GMER 2.2.19882 - http://www.gmer.net Rootkit scan 2016-11-03 17:47:48 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T1L0-7 SAMSUNG_HD103SJ rev.1AJ10001 931,51GB Running: gmer.exe; Driver: C:\Users\mati\AppData\Local\Temp\ugldapob.sys ---- User code sections - GMER 2.2 ---- .text C:\Windows\system32\csrss.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076e6bbe0 5 bytes JMP 000000004a110480 .text C:\Windows\system32\csrss.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076e6bc30 5 bytes JMP 000000004a110470 .text C:\Windows\system32\csrss.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076e6bd90 5 bytes JMP 000000004a110360 .text C:\Windows\system32\csrss.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076e6bde0 5 bytes JMP 000000004a110490 .text C:\Windows\system32\csrss.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076e6bdf0 5 bytes JMP 000000004a1103d0 .text C:\Windows\system32\csrss.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076e6bea0 5 bytes JMP 000000004a110310 .text C:\Windows\system32\csrss.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e6bed0 5 bytes JMP 000000004a1103a0 .text C:\Windows\system32\csrss.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076e6bef0 1 byte JMP 000000004a110380 .text C:\Windows\system32\csrss.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 0000000076e6bef2 3 bytes {JMP 0xffffffffd32a4490} .text C:\Windows\system32\csrss.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076e6bf30 5 bytes JMP 000000004a1102d0 .text C:\Windows\system32\csrss.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076e6bfb0 5 bytes JMP 000000004a1102c0 .text C:\Windows\system32\csrss.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e6bfd0 5 bytes JMP 000000004a110300 .text C:\Windows\system32\csrss.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e6c010 5 bytes JMP 000000004a1103b0 .text C:\Windows\system32\csrss.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076e6c050 5 bytes JMP 000000004a110440 .text C:\Windows\system32\csrss.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076e6c060 5 bytes JMP 000000004a1103e0 .text C:\Windows\system32\csrss.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076e6c1c0 5 bytes JMP 000000004a110220 .text C:\Windows\system32\csrss.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076e6c380 5 bytes JMP 000000004a1104a0 .text C:\Windows\system32\csrss.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076e6c3b0 5 bytes JMP 000000004a110390 .text C:\Windows\system32\csrss.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076e6c490 5 bytes JMP 000000004a1102e0 .text C:\Windows\system32\csrss.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076e6c4a0 5 bytes JMP 000000004a110340 .text C:\Windows\system32\csrss.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076e6c500 5 bytes JMP 000000004a110280 .text C:\Windows\system32\csrss.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076e6c590 5 bytes JMP 000000004a1102a0 .text C:\Windows\system32\csrss.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e6c5b0 5 bytes JMP 000000004a1103c0 .text C:\Windows\system32\csrss.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076e6c5c0 5 bytes JMP 000000004a110320 .text C:\Windows\system32\csrss.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076e6c630 5 bytes JMP 000000004a110410 .text C:\Windows\system32\csrss.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076e6c660 5 bytes JMP 000000004a110230 .text C:\Windows\system32\csrss.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000076e6c800 5 bytes JMP 000000004a1103f0 .text C:\Windows\system32\csrss.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e6c920 5 bytes JMP 000000004a1101d0 .text C:\Windows\system32\csrss.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076e6c9e0 5 bytes JMP 000000004a110240 .text C:\Windows\system32\csrss.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076e6ca10 5 bytes JMP 000000004a1104b0 .text C:\Windows\system32\csrss.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076e6ca20 5 bytes JMP 000000004a1104c0 .text C:\Windows\system32\csrss.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076e6ca50 5 bytes JMP 000000004a1102f0 .text C:\Windows\system32\csrss.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076e6ca60 5 bytes JMP 000000004a110350 .text C:\Windows\system32\csrss.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076e6cac0 5 bytes JMP 000000004a110290 .text C:\Windows\system32\csrss.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076e6cb10 5 bytes JMP 000000004a1102b0 .text C:\Windows\system32\csrss.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076e6cb40 5 bytes JMP 000000004a110370 .text C:\Windows\system32\csrss.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076e6cb50 5 bytes JMP 000000004a110330 .text C:\Windows\system32\csrss.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076e6ce40 5 bytes JMP 000000004a110460 .text C:\Windows\system32\csrss.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000076e6cfa0 5 bytes JMP 000000004a110420 .text C:\Windows\system32\csrss.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076e6d040 5 bytes JMP 000000004a110250 .text C:\Windows\system32\csrss.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076e6d050 5 bytes JMP 000000004a110260 .text C:\Windows\system32\csrss.