32\Dwm.exe[1948] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076e4bde0 5 bytes JMP 0000000076fb0490 .text C:\Windows\system32\Dwm.exe[1948] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076e4bdf0 5 bytes JMP 0000000076fb03d0 .text C:\Windows\system32\Dwm.exe[1948] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076e4bea0 5 bytes JMP 0000000076fb0310 .text C:\Windows\system32\Dwm.exe[1948] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e4bed0 5 bytes JMP 0000000076fb03a0 .text C:\Windows\system32\Dwm.exe[1948] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076e4bef0 1 byte JMP 0000000076fb0380 .text C:\Windows\system32\Dwm.exe[1948] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 0000000076e4bef2 3 bytes {JMP 0x164490} .text C:\Windows\system32\Dwm.exe[1948] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076e4bf30 5 bytes JMP 0000000076fb02d0 .text C:\Windows\system32\Dwm.exe[1948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076e4bfb0 5 bytes JMP 0000000076fb02c0 .text C:\Windows\system32\Dwm.exe[1948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e4bfd0 5 bytes JMP 0000000076fb0300 .text C:\Windows\system32\Dwm.exe[1948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e4c010 5 bytes JMP 0000000076fb03b0 .text C:\Windows\system32\Dwm.exe[1948] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076e4c050 5 bytes JMP 0000000076fb0440 .text C:\Windows\system32\Dwm.exe[1948] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076e4c060 5 bytes JMP 0000000076fb03e0 .text C:\Windows\system32\Dwm.exe[1948] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076e4c1c0 5 bytes JMP 0000000076fb0220 .text C:\Windows\system32\Dwm.exe[1948] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076e4c380 5 bytes JMP 0000000076fb04a0 .text C:\Windows\system32\Dwm.exe[1948] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076e4c3b0 5 bytes JMP 0000000076fb0390 .text C:\Windows\system32\Dwm.exe[1948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076e4c490 5 bytes JMP 0000000076fb02e0 .text C:\Windows\system32\Dwm.exe[1948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076e4c4a0 5 bytes JMP 0000000076fb0340 .text C:\Windows\system32\Dwm.exe[1948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076e4c500 5 bytes JMP 0000000076fb0280 .text C:\Windows\system32\Dwm.exe[1948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076e4c590 5 bytes JMP 0000000076fb02a0 .text C:\Windows\system32\Dwm.exe[1948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e4c5b0 5 bytes JMP 0000000076fb03c0 .text C:\Windows\system32\Dwm.exe[1948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076e4c5c0 5 bytes JMP 0000000076fb0320 .text C:\Windows\system32\Dwm.exe[1948] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076e4c630 5 bytes JMP 0000000076fb0410 .text C:\Windows\system32\Dwm.exe[1948] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076e4c660 5 bytes JMP 0000000076fb0230 .text C:\Windows\system32\Dwm.exe[1948] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000076e4c800 5 bytes JMP 0000000076fb03f0 .text C:\Windows\system32\Dwm.exe[1948] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e4c920 5 bytes JMP 0000000076fb01d0 .text C:\Windows\system32\Dwm.exe[1948] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076e4c9e0 5 bytes JMP 0000000076fb0240 .text C:\Windows\system32\Dwm.exe[1948] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076e4ca10 5 bytes JMP 0000000076fb04b0 .text C:\Windows\system32\Dwm.exe[1948] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076e4ca20 5 bytes JMP 0000000076fb04c0 .text C:\Windows\system32\Dwm.exe[1948] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076e4ca50 5 bytes JMP 0000000076fb02f0 .text C:\Windows\system32\Dwm.exe[1948] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076e4ca60 5 bytes JMP 0000000076fb0350 .text C:\Windows\system32\Dwm.exe[1948] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076e4cac0 5 bytes JMP 0000000076fb0290 .text C:\Windows\system32\Dwm.exe[1948] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076e4cb10 5 bytes JMP 0000000076fb02b0 .text C:\Windows\system32\Dwm.exe[1948] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076e4cb40 5 bytes JMP 0000000076fb0370 .text C:\Windows\system32\Dwm.exe[1948] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076e4cb50 5 bytes JMP 0000000076fb0330 .text C:\Windows\system32\Dwm.exe[1948] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076e4ce40 5 bytes JMP 0000000076fb0460 .text C:\Windows\system32\Dwm.exe[1948] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000076e4cfa0 5 bytes JMP 0000000076fb0420 .text C:\Windows\system32\Dwm.exe[1948] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076e4d040 5 bytes JMP 0000000076fb0250 .text C:\Windows\system32\Dwm.exe[1948] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076e4d050 5 bytes JMP 0000000076fb0260 .text C:\Windows\system32\Dwm.exe[1948] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e4d060 5 bytes JMP 0000000076fb0400 .text C:\Windows\system32\Dwm.exe[1948] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e4d220 5 bytes JMP 0000000076fb01e0 .text C:\Windows\system32\Dwm.exe[1948] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076e4d230 5 bytes JMP 0000000076fb0200 .text C:\Windows\system32\Dwm.exe[1948] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076e4d2a0 5 bytes JMP 0000000076fb01f0 .text C:\Windows\system32\Dwm.exe[1948] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076e4d300 5 bytes JMP 0000000076fb0430 .text C:\Windows\system32\Dwm.exe[1948] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076e4d310 5 bytes JMP 0000000076fb0450 .text C:\Windows\system32\Dwm.exe[1948] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076e4d320 5 bytes JMP 0000000076fb0210 .text C:\Windows\system32\Dwm.exe[1948] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076e4d400 5 bytes JMP 0000000076fb0270 .text C:\Windows\Explorer.EXE[1972] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076e4bbe0 5 bytes JMP 0000000076fb0480 .text C:\Windows\Explorer.EXE[1972] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076e4bc30 5 bytes JMP 0000000076fb0470 .text C:\Windows\Explorer.EXE[1972] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076e4bd90 5 bytes JMP 0000000076fb0360 .text C:\Windows\Explorer.EXE[1972] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076e4bde0 5 bytes JMP 0000000076fb0490 .text C:\Windows\Explorer.EXE[1972] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076e4bdf0 5 bytes JMP 0000000076fb03d0 .text C:\Windows\Explorer.EXE[1972] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076e4bea0 5 bytes JMP 0000000076fb0310 .text C:\Windows\Explorer.EXE[1972] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e4bed0 5 bytes JMP 0000000076fb03a0 .text C:\Windows\Explorer.EXE[1972] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076e4bef0 1 byte JMP 0000000076fb0380 .text C:\Windows\Explorer.EXE[1972] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 0000000076e4bef2 3 bytes {JMP 0x164490} .text C:\Windows\Explorer.EXE[1972] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076e4bf30 5 bytes JMP 0000000076fb02d0 .text C:\Windows\Explorer.EXE[1972] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076e4bfb0 5 bytes JMP 0000000076fb02c0 .text C:\Windows\Explorer.EXE[1972] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e4bfd0 5 bytes JMP 0000000076fb0300 .text C:\Windows\Explorer.EXE[1972] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e4c010 5 bytes JMP 0000000076fb03b0 .text C:\Windows\Explorer.EXE[1972] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076e4c050 5 bytes JMP 0000000076fb0440 .text C:\Windows\Explorer.EXE[1972] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076e4c060 5 bytes JMP 0000000076fb03e0 .text C:\Windows\Explorer.EXE[1972] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076e4c1c0 5 bytes JMP 0000000076fb0220 .text C:\Windows\Explorer.EXE[1972] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076e4c380 5 bytes JMP 0000000076fb04a0 .text C:\Windows\Explorer.EXE[1972] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076e4c3b0 5 bytes JMP 0000000076fb0390 .text C:\Windows\Explorer.EXE[1972] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076e4c490 5 bytes JMP 0000000076fb02e0 .text C:\Windows\Explorer.EXE[1972] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076e4c4a0 5 bytes JMP 0000000076fb0340 .text C:\Windows\Explorer.EXE[1972] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076e4c500 5 bytes JMP 0000000076fb0280 .text C:\Windows\Explorer.EXE[1972] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076e4c590 5 bytes JMP 0000000076fb02a0 .text C:\Windows\Explorer.EXE[1972] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e4c5b0 5 bytes JMP 0000000076fb03c0 .text C:\Windows\Explorer.EXE[1972] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076e4c5c0 5 bytes JMP 0000000076fb0320 .text C:\Windows\Explorer.EXE[1972] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076e4c630 5 bytes JMP 0000000076fb0410 .text C:\Windows\Explorer.EXE[1972] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076e4c660 5 bytes JMP 0000000076fb0230 .text C:\Windows\Explorer.EXE[1972] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000076e4c800 5 bytes JMP 0000000076fb03f0 .text C:\Windows\Explorer.EXE[1972] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e4c920 5 bytes JMP 0000000076fb01d0 .text C:\Windows\Explorer.EXE[1972] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076e4c9e0 5 bytes JMP 0000000076fb0240 .text C:\Windows\Explorer.EXE[1972] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076e4ca10 5 bytes JMP 0000000076fb04b0 .text C:\Windows\Explorer.EXE[1972] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076e4ca20 5 bytes JMP 0000000076fb04c0 .text C:\Windows\Explorer.EXE[1972] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076e4ca50 5 bytes JMP 0000000076fb02f0 .text C:\Windows\Explorer.EXE[1972] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076e4ca60 5 bytes JMP 0000000076fb0350 .text C:\Windows\Explorer.EXE[1972] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076e4cac0 5 bytes JMP 0000000076fb0290 .text C:\Windows\Explorer.EXE[1972] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076e4cb10 5 bytes JMP 0000000076fb02b0 .text C:\Windows\Explorer.EXE[1972] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076e4cb40 5 bytes JMP 0000000076fb0370 .text C:\Windows\Explorer.EXE[1972] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076e4cb50 5 bytes JMP 0000000076fb0330 .text C:\Windows\Explorer.EXE[1972] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076e4ce40 5 bytes JMP 0000000076fb0460 .text C:\Windows\Explorer.EXE[1972] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000076e4cfa0 5 bytes JMP 0000000076fb0420 .text C:\Windows\Explorer.EXE[1972] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076e4d040 5 bytes JMP 0000000076fb0250 .text C:\Windows\Explorer.EXE[1972] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076e4d050 5 bytes JMP 0000000076fb0260 .text C:\Windows\Explorer.EXE[1972] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e4d060 5 bytes JMP 0000000076fb0400 .text C:\Windows\Explorer.EXE[1972] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e4d220 5 bytes JMP 0000000076fb01e0 .text C:\Windows\Explorer.EXE[1972] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076e4d230 5 bytes JMP 0000000076fb0200 .text C:\Windows\Explorer.EXE[1972] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076e4d2a0 5 bytes JMP 0000000076fb01f0 .text C:\Windows\Explorer.EXE[1972] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076e4d300 5 bytes JMP 0000000076fb0430 .text C:\Windows\Explorer.EXE[1972] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076e4d310 5 bytes JMP 0000000076fb0450 .text C:\Windows\Explorer.EXE[1972] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076e4d320 5 bytes JMP 0000000076fb0210 .text C:\Windows\Explorer.EXE[1972] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076e4d400 5 bytes JMP 0000000076fb0270 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[1208] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076e4bbe0 5 bytes JMP 0000000076fb0480 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[1208] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076e4bc30 5 bytes JMP 0000000076fb0470 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[1208] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076e4bd90 5 bytes JMP 0000000076fb0360 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[1208] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076e4bde0 5 bytes JMP 0000000076fb0490 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[1208] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076e4bdf0 5 bytes JMP 0000000076fb03d0 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[1208] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076e4bea0 5 bytes JMP 0000000076fb0310 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[1208] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e4bed0 5 bytes JMP 0000000076fb03a0 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[1208] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076e4bef0 1 byte JMP 0000000076fb0380 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[1208] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 0000000076e4bef2 3 bytes {JMP 0x164490} .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[1208] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076e4bf30 5 bytes JMP 0000000076fb02d0 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[1208] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076e4bfb0 5 bytes JMP 0000000076fb02c0 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[1208] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e4bfd0 5 bytes JMP 0000000076fb0300 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[1208] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e4c010 5 bytes JMP 0000000076fb03b0 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[1208] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076e4c050 5 bytes JMP 0000000076fb0440 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[1208] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076e4c060 5 bytes JMP 0000000076fb03e0 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[1208] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076e4c1c0 5 bytes JMP 0000000076fb0220 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[1208] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076e4c380 5 bytes JMP 0000000076fb04a0 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[1208] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076e4c3b0 5 bytes JMP 0000000076fb0390 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[1208] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076e4c490 5 bytes JMP 0000000076fb02e0 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[1208] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076e4c4a0 5 bytes JMP 0000000076fb0340 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[1208] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076e4c500 5 bytes JMP 0000000076fb0280 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[1208] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076e4c590 5 bytes JMP 0000000076fb02a0 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[1208] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e4c5b0 5 bytes JMP 0000000076fb03c0 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[1208] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076e4c5c0 5 bytes JMP 0000000076fb0320 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[1208] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076e4c630 5 bytes JMP 0000000076fb0410 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[1208] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076e4c660 5 bytes JMP 0000000076fb0230 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[1208] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000076e4c800 5 bytes JMP 0000000076fb03f0 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[1208] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e4c920 5 bytes JMP 0000000076fb01d0 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[1208] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076e4c9e0 5 bytes JMP 0000000076fb0240 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[1208] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076e4ca10 5 bytes JMP 0000000076fb04b0 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[1208] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076e4ca20 5 bytes JMP 0000000076fb04c0 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[1208] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076e4ca50 5 bytes JMP 0000000076fb02f0 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[1208] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076e4ca60 5 bytes JMP 0000000076fb0350 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[1208] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076e4cac0 5 bytes JMP 0000000076fb0290 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[1208] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076e4cb10 5 bytes JMP 0000000076fb02b0 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[1208] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076e4cb40 5 bytes JMP 0000000076fb0370 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[1208] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076e4cb50 5 bytes JMP 0000000076fb0330 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[1208] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076e4ce40 5 bytes JMP 0000000076fb0460 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[1208] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000076e4cfa0 5 bytes JMP 0000000076fb0420 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[1208] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076e4d040 5 bytes JMP 0000000076fb0250 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[1208] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076e4d050 5 bytes JMP 0000000076fb0260 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[1208] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e4d060 5 bytes JMP 0000000076fb0400 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[1208] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e4d220 5 bytes JMP 0000000076fb01e0 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[1208] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076e4d230 5 bytes JMP 0000000076fb0200 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[1208] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076e4d2a0 5 bytes JMP 0000000076fb01f0 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[1208] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076e4d300 5 bytes JMP 0000000076fb0430 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[1208] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076e4d310 5 bytes JMP 0000000076fb0450 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[1208] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076e4d320 5 bytes JMP 0000000076fb0210 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[1208] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076e4d400 5 bytes JMP 0000000076fb0270 .text C:\Windows\System32\igfxtray.exe[1244] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076e4bbe0 5 bytes JMP 0000000076fb0480 .text C:\Windows\System32\igfxtray.exe[1244] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076e4bc30 5 bytes JMP 0000000076fb0470 .text C:\Windows\System32\igfxtray.exe[1244] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076e4bd90 5 bytes JMP 0000000076fb0360 .text C:\Windows\System32\igfxtray.exe[1244] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076e4bde0 5 bytes JMP 0000000076fb0490 .text C:\Windows\System32\igfxtray.exe[1244] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076e4bdf0 5 bytes JMP 0000000076fb03d0 .text C:\Windows\System32\igfxtray.exe[1244] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076e4bea0 5 bytes JMP 0000000076fb0310 .text C:\Windows\System32\igfxtray.exe[1244] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e4bed0 5 bytes JMP 0000000076fb03a0 .text C:\Windows\System32\igfxtray.exe[1244] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076e4bef0 1 byte JMP 0000000076fb0380 .text C:\Windows\System32\igfxtray.exe[1244] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 