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e6d060 5 bytes JMP 000000004a110400 .text C:\Windows\system32\csrss.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e6d220 5 bytes JMP 000000004a1101e0 .text C:\Windows\system32\csrss.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076e6d230 5 bytes JMP 000000004a110200 .text C:\Windows\system32\csrss.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076e6d2a0 5 bytes JMP 000000004a1101f0 .text C:\Windows\system32\csrss.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076e6d300 5 bytes JMP 000000004a110430 .text C:\Windows\system32\csrss.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076e6d310 5 bytes JMP 000000004a110450 .text C:\Windows\system32\csrss.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076e6d320 5 bytes JMP 000000004a110210 .text C:\Windows\system32\csrss.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076e6d400 5 bytes JMP 000000004a110270 .text C:\Windows\system32\wininit.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076e6bbe0 5 bytes JMP 0000000076fd0480 .text C:\Windows\system32\wininit.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076e6bc30 5 bytes JMP 0000000076fd0470 .text C:\Windows\system32\wininit.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076e6bd90 5 bytes JMP 0000000076fd0360 .text C:\Windows\system32\wininit.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076e6bde0 5 bytes JMP 0000000076fd0490 .text C:\Windows\system32\wininit.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076e6bdf0 5 bytes JMP 0000000076fd03d0 .text C:\Windows\system32\wininit.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076e6bea0 5 bytes JMP 0000000076fd0310 .text C:\Windows\system32\wininit.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e6bed0 5 bytes JMP 0000000076fd03a0 .text C:\Windows\system32\wininit.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076e6bef0 1 byte JMP 0000000076fd0380 .text C:\Windows\system32\wininit.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 0000000076e6bef2 3 bytes {JMP 0x164490} .text C:\Windows\system32\wininit.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076e6bf30 5 bytes JMP 0000000076fd02d0 .text C:\Windows\system32\wininit.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076e6bfb0 5 bytes JMP 0000000076fd02c0 .text C:\Windows\system32\wininit.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e6bfd0 5 bytes JMP 0000000076fd0300 .text C:\Windows\system32\wininit.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e6c010 5 bytes JMP 0000000076fd03b0 .text C:\Windows\system32\wininit.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076e6c050 5 bytes JMP 0000000076fd0440 .text C:\Windows\system32\wininit.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076e6c060 5 bytes JMP 0000000076fd03e0 .text C:\Windows\system32\wininit.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076e6c1c0 5 bytes JMP 0000000076fd0220 .text C:\Windows\system32\wininit.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076e6c380 5 bytes JMP 0000000076fd04a0 .text C:\Windows\system32\wininit.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076e6c3b0 5 bytes JMP 0000000076fd0390 .text C:\Windows\system32\wininit.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076e6c490 5 bytes JMP 0000000076fd02e0 .text C:\Windows\system32\wininit.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076e6c4a0 5 bytes JMP 0000000076fd0340 .text C:\Windows\system32\wininit.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076e6c500 5 bytes JMP 0000000076fd0280 .text C:\Windows\system32\wininit.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076e6c590 5 bytes JMP 0000000076fd02a0 .text C:\Windows\system32\wininit.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e6c5b0 5 bytes JMP 0000000076fd03c0 .text C:\Windows\system32\wininit.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076e6c5c0 5 bytes JMP 0000000076fd0320 .text C:\Windows\system32\wininit.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076e6c630 5 bytes JMP 0000000076fd0410 .text C:\Windows\system32\wininit.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076e6c660 5 bytes JMP 0000000076fd0230 .text C:\Windows\system32\wininit.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000076e6c800 5 bytes JMP 0000000076fd03f0 .text C:\Windows\system32\wininit.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e6c920 5 bytes JMP 0000000076fd01d0 .text C:\Windows\system32\wininit.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076e6c9e0 5 bytes JMP 0000000076fd0240 .text C:\Windows\system32\wininit.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076e6ca10 5 bytes JMP 0000000076fd04b0 .text C:\Windows\system32\wininit.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076e6ca20 5 bytes JMP 0000000076fd04c0 .text C:\Windows\system32\wininit.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076e6ca50 5 bytes JMP 0000000076fd02f0 .text C:\Windows\system32\wininit.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076e6ca60 5 bytes JMP 0000000076fd0350 .text C:\Windows\system32\wininit.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076e6cac0 5 bytes JMP 0000000076fd0290 .text C:\Windows\system32\wininit.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076e6cb10 5 bytes JMP 0000000076fd02b0 .text C:\Windows\system32\wininit.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076e6cb40 5 bytes JMP 0000000076fd0370 .text C:\Windows\system32\wininit.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076e6cb50 5 bytes JMP 0000000076fd0330 .text C:\Windows\system32\wininit.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076e6ce40 5 bytes JMP 0000000076fd0460 .text C:\Windows\system32\wininit.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000076e6cfa0 5 bytes JMP 0000000076fd0420 .text C:\Windows\system32\wininit.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076e6d040 5 bytes JMP 0000000076fd0250 .text C:\Windows\system32\wininit.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076e6d050 5 bytes JMP 0000000076fd0260 .text C:\Windows\system32\wininit.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e6d060 5 bytes JMP 0000000076fd0400 .text C:\Windows\system32\wininit.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e6d220 5 bytes JMP 0000000076fd01e0 .text C:\Windows\system32\wininit.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076e6d230 5 bytes JMP 0000000076fd0200 .text C:\Windows\system32\wininit.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076e6d2a0 5 bytes JMP 0000000076fd01f0 .text C:\Windows\system32\wininit.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076e6d300 5 bytes JMP 0000000076fd0430 .text C:\Windows\system32\wininit.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076e6d310 5 bytes JMP 0000000076fd0450 .text C:\Windows\system32\wininit.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076e6d320 5 bytes JMP 0000000076fd0210 .text C:\Windows\system32\wininit.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076e6d400 5 bytes JMP 0000000076fd0270 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076e6bbe0 5 bytes JMP 000000004a110480 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076e6bc30 5 bytes JMP 000000004a110470 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076e6bd90 5 bytes JMP 000000004a110360 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076e6bde0 5 bytes JMP 000000004a110490 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076e6bdf0 5 bytes JMP 000000004a1103d0 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076e6bea0 5 bytes JMP 000000004a110310 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e6bed0 5 bytes JMP 000000004a1103a0 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076e6bef0 1 byte JMP 000000004a110380 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 0000000076e6bef2 3 bytes {JMP 0xffffffffd32a4490} .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076e6bf30 5 bytes JMP 000000004a1102d0 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076e6bfb0 5 bytes JMP 000000004a1102c0 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e6bfd0 5 bytes JMP 000000004a110300 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e6c010 5 bytes JMP 000000004a1103b0 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076e6c050 5 bytes JMP 000000004a110440 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076e6c060 5 bytes JMP 000000004a1103e0 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076e6c1c0 5 bytes JMP 000000004a110220 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076e6c380 5 bytes JMP 000000004a1104a0 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076e6c3b0 5 bytes JMP 000000004a110390 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076e6c490 5 bytes JMP 000000004a1102e0 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076e6c4a0 5 bytes JMP 000000004a110340 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076e6c500 5 bytes JMP 000000004a110280 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076e6c590 5 bytes JMP 000000004a1102a0 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e6c5b0 5 bytes JMP 000000004a1103c0 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076e6c5c0 5 bytes JMP 000000004a110320 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076e6c630 5 bytes JMP 000000004a110410 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076e6c660 5 bytes JMP 000000004a110230 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000076e6c800 5 bytes JMP 000000004a1103f0 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e6c920 5 bytes JMP 000000004a1101d0 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076e6c9e0 5 bytes JMP 000000004a110240 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076e6ca10 5 bytes JMP 000000004a1104b0 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076e6ca20 5 bytes JMP 000000004a1104c0 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076e6ca50 5 bytes JMP 000000004a1102f0 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076e6ca60 5 bytes JMP 000000004a110350 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076e6cac0 5 bytes JMP 000000004a110290 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076e6cb10 5 bytes JMP 000000004a1102b0 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076e6cb40 5 bytes JMP 000000004a110370 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076e6cb50 5 bytes JMP 000000004a110330 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076e6ce40 5 bytes JMP 000000004a110460 