0000000076e4bef2 3 bytes {JMP 0x164490} .text C:\Windows\System32\igfxtray.exe[1244] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076e4bf30 5 bytes JMP 0000000076fb02d0 .text C:\Windows\System32\igfxtray.exe[1244] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076e4bfb0 5 bytes JMP 0000000076fb02c0 .text C:\Windows\System32\igfxtray.exe[1244] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e4bfd0 5 bytes JMP 0000000076fb0300 .text C:\Windows\System32\igfxtray.exe[1244] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e4c010 5 bytes JMP 0000000076fb03b0 .text C:\Windows\System32\igfxtray.exe[1244] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076e4c050 5 bytes JMP 0000000076fb0440 .text C:\Windows\System32\igfxtray.exe[1244] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076e4c060 5 bytes JMP 0000000076fb03e0 .text C:\Windows\System32\igfxtray.exe[1244] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076e4c1c0 5 bytes JMP 0000000076fb0220 .text C:\Windows\System32\igfxtray.exe[1244] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076e4c380 5 bytes JMP 0000000076fb04a0 .text C:\Windows\System32\igfxtray.exe[1244] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076e4c3b0 5 bytes JMP 0000000076fb0390 .text C:\Windows\System32\igfxtray.exe[1244] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076e4c490 5 bytes JMP 0000000076fb02e0 .text C:\Windows\System32\igfxtray.exe[1244] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076e4c4a0 5 bytes JMP 0000000076fb0340 .text C:\Windows\System32\igfxtray.exe[1244] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076e4c500 5 bytes JMP 0000000076fb0280 .text C:\Windows\System32\igfxtray.exe[1244] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076e4c590 5 bytes JMP 0000000076fb02a0 .text C:\Windows\System32\igfxtray.exe[1244] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e4c5b0 5 bytes JMP 0000000076fb03c0 .text C:\Windows\System32\igfxtray.exe[1244] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076e4c5c0 5 bytes JMP 0000000076fb0320 .text C:\Windows\System32\igfxtray.exe[1244] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076e4c630 5 bytes JMP 0000000076fb0410 .text C:\Windows\System32\igfxtray.exe[1244] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076e4c660 5 bytes JMP 0000000076fb0230 .text C:\Windows\System32\igfxtray.exe[1244] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000076e4c800 5 bytes JMP 0000000076fb03f0 .text C:\Windows\System32\igfxtray.exe[1244] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e4c920 5 bytes JMP 0000000076fb01d0 .text C:\Windows\System32\igfxtray.exe[1244] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076e4c9e0 5 bytes JMP 0000000076fb0240 .text C:\Windows\System32\igfxtray.exe[1244] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076e4ca10 5 bytes JMP 0000000076fb04b0 .text C:\Windows\System32\igfxtray.exe[1244] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076e4ca20 5 bytes JMP 0000000076fb04c0 .text C:\Windows\System32\igfxtray.exe[1244] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076e4ca50 5 bytes JMP 0000000076fb02f0 .text C:\Windows\System32\igfxtray.exe[1244] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076e4ca60 5 bytes JMP 0000000076fb0350 .text C:\Windows\System32\igfxtray.exe[1244] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076e4cac0 5 bytes JMP 0000000076fb0290 .text C:\Windows\System32\igfxtray.exe[1244] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076e4cb10 5 bytes JMP 0000000076fb02b0 .text C:\Windows\System32\igfxtray.exe[1244] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076e4cb40 5 bytes JMP 0000000076fb0370 .text C:\Windows\System32\igfxtray.exe[1244] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076e4cb50 5 bytes JMP 0000000076fb0330 .text C:\Windows\System32\igfxtray.exe[1244] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076e4ce40 5 bytes JMP 0000000076fb0460 .text C:\Windows\System32\igfxtray.exe[1244] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000076e4cfa0 5 bytes JMP 0000000076fb0420 .text C:\Windows\System32\igfxtray.exe[1244] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076e4d040 5 bytes JMP 0000000076fb0250 .text C:\Windows\System32\igfxtray.exe[1244] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076e4d050 5 bytes JMP 0000000076fb0260 .text C:\Windows\System32\igfxtray.exe[1244] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e4d060 5 bytes JMP 0000000076fb0400 .text C:\Windows\System32\igfxtray.exe[1244] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e4d220 5 bytes JMP 0000000076fb01e0 .text C:\Windows\System32\igfxtray.exe[1244] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076e4d230 5 bytes JMP 0000000076fb0200 .text C:\Windows\System32\igfxtray.exe[1244] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076e4d2a0 5 bytes JMP 0000000076fb01f0 .text C:\Windows\System32\igfxtray.exe[1244] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076e4d300 5 bytes JMP 0000000076fb0430 .text C:\Windows\System32\igfxtray.exe[1244] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076e4d310 5 bytes JMP 0000000076fb0450 .text C:\Windows\System32\igfxtray.exe[1244] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076e4d320 5 bytes JMP 0000000076fb0210 .text C:\Windows\System32\igfxtray.exe[1244] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076e4d400 5 bytes JMP 0000000076fb0270 .text C:\Windows\System32\hkcmd.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076e4bbe0 5 bytes JMP 0000000076fb0480 .text C:\Windows\System32\hkcmd.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076e4bc30 5 bytes JMP 0000000076fb0470 .text C:\Windows\System32\hkcmd.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076e4bd90 5 bytes JMP 0000000076fb0360 .text C:\Windows\System32\hkcmd.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076e4bde0 5 bytes JMP 0000000076fb0490 .text C:\Windows\System32\hkcmd.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076e4bdf0 5 bytes JMP 0000000076fb03d0 .text C:\Windows\System32\hkcmd.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076e4bea0 5 bytes JMP 0000000076fb0310 .text C:\Windows\System32\hkcmd.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e4bed0 5 bytes JMP 0000000076fb03a0 .text C:\Windows\System32\hkcmd.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076e4bef0 1 byte JMP 0000000076fb0380 .text C:\Windows\System32\hkcmd.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 0000000076e4bef2 3 bytes {JMP 0x164490} .text C:\Windows\System32\hkcmd.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076e4bf30 5 bytes JMP 0000000076fb02d0 .text C:\Windows\System32\hkcmd.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076e4bfb0 5 bytes JMP 0000000076fb02c0 .text C:\Windows\System32\hkcmd.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e4bfd0 5 bytes JMP 0000000076fb0300 .text C:\Windows\System32\hkcmd.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e4c010 5 bytes JMP 0000000076fb03b0 .text C:\Windows\System32\hkcmd.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076e4c050 5 bytes JMP 0000000076fb0440 .text C:\Windows\System32\hkcmd.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076e4c060 5 bytes JMP 0000000076fb03e0 .text C:\Windows\System32\hkcmd.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076e4c1c0 5 bytes JMP 0000000076fb0220 .text C:\Windows\System32\hkcmd.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076e4c380 5 bytes JMP 0000000076fb04a0 .text C:\Windows\System32\hkcmd.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076e4c3b0 5 bytes JMP 0000000076fb0390 .text C:\Windows\System32\hkcmd.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076e4c490 5 bytes JMP 0000000076fb02e0 .text C:\Windows\System32\hkcmd.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076e4c4a0 5 bytes JMP 0000000076fb0340 .text C:\Windows\System32\hkcmd.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076e4c500 5 bytes JMP 0000000076fb0280 .text C:\Windows\System32\hkcmd.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076e4c590 5 bytes JMP 0000000076fb02a0 .text C:\Windows\System32\hkcmd.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e4c5b0 5 bytes JMP 0000000076fb03c0 .text C:\Windows\System32\hkcmd.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076e4c5c0 5 bytes JMP 0000000076fb0320 .text C:\Windows\System32\hkcmd.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076e4c630 5 bytes JMP 0000000076fb0410 .text C:\Windows\System32\hkcmd.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076e4c660 5 bytes JMP 0000000076fb0230 .text C:\Windows\System32\hkcmd.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000076e4c800 5 bytes JMP 0000000076fb03f0 .text C:\Windows\System32\hkcmd.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e4c920 5 bytes JMP 0000000076fb01d0 .text C:\Windows\System32\hkcmd.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076e4c9e0 5 bytes JMP 0000000076fb0240 .text C:\Windows\System32\hkcmd.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076e4ca10 5 bytes JMP 0000000076fb04b0 .text C:\Windows\System32\hkcmd.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076e4ca20 5 bytes JMP 0000000076fb04c0 .text C:\Windows\System32\hkcmd.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076e4ca50 5 bytes JMP 0000000076fb02f0 .text C:\Windows\System32\hkcmd.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076e4ca60 5 bytes JMP 0000000076fb0350 .text C:\Windows\System32\hkcmd.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076e4cac0 5 bytes JMP 0000000076fb0290 .text C:\Windows\System32\hkcmd.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076e4cb10 5 bytes JMP 0000000076fb02b0 .text C:\Windows\System32\hkcmd.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076e4cb40 5 bytes JMP 0000000076fb0370 .text C:\Windows\System32\hkcmd.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076e4cb50 5 bytes JMP 0000000076fb0330 .text C:\Windows\System32\hkcmd.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076e4ce40 5 bytes JMP 0000000076fb0460 .text C:\Windows\System32\hkcmd.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000076e4cfa0 5 bytes JMP 0000000076fb0420 .text C:\Windows\System32\hkcmd.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076e4d040 5 bytes JMP 0000000076fb0250 .text C:\Windows\System32\hkcmd.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076e4d050 5 bytes JMP 0000000076fb0260 .text C:\Windows\System32\hkcmd.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e4d060 5 bytes JMP 0000000076fb0400 .text C:\Windows\System32\hkcmd.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e4d220 5 bytes JMP 0000000076fb01e0 .text C:\Windows\System32\hkcmd.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076e4d230 5 bytes JMP 0000000076fb0200 .text C:\Windows\System32\hkcmd.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076e4d2a0 5 bytes JMP 0000000076fb01f0 .text C:\Windows\System32\hkcmd.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076e4d300 5 bytes JMP 0000000076fb0430 .text C:\Windows\System32\hkcmd.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076e4d310 5 bytes JMP 0000000076fb0450 .text C:\Windows\System32\hkcmd.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076e4d320 5 bytes JMP 0000000076fb0210 .text C:\Windows\System32\hkcmd.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076e4d400 5 bytes JMP 0000000076fb0270 .text C:\Windows\System32\igfxpers.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076e4bbe0 5 bytes JMP 0000000076fb0480 .text C:\Windows\System32\igfxpers.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076e4bc30 5 bytes JMP 0000000076fb0470 .text C:\Windows\System32\igfxpers.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076e4bd90 5 bytes JMP 0000000076fb0360 .text C:\Windows\System32\igfxpers.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076e4bde0 5 bytes JMP 0000000076fb0490 .text C:\Windows\System32\igfxpers.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076e4bdf0 5 bytes JMP 0000000076fb03d0 .text C:\Windows\System32\igfxpers.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076e4bea0 5 bytes JMP 0000000076fb0310 .text C:\Windows\System32\igfxpers.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e4bed0 5 bytes JMP 0000000076fb03a0 .text C:\Windows\System32\igfxpers.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076e4bef0 1 byte JMP 0000000076fb0380 .text C:\Windows\System32\igfxpers.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 0000000076e4bef2 3 bytes {JMP 0x164490} .text C:\Windows\System32\igfxpers.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076e4bf30 5 bytes JMP 0000000076fb02d0 .text C:\Windows\System32\igfxpers.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076e4bfb0 5 bytes JMP 0000000076fb02c0 .text C:\Windows\System32\igfxpers.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e4bfd0 5 bytes JMP 0000000076fb0300 .text C:\Windows\System32\igfxpers.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e4c010 5 bytes JMP 0000000076fb03b0 .text C:\Windows\System32\igfxpers.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076e4c050 5 bytes JMP 0000000076fb0440 .text C:\Windows\System32\igfxpers.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076e4c060 5 bytes JMP 0000000076fb03e0 .text C:\Windows\System32\igfxpers.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076e4c1c0 5 bytes JMP 0000000076fb0220 .text C:\Windows\System32\igfxpers.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076e4c380 5 bytes JMP 0000000076fb04a0 .text C:\Windows\System32\igfxpers.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076e4c3b0 5 bytes JMP 0000000076fb0390 .text C:\Windows\System32\igfxpers.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076e4c490 5 bytes JMP 0000000076fb02e0 .text C:\Windows\System32\igfxpers.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076e4c4a0 5 bytes JMP 0000000076fb0340 .text C:\Windows\System32\igfxpers.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076e4c500 5 bytes JMP 0000000076fb0280 .text C:\Windows\System32\igfxpers.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076e4c590 5 bytes JMP 0000000076fb02a0 .text C:\Windows\System32\igfxpers.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e4c5b0 5 bytes JMP 0000000076fb03c0 .text C:\Windows\System32\igfxpers.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076e4c5c0 5 bytes JMP 0000000076fb0320 .text C:\Windows\System32\igfxpers.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076e4c630 5 bytes JMP 0000000076fb0410 .text C:\Windows\System32\igfxpers.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076e4c660 5 bytes JMP 0000000076fb0230 .text C:\Windows\System32\igfxpers.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000076e4c800 5 bytes JMP 0000000076fb03f0 .text C:\Windows\System32\igfxpers.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e4c920 5 bytes JMP 0000000076fb01d0 .text C:\Windows\System32\igfxpers.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076e4c9e0 5 bytes JMP 0000000076fb0240 .text C:\Windows\System32\igfxpers.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076e4ca10 5 bytes JMP 0000000076fb04b0 .text C:\Windows\System32\igfxpers.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076e4ca20 5 bytes JMP 0000000076fb04c0 .text C:\Windows\System32\igfxpers.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076e4ca50 5 bytes JMP 0000000076fb02f0 .text C:\Windows\System32\igfxpers.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076e4ca60 5 bytes JMP 0000000076fb0350 .text C:\Windows\System32\igfxpers.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076e4cac0 5 bytes JMP 0000000076fb0290 .text C:\Windows\System32\igfxpers.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076e4cb10 5 bytes JMP 0000000076fb02b0 .text C:\Windows\System32\igfxpers.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076e4cb40 5 bytes JMP 0000000076fb0370 .text C:\Windows\System32\igfxpers.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076e4cb50 5 bytes JMP 0000000076fb0330 .text C:\Windows\System32\igfxpers.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076e4ce40 5 bytes JMP 0000000076fb0460 .text C:\Windows\System32\igfxpers.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000076e4cfa0 5 bytes JMP 0000000076fb0420 .text C:\Windows\System32\igfxpers.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076e4d040 5 bytes JMP 0000000076fb0250 .text C:\Windows\System32\igfxpers.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076e4d050 5 bytes JMP 0000000076fb0260 .text C:\Windows\System32\igfxpers.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e4d060 5 bytes JMP 0000000076fb0400 .text C:\Windows\System32\igfxpers.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e4d220 5 bytes JMP 0000000076fb01e0 .text C:\Windows\System32\igfxpers.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076e4d230 5 bytes JMP 0000000076fb0200 .text C:\Windows\System32\igfxpers.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076e4d2a0 5 bytes JMP 0000000076fb01f0 .text C:\Windows\System32\igfxpers.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076e4d300 5 bytes JMP 0000000076fb0430 .text C:\Windows\System32\igfxpers.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076e4d310 5 bytes JMP 0000000076fb0450 .text C:\Windows\System32\igfxpers.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076e4d320 5 bytes JMP 0000000076fb0210 .text C:\Windows\System32\igfxpers.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076e4d400 5 bytes JMP 0000000076fb0270 .text C:\Program Files\AVAST Software\Avast\avastui.exe[2072] C:\Windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter 0000000075388791 8 bytes [31, C0, C2, 04, 00, 90, 90, ...] .text C:\Windows\system32\taskeng.exe[2440] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076e4bbe0 5 bytes JMP 0000000076fb0480 .text C:\Windows\system32\taskeng.exe[2440] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076e4bc30 5 bytes JMP 0000000076fb0470 .text C:\Windows\system32\taskeng.exe[2440] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076e4bd90 5 bytes JMP 0000000076fb0360 .text C:\Windows\system32\taskeng.exe[2440] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076e4bde0 5 bytes JMP 0000000076fb0490 .text C:\Windows\system32\taskeng.exe[2440] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076e4bdf0 5 bytes JMP 0000000076fb03d0 .text C:\Windows\system32\taskeng.exe[2440] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076e4bea0 5 bytes JMP 0000000076fb0310 .text C:\Windows\system32\taskeng.exe[2440] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e4bed0 5 bytes JMP 0000000076fb03a0 .text C:\Windows\system32\taskeng.exe[2440] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076e4bef0 1 byte JMP 0000000076fb0380 .text C:\Windows\system32\taskeng.exe[2440] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 0000000076e4bef2 3 bytes {JMP 0x164490} .text C:\Windows\system32\taskeng.exe[2440] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076e4bf30 5 bytes JMP 0000000076fb02d0 .text C:\Windows\system32\taskeng.exe[2440] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076e4bfb0 5 bytes JMP 0000000076fb02c0 .text C:\Windows\system32\taskeng.exe[2440] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e4bfd0 5 bytes JMP 0000000076fb0300 .text C:\Windows\system32\taskeng.exe[2440] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e4c010 5 bytes JMP 0000000076fb03b0 .text C:\Windows\system32\taskeng.exe[2440] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076e4c050 5 bytes JMP 0000000076fb0440 .text C:\Windows\system32\taskeng.exe[2440] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076e4c060 5 bytes JMP 0000000076fb03e0 .text C:\Windows\system32\taskeng.exe[2440] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076e4c1c0 5 bytes JMP 0000000076fb0220 .text C:\Windows\system32\taskeng.exe[2440] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076e4c380 5 bytes JMP 0000000076fb04a0 .text C:\Windows\system32\taskeng.exe[2440] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076e4c3b0 5 bytes JMP 0000000076fb0390 .text C:\Windows\system32\taskeng.exe[2440] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076e4c490 5 bytes JMP 0000000076fb02e0 .text C:\Windows\system32\taskeng.exe[2440] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076e4c4a0 5 bytes JMP 0000000076fb0340 .text C:\Windows\system32\taskeng.exe[2440] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076e4c500 5 bytes JMP 0000000076fb0280 .text C:\Windows\system32\taskeng.exe[2440] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076e4c590 5 bytes JMP 0000000076fb02a0 .text C:\Windows\system32\taskeng.exe[2440] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e4c5b0 5 bytes JMP 0000000076fb03c0 .text C:\Windows\system32\taskeng.exe[2440] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076e4c5c0 5 bytes JMP 0000000076fb0320 .text C:\Windows\system32\taskeng.exe[2440] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076e4c630 5 bytes JMP 0000000076fb0410 .text C:\Windows\system32\taskeng.exe[2440] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076e4c660 5 bytes JMP 0000000076fb0230 .text C:\Windows\system32\taskeng.exe[2440] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000076e4c800 5 bytes JMP 0000000076fb03f0 .text C:\Windows\system32\taskeng.exe[2440] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e4c920 5 bytes JMP 0000000076fb01d0 .text C:\Windows\system32\taskeng.exe[2440] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076e4c9e0 5 bytes JMP 0000000076fb0240 .text C:\Windows\system32\taskeng.exe[2440] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076e4ca10 5 bytes JMP 0000000076fb04b0 .text C:\Windows\system32\taskeng.exe[2440] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076e4ca20 5 bytes JMP 0000000076fb04c0 .text C:\Windows\system32\taskeng.exe[2440] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076e4ca50 5 bytes JMP 0000000076fb02f0 .text C:\Windows\system32\taskeng.exe[2440] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076e4ca60 5 bytes JMP 0000000076fb0350 .text C:\Windows\system32\taskeng.exe[2440] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076e4cac0 5 bytes JMP 0000000076fb0290 .text C:\Windows\system32\taskeng.exe[2440] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076e4cb10 5 bytes JMP 0000000076fb02b0 .text C:\Windows\system32\taskeng.exe[2440] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076e4cb40 5 bytes JMP 0000000076fb0370 .text C:\Windows\system32\taskeng.exe[2440] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076e4cb50 5 bytes JMP 0000000076fb0330 .text C:\Windows\system32\taskeng.exe[2440] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076e4ce40 5 bytes JMP 0000000076fb0460 .text C:\Windows\system32\taskeng.exe[2440] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000076e4cfa0 5 bytes JMP 0000000076fb0420 .text C:\Windows\system32\taskeng.exe[2440] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076e4d040 5 bytes JMP 0000000076fb0250 .text C:\Windows\system32\taskeng.exe[2440] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076e4d050 5 bytes JMP 0000000076fb0260 .text C:\Windows\system32\taskeng.exe[2440] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e4d060 5 bytes JMP 0000000076fb0400 .text C:\Windows\system32\taskeng.exe[2440] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e4d220 5 bytes JMP 0000000076fb01e0 .text C:\Windows\system32\taskeng.exe[2440] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076e4d230 5 bytes JMP 0000000076fb0200 .text C:\Windows\system32\taskeng.exe[2440] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076e4d2a0 5 bytes JMP 0000000076fb01f0 .text C:\Windows\system32\taskeng.exe[2440] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076e4d300 5 bytes JMP 0000000076fb0430 .text C:\Windows\system32\taskeng.exe[2440] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076e4d310 5 bytes JMP 0000000076fb0450 .text C:\Windows\system32\taskeng.exe[2440] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076e4d320 5 bytes JMP 0000000076fb0210 .text C:\Windows\system32\taskeng.exe[2440] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076e4d400 5 bytes JMP 0000000076fb0270 .text C:\Program Files (x86)\Auslogics\BoostSpeed\BoostSpeed.exe[2488] C:\Windows\syswow64\kernel32.dll!CreateThread + 28 00000000753834b1 4 bytes {CALL 0xffffffff8b0deb3c} .text C:\Windows\System32\svchost.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076e4bbe0 5 bytes JMP 0000000076fb0480 .text C:\Windows\System32\svchost.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076e4bc30 5 bytes JMP 0000000076fb0470 .text C:\Windows\System32\svchost.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076e4bd90 5 bytes JMP 0000000076fb0360 .text C:\Windows\System32\svchost.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076e4bde0 5 bytes JMP 0000000076fb0490 .text C:\Windows\System32\svchost.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076e4bdf0 5 bytes JMP 0000000076fb03d0 .text C:\Windows\System32\svchost.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076e4bea0 5 bytes JMP 0000000076fb0310 .text C:\Windows\System32\svchost.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e4bed0 5 bytes JMP 0000000076fb03a0 .text C:\Windows\System32\svchost.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076e4bef0 1 byte JMP 0000000076fb0380 .text C:\Windows\System32\svchost.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 0000000076e4bef2 3 bytes {JMP 0x164490} .text C:\Windows\System32\svchost.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076e4bf30 5 bytes JMP 0000000076fb02d0 .text C:\Windows\System32\svchost.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076e4bfb0 5 bytes JMP 0000000076fb02c0 .text C:\Windows\System32\svchost.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e4bfd0 5 bytes JMP 0000000076fb0300 .text C:\Windows\System32\svchost.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e4c010 5 bytes JMP 0000000076fb03b0 .text C:\Windows\System32\svchost.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076e4c050 5 bytes JMP 0000000076fb0440 .text C:\Windows\System32\svchost.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076e4c060 5 bytes JMP 0000000076fb03e0 .text C:\Windows\System32\svchost.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076e4c1c0 5 bytes JMP 0000000076fb0220 .text C:\Windows\System32\svchost.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076e4c380 5 bytes JMP 0000000076fb04a0 .text C:\Windows\System32\svchost.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076e4c3b0 5 bytes JMP 0000000076fb0390 .text C:\Windows\System32\svchost.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076e4c490 5 bytes JMP 0000000076fb02e0 .text C:\Windows\System32\svchost.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076e4c4a0 5 bytes JMP 0000000076fb0340 .text C:\Windows\System32\svchost.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076e4c500 5 bytes JMP 0000000076fb0280 .text C:\Windows\System32\svchost.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076e4c590 5 bytes JMP 0000000076fb02a0 .text C:\Windows\System32\svchost.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e4c5b0 5 bytes JMP 0000000076fb03c0 .text C:\Windows\System32\svchost.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076e4c5c0 5 bytes JMP 0000000076fb0320 .text C:\Windows\System32\svchost.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076e4c630 5 bytes JMP 0000000076fb0410 .text C:\Windows\System32\svchost.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076e4c660 5 bytes JMP 0000000076fb0230 .text C:\Windows\System32\svchost.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000076e4c800 5 bytes JMP 0000000076fb03f0 .text C:\Windows\System32\svchost.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e4c920 5 bytes JMP 0000000076fb01d0 .text C:\Windows\System32\svchost.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076e4c9e0 5 bytes JMP 0000000076fb0240 .text C:\Windows\System32\svchost.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076e4ca10 5 bytes JMP 0000000076fb04b0 .text C:\Windows\System32\svchost.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076e4ca20 5 bytes JMP 0000000076fb04c0 .text C:\Windows\System32\svchost.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076e4ca50 5 bytes JMP 0000000076fb02f0 .text C:\Windows\System32\svchost.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076e4ca60 5 bytes JMP 0000000076fb0350 .text C:\Windows\System32\svchost.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076e4cac0 5 bytes JMP 0000000076fb0290 .text C:\Windows\System32\svchost.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076e4cb10 5 bytes JMP 0000000076fb02b0 .text C:\Windows\System32\svchost.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076e4cb40 5 bytes JMP 0000000076fb0370 .text C:\Windows\System32\svchost.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076e4cb50 5 bytes JMP 0000000076fb0330 .text C:\Windows\System32\svchost.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076e4ce40 5 bytes JMP 0000000076fb0460 .text C:\Windows\System32\svchost.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000076e4cfa0 5 bytes JMP 0000000076fb0420 .text C:\Windows\System32\svchost.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076e4d040 5 bytes JMP 0000000076fb0250 .text C:\Windows\System32\svchost.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076e4d050 5 bytes JMP 0000000076fb0260 .text C:\Windows\System32\svchost.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e4d060 5 bytes JMP 0000000076fb0400 .text C:\Windows\System32\svchost.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e4d220 5 bytes JMP 0000000076fb01e0 .text C:\Windows\System32\svchost.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076e4d230 5 bytes JMP 0000000076fb0200 .text C:\Windows\System32\svchost.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076e4d2a0 5 bytes JMP 0000000076fb01f0 .text C:\Windows\System32\svchost.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076e4d300 5 bytes JMP 0000000076fb0430 .text C:\Windows\System32\svchost.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076e4d310 5 bytes JMP 0000000076fb0450 .text C:\Windows\System32\svchost.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076e4d320 5 bytes JMP 0000000076fb0210 .text C:\Windows\System32\svchost.exe[2576] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076e4d400 5 bytes JMP 0000000076fb0270 .text C:\Windows\system32\imdsksvc.exe[4956] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076e4bbe0 5 bytes JMP 0000000076fb0480 .text C:\Windows\system32\imdsksvc.exe[4956] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076e4bc30 5 bytes JMP 0000000076fb0470 .text C:\Windows\system32\imdsksvc.exe[4956] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076e4bd90 5 bytes JMP 0000000076fb0360 .text C:\Windows\system32\imdsksvc.exe[4956] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076e4bde0 5 bytes JMP 0000000076fb0490 .text C:\Windows\system32\imdsksvc.exe[4956] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076e4bdf0 5 bytes JMP 0000000076fb03d0 .text C:\Windows\system32\imdsksvc.exe[4956] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076e4bea0 5 bytes JMP 0000000076fb0310 .text C:\Windows\system32\imdsksvc.exe[4956] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e4bed0 5 bytes JMP 0000000076fb03a0 .text C:\Windows\system32\imdsksvc.exe[4956] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076e4bef0 1 byte JMP 0000000076fb0380 .text C:\Windows\system32\imdsksvc.exe[4956] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 0000000076e4bef2 3 bytes {JMP 0x164490} .text C:\Windows\system32\imdsksvc.exe[4956] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076e4bf30 5 bytes JMP 0000000076fb02d0 .text C:\Windows\system32\imdsksvc.exe[4956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076e4bfb0 5 bytes JMP 0000000076fb02c0 .text C:\Windows\system32\imdsksvc.exe[4956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e4bfd0 5 bytes JMP 0000000076fb0300 .text C:\Windows\system32\imdsksvc.exe[4956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e4c010 5 bytes JMP 0000000076fb03b0 .text C:\Windows\system32\imdsksvc.exe[4956] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076e4c050 5 bytes JMP 0000000076fb0440 .text C:\Windows\system32\imdsksvc.exe[4956] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076e4c060 5 bytes JMP 0000000076fb03e0 .text C:\Windows\system32\imdsksvc.exe[4956] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076e4c1c0 5 bytes JMP 0000000076fb0220 .text C:\Windows\system32\imdsksvc.exe[4956] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076e4c380 5 bytes JMP 0000000076fb04a0 .text C:\Windows\system32\imdsksvc.exe[4956] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076e4c3b0 5 bytes JMP 0000000076fb0390 .text C:\Windows\system32\imdsksvc.exe[4956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076e4c490 5 bytes JMP 0000000076fb02e0 .text C:\Windows\system32\imdsksvc.exe[4956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076e4c4a0 5 bytes JMP 0000000076fb0340 .text C:\Windows\system32\imdsksvc.exe[4956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076e4c500 5 bytes JMP 0000000076fb0280 .text C:\Windows\system32\imdsksvc.exe[4956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076e4c590 5 bytes JMP 0000000076fb02a0 .text C:\Windows\system32\imdsksvc.exe[4956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e4c5b0 5 bytes JMP 0000000076fb03c0 .text C:\Windows\system32\imdsksvc.exe[4956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076e4c5c0 5 bytes JMP 0000000076fb0320 .text C:\Windows\system32\imdsksvc.exe[4956] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076e4c630 5 bytes JMP 0000000076fb0410 .text C:\Windows\system32\imdsksvc.exe[4956] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076e4c660 5 bytes JMP 0000000076fb0230 .text C:\Windows\system32\imdsksvc.exe[4956] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000076e4c800 5 bytes JMP 0000000076fb03f0 .text C:\Windows\system32\imdsksvc.exe[4956] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e4c920 5 bytes JMP 0000000076fb01d0 .text C:\Windows\system32\imdsksvc.exe[4956] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076e4c9e0 5 bytes JMP 0000000076fb0240 .text C:\Windows\system32\imdsksvc.exe[4956] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076e4ca10 5 bytes JMP 0000000076fb04b0 .text C:\Windows\system32\imdsksvc.exe[4956] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076e4ca20 5 bytes JMP 0000000076fb04c0 .text C:\Windows\system32\imdsksvc.exe[4956] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076e4ca50 5 bytes JMP 0000000076fb02f0 .text C:\Windows\system32\imdsksvc.exe[4956] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076e4ca60 5 bytes JMP 0000000076fb0350 .text C:\Windows\system32\imdsksvc.exe[4956] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076e4cac0 5 bytes JMP 0000000076fb0290 .text C:\Windows\system32\imdsksvc.exe[4956] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076e4cb10 5 bytes JMP 0000000076fb02b0 .text C:\Windows\system32\imdsksvc.exe[4956] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076e4cb40 5 bytes JMP 0000000076fb0370 .text C:\Windows\system32\imdsksvc.exe[4956] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076e4cb50 5 bytes JMP 0000000076fb0330 .text C:\Windows\system32\imdsksvc.exe[4956] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076e4ce40 5 bytes JMP 0000000076fb0460 .text C:\Windows\system32\imdsksvc.exe[4956] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000076e4cfa0 5 bytes JMP 0000000076fb0420 .text C:\Windows\system32\imdsksvc.exe[4956] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076e4d040 5 bytes JMP 0000000076fb0250 .text C:\Windows\system32\imdsksvc.exe[4956] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076e4d050 5 bytes JMP 0000000076fb0260 .text C:\Windows\system32\imdsksvc.exe[4956] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e4d060 5 bytes JMP 0000000076fb0400 .text C:\Windows\system32\imdsksvc.exe[4956] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e4d220 5 bytes JMP 0000000076fb01e0 .text C:\Windows\system32\imdsksvc.exe[4956] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076e4d230 5 bytes JMP 0000000076fb0200 .text C:\Windows\system32\imdsksvc.exe[4956] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076e4d2a0 5 bytes JMP 0000000076fb01f0 .text C:\Windows\system32\imdsksvc.exe[4956] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076e4d300 5 bytes JMP 0000000076fb0430 .text C:\Windows\system32\imdsksvc.exe[4956] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076e4d310 5 bytes JMP 0000000076fb0450 .text C:\Windows\system32\imdsksvc.exe[4956] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076e4d320 5 bytes JMP 0000000076fb0210 .text C:\Windows\system32\imdsksvc.exe[4956] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076e4d400 5 bytes JMP 0000000076fb0270 .text C:\Windows\SysWOW64\PnkBstrA.exe[4284] C:\Windows\SysWOW64\WSOCK32.dll!recv + 82 0000000072d517fa 2 bytes CALL 753811a9 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[4284] C:\Windows\SysWOW64\WSOCK32.dll!recvfrom + 88 0000000072d51860 2 bytes CALL 753811a9 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[4284] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 98 0000000072d51942 2 bytes JMP 74a97089 C:\Windows\syswow64\WS2_32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[4284] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 109 0000000072d5194d 2 bytes JMP 74a9cba6 C:\Windows\syswow64\WS2_32.dll .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[4340] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076e4bbe0 5 bytes JMP 0000000076fb0480 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[4340] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076e4bc30 5 bytes JMP 0000000076fb0470 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[4340] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076e4bd90 5 bytes JMP 0000000076fb0360 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[4340] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076e4bde0 5 bytes JMP 0000000076fb0490 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[4340] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076e4bdf0 5 bytes JMP 0000000076fb03d0 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[4340] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076e4bea0 5 bytes JMP 0000000076fb0310 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[4340] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e4bed0 5 bytes JMP 0000000076fb03a0 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[4340] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076e4bef0 1 byte JMP 0000000076fb0380 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[4340] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 0000000076e4bef2 3 bytes {JMP 0x164490} .