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000076e6cfa0 5 bytes JMP 000000004a110420 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076e6d040 5 bytes JMP 000000004a110250 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076e6d050 5 bytes JMP 000000004a110260 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e6d060 5 bytes JMP 000000004a110400 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e6d220 5 bytes JMP 000000004a1101e0 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076e6d230 5 bytes JMP 000000004a110200 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076e6d2a0 5 bytes JMP 000000004a1101f0 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076e6d300 5 bytes JMP 000000004a110430 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076e6d310 5 bytes JMP 000000004a110450 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076e6d320 5 bytes JMP 000000004a110210 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076e6d400 5 bytes JMP 000000004a110270 .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076e6bbe0 5 bytes JMP 0000000076fd0480 .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076e6bc30 5 bytes JMP 0000000076fd0470 .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076e6bd90 5 bytes JMP 0000000076fd0360 .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076e6bde0 5 bytes JMP 0000000076fd0490 .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076e6bdf0 5 bytes JMP 0000000076fd03d0 .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076e6bea0 5 bytes JMP 0000000076fd0310 .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e6bed0 5 bytes JMP 0000000076fd03a0 .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076e6bef0 1 byte JMP 0000000076fd0380 .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 0000000076e6bef2 3 bytes {JMP 0x164490} .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076e6bf30 5 bytes JMP 0000000076fd02d0 .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076e6bfb0 5 bytes JMP 0000000076fd02c0 .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e6bfd0 5 bytes JMP 0000000076fd0300 .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e6c010 5 bytes JMP 0000000076fd03b0 .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076e6c050 5 bytes JMP 0000000076fd0440 .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076e6c060 5 bytes JMP 0000000076fd03e0 .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076e6c1c0 5 bytes JMP 0000000076fd0220 .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076e6c380 5 bytes JMP 0000000076fd04a0 .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076e6c3b0 5 bytes JMP 0000000076fd0390 .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076e6c490 5 bytes JMP 0000000076fd02e0 .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076e6c4a0 5 bytes JMP 0000000076fd0340 .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076e6c500 5 bytes JMP 0000000076fd0280 .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076e6c590 5 bytes JMP 0000000076fd02a0 .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e6c5b0 5 bytes JMP 0000000076fd03c0 .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076e6c5c0 5 bytes JMP 0000000076fd0320 .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076e6c630 5 bytes JMP 0000000076fd0410 .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076e6c660 5 bytes JMP 0000000076fd0230 .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000076e6c800 5 bytes JMP 0000000076fd03f0 .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e6c920 5 bytes JMP 0000000076fd01d0 .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076e6c9e0 5 bytes JMP 0000000076fd0240 .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076e6ca10 5 bytes JMP 0000000076fd04b0 .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076e6ca20 5 bytes JMP 0000000076fd04c0 .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076e6ca50 5 bytes JMP 0000000076fd02f0 .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076e6ca60 5 bytes JMP 0000000076fd0350 .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076e6cac0 5 bytes JMP 0000000076fd0290 .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076e6cb10 5 bytes JMP 0000000076fd02b0 .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076e6cb40 5 bytes JMP 0000000076fd0370 .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076e6cb50 5 bytes JMP 0000000076fd0330 .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076e6ce40 5 bytes JMP 0000000076fd0460 .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000076e6cfa0 5 bytes JMP 0000000076fd0420 .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076e6d040 5 bytes JMP 0000000076fd0250 .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076e6d050 5 bytes JMP 0000000076fd0260 .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e6d060 5 bytes JMP 0000000076fd0400 .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e6d220 5 bytes JMP 0000000076fd01e0 .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076e6d230 5 bytes JMP 0000000076fd0200 .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076e6d2a0 5 bytes JMP 0000000076fd01f0 .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076e6d300 5 bytes JMP 0000000076fd0430 .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076e6d310 5 bytes JMP 0000000076fd0450 .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076e6d320 5 bytes JMP 0000000076fd0210 .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076e6d400 5 bytes JMP 0000000076fd0270 .text C:\Windows\system32\lsass.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076e6bbe0 5 bytes JMP 0000000076fd0480 .text C:\Windows\system32\lsass.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076e6bc30 5 bytes JMP 0000000076fd0470 .text C:\Windows\system32\lsass.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076e6bd90 5 bytes JMP 0000000076fd0360 .text C:\Windows\system32\lsass.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076e6bde0 5 bytes JMP 0000000076fd0490 .text C:\Windows\system32\lsass.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076e6bdf0 5 bytes JMP 0000000076fd03d0 .text C:\Windows\system32\lsass.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076e6bea0 5 bytes JMP 0000000076fd0310 .text C:\Windows\system32\lsass.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e6bed0 5 bytes JMP 0000000076fd03a0 .text C:\Windows\system32\lsass.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076e6bef0 1 byte JMP 0000000076fd0380 .text C:\Windows\system32\lsass.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 0000000076e6bef2 3 bytes {JMP 0x164490} .text C:\Windows\system32\lsass.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076e6bf30 5 bytes JMP 0000000076fd02d0 .text C:\Windows\system32\lsass.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076e6bfb0 5 bytes JMP 0000000076fd02c0 .text C:\Windows\system32\lsass.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e6bfd0 5 bytes JMP 0000000076fd0300 .text C:\Windows\system32\lsass.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e6c010 5 bytes JMP 0000000076fd03b0 .text C:\Windows\system32\lsass.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076e6c050 5 bytes JMP 0000000076fd0440 .text C:\Windows\system32\lsass.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076e6c060 5 bytes JMP 0000000076fd03e0 .text C:\Windows\system32\lsass.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076e6c1c0 5 bytes JMP 0000000076fd0220 .text C:\Windows\system32\lsass.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076e6c380 5 bytes JMP 0000000076fd04a0 .text C:\Windows\system32\lsass.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076e6c3b0 5 bytes JMP 0000000076fd0390 .text C:\Windows\system32\lsass.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076e6c490 5 bytes JMP 0000000076fd02e0 .text C:\Windows\system32\lsass.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076e6c4a0 5 bytes JMP 0000000076fd0340 .text C:\Windows\system32\lsass.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076e6c500 5 bytes JMP 0000000076fd0280 .text C:\Windows\system32\lsass.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076e6c590 5 bytes JMP 0000000076fd02a0 .text C:\Windows\system32\lsass.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e6c5b0 5 bytes JMP 0000000076fd03c0 .text C:\Windows\system32\lsass.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076e6c5c0 5 bytes JMP 0000000076fd0320 .text C:\Windows\system32\lsass.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076e6c630 5 bytes JMP 0000000076fd0410 .text C:\Windows\system32\lsass.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076e6c660 5 bytes JMP 0000000076fd0230 .text C:\Windows\system32\lsass.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000076e6c800 5 bytes JMP 0000000076fd03f0 .text C:\Windows\system32\lsass.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e6c920 5 bytes JMP 0000000076fd01d0 .text C:\Windows\system32\lsass.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076e6c9e0 5 bytes JMP 0000000076fd0240 .text C:\Windows\system32\lsass.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076e6ca10 5 bytes JMP 0000000076fd04b0 .text C:\Windows\system32\lsass.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076e6ca20 5 bytes JMP 0000000076fd04c0 .text C:\Windows\system32\lsass.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076e6ca50 5 bytes JMP 0000000076fd02f0 .text C:\Windows\system32\lsass.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076e6ca60 5 bytes JMP 0000000076fd0350 .text C:\Windows\system32\lsass.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076e6cac0 5 bytes JMP 0000000076fd0290 .text C:\Windows\system32\lsass.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076e6cb10 5 bytes JMP 0000000076fd02b0 .text C:\Windows\system32\lsass.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076e6cb40 5 bytes JMP 0000000076fd0370 .text C:\Windows\system32\lsass.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076e6cb50 5 bytes JMP 0000000076fd0330 .text C:\Windows\system32\lsass.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076e6ce40 5 bytes JMP 0000000076fd0460 .text C:\Windows\system32\lsass.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000076e6cfa0 5 bytes JMP 0000000076fd0420 .text C:\Windows\system32\lsass.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076e6d040 5 bytes JMP 0000000076fd0250 .text C:\Windows\system32\lsass.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076e6d050 5 bytes JMP 0000000076fd0260 .text C:\Windows\system32\lsass.