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[4340] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076e4bf30 5 bytes JMP 0000000076fb02d0 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[4340] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076e4bfb0 5 bytes JMP 0000000076fb02c0 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[4340] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e4bfd0 5 bytes JMP 0000000076fb0300 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[4340] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e4c010 5 bytes JMP 0000000076fb03b0 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[4340] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076e4c050 5 bytes JMP 0000000076fb0440 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[4340] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076e4c060 5 bytes JMP 0000000076fb03e0 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[4340] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076e4c1c0 5 bytes JMP 0000000076fb0220 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[4340] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076e4c380 5 bytes JMP 0000000076fb04a0 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[4340] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076e4c3b0 5 bytes JMP 0000000076fb0390 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[4340] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076e4c490 5 bytes JMP 0000000076fb02e0 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[4340] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076e4c4a0 5 bytes JMP 0000000076fb0340 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[4340] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076e4c500 5 bytes JMP 0000000076fb0280 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[4340] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076e4c590 5 bytes JMP 0000000076fb02a0 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[4340] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e4c5b0 5 bytes JMP 0000000076fb03c0 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[4340] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076e4c5c0 5 bytes JMP 0000000076fb0320 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[4340] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076e4c630 5 bytes JMP 0000000076fb0410 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[4340] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076e4c660 5 bytes JMP 0000000076fb0230 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[4340] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000076e4c800 5 bytes JMP 0000000076fb03f0 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[4340] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e4c920 5 bytes JMP 0000000076fb01d0 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[4340] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076e4c9e0 5 bytes JMP 0000000076fb0240 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[4340] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076e4ca10 5 bytes JMP 0000000076fb04b0 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[4340] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076e4ca20 5 bytes JMP 0000000076fb04c0 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[4340] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076e4ca50 5 bytes JMP 0000000076fb02f0 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[4340] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076e4ca60 5 bytes JMP 0000000076fb0350 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[4340] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076e4cac0 5 bytes JMP 0000000076fb0290 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[4340] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076e4cb10 5 bytes JMP 0000000076fb02b0 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[4340] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076e4cb40 5 bytes JMP 0000000076fb0370 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[4340] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076e4cb50 5 bytes JMP 0000000076fb0330 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[4340] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076e4ce40 5 bytes JMP 0000000076fb0460 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[4340] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000076e4cfa0 5 bytes JMP 0000000076fb0420 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[4340] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076e4d040 5 bytes JMP 0000000076fb0250 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[4340] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076e4d050 5 bytes JMP 0000000076fb0260 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[4340] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e4d060 5 bytes JMP 0000000076fb0400 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[4340] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e4d220 5 bytes JMP 0000000076fb01e0 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[4340] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076e4d230 5 bytes JMP 0000000076fb0200 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[4340] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076e4d2a0 5 bytes JMP 0000000076fb01f0 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[4340] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076e4d300 5 bytes JMP 0000000076fb0430 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[4340] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076e4d310 5 bytes JMP 0000000076fb0450 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[4340] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076e4d320 5 bytes JMP 0000000076fb0210 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[4340] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076e4d400 5 bytes JMP 0000000076fb0270 .text C:\Windows\system32\svchost.exe[4580] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076e4bbe0 5 bytes JMP 0000000076fb0480 .text C:\Windows\system32\svchost.exe[4580] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076e4bc30 5 bytes JMP 0000000076fb0470 .text C:\Windows\system32\svchost.exe[4580] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076e4bd90 5 bytes JMP 0000000076fb0360 .text C:\Windows\system32\svchost.exe[4580] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076e4bde0 5 bytes JMP 0000000076fb0490 .text C:\Windows\system32\svchost.exe[4580] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076e4bdf0 5 bytes JMP 0000000076fb03d0 .text C:\Windows\system32\svchost.exe[4580] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076e4bea0 5 bytes JMP 0000000076fb0310 .text C:\Windows\system32\svchost.exe[4580] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e4bed0 5 bytes JMP 0000000076fb03a0 .text C:\Windows\system32\svchost.exe[4580] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076e4bef0 1 byte JMP 0000000076fb0380 .text C:\Windows\system32\svchost.exe[4580] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 0000000076e4bef2 3 bytes {JMP 0x164490} .text C:\Windows\system32\svchost.exe[4580] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076e4bf30 5 bytes JMP 0000000076fb02d0 .text C:\Windows\system32\svchost.exe[4580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076e4bfb0 5 bytes JMP 0000000076fb02c0 .text C:\Windows\system32\svchost.exe[4580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e4bfd0 5 bytes JMP 0000000076fb0300 .text C:\Windows\system32\svchost.exe[4580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e4c010 5 bytes JMP 0000000076fb03b0 .text C:\Windows\system32\svchost.exe[4580] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076e4c050 5 bytes JMP 0000000076fb0440 .text C:\Windows\system32\svchost.exe[4580] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076e4c060 5 bytes JMP 0000000076fb03e0 .text C:\Windows\system32\svchost.exe[4580] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076e4c1c0 5 bytes JMP 0000000076fb0220 .text C:\Windows\system32\svchost.exe[4580] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076e4c380 5 bytes JMP 0000000076fb04a0 .text C:\Windows\system32\svchost.exe[4580] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076e4c3b0 5 bytes JMP 0000000076fb0390 .text C:\Windows\system32\svchost.exe[4580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076e4c490 5 bytes JMP 0000000076fb02e0 .text C:\Windows\system32\svchost.exe[4580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076e4c4a0 5 bytes JMP 0000000076fb0340 .text C:\Windows\system32\svchost.exe[4580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076e4c500 5 bytes JMP 0000000076fb0280 .text C:\Windows\system32\svchost.exe[4580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076e4c590 5 bytes JMP 0000000076fb02a0 .text C:\Windows\system32\svchost.exe[4580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e4c5b0 5 bytes JMP 0000000076fb03c0 .text C:\Windows\system32\svchost.exe[4580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076e4c5c0 5 bytes JMP 0000000076fb0320 .text C:\Windows\system32\svchost.exe[4580] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076e4c630 5 bytes JMP 0000000076fb0410 .text C:\Windows\system32\svchost.exe[4580] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076e4c660 5 bytes JMP 0000000076fb0230 .text C:\Windows\system32\svchost.exe[4580] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000076e4c800 5 bytes JMP 0000000076fb03f0 .text C:\Windows\system32\svchost.exe[4580] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e4c920 5 bytes JMP 0000000076fb01d0 .text C:\Windows\system32\svchost.exe[4580] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076e4c9e0 5 bytes JMP 0000000076fb0240 .text C:\Windows\system32\svchost.exe[4580] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076e4ca10 5 bytes JMP 0000000076fb04b0 .text C:\Windows\system32\svchost.exe[4580] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076e4ca20 5 bytes JMP 0000000076fb04c0 .text C:\Windows\system32\svchost.exe[4580] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076e4ca50 5 bytes JMP 0000000076fb02f0 .text C:\Windows\system32\svchost.exe[4580] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076e4ca60 5 bytes JMP 0000000076fb0350 .text C:\Windows\system32\svchost.exe[4580] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076e4cac0 5 bytes JMP 0000000076fb0290 .text C:\Windows\system32\svchost.exe[4580] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076e4cb10 5 bytes JMP 0000000076fb02b0 .text C:\Windows\system32\svchost.exe[4580] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076e4cb40 5 bytes JMP 0000000076fb0370 .text C:\Windows\system32\svchost.exe[4580] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076e4cb50 5 bytes JMP 0000000076fb0330 .text C:\Windows\system32\svchost.exe[4580] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076e4ce40 5 bytes JMP 0000000076fb0460 .text C:\Windows\system32\svchost.exe[4580] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000076e4cfa0 5 bytes JMP 0000000076fb0420 .text C:\Windows\system32\svchost.exe[4580] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076e4d040 5 bytes JMP 0000000076fb0250 .text C:\Windows\system32\svchost.exe[4580] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076e4d050 5 bytes JMP 0000000076fb0260 .text C:\Windows\system32\svchost.exe[4580] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e4d060 5 bytes JMP 0000000076fb0400 .text C:\Windows\system32\svchost.exe[4580] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e4d220 5 bytes JMP 0000000076fb01e0 .text C:\Windows\system32\svchost.exe[4580] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076e4d230 5 bytes JMP 0000000076fb0200 .text C:\Windows\system32\svchost.exe[4580] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076e4d2a0 5 bytes JMP 0000000076fb01f0 .text C:\Windows\system32\svchost.exe[4580] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076e4d300 5 bytes JMP 0000000076fb0430 .text C:\Windows\system32\svchost.exe[4580] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076e4d310 5 bytes JMP 0000000076fb0450 .text C:\Windows\system32\svchost.exe[4580] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076e4d320 5 bytes JMP 0000000076fb0210 .text C:\Windows\system32\svchost.exe[4580] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076e4d400 5 bytes JMP 0000000076fb0270 .text D:\boxoffplay\StreamingCore.exe[4692] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076e4bbe0 5 bytes JMP 0000000076fb0480 .text D:\boxoffplay\StreamingCore.exe[4692] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076e4bc30 5 bytes JMP 0000000076fb0470 .text D:\boxoffplay\StreamingCore.exe[4692] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076e4bd90 5 bytes JMP 0000000076fb0360 .text D:\boxoffplay\StreamingCore.exe[4692] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076e4bde0 5 bytes JMP 0000000076fb0490 .text D:\boxoffplay\StreamingCore.exe[4692] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076e4bdf0 5 bytes JMP 0000000076fb03d0 .text D:\boxoffplay\StreamingCore.exe[4692] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076e4bea0 5 bytes JMP 0000000076fb0310 .text D:\boxoffplay\StreamingCore.exe[4692] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e4bed0 5 bytes JMP 0000000076fb03a0 .text D:\boxoffplay\StreamingCore.exe[4692] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076e4bef0 1 byte JMP 0000000076fb0380 .text D:\boxoffplay\StreamingCore.exe[4692] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 0000000076e4bef2 3 bytes {JMP 0x164490} .text D:\boxoffplay\StreamingCore.exe[4692] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076e4bf30 5 bytes JMP 0000000076fb02d0 .text D:\boxoffplay\StreamingCore.exe[4692] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076e4bfb0 5 bytes JMP 0000000076fb02c0 .text D:\boxoffplay\StreamingCore.exe[4692] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e4bfd0 5 bytes JMP 0000000076fb0300 .text D:\boxoffplay\StreamingCore.exe[4692] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e4c010 5 bytes JMP 0000000076fb03b0 .text D:\boxoffplay\StreamingCore.exe[4692] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076e4c050 5 bytes JMP 0000000076fb0440 .text D:\boxoffplay\StreamingCore.exe[4692] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076e4c060 5 bytes JMP 0000000076fb03e0 .text D:\boxoffplay\StreamingCore.exe[4692] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076e4c1c0 5 bytes JMP 0000000076fb0220 .text D:\boxoffplay\StreamingCore.exe[4692] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076e4c380 5 bytes JMP 0000000076fb04a0 .text D:\boxoffplay\StreamingCore.exe[4692] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076e4c3b0 5 bytes JMP 0000000076fb0390 .text D:\boxoffplay\StreamingCore.exe[4692] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076e4c490 5 bytes JMP 0000000076fb02e0 .text D:\boxoffplay\StreamingCore.exe[4692] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076e4c4a0 5 bytes JMP 0000000076fb0340 .text D:\boxoffplay\StreamingCore.exe[4692] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076e4c500 5 bytes JMP 0000000076fb0280 .text D:\boxoffplay\StreamingCore.exe[4692] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076e4c590 5 bytes JMP 0000000076fb02a0 .text D:\boxoffplay\StreamingCore.exe[4692] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e4c5b0 5 bytes JMP 0000000076fb03c0 .text D:\boxoffplay\StreamingCore.exe[4692] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076e4c5c0 5 bytes JMP 0000000076fb0320 .text D:\boxoffplay\StreamingCore.exe[4692] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076e4c630 5 bytes JMP 0000000076fb0410 .text D:\boxoffplay\StreamingCore.exe[4692] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076e4c660 5 bytes JMP 0000000076fb0230 .text D:\boxoffplay\StreamingCore.exe[4692] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000076e4c800 5 bytes JMP 0000000076fb03f0 .text D:\boxoffplay\StreamingCore.exe[4692] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e4c920 5 bytes JMP 0000000076fb01d0 .text D:\boxoffplay\StreamingCore.exe[4692] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076e4c9e0 5 bytes JMP 0000000076fb0240 .text D:\boxoffplay\StreamingCore.exe[4692] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076e4ca10 5 bytes JMP 0000000076fb04b0 .text D:\boxoffplay\StreamingCore.exe[4692] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076e4ca20 5 bytes JMP 0000000076fb04c0 .text D:\boxoffplay\StreamingCore.exe[4692] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076e4ca50 5 bytes JMP 0000000076fb02f0 .text D:\boxoffplay\StreamingCore.exe[4692] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076e4ca60 5 bytes JMP 0000000076fb0350 .text D:\boxoffplay\StreamingCore.exe[4692] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076e4cac0 5 bytes JMP 0000000076fb0290 .text D:\boxoffplay\StreamingCore.exe[4692] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076e4cb10 5 bytes JMP 0000000076fb02b0 .text D:\boxoffplay\StreamingCore.exe[4692] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076e4cb40 5 bytes JMP 0000000076fb0370 .text D:\boxoffplay\StreamingCore.exe[4692] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076e4cb50 5 bytes JMP 0000000076fb0330 .text D:\boxoffplay\StreamingCore.exe[4692] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076e4ce40 5 bytes JMP 0000000076fb0460 .text D:\boxoffplay\StreamingCore.exe[4692] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000076e4cfa0 5 bytes JMP 0000000076fb0420 .text D:\boxoffplay\StreamingCore.exe[4692] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076e4d040 5 bytes JMP 0000000076fb0250 .text D:\boxoffplay\StreamingCore.exe[4692] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076e4d050 5 bytes JMP 0000000076fb0260 .text D:\boxoffplay\StreamingCore.exe[4692] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e4d060 5 bytes JMP 0000000076fb0400 .text D:\boxoffplay\StreamingCore.exe[4692] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e4d220 5 bytes JMP 0000000076fb01e0 .text D:\boxoffplay\StreamingCore.exe[4692] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076e4d230 5 bytes JMP 0000000076fb0200 .text D:\boxoffplay\StreamingCore.exe[4692] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076e4d2a0 5 bytes JMP 0000000076fb01f0 .text D:\boxoffplay\StreamingCore.exe[4692] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076e4d300 5 bytes JMP 0000000076fb0430 .text D:\boxoffplay\StreamingCore.exe[4692] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076e4d310 5 bytes JMP 0000000076fb0450 .text D:\boxoffplay\StreamingCore.exe[4692] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076e4d320 5 bytes JMP 0000000076fb0210 .text D:\boxoffplay\StreamingCore.exe[4692] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076e4d400 5 bytes JMP 0000000076fb0270 .text C:\Windows\SysWOW64\vmnat.exe[4780] C:\Windows\SysWOW64\SHFOLDER.dll!SHGetFolderPathW + 4 00000000712913b0 2 bytes JMP 76015628 C:\Windows\syswow64\SHELL32.dll .text C:\Windows\SysWOW64\vmnat.exe[4780] C:\Windows\SysWOW64\SHFOLDER.dll!SHGetFolderPathW + 20 00000000712913c0 2 bytes CALL 75979cee C:\Windows\syswow64\msvcrt.dll .text ... * 20 .text C:\Windows\SysWOW64\vmnat.exe[4780] C:\Windows\SysWOW64\SHFOLDER.dll!SHGetFolderPathA + 22 000000007129153e 2 bytes CALL 760a7744 C:\Windows\syswow64\SHELL32.dll .text C:\Windows\SysWOW64\vmnat.exe[4780] C:\Windows\SysWOW64\SHFOLDER.dll!SHGetFolderPathA + 43 0000000071291553 2 bytes CALL 753810ff C:\Windows\syswow64\kernel32.dll .text C:\Windows\System32\svchost.exe[4820] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076e4bbe0 5 bytes JMP 0000000076fb0480 .text C:\Windows\System32\svchost.exe[4820] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076e4bc30 5 bytes JMP 0000000076fb0470 .text C:\Windows\System32\svchost.exe[4820] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076e4bd90 5 bytes JMP 0000000076fb0360 .text C:\Windows\System32\svchost.exe[4820] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076e4bde0 5 bytes JMP 0000000076fb0490 .text C:\Windows\System32\svchost.exe[4820] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076e4bdf0 5 bytes JMP 0000000076fb03d0 .text C:\Windows\System32\svchost.exe[4820] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076e4bea0 5 bytes JMP 0000000076fb0310 .text C:\Windows\System32\svchost.exe[4820] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e4bed0 5 bytes JMP 0000000076fb03a0 .text C:\Windows\System32\svchost.exe[4820] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076e4bef0 1 byte JMP 0000000076fb0380 .text C:\Windows\System32\svchost.exe[4820] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 0000000076e4bef2 3 bytes {JMP 0x164490} .text C:\Windows\System32\svchost.exe[4820] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076e4bf30 5 bytes JMP 0000000076fb02d0 .text C:\Windows\System32\svchost.exe[4820] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076e4bfb0 5 bytes JMP 0000000076fb02c0 .text C:\Windows\System32\svchost.exe[4820] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e4bfd0 5 bytes JMP 0000000076fb0300 .text C:\Windows\System32\svchost.exe[4820] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e4c010 5 bytes JMP 0000000076fb03b0 .text C:\Windows\System32\svchost.exe[4820] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076e4c050 5 bytes JMP 0000000076fb0440 .text C:\Windows\System32\svchost.exe[4820] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076e4c060 5 bytes JMP 0000000076fb03e0 .text C:\Windows\System32\svchost.exe[4820] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076e4c1c0 5 bytes JMP 0000000076fb0220 .text C:\Windows\System32\svchost.exe[4820] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076e4c380 5 bytes JMP 0000000076fb04a0 .text C:\Windows\System32\svchost.exe[4820] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076e4c3b0 5 bytes JMP 0000000076fb0390 .text C:\Windows\System32\svchost.exe[4820] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076e4c490 5 bytes JMP 0000000076fb02e0 .text C:\Windows\System32\svchost.exe[4820] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076e4c4a0 5 bytes JMP 0000000076fb0340 .text C:\Windows\System32\svchost.exe[4820] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076e4c500 