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e6d060 5 bytes JMP 0000000076fd0400 .text C:\Windows\system32\lsass.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e6d220 5 bytes JMP 0000000076fd01e0 .text C:\Windows\system32\lsass.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076e6d230 5 bytes JMP 0000000076fd0200 .text C:\Windows\system32\lsass.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076e6d2a0 5 bytes JMP 0000000076fd01f0 .text C:\Windows\system32\lsass.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076e6d300 5 bytes JMP 0000000076fd0430 .text C:\Windows\system32\lsass.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076e6d310 5 bytes JMP 0000000076fd0450 .text C:\Windows\system32\lsass.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076e6d320 5 bytes JMP 0000000076fd0210 .text C:\Windows\system32\lsass.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076e6d400 5 bytes JMP 0000000076fd0270 .text C:\Windows\system32\lsm.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076e6bbe0 5 bytes JMP 0000000076fd0480 .text C:\Windows\system32\lsm.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076e6bc30 5 bytes JMP 0000000076fd0470 .text C:\Windows\system32\lsm.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076e6bd90 5 bytes JMP 0000000076fd0360 .text C:\Windows\system32\lsm.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076e6bde0 5 bytes JMP 0000000076fd0490 .text C:\Windows\system32\lsm.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076e6bdf0 5 bytes JMP 0000000076fd03d0 .text C:\Windows\system32\lsm.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076e6bea0 5 bytes JMP 0000000076fd0310 .text C:\Windows\system32\lsm.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e6bed0 5 bytes JMP 0000000076fd03a0 .text C:\Windows\system32\lsm.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076e6bef0 1 byte JMP 0000000076fd0380 .text C:\Windows\system32\lsm.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 0000000076e6bef2 3 bytes {JMP 0x164490} .text C:\Windows\system32\lsm.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076e6bf30 5 bytes JMP 0000000076fd02d0 .text C:\Windows\system32\lsm.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076e6bfb0 5 bytes JMP 0000000076fd02c0 .text C:\Windows\system32\lsm.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e6bfd0 5 bytes JMP 0000000076fd0300 .text C:\Windows\system32\lsm.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e6c010 5 bytes JMP 0000000076fd03b0 .text C:\Windows\system32\lsm.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076e6c050 5 bytes JMP 0000000076fd0440 .text C:\Windows\system32\lsm.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076e6c060 5 bytes JMP 0000000076fd03e0 .text C:\Windows\system32\lsm.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076e6c1c0 5 bytes JMP 0000000076fd0220 .text C:\Windows\system32\lsm.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076e6c380 5 bytes JMP 0000000076fd04a0 .text C:\Windows\system32\lsm.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076e6c3b0 5 bytes JMP 0000000076fd0390 .text C:\Windows\system32\lsm.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076e6c490 5 bytes JMP 0000000076fd02e0 .text C:\Windows\system32\lsm.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076e6c4a0 5 bytes JMP 0000000076fd0340 .text C:\Windows\system32\lsm.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076e6c500 5 bytes JMP 0000000076fd0280 .text C:\Windows\system32\lsm.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076e6c590 5 bytes JMP 0000000076fd02a0 .text C:\Windows\system32\lsm.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e6c5b0 5 bytes JMP 0000000076fd03c0 .text C:\Windows\system32\lsm.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076e6c5c0 5 bytes JMP 0000000076fd0320 .text C:\Windows\system32\lsm.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076e6c630 5 bytes JMP 0000000076fd0410 .text C:\Windows\system32\lsm.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076e6c660 5 bytes JMP 0000000076fd0230 .text C:\Windows\system32\lsm.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000076e6c800 5 bytes JMP 0000000076fd03f0 .text C:\Windows\system32\lsm.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e6c920 5 bytes JMP 0000000076fd01d0 .text C:\Windows\system32\lsm.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076e6c9e0 5 bytes JMP 0000000076fd0240 .text C:\Windows\system32\lsm.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076e6ca10 5 bytes JMP 0000000076fd04b0 .text C:\Windows\system32\lsm.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076e6ca20 5 bytes JMP 0000000076fd04c0 .text C:\Windows\system32\lsm.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076e6ca50 5 bytes JMP 0000000076fd02f0 .text C:\Windows\system32\lsm.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076e6ca60 5 bytes JMP 0000000076fd0350 .text C:\Windows\system32\lsm.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076e6cac0 5 bytes JMP 0000000076fd0290 .text C:\Windows\system32\lsm.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076e6cb10 5 bytes JMP 0000000076fd02b0 .text C:\Windows\system32\lsm.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076e6cb40 5 bytes JMP 0000000076fd0370 .text C:\Windows\system32\lsm.