5 bytes JMP 0000000076fb0280 .text C:\Windows\System32\svchost.exe[4820] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076e4c590 5 bytes JMP 0000000076fb02a0 .text C:\Windows\System32\svchost.exe[4820] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e4c5b0 5 bytes JMP 0000000076fb03c0 .text C:\Windows\System32\svchost.exe[4820] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076e4c5c0 5 bytes JMP 0000000076fb0320 .text C:\Windows\System32\svchost.exe[4820] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076e4c630 5 bytes JMP 0000000076fb0410 .text C:\Windows\System32\svchost.exe[4820] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076e4c660 5 bytes JMP 0000000076fb0230 .text C:\Windows\System32\svchost.exe[4820] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000076e4c800 5 bytes JMP 0000000076fb03f0 .text C:\Windows\System32\svchost.exe[4820] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e4c920 5 bytes JMP 0000000076fb01d0 .text C:\Windows\System32\svchost.exe[4820] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076e4c9e0 5 bytes JMP 0000000076fb0240 .text C:\Windows\System32\svchost.exe[4820] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076e4ca10 5 bytes JMP 0000000076fb04b0 .text C:\Windows\System32\svchost.exe[4820] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076e4ca20 5 bytes JMP 0000000076fb04c0 .text C:\Windows\System32\svchost.exe[4820] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076e4ca50 5 bytes JMP 0000000076fb02f0 .text C:\Windows\System32\svchost.exe[4820] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076e4ca60 5 bytes JMP 0000000076fb0350 .text C:\Windows\System32\svchost.exe[4820] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076e4cac0 5 bytes JMP 0000000076fb0290 .text C:\Windows\System32\svchost.exe[4820] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076e4cb10 5 bytes JMP 0000000076fb02b0 .text C:\Windows\System32\svchost.exe[4820] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076e4cb40 5 bytes JMP 0000000076fb0370 .text C:\Windows\System32\svchost.exe[4820] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076e4cb50 5 bytes JMP 0000000076fb0330 .text C:\Windows\System32\svchost.exe[4820] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076e4ce40 5 bytes JMP 0000000076fb0460 .text C:\Windows\System32\svchost.exe[4820] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000076e4cfa0 5 bytes JMP 0000000076fb0420 .text C:\Windows\System32\svchost.exe[4820] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076e4d040 5 bytes JMP 0000000076fb0250 .text C:\Windows\System32\svchost.exe[4820] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076e4d050 5 bytes JMP 0000000076fb0260 .text C:\Windows\System32\svchost.exe[4820] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e4d060 5 bytes JMP 0000000076fb0400 .text C:\Windows\System32\svchost.exe[4820] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e4d220 5 bytes JMP 0000000076fb01e0 .text C:\Windows\System32\svchost.exe[4820] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076e4d230 5 bytes JMP 0000000076fb0200 .text C:\Windows\System32\svchost.exe[4820] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076e4d2a0 5 bytes JMP 0000000076fb01f0 .text C:\Windows\System32\svchost.exe[4820] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076e4d300 5 bytes JMP 0000000076fb0430 .text C:\Windows\System32\svchost.exe[4820] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076e4d310 5 bytes JMP 0000000076fb0450 .text C:\Windows\System32\svchost.exe[4820] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076e4d320 5 bytes JMP 0000000076fb0210 .text C:\Windows\System32\svchost.exe[4820] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076e4d400 5 bytes JMP 0000000076fb0270 .text D:\virtualne_maszyny\vmware-authd.exe[4852] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000074a81401 2 bytes JMP 753ab263 C:\Windows\syswow64\kernel32.dll .text D:\virtualne_maszyny\vmware-authd.exe[4852] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000074a81419 2 bytes JMP 753ab38e C:\Windows\syswow64\kernel32.dll .text D:\virtualne_maszyny\vmware-authd.exe[4852] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000074a81431 2 bytes JMP 754290f1 C:\Windows\syswow64\kernel32.dll .text D:\virtualne_maszyny\vmware-authd.exe[4852] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000074a8144a 2 bytes CALL 753848ad C:\Windows\syswow64\kernel32.dll .text ... * 9 .text D:\virtualne_maszyny\vmware-authd.exe[4852] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000074a814dd 2 bytes JMP 754289ea C:\Windows\syswow64\kernel32.dll .text D:\virtualne_maszyny\vmware-authd.exe[4852] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000074a814f5 2 bytes JMP 75428bc0 C:\Windows\syswow64\kernel32.dll .text D:\virtualne_maszyny\vmware-authd.exe[4852] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000074a8150d 2 bytes JMP 754288e0 C:\Windows\syswow64\kernel32.dll .text D:\virtualne_maszyny\vmware-authd.exe[4852] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000074a81525 2 bytes JMP 75428caa C:\Windows\syswow64\kernel32.dll .text D:\virtualne_maszyny\vmware-authd.exe[4852] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000074a8153d 2 bytes JMP 7539fce8 C:\Windows\syswow64\kernel32.dll .text D:\virtualne_maszyny\vmware-authd.exe[4852] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000074a81555 2 bytes JMP 753a6937 C:\Windows\syswow64\kernel32.dll .text D:\virtualne_maszyny\vmware-authd.exe[4852] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000074a8156d 2 bytes JMP 754291a9 C:\Windows\syswow64\kernel32.dll .text D:\virtualne_maszyny\vmware-authd.exe[4852] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000074a81585 2 bytes JMP 75428d0a C:\Windows\syswow64\kernel32.dll .text D:\virtualne_maszyny\vmware-authd.exe[4852] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000074a8159d 2 bytes JMP 754288a4 C:\Windows\syswow64\kernel32.dll .text D:\virtualne_maszyny\vmware-authd.exe[4852] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000074a815b5 2 bytes JMP 7539fd81 C:\Windows\syswow64\kernel32.dll .text D:\virtualne_maszyny\vmware-authd.exe[4852] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000074a815cd 2 bytes JMP 753ab324 C:\Windows\syswow64\kernel32.dll .text D:\virtualne_maszyny\vmware-authd.exe[4852] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000074a816b2 2 bytes JMP 7542906c C:\Windows\syswow64\kernel32.dll .text D:\virtualne_maszyny\vmware-authd.exe[4852] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000074a816bd 2 bytes JMP 75428839 C:\Windows\syswow64\kernel32.dll .text C:\Windows\system32\wbem\unsecapp.exe[2360] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076e4bbe0 5 bytes JMP 0000000076fb0480 .text C:\Windows\system32\wbem\unsecapp.exe[2360] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076e4bc30 5 bytes JMP 0000000076fb0470 .text C:\Windows\system32\wbem\unsecapp.exe[2360] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076e4bd90 5 bytes JMP 0000000076fb0360 .text C:\Windows\system32\wbem\unsecapp.exe[2360] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076e4bde0 5 bytes JMP 0000000076fb0490 .text C:\Windows\system32\wbem\unsecapp.exe[2360] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076e4bdf0 5 bytes JMP 0000000076fb03d0 .text C:\Windows\system32\wbem\unsecapp.exe[2360] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076e4bea0 5 bytes JMP 0000000076fb0310 .text C:\Windows\system32\wbem\unsecapp.exe[2360] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e4bed0 5 bytes JMP 0000000076fb03a0 .text C:\Windows\system32\wbem\unsecapp.exe[2360] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076e4bef0 1 byte JMP 0000000076fb0380 .text C:\Windows\system32\wbem\unsecapp.exe[2360] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 0000000076e4bef2 3 bytes {JMP 0x164490} .text C:\Windows\system32\wbem\unsecapp.exe[2360] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076e4bf30 5 bytes JMP 0000000076fb02d0 .text C:\Windows\system32\wbem\unsecapp.exe[2360] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076e4bfb0 5 bytes JMP 0000000076fb02c0 .text C:\Windows\system32\wbem\unsecapp.exe[2360] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e4bfd0 5 bytes JMP 0000000076fb0300 .text C:\Windows\system32\wbem\unsecapp.exe[2360] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e4c010 5 bytes JMP 0000000076fb03b0 .text C:\Windows\system32\wbem\unsecapp.exe[2360] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076e4c050 5 bytes JMP 0000000076fb0440 .text C:\Windows\system32\wbem\unsecapp.exe[2360] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076e4c060 5 bytes JMP 0000000076fb03e0 .text C:\Windows\system32\wbem\unsecapp.exe[2360] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076e4c1c0 5 bytes JMP 0000000076fb0220 .text C:\Windows\system32\wbem\unsecapp.exe[2360] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076e4c380 5 bytes JMP 0000000076fb04a0 .text C:\Windows\system32\wbem\unsecapp.exe[2360] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076e4c3b0 5 bytes JMP 0000000076fb0390 .text C:\Windows\system32\wbem\unsecapp.exe[2360] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076e4c490 5 bytes JMP 0000000076fb02e0 .text C:\Windows\system32\wbem\unsecapp.exe[2360] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076e4c4a0 5 bytes JMP 0000000076fb0340 .text C:\Windows\system32\wbem\unsecapp.exe[2360] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076e4c500 5 bytes JMP 0000000076fb0280 .text C:\Windows\system32\wbem\unsecapp.exe[2360] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076e4c590 5 bytes JMP 0000000076fb02a0 .text C:\Windows\system32\wbem\unsecapp.exe[2360] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e4c5b0 5 bytes JMP 0000000076fb03c0 .text C:\Windows\system32\wbem\unsecapp.exe[2360] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076e4c5c0 5 bytes JMP 0000000076fb0320 .text C:\Windows\system32\wbem\unsecapp.exe[2360] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076e4c630 5 bytes JMP 0000000076fb0410 .text C:\Windows\system32\wbem\unsecapp.exe[2360] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076e4c660 5 bytes JMP 0000000076fb0230 .text C:\Windows\system32\wbem\unsecapp.exe[2360] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000076e4c800 5 bytes JMP 0000000076fb03f0 .text C:\Windows\system32\wbem\unsecapp.exe[2360] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e4c920 5 bytes JMP 0000000076fb01d0 .text C:\Windows\system32\wbem\unsecapp.exe[2360] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076e4c9e0 5 bytes JMP 0000000076fb0240 .text C:\Windows\system32\wbem\unsecapp.exe[2360] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076e4ca10 5 bytes JMP 0000000076fb04b0 .text C:\Windows\system32\wbem\unsecapp.exe[2360] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076e4ca20 5 bytes JMP 0000000076fb04c0 .text C:\Windows\system32\wbem\unsecapp.exe[2360] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076e4ca50 5 bytes JMP 0000000076fb02f0 .text C:\Windows\system32\wbem\unsecapp.exe[2360] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076e4ca60 5 bytes JMP 0000000076fb0350 .text C:\Windows\system32\wbem\unsecapp.exe[2360] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076e4cac0 5 bytes JMP 0000000076fb0290 .text C:\Windows\system32\wbem\unsecapp.exe[2360] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076e4cb10 5 bytes JMP 0000000076fb02b0 .text C:\Windows\system32\wbem\unsecapp.exe[2360] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076e4cb40 5 bytes JMP 0000000076fb0370 .text C:\Windows\system32\wbem\unsecapp.exe[2360] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076e4cb50 5 bytes JMP 0000000076fb0330 .text C:\Windows\system32\wbem\unsecapp.exe[2360] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076e4ce40 5 bytes JMP 0000000076fb0460 .text C:\Windows\system32\wbem\unsecapp.exe[2360] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000076e4cfa0 5 bytes JMP 0000000076fb0420 .text C:\Windows\system32\wbem\unsecapp.exe[2360] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076e4d040 5 bytes JMP 0000000076fb0250 .text C:\Windows\system32\wbem\unsecapp.exe[2360] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076e4d050 5 bytes JMP 0000000076fb0260 .text C:\Windows\system32\wbem\unsecapp.exe[2360] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e4d060 5 bytes JMP 0000000076fb0400 .text C:\Windows\system32\wbem\unsecapp.exe[2360] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e4d220 5 bytes JMP 0000000076fb01e0 .text C:\Windows\system32\wbem\unsecapp.exe[2360] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076e4d230 5 bytes JMP 0000000076fb0200 .text C:\Windows\system32\wbem\unsecapp.exe[2360] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076e4d2a0 5 bytes JMP 0000000076fb01f0 .text C:\Windows\system32\wbem\unsecapp.exe[2360] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076e4d300 5 bytes JMP 0000000076fb0430 .text C:\Windows\system32\wbem\unsecapp.exe[2360] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076e4d310 5 bytes JMP 0000000076fb0450 .text C:\Windows\system32\wbem\unsecapp.exe[2360] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076e4d320 5 bytes JMP 0000000076fb0210 .text C:\Windows\system32\wbem\unsecapp.exe[2360] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076e4d400 5 bytes JMP 0000000076fb0270 .text D:\hamachi\x64\hamachi-2.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076e4bbe0 5 bytes JMP 0000000076fb0480 .text D:\hamachi\x64\hamachi-2.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076e4bc30 5 bytes JMP 0000000076fb0470 .text D:\hamachi\x64\hamachi-2.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076e4bd90 5 bytes JMP 0000000076fb0360 .text D:\hamachi\x64\hamachi-2.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076e4bde0 5 bytes JMP 0000000076fb0490 .text D:\hamachi\x64\hamachi-2.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076e4bdf0 5 bytes JMP 0000000076fb03d0 .text D:\hamachi\x64\hamachi-2.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076e4bea0 5 bytes JMP 0000000076fb0310 .text D:\hamachi\x64\hamachi-2.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e4bed0 5 bytes JMP 0000000076fb03a0 .text D:\hamachi\x64\hamachi-2.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076e4bef0 1 byte JMP 0000000076fb0380 .text D:\hamachi\x64\hamachi-2.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 0000000076e4bef2 3 bytes {JMP 0x164490} .text D:\hamachi\x64\hamachi-2.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076e4bf30 5 bytes JMP 0000000076fb02d0 .text D:\hamachi\x64\hamachi-2.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076e4bfb0 5 bytes JMP 0000000076fb02c0 .text D:\hamachi\x64\hamachi-2.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e4bfd0 5 bytes JMP 0000000076fb0300 .text D:\hamachi\x64\hamachi-2.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e4c010 5 bytes JMP 0000000076fb03b0 .text D:\hamachi\x64\hamachi-2.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076e4c050 5 bytes JMP 0000000076fb0440 .text D:\hamachi\x64\hamachi-2.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076e4c060 5 bytes JMP 0000000076fb03e0 .text D:\hamachi\x64\hamachi-2.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076e4c1c0 5 bytes JMP 0000000076fb0220 .text D:\hamachi\x64\hamachi-2.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076e4c380 5 bytes JMP 0000000076fb04a0 .text D:\hamachi\x64\hamachi-2.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076e4c3b0 5 bytes JMP 0000000076fb0390 .text D:\hamachi\x64\hamachi-2.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076e4c490 5 bytes JMP 0000000076fb02e0 .text D:\hamachi\x64\hamachi-2.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076e4c4a0 5 bytes JMP 0000000076fb0340 .text D:\hamachi\x64\hamachi-2.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076e4c500 5 bytes JMP 0000000076fb0280 .text D:\hamachi\x64\hamachi-2.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076e4c590 5 bytes JMP 0000000076fb02a0 .text D:\hamachi\x64\hamachi-2.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e4c5b0 5 bytes JMP 0000000076fb03c0 .text D:\hamachi\x64\hamachi-2.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076e4c5c0 5 bytes JMP 0000000076fb0320 .text D:\hamachi\x64\hamachi-2.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076e4c630 5 bytes JMP 0000000076fb0410 .text D:\hamachi\x64\hamachi-2.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076e4c660 5 bytes JMP 0000000076fb0230 .text D:\hamachi\x64\hamachi-2.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000076e4c800 5 bytes JMP 0000000076fb03f0 .text D:\hamachi\x64\hamachi-2.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e4c920 5 bytes JMP 0000000076fb01d0 .text D:\hamachi\x64\hamachi-2.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076e4c9e0 5 bytes JMP 0000000076fb0240 .text D:\hamachi\x64\hamachi-2.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076e4ca10 5 bytes JMP 0000000076fb04b0 .text D:\hamachi\x64\hamachi-2.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076e4ca20 5 bytes JMP 0000000076fb04c0 .text D:\hamachi\x64\hamachi-2.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076e4ca50 5 bytes JMP 0000000076fb02f0 .text D:\hamachi\x64\hamachi-2.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076e4ca60 5 bytes JMP 0000000076fb0350 .text D:\hamachi\x64\hamachi-2.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076e4cac0 5 bytes JMP 0000000076fb0290 .text D:\hamachi\x64\hamachi-2.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076e4cb10 5 bytes JMP 0000000076fb02b0 .text D:\hamachi\x64\hamachi-2.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076e4cb40 5 bytes JMP 0000000076fb0370 .text D:\hamachi\x64\hamachi-2.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076e4cb50 5 bytes JMP 0000000076fb0330 .text D:\hamachi\x64\hamachi-2.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076e4ce40 5 bytes JMP 0000000076fb0460 .text D:\hamachi\x64\hamachi-2.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000076e4cfa0 5 bytes JMP 0000000076fb0420 .text D:\hamachi\x64\hamachi-2.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076e4d040 5 bytes JMP 0000000076fb0250 .text D:\hamachi\x64\hamachi-2.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076e4d050 5 bytes JMP 0000000076fb0260 .text D:\hamachi\x64\hamachi-2.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e4d060 5 bytes JMP 0000000076fb0400 .text D:\hamachi\x64\hamachi-2.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e4d220 5 bytes JMP 0000000076fb01e0 .text D:\hamachi\x64\hamachi-2.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076e4d230 5 bytes JMP 0000000076fb0200 .text D:\hamachi\x64\hamachi-2.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076e4d2a0 5 bytes JMP 0000000076fb01f0 .text D:\hamachi\x64\hamachi-2.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076e4d300 5 bytes JMP 0000000076fb0430 .text D:\hamachi\x64\hamachi-2.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076e4d310 5 bytes JMP 0000000076fb0450 .text D:\hamachi\x64\hamachi-2.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076e4d320 5 bytes JMP 0000000076fb0210 .text D:\hamachi\x64\hamachi-2.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076e4d400 5 bytes JMP 0000000076fb0270 .text D:\hamachi\x64\LMIGuardianSvc.exe[4784] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076e4bbe0 5 bytes JMP 0000000076fb0480 .text D:\hamachi\x64\LMIGuardianSvc.exe[4784] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076e4bc30 5 bytes JMP 0000000076fb0470 .text D:\hamachi\x64\LMIGuardianSvc.exe[4784] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076e4bd90 5 bytes JMP 0000000076fb0360 .text D:\hamachi\x64\LMIGuardianSvc.exe[4784] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076e4bde0 5 bytes JMP 0000000076fb0490 .text D:\hamachi\x64\LMIGuardianSvc.exe[4784] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076e4bdf0 5 bytes JMP 0000000076fb03d0 .text D:\hamachi\x64\LMIGuardianSvc.exe[4784] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076e4bea0 5 bytes JMP 0000000076fb0310 .text D:\hamachi\x64\LMIGuardianSvc.exe[4784] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e4bed0 5 bytes JMP 0000000076fb03a0 .text D:\hamachi\x64\LMIGuardianSvc.exe[4784] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076e4bef0 1 byte JMP 0000000076fb0380 .text D:\hamachi\x64\LMIGuardianSvc.exe[4784] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 0000000076e4bef2 3 bytes {JMP 0x164490} .text D:\hamachi\x64\LMIGuardianSvc.exe[4784] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076e4bf30 5 bytes JMP 0000000076fb02d0 .text D:\hamachi\x64\LMIGuardianSvc.exe[4784] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076e4bfb0 5 bytes JMP 0000000076fb02c0 .text D:\hamachi\x64\LMIGuardianSvc.exe[4784] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e4bfd0 5 bytes JMP 0000000076fb0300 .text D:\hamachi\x64\LMIGuardianSvc.exe[4784] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e4c010 5 bytes JMP 0000000076fb03b0 .text D:\hamachi\x64\LMIGuardianSvc.exe[4784] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076e4c050 5 bytes JMP 0000000076fb0440 .text D:\hamachi\x64\LMIGuardianSvc.exe[4784] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076e4c060 5 bytes JMP 0000000076fb03e0 .text D:\hamachi\x64\LMIGuardianSvc.exe[4784] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076e4c1c0 5 bytes JMP 0000000076fb0220 .text D:\hamachi\x64\LMIGuardianSvc.exe[4784] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076e4c380 5 bytes JMP 0000000076fb04a0 .text D:\hamachi\x64\LMIGuardianSvc.exe[4784] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076e4c3b0 5 bytes JMP 0000000076fb0390 .text D:\hamachi\x64\LMIGuardianSvc.exe[4784] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076e4c490 5 bytes JMP 0000000076fb02e0 .text D:\hamachi\x64\LMIGuardianSvc.exe[4784] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076e4c4a0 5 bytes JMP 0000000076fb0340 .text D:\hamachi\x64\LMIGuardianSvc.exe[4784] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076e4c500 5 bytes JMP 0000000076fb0280 .text D:\hamachi\x64\LMIGuardianSvc.exe[4784] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076e4c590 5 bytes JMP 0000000076fb02a0 .text D:\hamachi\x64\LMIGuardianSvc.exe[4784] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e4c5b0 5 bytes JMP 0000000076fb03c0 .text D:\hamachi\x64\LMIGuardianSvc.exe[4784] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076e4c5c0 5 bytes JMP 0000000076fb0320 .text D:\hamachi\x64\LMIGuardianSvc.exe[4784] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076e4c630 5 bytes JMP 0000000076fb0410 .text D:\hamachi\x64\LMIGuardianSvc.exe[4784] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076e4c660 5 bytes JMP 0000000076fb0230 .text D:\hamachi\x64\LMIGuardianSvc.exe[4784] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000076e4c800 5 bytes JMP 0000000076fb03f0 .text D:\hamachi\x64\LMIGuardianSvc.exe[4784] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e4c920 5 bytes JMP 0000000076fb01d0 .text D:\hamachi\x64\LMIGuardianSvc.exe[4784] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076e4c9e0 5 bytes JMP 0000000076fb0240 .text D:\hamachi\x64\LMIGuardianSvc.exe[4784] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076e4ca10 5 bytes JMP 0000000076fb04b0 .text D:\hamachi\x64\LMIGuardianSvc.exe[4784] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076e4ca20 5 bytes JMP 0000000076fb04c0 .text D:\hamachi\x64\LMIGuardianSvc.exe[4784] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076e4ca50 5 bytes JMP 0000000076fb02f0 .text D:\hamachi\x64\LMIGuardianSvc.exe[4784] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076e4ca60 5 bytes JMP 0000000076fb0350 .text D:\hamachi\x64\LMIGuardianSvc.exe[4784] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076e4cac0 5 bytes JMP 0000000076fb0290 .text D:\hamachi\x64\LMIGuardianSvc.exe[4784] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076e4cb10 5 bytes JMP 0000000076fb02b0 .text D:\hamachi\x64\LMIGuardianSvc.exe[4784] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076e4cb40 5 bytes JMP 0000000076fb0370 .text D:\hamachi\x64\LMIGuardianSvc.exe[4784] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076e4cb50 5 bytes JMP 0000000076fb0330 .text D:\hamachi\x64\LMIGuardianSvc.exe[4784] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076e4ce40 5 bytes JMP 0000000076fb0460 .text D:\hamachi\x64\LMIGuardianSvc.exe[4784] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000076e4cfa0 5 bytes JMP 0000000076fb0420 .text D:\hamachi\x64\LMIGuardianSvc.exe[4784] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076e4d040 5 bytes JMP 0000000076fb0250 .text D:\hamachi\x64\LMIGuardianSvc.exe[4784] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076e4d050 5 bytes JMP 0000000076fb0260 .text D:\hamachi\x64\LMIGuardianSvc.exe[4784] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e4d060 5 bytes JMP 0000000076fb0400 .text D:\hamachi\x64\LMIGuardianSvc.exe[4784] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e4d220 5 bytes JMP 0000000076fb01e0 .text D:\hamachi\x64\LMIGuardianSvc.exe[4784] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076e4d230 5 bytes JMP 0000000076fb0200 .text D:\hamachi\x64\LMIGuardianSvc.exe[4784] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076e4d2a0 5 bytes JMP 0000000076fb01f0 .text D:\hamachi\x64\LMIGuardianSvc.exe[4784] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076e4d300 5 bytes JMP 0000000076fb0430 .text D:\hamachi\x64\LMIGuardianSvc.exe[4784] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076e4d310 5 bytes JMP 0000000076fb0450 .text D:\hamachi\x64\LMIGuardianSvc.exe[4784] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076e4d320 5 bytes JMP 0000000076fb0210 .text D:\hamachi\x64\LMIGuardianSvc.exe[4784] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076e4d400 5 bytes JMP 0000000076fb0270 .text C:\Windows\system32\wbem\wmiprvse.exe[5152] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076e4bbe0 5 bytes JMP 0000000076fb0480 .text C:\Windows\system32\wbem\wmiprvse.exe[5152] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076e4bc30 5 bytes JMP 0000000076fb0470 .text C:\Windows\system32\wbem\wmiprvse.exe[5152] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076e4bd90 5 bytes JMP 0000000076fb0360 .text C:\Windows\system32\wbem\wmiprvse.exe[5152] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076e4bde0 5 bytes JMP 0000000076fb0490 .text C:\Windows\system32\wbem\wmiprvse.exe[5152] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076e4bdf0 5 bytes JMP 0000000076fb03d0 .text C:\Windows\system32\wbem\wmiprvse.exe[5152] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076e4bea0 5 bytes JMP 0000000076fb0310 .text C:\Windows\system32\wbem\wmiprvse.exe[5152] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e4bed0 5 bytes JMP 0000000076fb03a0 .text C:\Windows\system32\wbem\wmiprvse.exe[5152] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076e4bef0 1 byte JMP 0000000076fb0380 .text C:\Windows\system32\wbem\wmiprvse.exe[5152] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 0000000076e4bef2 3 bytes {JMP 0x164490} .text C:\Windows\system32\wbem\wmiprvse.exe[5152] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076e4bf30 5 bytes JMP 0000000076fb02d0 .text C:\Windows\system32\wbem\wmiprvse.exe[5152] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076e4bfb0 5 bytes JMP 0000000076fb02c0 .text C:\Windows\system32\wbem\wmiprvse.exe[5152] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e4bfd0 5 bytes JMP 0000000076fb0300 .text C:\Windows\system32\wbem\wmiprvse.exe[5152] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e4c010 5 bytes JMP 0000000076fb03b0 .text C:\Windows\system32\wbem\wmiprvse.exe[5152] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076e4c050 5 bytes JMP 0000000076fb0440 .text C:\Windows\system32\wbem\wmiprvse.exe[5152] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076e4c060 5 bytes JMP 0000000076fb03e0 .text C:\Windows\system32\wbem\wmiprvse.exe[5152] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076e4c1c0 5 bytes JMP 0000000076fb0220 .text C:\Windows\system32\wbem\wmiprvse.exe[5152] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076e4c380 5 bytes JMP 0000000076fb04a0 .text C:\Windows\system32\wbem\wmiprvse.exe[5152] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076e4c3b0 5 bytes JMP 0000000076fb0390 .text C:\Windows\system32\wbem\wmiprvse.exe[5152] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076e4c490 5 bytes JMP 0000000076fb02e0 .text C:\Windows\system32\wbem\wmiprvse.exe[5152] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076e4c4a0 5 bytes JMP 0000000076fb0340 .text C:\Windows\system32\wbem\wmiprvse.exe[5152] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076e4c500 5 bytes JMP 0000000076fb0280 .text C:\Windows\system32\wbem\wmiprvse.exe[5152] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076e4c590 5 bytes JMP 0000000076fb02a0 .text C:\Windows\system32\wbem\wmiprvse.exe[5152] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e4c5b0 5 bytes JMP 0000000076fb03c0 .text C:\Windows\system32\wbem\wmiprvse.exe[5152] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076e4c5c0 5 bytes JMP 0000000076fb0320 .text C:\Windows\system32\wbem\wmiprvse.exe[5152] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076e4c630 5 bytes JMP 0000000076fb0410 .text C:\Windows\system32\wbem\wmiprvse.exe[5152] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076e4c660 5 bytes JMP 0000000076fb0230 .text C:\Windows\system32\wbem\wmiprvse.exe[5152] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000076e4c800 5 bytes JMP 0000000076fb03f0 .text C:\Windows\system32\wbem\wmiprvse.exe[5152] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e4c920 5 bytes JMP 0000000076fb01d0 .text C:\Windows\system32\wbem\wmiprvse.exe[5152] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076e4c9e0 5 bytes JMP 0000000076fb0240 .text C:\Windows\system32\wbem\wmiprvse.exe[5152] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076e4ca10 5 bytes JMP 0000000076fb04b0 .text C:\Windows\system32\wbem\wmiprvse.exe[5152] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076e4ca20 5 bytes JMP 0000000076fb04c0 .text C:\Windows\system32\wbem\wmiprvse.exe[5152] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076e4ca50 5 bytes JMP 0000000076fb02f0 .text C:\Windows\system32\wbem\wmiprvse.exe[5152] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076e4ca60 5 bytes JMP 0000000076fb0350 .text C:\Windows\system32\wbem\wmiprvse.exe[5152] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076e4cac0 5 bytes JMP 0000000076fb0290 .text C:\Windows\system32\wbem\wmiprvse.exe[5152] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076e4cb10 5 bytes JMP 0000000076fb02b0 .text C:\Windows\system32\wbem\wmiprvse.exe[5152] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076e4cb40 5 bytes JMP 0000000076fb0370 .text C:\Windows\system32\wbem\wmiprvse.exe[5152] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076e4cb50 5 bytes JMP 0000000076fb0330 .text C:\Windows\system32\wbem\wmiprvse.exe[5152] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076e4ce40 5 bytes JMP 0000000076fb0460 .text C:\Windows\system32\wbem\wmiprvse.exe[5152] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000076e4cfa0 5 bytes JMP 0000000076fb0420 .text C:\Windows\system32\wbem\wmiprvse.exe[5152] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076e4d040 5 bytes JMP 0000000076fb0250 .text C:\Windows\system32\wbem\wmiprvse.exe[5152] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076e4d050 5 bytes JMP 0000000076fb0260 .text C:\Windows\system32\wbem\wmiprvse.exe[5152] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e4d060 5 bytes JMP 0000000076fb0400 .text C:\Windows\system32\wbem\wmiprvse.exe[5152] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e4d220 5 bytes JMP 0000000076fb01e0 .text C:\Windows\system32\wbem\wmiprvse.exe[5152] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076e4d230 5 bytes JMP 0000000076fb0200 .text C:\Windows\system32\wbem\wmiprvse.exe[5152] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076e4d2a0 5 bytes JMP 0000000076fb01f0 .text C:\Windows\system32\wbem\wmiprvse.exe[5152] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076e4d300 5 bytes JMP 0000000076fb0430 .text C:\Windows\system32\wbem\wmiprvse.exe[5152] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076e4d310 5 bytes JMP 0000000076fb0450 .text C:\Windows\system32\wbem\wmiprvse.exe[5152] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076e4d320 5 bytes JMP 0000000076fb0210 .text C:\Windows\system32\wbem\wmiprvse.exe[5152] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076e4d400 5 bytes JMP 0000000076fb0270 .text C:\Windows\system32\SearchIndexer.exe[2340] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076e4bbe0 5 bytes JMP 0000000076fb0480 .text C:\Windows\system32\SearchIndexer.exe[2340] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076e4bc30 5 bytes JMP 0000000076fb0470 .text C:\Windows\system32\SearchIndexer.exe[2340] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076e4bd90 5 bytes JMP 0000000076fb0360 .text C:\Windows\system32\SearchIndexer.exe[2340] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076e4bde0 5 bytes JMP 0000000076fb0490 .text C:\Windows\system32\SearchIndexer.exe[2340] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076e4bdf0 5 bytes JMP 0000000076fb03d0 .text C:\Windows\system32\SearchIndexer.exe[2340] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076e4bea0 5 bytes JMP 0000000076fb0310 .text C:\Windows\system32\SearchIndexer.exe[2340] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e4bed0 5 bytes JMP 0000000076fb03a0 .text C:\Windows\system32\SearchIndexer.exe[2340] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076e4bef0 1 byte JMP 0000000076fb0380 .text C:\Windows\system32\SearchIndexer.exe[2340] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 0000000076e4bef2 3 bytes {JMP 0x164490} .text C:\Windows\system32\SearchIndexer.exe[2340] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076e4bf30 5 bytes JMP 0000000076fb02d0 .text C:\Windows\system32\SearchIndexer.exe[2340] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076e4bfb0 5 bytes JMP 0000000076fb02c0 .text C:\Windows\system32\SearchIndexer.exe[2340] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e4bfd0 5 bytes JMP 0000000076fb0300 .text C:\Windows\system32\SearchIndexer.exe[2340] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e4c010 5 bytes JMP 0000000076fb03b0 .text C:\Windows\system32\SearchIndexer.exe[2340] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076e4c050 5 bytes JMP 0000000076fb0440 .text C:\Windows\system32\SearchIndexer.exe[2340] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076e4c060 5 bytes JMP 0000000076fb03e0 .text C:\Windows\system32\SearchIndexer.exe[2340] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076e4c1c0 5 bytes JMP 0000000076fb0220 .text C:\Windows\system32\SearchIndexer.exe[2340] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076e4c380 5 bytes JMP 0000000076fb04a0 .text C:\Windows\system32\SearchIndexer.exe[2340] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076e4c3b0 5 bytes JMP 0000000076fb0390 .text C:\Windows\system32\SearchIndexer.exe[2340] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076e4c490 5 bytes JMP 0000000076fb02e0 .text C:\Windows\system32\SearchIndexer.exe[2340] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076e4c4a0 5 bytes JMP 0000000076fb0340 .text C:\Windows\system32\SearchIndexer.exe[2340] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076e4c500 5 bytes JMP 0000000076fb0280 .text C:\Windows\system32\SearchIndexer.exe[2340] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076e4c590 5 bytes JMP 0000000076fb02a0 .text C:\Windows\system32\SearchIndexer.exe[2340] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e4c5b0 5 bytes JMP 0000000076fb03c0 .text C:\Windows\system32\SearchIndexer.exe[2340] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076e4c5c0 5 bytes JMP 0000000076fb0320 .text C:\Windows\system32\SearchIndexer.exe[2340] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076e4c630 5 bytes JMP 0000000076fb0410 .text C:\Windows\system32\SearchIndexer.exe[2340] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076e4c660 5 bytes JMP 0000000076fb0230 .text C:\Windows\system32\SearchIndexer.exe[2340] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000076e4c800 5 bytes JMP 0000000076fb03f0 .text C:\Windows\system32\SearchIndexer.exe[2340] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e4c920 5 bytes JMP 0000000076fb01d0 .text C:\Windows\system32\SearchIndexer.exe[2340] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076e4c9e0 5 bytes JMP 0000000076fb0240 .text C:\Windows\system32\SearchIndexer.exe[2340] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076e4ca10 5 bytes JMP 0000000076fb04b0 .text C:\Windows\system32\SearchIndexer.exe[2340] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076e4ca20 5 bytes JMP 0000000076fb04c0 .text C:\Windows\system32\SearchIndexer.exe[2340] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076e4ca50 5 bytes JMP 0000000076fb02f0 .text C:\Windows\system32\SearchIndexer.exe[2340] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076e4ca60 5 bytes JMP 0000000076fb0350 .text C:\Windows\system32\SearchIndexer.exe[2340] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076e4cac0 5 bytes JMP 0000000076fb0290 .text C:\Windows\system32\SearchIndexer.exe[2340] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076e4cb10 5 bytes JMP 0000000076fb02b0 .text C:\Windows\system32\SearchIndexer.exe[2340] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076e4cb40 5 bytes JMP 0000000076fb0370 .text C:\Windows\system32\SearchIndexer.exe[2340] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076e4cb50 5 bytes JMP 0000000076fb0330 .text C:\Windows\system32\SearchIndexer.exe[2340] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076e4ce40 5 bytes JMP 0000000076fb0460 .text C:\Windows\system32\SearchIndexer.exe[2340] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000076e4cfa0 5 bytes JMP 0000000076fb0420 .text C:\Windows\system32\SearchIndexer.exe[2340] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076e4d040 5 bytes JMP 0000000076fb0250 .text C:\Windows\system32\SearchIndexer.exe[2340] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076e4d050 5 bytes JMP 0000000076fb0260 .text C:\Windows\system32\SearchIndexer.exe[2340] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e4d060 5 bytes JMP 0000000076fb0400 .text C:\Windows\system32\SearchIndexer.exe[2340] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e4d220 5 bytes JMP 0000000076fb01e0 .text C:\Windows\system32\SearchIndexer.exe[2340] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076e4d230 5 bytes JMP 0000000076fb0200 .text C:\Windows\system32\SearchIndexer.exe[2340] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076e4d2a0 5 bytes JMP 0000000076fb01f0 .text C:\Windows\system32\SearchIndexer.exe[2340] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076e4d300 5 bytes JMP 0000000076fb0430 .text C:\Windows\system32\SearchIndexer.exe[2340] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076e4d310 5 bytes JMP 0000000076fb0450 .text C:\Windows\system32\SearchIndexer.exe[2340] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076e4d320 5 bytes JMP 0000000076fb0210 .text C:\Windows\system32\SearchIndexer.exe[2340] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076e4d400 5 bytes JMP 0000000076fb0270 .text C:\Windows\system32\svchost.exe[6100] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076e4bbe0 5 bytes JMP 0000000076fb0480 .text C:\Windows\system32\svchost.exe[6100] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076e4bc30 5 bytes JMP 0000000076fb0470 .text C:\Windows\system32\svchost.exe[6100] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076e4bd90 5 bytes JMP 0000000076fb0360 .text C:\Windows\system32\svchost.exe[6100] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076e4bde0 5 bytes JMP 0000000076fb0490 .text C:\Windows\system32\svchost.exe[6100] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076e4bdf0 5 bytes JMP 0000000076fb03d0 .text C:\Windows\system32\svchost.exe[6100] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076e4bea0 5 bytes JMP 0000000076fb0310 .text C:\Windows\system32\svchost.exe[6100] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e4bed0 5 bytes JMP 0000000076fb03a0 .text C:\Windows\system32\svchost.exe[6100] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076e4bef0 1 byte JMP 0000000076fb0380 .text C:\Windows\system32\svchost.exe[6100] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 0000000076e4bef2 3 bytes {JMP 0x164490} .text C:\Windows\system32\svchost.exe[6100] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076e4bf30 5 bytes JMP 0000000076fb02d0 .text C:\Windows\system32\svchost.exe[6100] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076e4bfb0 5 bytes JMP 0000000076fb02c0 .text C:\Windows\system32\svchost.exe[6100] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e4bfd0 5 bytes JMP 0000000076fb0300 .text C:\Windows\system32\svchost.exe[6100] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e4c010 5 bytes JMP 0000000076fb03b0 .text C:\Windows\system32\svchost.exe[6100] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076e4c050 5 bytes JMP 0000000076fb0440 .text C:\Windows\system32\svchost.exe[6100] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076e4c060 5 bytes JMP 0000000076fb03e0 .text C:\Windows\system32\svchost.exe[6100] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076e4c1c0 5 bytes JMP 0000000076fb0220 .text C:\Windows\system32\svchost.exe[6100] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076e4c380 5 bytes JMP 0000000076fb04a0 .text C:\Windows\system32\svchost.exe[6100] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076e4c3b0 5 bytes JMP 0000000076fb0390 .text C:\Windows\system32\svchost.exe[6100] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076e4c490 5 bytes JMP 0000000076fb02e0 .text C:\Windows\system32\svchost.exe[6100] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076e4c4a0 5 bytes JMP 0000000076fb0340 .text C:\Windows\system32\svchost.exe[6100] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076e4c500 5 bytes JMP 0000000076fb0280 .text C:\Windows\system32\svchost.exe[6100] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076e4c590 5 bytes JMP 0000000076fb02a0 .text C:\Windows\system32\svchost.exe[6100] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e4c5b0 5 bytes JMP 0000000076fb03c0 .text C:\Windows\system32\svchost.exe[6100] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076e4c5c0 5 bytes JMP 0000000076fb0320 .text C:\Windows\system32\svchost.exe[6100] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076e4c630 5 bytes JMP 0000000076fb0410 .text C:\Windows\system32\svchost.exe[6100] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076e4c660 5 bytes JMP 0000000076fb0230 .text C:\Windows\system32\svchost.exe[6100] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000076e4c800 5 bytes JMP 0000000076fb03f0 .text C:\Windows\system32\svchost.exe[6100] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e4c920 5 bytes JMP 0000000076fb01d0 .text C:\Windows\system32\svchost.exe[6100] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076e4c9e0 5 bytes JMP 0000000076fb0240 .text C:\Windows\system32\svchost.exe[6100] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076e4ca10 5 bytes JMP 0000000076fb04b0 .text C:\Windows\system32\svchost.exe[6100] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076e4ca20 5 bytes JMP 0000000076fb04c0 .text C:\Windows\system32\svchost.exe[6100] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076e4ca50 5 bytes JMP 0000000076fb02f0 .text C:\Windows\system32\svchost.exe[6100] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076e4ca60 5 bytes JMP 0000000076fb0350 .text C:\Windows\system32\svchost.exe[6100] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076e4cac0 5 bytes JMP 0000000076fb0290 .text C:\Windows\system32\svchost.exe[6100] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076e4cb10 5 bytes JMP 0000000076fb02b0 .text C:\Windows\system32\svchost.exe[6100] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076e4cb40 5 bytes JMP 0000000076fb0370 .text C:\Windows\system32\svchost.exe[6100] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076e4cb50 5 bytes JMP 0000000076fb0330 .text C:\Windows\system32\svchost.exe[6100] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076e4ce40 5 bytes JMP 0000000076fb0460 .text C:\Windows\system32\svchost.exe[6100] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000076e4cfa0 5 bytes JMP 0000000076fb0420 .text C:\Windows\system32\svchost.exe[6100] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076e4d040 5 bytes JMP 0000000076fb0250 .text C:\Windows\system32\svchost.exe[6100] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076e4d050 5 bytes JMP 0000000076fb0260 .text C:\Windows\system32\svchost.exe[6100] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e4d060 5 bytes JMP 0000000076fb0400 .text C:\Windows\system32\svchost.exe[6100] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e4d220 5 bytes JMP 0000000076fb01e0 .text C:\Windows\system32\svchost.exe[6100] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076e4d230 5 bytes JMP 0000000076fb0200 .text C:\Windows\system32\svchost.exe[6100] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076e4d2a0 5 bytes JMP 0000000076fb01f0 .text C:\Windows\system32\svchost.exe[6100] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076e4d300 5 bytes JMP 0000000076fb0430 .text C:\Windows\system32\svchost.exe[6100] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076e4d310 5 bytes JMP 0000000076fb0450 .text C:\Windows\system32\svchost.exe[6100] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076e4d320 5 bytes JMP 0000000076fb0210 .text C:\Windows\system32\svchost.exe[6100] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076e4d400 5 bytes JMP 0000000076fb0270 .text D:\hamachi\hamachi-2-ui.exe[6152] C:\Windows\syswow64\PsApi.dll!GetModuleFileNameExW + 17 0000000074a81401 2 bytes JMP 753ab263 C:\Windows\syswow64\kernel32.dll .text D:\hamachi\hamachi-2-ui.exe[6152] C:\Windows\syswow64\PsApi.dll!EnumProcessModules + 17 0000000074a81419 2 bytes JMP 753ab38e C:\Windows\syswow64\kernel32.dll .text D:\hamachi\hamachi-2-ui.exe[6152] C:\Windows\syswow64\PsApi.dll!GetModuleInformation + 17 0000000074a81431 2 bytes JMP 754290f1 C:\Windows\syswow64\kernel32.dll .text D:\hamachi\hamachi-2-ui.exe[6152] C:\Windows\syswow64\PsApi.dll!GetModuleInformation + 42 0000000074a8144a 2 bytes CALL 753848ad C:\Windows\syswow64\kernel32.dll .text ... * 9 .text D:\hamachi\hamachi-2-ui.exe[6152] C:\Windows\syswow64\PsApi.dll!EnumDeviceDrivers + 17 0000000074a814dd 2 bytes JMP 754289ea C:\Windows\syswow64\kernel32.dll .text D:\hamachi\hamachi-2-ui.exe[6152] C:\Windows\syswow64\PsApi.dll!GetDeviceDriverBaseNameA + 17 0000000074a814f5 2 bytes JMP 75428bc0 C:\Windows\syswow64\kernel32.dll .text D:\hamachi\hamachi-2-ui.exe[6152] C:\Windows\syswow64\PsApi.dll!QueryWorkingSetEx + 17 0000000074a8150d 2 bytes JMP 754288e0 C:\Windows\syswow64\kernel32.dll .text D:\hamachi\hamachi-2-ui.exe[6152] C:\Windows\syswow64\PsApi.dll!GetDeviceDriverBaseNameW + 17 0000000074a81525 2 bytes JMP 75428caa C:\Windows\syswow64\kernel32.dll .text D:\hamachi\hamachi-2-ui.exe[6152] C:\Windows\syswow64\PsApi.dll!GetModuleBaseNameW + 17 0000000074a8153d 2 bytes JMP 7539fce8 C:\Windows\syswow64\kernel32.dll .text D:\hamachi\hamachi-2-ui.exe[6152] C:\Windows\syswow64\PsApi.dll!EnumProcesses + 17 0000000074a81555 2 bytes JMP 753a6937 C:\Windows\syswow64\kernel32.dll .text D:\hamachi\hamachi-2-ui.exe[6152] C:\Windows\syswow64\PsApi.dll!GetProcessMemoryInfo + 17 0000000074a8156d 2 bytes JMP 754291a9 C:\Windows\syswow64\kernel32.dll .text D:\hamachi\hamachi-2-ui.exe[6152] C:\Windows\syswow64\PsApi.dll!GetPerformanceInfo + 17 0000000074a81585 2 bytes JMP 75428d0a C:\Windows\syswow64\kernel32.dll .text D:\hamachi\hamachi-2-ui.exe[6152] C:\Windows\syswow64\PsApi.dll!QueryWorkingSet + 17 0000000074a8159d 2 bytes JMP 754288a4 C:\Windows\syswow64\kernel32.dll .text D:\hamachi\hamachi-2-ui.exe[6152] C:\Windows\syswow64\PsApi.dll!GetModuleBaseNameA + 17 0000000074a815b5 2 bytes JMP 7539fd81 C:\Windows\syswow64\kernel32.dll .text D:\hamachi\hamachi-2-ui.exe[6152] C:\Windows\syswow64\PsApi.dll!GetModuleFileNameExA + 17 0000000074a815cd 2 bytes JMP 753ab324 C:\Windows\syswow64\kernel32.dll .text D:\hamachi\hamachi-2-ui.exe[6152] C:\Windows\syswow64\PsApi.dll!GetProcessImageFileNameW + 20 0000000074a816b2 2 bytes JMP 7542906c C:\Windows\syswow64\kernel32.dll .text D:\hamachi\hamachi-2-ui.exe[6152] C:\Windows\syswow64\PsApi.dll!GetProcessImageFileNameW + 31 0000000074a816bd 2 bytes JMP 75428839 C:\Windows\syswow64\kernel32.dll .text C:\Windows\system32\svchost.exe[6644] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076e4bbe0 5 bytes JMP 0000000076fb0480 .text C:\Windows\system32\svchost.exe[6644] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076e4bc30 5 bytes JMP 0000000076fb0470 .text C:\Windows\system32\svchost.exe[6644] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076e4bd90 5 bytes JMP 0000000076fb0360 .text C:\Windows\system32\svchost.exe[6644] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076e4bde0 5 bytes JMP 0000000076fb0490 .text C:\Windows\system32\svchost.exe[6644] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076e4bdf0 5 bytes JMP 0000000076fb03d0 .text C:\Windows\system32\svchost.exe[6644] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076e4bea0 5 bytes JMP 0000000076fb0310 .text C:\Windows\system32\svchost.exe[6644] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e4bed0 5 bytes JMP 0000000076fb03a0 .text C:\Windows\system32\svchost.exe[6644] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076e4bef0 1 byte JMP 0000000076fb0380 .text C:\Windows\system32\svchost.exe[6644] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 0000000076e4bef2 3 bytes {JMP 0x164490} .text C:\Windows\system32\svchost.exe[6644] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076e4bf30 5 bytes JMP 0000000076fb02d0 .text C:\Windows\system32\svchost.exe[6644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076e4bfb0 5 bytes JMP 0000000076fb02c0 .text C:\Windows\system32\svchost.exe[6644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e4bfd0 5 bytes JMP 0000000076fb0300 .text C:\Windows\system32\svchost.exe[6644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e4c010 5 bytes JMP 0000000076fb03b0 .text C:\Windows\system32\svchost.exe[6644] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076e4c050 5 bytes JMP 0000000076fb0440 .text C:\Windows\system32\svchost.exe[6644] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076e4c060 5 bytes JMP 0000000076fb03e0 .text C:\Windows\system32\svchost.exe[6644] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076e4c1c0 5 bytes JMP 0000000076fb0220 .text C:\Windows\system32\svchost.exe[6644] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076e4c380 5 bytes JMP 0000000076fb04a0 .text C:\Windows\system32\svchost.exe[6644] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076e4c3b0 5 bytes JMP 0000000076fb0390 .text C:\Windows\system32\svchost.exe[6644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076e4c490 5 bytes JMP 0000000076fb02e0 .text C:\Windows\system32\svchost.exe[6644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076e4c4a0 5 bytes JMP 0000000076fb0340 .text C:\Windows\system32\svchost.exe[6644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076e4c500 5 bytes JMP 0000000076fb0280 .text C:\Windows\system32\svchost.exe[6644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076e4c590 5 bytes JMP 0000000076fb02a0 .text C:\Windows\system32\svchost.exe[6644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e4c5b0 5 bytes JMP 0000000076fb03c0 .text C:\Windows\system32\svchost.exe[6644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076e4c5c0 5 bytes JMP 0000000076fb0320 .text C:\Windows\system32\svchost.exe[6644] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076e4c630 5 bytes JMP 0000000076fb0410 .text C:\Windows\system32\svchost.exe[6644] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076e4c660 5 bytes JMP 0000000076fb0230 .text C:\Windows\system32\svchost.exe[6644] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000076e4c800 5 bytes JMP 0000000076fb03f0 .text C:\Windows\system32\svchost.exe[6644] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e4c920 5 bytes JMP 0000000076fb01d0 .text C:\Windows\system32\svchost.exe[6644] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076e4c9e0 5 bytes JMP 0000000076fb0240 .text C:\Windows\system32\svchost.exe[6644] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076e4ca10 5 bytes JMP 0000000076fb04b0 .text C:\Windows\system32\svchost.exe[6644] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076e4ca20 5 bytes JMP 0000000076fb04c0 .text C:\Windows\system32\svchost.exe[6644] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076e4ca50 5 bytes JMP 0000000076fb02f0 .text C:\Windows\system32\svchost.exe[6644] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076e4ca60 5 bytes JMP 0000000076fb0350 .text C:\Windows\system32\svchost.exe[6644] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076e4cac0 5 bytes JMP 0000000076fb0290 .text C:\Windows\system32\svchost.exe[6644] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076e4cb10 5 bytes JMP 0000000076fb02b0 .text C:\Windows\system32\svchost.exe[6644] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076e4cb40 5 bytes JMP 0000000076fb0370 .text C:\Windows\system32\svchost.exe[6644] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076e4cb50 5 bytes JMP 0000000076fb0330 .text C:\Windows\system32\svchost.exe[6644] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076e4ce40 5 bytes JMP 0000000076fb0460 .text C:\Windows\system32\svchost.exe[6644] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000076e4cfa0 5 bytes JMP 0000000076fb0420 .text C:\Windows\system32\svchost.exe[6644] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076e4d040 5 bytes JMP 0000000076fb0250 .text C:\Windows\system32\svchost.exe[6644] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076e4d050 5 bytes JMP 0000000076fb0260 .text C:\Windows\system32\svchost.exe[6644] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e4d060 5 bytes JMP 0000000076fb0400 .text C:\Windows\system32\svchost.exe[6644] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e4d220 5 bytes JMP 0000000076fb01e0 .text C:\Windows\system32\svchost.exe[6644] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076e4d230 5 bytes JMP 0000000076fb0200 .text C:\Windows\system32\svchost.exe[6644] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076e4d2a0 5 bytes JMP 0000000076fb01f0 .text C:\Windows\system32\svchost.exe[6644] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076e4d300 5 bytes JMP 0000000076fb0430 .text C:\Windows\system32\svchost.exe[6644] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076e4d310 5 bytes JMP 0000000076fb0450 .text C:\Windows\system32\svchost.exe[6644] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076e4d320 5 bytes JMP 0000000076fb0210 .text C:\Windows\system32\svchost.exe[6644] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076e4d400 5 bytes JMP 0000000076fb0270 .text C:\Windows\System32\svchost.exe[6792] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076e4bbe0 5 bytes JMP 0000000076fb0480 .text C:\Windows\System32\svchost.exe[6792] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076e4bc30 5 bytes JMP 0000000076fb0470 .text C:\Windows\System32\svchost.exe[6792] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076e4bd90 5 bytes JMP 0000000076fb0360 .text C:\Windows\System32\svchost.exe[6792] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076e4bde0 5 bytes JMP 0000000076fb0490 .text C:\Windows\System32\svchost.exe[6792] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076e4bdf0 5 bytes JMP 0000000076fb03d0 .text C:\Windows\System32\svchost.exe[6792] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076e4bea0 5 bytes JMP 0000000076fb0310 .text C:\Windows\System32\svchost.exe[6792] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e4bed0 5 bytes JMP 0000000076fb03a0 .text C:\Windows\System32\svchost.exe[6792] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076e4bef0 1 byte JMP 0000000076fb0380 .text C:\Windows\System32\svchost.exe[6792] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 0000000076e4bef2 3 bytes {JMP 0x164490} .text C:\Windows\System32\svchost.exe[6792] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076e4bf30 5 bytes JMP 0000000076fb02d0 .text C:\Windows\System32\svchost.exe[6792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076e4bfb0 5 bytes JMP 0000000076fb02c0 .text C:\Windows\System32\svchost.exe[6792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e4bfd0 5 bytes JMP 0000000076fb0300 .text C:\Windows\System32\svchost.exe[6792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e4c010 5 bytes JMP 0000000076fb03b0 .text C:\Windows\System32\svchost.exe[6792] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076e4c050 5 bytes JMP 0000000076fb0440 .text C:\Windows\System32\svchost.exe[6792] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076e4c060 5 bytes JMP 0000000076fb03e0 .text C:\Windows\System32\svchost.exe[6792] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076e4c1c0 5 bytes JMP 0000000076fb0220 .text C:\Windows\System32\svchost.exe[6792] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076e4c380 5 bytes JMP 0000000076fb04a0 .text C:\Windows\System32\svchost.exe[6792] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076e4c3b0 5 bytes JMP 0000000076fb0390 .text C:\Windows\System32\svchost.exe[6792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076e4c490 5 bytes JMP 0000000076fb02e0 .text C:\Windows\System32\svchost.exe[6792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076e4c4a0 5 bytes JMP 0000000076fb0340 .text C:\Windows\System32\svchost.exe[6792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076e4c500 5 bytes JMP 0000000076fb0280 .text C:\Windows\System32\svchost.exe[6792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076e4c590 5 bytes JMP 0000000076fb02a0 .text C:\Windows\System32\svchost.exe[6792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e4c5b0 5 bytes JMP 0000000076fb03c0 .text C:\Windows\System32\svchost.exe[6792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076e4c5c0 5 bytes JMP 0000000076fb0320 .text C:\Windows\System32\svchost.exe[6792] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076e4c630 5 bytes JMP 0000000076fb0410 .text C:\Windows\System32\svchost.exe[6792] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076e4c660 5 bytes JMP 0000000076fb0230 .text C:\Windows\System32\svchost.exe[6792] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000076e4c800 5 bytes JMP 0000000076fb03f0 .text C:\Windows\System32\svchost.exe[6792] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e4c920 5 bytes JMP 0000000076fb01d0 .text C:\Windows\System32\svchost.exe[6792] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076e4c9e0 5 bytes JMP 0000000076fb0240 .text C:\Windows\System32\svchost.exe[6792] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076e4ca10 5 bytes JMP 0000000076fb04b0 .text C:\Windows\System32\svchost.exe[6792] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076e4ca20 5 bytes JMP 0000000076fb04c0 .text C:\Windows\System32\svchost.exe[6792] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076e4ca50 5 bytes JMP 0000000076fb02f0 .text C:\Windows\System32\svchost.exe[6792] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076e4ca60 5 bytes JMP 0000000076fb0350 .text C:\Windows\System32\svchost.exe[6792] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076e4cac0 5 bytes JMP 0000000076fb0290 .text C:\Windows\System32\svchost.exe[6792] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076e4cb10 5 bytes JMP 0000000076fb02b0 .text C:\Windows\System32\svchost.exe[6792] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076e4cb40 5 bytes JMP 0000000076fb0370 .text C:\Windows\System32\svchost.exe[6792] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076e4cb50 5 bytes JMP 0000000076fb0330 .text C:\Windows\System32\svchost.exe[6792] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076e4ce40 5 bytes JMP 0000000076fb0460 .text C:\Windows\System32\svchost.exe[6792] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000076e4cfa0 5 bytes JMP 0000000076fb0420 .text C:\Windows\System32\svchost.exe[6792] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076e4d040 5 bytes JMP 0000000076fb0250 .text C:\Windows\System32\svchost.exe[6792] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076e4d050 5 bytes JMP 0000000076fb0260 .text C:\Windows\System32\svchost.exe[6792] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e4d060 5 bytes JMP 0000000076fb0400 .text C:\Windows\System32\svchost.exe[6792] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e4d220 5 bytes JMP 0000000076fb01e0 .text C:\Windows\System32\svchost.exe[6792] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076e4d230 5 bytes JMP 0000000076fb0200 .text C:\Windows\System32\svchost.exe[6792] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076e4d2a0 5 bytes JMP 0000000076fb01f0 .text C:\Windows\System32\svchost.exe[6792] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076e4d300 5 bytes JMP 0000000076fb0430 .text C:\Windows\System32\svchost.exe[6792] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076e4d310 5 bytes JMP 0000000076fb0450 .text C:\Windows\System32\svchost.exe[6792] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076e4d320 5 bytes JMP 0000000076fb0210 .text C:\Windows\System32\svchost.exe[6792] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076e4d400 5 bytes JMP 0000000076fb0270 .text C:\Windows\system32\wbem\wmiprvse.exe[7096] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076e4bbe0 5 bytes JMP 0000000000070480 .text C:\Windows\system32\wbem\wmiprvse.exe[7096] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076e4bc30 5 bytes JMP 0000000000070470 .text C:\Windows\system32\wbem\wmiprvse.exe[7096] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076e4bd90 5 bytes JMP 0000000000070360 .text C:\Windows\system32\wbem\wmiprvse.exe[7096] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076e4bde0 5 bytes JMP 0000000000070490 .text C:\Windows\system32\wbem\wmiprvse.exe[7096] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076e4bdf0 5 bytes JMP 00000000000703d0 .text C:\Windows\system32\wbem\wmiprvse.exe[7096] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076e4bea0 5 bytes JMP 0000000000070310 .text C:\Windows\system32\wbem\wmiprvse.exe[7096] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e4bed0 5 bytes JMP 00000000000703a0 .text C:\Windows\system32\wbem\wmiprvse.exe[7096] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076e4bef0 1 byte JMP 0000000000070380 .text C:\Windows\system32\wbem\wmiprvse.exe[7096] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 0000000076e4bef2 3 bytes {JMP 0xffffffff89224490} .text C:\Windows\system32\wbem\wmiprvse.exe[7096] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076e4bf30 5 bytes JMP 00000000000702d0 .text C:\Windows\system32\wbem\wmiprvse.exe[7096] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076e4bfb0 5 bytes JMP 00000000000702c0 .text C:\Windows\system32\wbem\wmiprvse.exe[7096] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e4bfd0 5 bytes JMP 0000000000070300 .text C:\Windows\system32\wbem\wmiprvse.exe[7096] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e4c010 5 bytes JMP 00000000000703b0 .text C:\Windows\system32\wbem\wmiprvse.exe[7096] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076e4c050 5 bytes JMP 0000000000070440 .text C:\Windows\system32\wbem\wmiprvse.exe[7096] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076e4c060 5 bytes JMP 00000000000703e0 .text C:\Windows\system32\wbem\wmiprvse.exe[7096] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076e4c1c0 5 bytes JMP 0000000000070220 .text C:\Windows\system32\wbem\wmiprvse.exe[7096] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076e4c380 5 bytes JMP 00000000000704a0 .text C:\Windows\system32\wbem\wmiprvse.exe[7096] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076e4c3b0 5 bytes JMP 0000000000070390 .text C:\Windows\system32\wbem\wmiprvse.exe[7096] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076e4c490 5 bytes JMP 00000000000702e0 .text C:\Windows\system32\wbem\wmiprvse.exe[7096] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076e4c4a0 5 bytes JMP 0000000000070340 .text C:\Windows\system32\wbem\wmiprvse.exe[7096] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076e4c500 5 bytes JMP 0000000000070280 .text C:\Windows\system32\wbem\wmiprvse.exe[7096] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076e4c590 5 bytes JMP 00000000000702a0 .text C:\Windows\system32\wbem\wmiprvse.exe[7096] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e4c5b0 5 bytes JMP 00000000000703c0 .text C:\Windows\system32\wbem\wmiprvse.exe[7096] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076e4c5c0 5 bytes JMP 0000000000070320 .text C:\Windows\system32\wbem\wmiprvse.exe[7096] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076e4c630 5 bytes JMP 0000000000070410 .text C:\Windows\system32\wbem\wmiprvse.exe[7096] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076e4c660 5 bytes JMP 0000000000070230 .text C:\Windows\system32\wbem\wmiprvse.exe[7096] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000076e4c800 5 bytes JMP 00000000000703f0 .text C:\Windows\system32\wbem\wmiprvse.exe[7096] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e4c920 5 bytes JMP 00000000000701d0 .text C:\Windows\system32\wbem\wmiprvse.exe[7096] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076e4c9e0 5 bytes JMP 0000000000070240 .text C:\Windows\system32\wbem\wmiprvse.exe[7096] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076e4ca10 5 bytes JMP 00000000000704b0 .text C:\Windows\system32\wbem\wmiprvse.exe[7096] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076e4ca20 5 bytes JMP 00000000000704c0 .text C:\Windows\system32\wbem\wmiprvse.exe[7096] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076e4ca50 5 bytes JMP 00000000000702f0 .text C:\Windows\system32\wbem\wmiprvse.exe[7096] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076e4ca60 5 bytes JMP 0000000000070350 .text C:\Windows\system32\wbem\wmiprvse.exe[7096] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076e4cac0 5 bytes JMP 0000000000070290 .text C:\Windows\system32\wbem\wmiprvse.exe[7096] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076e4cb10 5 bytes JMP 00000000000702b0 .text C:\Windows\system32\wbem\wmiprvse.exe[7096] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076e4cb40 5 bytes JMP 0000000000070370 .text C:\Windows\system32\wbem\wmiprvse.exe[7096] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076e4cb50 5 bytes JMP 0000000000070330 .text C:\Windows\system32\wbem\wmiprvse.exe[7096] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076e4ce40 5 bytes JMP 0000000000070460 .text C:\Windows\system32\wbem\wmiprvse.exe[7096] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000076e4cfa0 5 bytes JMP 0000000000070420 .text C:\Windows\system32\wbem\wmiprvse.exe[7096] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076e4d040 5 bytes JMP 0000000000070250 .text C:\Windows\system32\wbem\wmiprvse.exe[7096] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076e4d050 5 bytes JMP 0000000000070260 .text C:\Windows\system32\wbem\wmiprvse.exe[7096] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e4d060 5 bytes JMP 0000000000070400 .text C:\Windows\system32\wbem\wmiprvse.exe[7096] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e4d220 5 bytes JMP 00000000000701e0 .text C:\Windows\system32\wbem\wmiprvse.exe[7096] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076e4d230 5 bytes JMP 0000000000070200 .text C:\Windows\system32\wbem\wmiprvse.exe[7096] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076e4d2a0 5 bytes JMP 00000000000701f0 .text C:\Windows\system32\wbem\wmiprvse.exe[7096] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076e4d300 5 bytes JMP 0000000000070430 .text C:\Windows\system32\wbem\wmiprvse.exe[7096] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076e4d310 5 bytes JMP 0000000000070450 .text C:\Windows\system32\wbem\wmiprvse.exe[7096] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076e4d320 5 bytes JMP 0000000000070210 .text C:\Windows\system32\wbem\wmiprvse.exe[7096] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076e4d400 5 bytes JMP 0000000000070270 .text C:\Windows\system32\svchost.exe[5836] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076e4bbe0 5 bytes JMP 0000000076fb0480 .text C:\Windows\system32\svchost.exe[5836] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076e4bc30 5 bytes JMP 0000000076fb0470 .text C:\Windows\system32\svchost.exe[5836] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076e4bd90 5 bytes JMP 0000000076fb0360 .text C:\Windows\system32\svchost.exe[5836] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076e4bde0 5 bytes JMP 0000000076fb0490 .text C:\Windows\system32\svchost.exe[5836] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076e4bdf0 5 bytes JMP 0000000076fb03d0 .text C:\Windows\system32\svchost.exe[5836] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076e4bea0 5 bytes JMP 0000000076fb0310 .text C:\Windows\system32\svchost.exe[5836] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e4bed0 5 bytes JMP 0000000076fb03a0 .text C:\Windows\system32\svchost.exe[5836] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076e4bef0 1 byte JMP 0000000076fb0380 .text C:\Windows\system32\svchost.exe[5836] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 0000000076e4bef2 3 bytes {JMP 0x164490} .text C:\Windows\system32\svchost.exe[5836] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076e4bf30 5 bytes JMP 0000000076fb02d0 .text C:\Windows\system32\svchost.exe[5836] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076e4bfb0 5 bytes JMP 0000000076fb02c0 .text C:\Windows\system32\svchost.exe[5836] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e4bfd0 5 bytes JMP 0000000076fb0300 .text C:\Windows\system32\svchost.exe[5836] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e4c010 5 bytes JMP 0000000076fb03b0 .text C:\Windows\system32\svchost.exe[5836] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076e4c050 5 bytes JMP 0000000076fb0440 .text C:\Windows\system32\svchost.exe[5836] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076e4c060 5 bytes JMP 0000000076fb03e0 .text C:\Windows\system32\svchost.exe[5836] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076e4c1c0 5 bytes JMP 0000000076fb0220 .text C:\Windows\system32\svchost.exe[5836] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076e4c380 5 bytes JMP 0000000076fb04a0 .text C:\Windows\system32\svchost.exe[5836] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076e4c3b0 5 bytes JMP 0000000076fb0390 .text C:\Windows\system32\svchost.exe[5836] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076e4c490 5 bytes JMP 0000000076fb02e0 .text C:\Windows\system32\svchost.exe[5836] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076e4c4a0 5 bytes JMP 0000000076fb0340 .text C:\Windows\system32\svchost.exe[5836] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076e4c500 5 bytes JMP 0000000076fb0280 .text C:\Windows\system32\svchost.exe[5836] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076e4c590 5 bytes JMP 0000000076fb02a0 .text C:\Windows\system32\svchost.exe[5836] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e4c5b0 5 bytes JMP 0000000076fb03c0 .text C:\Windows\system32\svchost.exe[5836] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076e4c5c0 5 bytes JMP 0000000076fb0320 .text C:\Windows\system32\svchost.exe[5836] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076e4c630 5 bytes JMP 0000000076fb0410 .text C:\Windows\system32\svchost.exe[5836] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076e4c660 5 bytes JMP 0000000076fb0230 .text C:\Windows\system32\svchost.exe[5836] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000076e4c800 5 bytes JMP 0000000076fb03f0 .text C:\Windows\system32\svchost.exe[5836] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e4c920 5 bytes JMP 0000000076fb01d0 .text C:\Windows\system32\svchost.exe[5836] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076e4c9e0 5 bytes JMP 0000000076fb0240 .text C:\Windows\system32\svchost.exe[5836] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076e4ca10 5 bytes JMP 0000000076fb04b0 .text C:\Windows\system32\svchost.exe[5836] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076e4ca20 5 bytes JMP 0000000076fb04c0 .text C:\Windows\system32\svchost.exe[5836] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076e4ca50 5 bytes JMP 0000000076fb02f0 .text C:\Windows\system32\svchost.exe[5836] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076e4ca60 5 bytes JMP 0000000076fb0350 .text C:\Windows\system32\svchost.exe[5836] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076e4cac0 5 bytes JMP 0000000076fb0290 .text C:\Windows\system32\svchost.exe[5836] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076e4cb10 5 bytes JMP 0000000076fb02b0 .text C:\Windows\system32\svchost.exe[5836] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076e4cb40 5 bytes JMP 0000000076fb0370 .text C:\Windows\system32\svchost.exe[5836] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076e4cb50 5 bytes JMP 0000000076fb0330 .text C:\Windows\system32\svchost.exe[5836] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076e4ce40 5 bytes JMP 0000000076fb0460 .text C:\Windows\system32\svchost.exe[5836] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000076e4cfa0 5 bytes JMP 0000000076fb0420 .text C:\Windows\system32\svchost.exe[5836] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076e4d040 5 bytes JMP 0000000076fb0250 .text C:\Windows\system32\svchost.exe[5836] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076e4d050 5 bytes JMP 0000000076fb0260 .text C:\Windows\system32\svchost.exe[5836] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e4d060 5 bytes JMP 0000000076fb0400 .text C:\Windows\system32\svchost.exe[5836] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e4d220 5 bytes JMP 0000000076fb01e0 .text C:\Windows\system32\svchost.exe[5836] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076e4d230 5 bytes JMP 0000000076fb0200 .text C:\Windows\system32\svchost.exe[5836] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076e4d2a0 5 bytes JMP 0000000076fb01f0 .text C:\Windows\system32\svchost.exe[5836] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076e4d300 5 bytes JMP 0000000076fb0430 .text C:\Windows\system32\svchost.exe[5836] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076e4d310 5 bytes JMP 0000000076fb0450 .text C:\Windows\system32\svchost.exe[5836] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076e4d320 5 bytes JMP 0000000076fb0210 .text C:\Windows\system32\svchost.exe[5836] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076e4d400 5 bytes JMP 0000000076fb0270 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[5632] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000074a81401 2 bytes JMP 753ab263 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Skype\Phone\Skype.exe[5632] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000074a81419 2 bytes JMP 753ab38e C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Skype\Phone\Skype.exe[5632] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000074a81431 2 bytes JMP 754290f1 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Skype\Phone\Skype.exe[5632] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000074a8144a 2 bytes CALL 753848ad C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[5632] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000074a814dd 2 bytes JMP 754289ea C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Skype\Phone\Skype.exe[5632] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000074a814f5 2 bytes JMP 75428bc0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Skype\Phone\Skype.exe[5632] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000074a8150d 2 bytes JMP 754288e0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Skype\Phone\Skype.exe[5632] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000074a81525 2 bytes JMP 75428caa C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Skype\Phone\Skype.exe[5632] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000074a8153d 2 bytes JMP 7539fce8 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Skype\Phone\Skype.exe[5632] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000074a81555 2 bytes JMP 753a6937 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Skype\Phone\Skype.exe[5632] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000074a8156d 2 bytes JMP 754291a9 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Skype\Phone\Skype.exe[5632] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000074a81585 2 bytes JMP 75428d0a C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Skype\Phone\Skype.exe[5632] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000074a8159d 2 bytes JMP 754288a4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Skype\Phone\Skype.exe[5632] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000074a815b5 2 bytes JMP 7539fd81 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Skype\Phone\Skype.exe[5632] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000074a815cd 2 bytes JMP 753ab324 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Skype\Phone\Skype.exe[5632] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000074a816b2 2 bytes JMP 7542906c C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Skype\Phone\Skype.exe[5632] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000074a816bd 2 bytes JMP 75428839 C:\Windows\syswow64\kernel32.dll ---- Kernel IAT/EAT - GMER 2.2 ---- IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort] [fffff8800107ce94] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUchar] [fffff8800107cc38] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUchar] [fffff8800107d614] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUlong] [fffff8800107da10] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort] [fffff8800107d86c] \SystemRoot\System32\Drivers\sptd.sys [.text] ---- Devices - GMER 2.2 ---- Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-0 fffffa80066da2c0 Device \Driver\atapi \Device\Ide\IdePort0 fffffa80066da2c0 Device \Driver\atapi \Device\Ide\IdePort1 fffffa80066da2c0 Device \Driver\atapi \Device\Ide\IdePort2 fffffa80066da2c0 Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-1 fffffa80066da2c0 Device \Driver\atapi \Device\Ide\IdePort3 fffffa80066da2c0 Device \Driver\acdek7u0 \Device\Scsi\acdek7u01 fffffa8007e122c0 Device \Driver\acdek7u0 \Device\Scsi\acdek7u01Port4Path0Target0Lun0 fffffa8007e122c0 Device \FileSystem\Ntfs \Ntfs fffffa80070cf2c0 Device \FileSystem\fastfat \Fat fffffa8009d7f2c0 Device \Driver\NetBT \Device\NetBT_Tcpip_{2813E9D4-A351-4FBC-9859-8E66606FE33D} fffffa8007ae42c0 Device \Driver\usbehci \Device\USBPDO-1 fffffa8007d2d2c0 Device \Driver\cdrom \Device\CdRom0 fffffa80075e72c0 Device \Driver\cdrom \Device\CdRom1 fffffa80075e72c0 Device \Driver\NetBT \Device\NetBT_Tcpip_{21B88457-2363-4B3E-99F8-3E5BD8987E51} fffffa8007ae42c0 Device \Driver\usbehci \Device\USBFDO-0 fffffa8007d2d2c0 Device \Driver\usbehci \Device\USBFDO-1 fffffa8007d2d2c0 Device \Driver\NetBT \Device\NetBt_Wins_Export fffffa8007ae42c0 Device \Driver\atapi \Device\ScsiPort0 fffffa80066da2c0 Device \Driver\usbehci \Device\USBPDO-0 fffffa8007d2d2c0 Device \Driver\atapi \Device\ScsiPort1 fffffa80066da2c0 Device \Driver\atapi \Device\ScsiPort2 fffffa80066da2c0 Device \Driver\atapi \Device\ScsiPort3 fffffa80066da2c0 Device \Driver\acdek7u0 \Device\ScsiPort4 fffffa8007e122c0 ---- Trace I/O - GMER 2.2 ---- Trace ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys >>UNKNOWN [0xfffffa80066da2c0]<< sptd.sys ataport.SYS pciide.sys fffffa80066da2c0 Trace 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8007858790] fffffa8007858790 Trace 3 CLASSPNP.SYS[fffff88000dbe43f] -> nt!IofCallDriver -> [0xfffffa800731b9b0] fffffa800731b9b0 Trace 5 ACPI.sys[fffff880011a37a1] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0xfffffa80074d6060] fffffa80074d6060 Trace \Driver\atapi[0xfffffa80070f7980] -> IRP_MJ_CREATE -> 0xfffffa80066da2c0 fffffa80066da2c0 ---- Modules - GMER 2.2 ---- Module \SystemRoot\System32\Drivers\acdek7u0.SYS fffff88004d7a000-fffff88004dc5000 (307200 bytes) ---- Threads - GMER 2.2 ---- Thread C:\Windows\System32\svchost.exe [4820:6140] 000007fef1f19688 ---- Registry - GMER 2.2 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 D:\alcohol\Alcohol 52\ Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x05 0x9F 0x8C 0x9C ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0xA0 0x02 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0x32 0xE9 0x03 0x59 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0x8E 0x19 0xD9 0xFE ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 D:\alcohol\Alcohol 52\ Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0 Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x05 0x9F 0x8C 0x9C ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0xA0 0x02 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0x32 0xE9 0x03 0x59 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0x8E 0x19 0xD9 0xFE ... ---- Files - GMER 2.2 ---- File C:\Users\Admin\AppData\Local\temp\AdobeARM.log 1937 bytes File C:\Users\Admin\AppData\Local\temp\Skype\DbTemp 0 bytes File C:\Users\Admin\AppData\Local\temp\_avast_ 0 bytes File C:\Users\Admin\AppData\Local\temp\~DFD7FB0463704BC4D4.TMP 16384 bytes ---- EOF - GMER 2.2 ----