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076e6cb50 5 bytes JMP 0000000076fd0330 .text C:\Windows\system32\lsm.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076e6ce40 5 bytes JMP 0000000076fd0460 .text C:\Windows\system32\lsm.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000076e6cfa0 5 bytes JMP 0000000076fd0420 .text C:\Windows\system32\lsm.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076e6d040 5 bytes JMP 0000000076fd0250 .text C:\Windows\system32\lsm.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076e6d050 5 bytes JMP 0000000076fd0260 .text C:\Windows\system32\lsm.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e6d060 5 bytes JMP 0000000076fd0400 .text C:\Windows\system32\lsm.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e6d220 5 bytes JMP 0000000076fd01e0 .text C:\Windows\system32\lsm.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076e6d230 5 bytes JMP 0000000076fd0200 .text C:\Windows\system32\lsm.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076e6d2a0 5 bytes JMP 0000000076fd01f0 .text C:\Windows\system32\lsm.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076e6d300 5 bytes JMP 0000000076fd0430 .text C:\Windows\system32\lsm.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076e6d310 5 bytes JMP 0000000076fd0450 .text C:\Windows\system32\lsm.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076e6d320 5 bytes JMP 0000000076fd0210 .text C:\Windows\system32\lsm.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076e6d400 5 bytes JMP 0000000076fd0270 .text C:\Windows\system32\svchost.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076e6bbe0 5 bytes JMP 0000000000070480 .text C:\Windows\system32\svchost.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076e6bc30 5 bytes JMP 0000000000070470 .text C:\Windows\system32\svchost.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076e6bd90 5 bytes JMP 0000000000070360 .text C:\Windows\system32\svchost.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076e6bde0 5 bytes JMP 0000000000070490 .text C:\Windows\system32\svchost.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076e6bdf0 5 bytes JMP 00000000000703d0 .text C:\Windows\system32\svchost.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076e6bea0 5 bytes JMP 0000000000070310 .text C:\Windows\system32\svchost.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e6bed0 5 bytes JMP 00000000000703a0 .text C:\Windows\system32\svchost.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076e6bef0 1 byte JMP 0000000000070380 .text C:\Windows\system32\svchost.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 0000000076e6bef2 3 bytes {JMP 0xffffffff89204490} .text C:\Windows\system32\svchost.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076e6bf30 5 bytes JMP 00000000000702d0 .text C:\Windows\system32\svchost.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076e6bfb0 5 bytes JMP 00000000000702c0 .text C:\Windows\system32\svchost.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e6bfd0 5 bytes JMP 0000000000070300 .text C:\Windows\system32\svchost.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e6c010 5 bytes JMP 00000000000703b0 .text C:\Windows\system32\svchost.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076e6c050 5 bytes JMP 0000000000070440 .text C:\Windows\system32\svchost.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076e6c060 5 bytes JMP 00000000000703e0 .text C:\Windows\system32\svchost.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076e6c1c0 5 bytes JMP 0000000000070220 .text C:\Windows\system32\svchost.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076e6c380 5 bytes JMP 00000000000704a0 .text C:\Windows\system32\svchost.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076e6c3b0 5 bytes JMP 0000000000070390 .text C:\Windows\system32\svchost.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076e6c490 5 bytes JMP 00000000000702e0 .text C:\Windows\system32\svchost.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076e6c4a0 5 bytes JMP 0000000000070340 .text C:\Windows\system32\svchost.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076e6c500 5 bytes JMP 0000000000070280 .text C:\Windows\system32\svchost.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076e6c590 5 bytes JMP 00000000000702a0 .text C:\Windows\system32\svchost.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e6c5b0 5 bytes JMP 00000000000703c0 .text C:\Windows\system32\svchost.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076e6c5c0 5 bytes JMP 0000000000070320 .text C:\Windows\system32\svchost.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076e6c630 5 bytes JMP 0000000000070410 .text C:\Windows\system32\svchost.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076e6c660 5 bytes JMP 0000000000070230 .text C:\Windows\system32\svchost.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000076e6c800 5 bytes JMP 00000000000703f0 .text C:\Windows\system32\svchost.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e6c920 5 bytes JMP 00000000000701d0 .text C:\Windows\system32\svchost.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076e6c9e0 5 bytes JMP 0000000000070240 .text C:\Windows\system32\svchost.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076e6ca10 5 bytes JMP 00000000000704b0 .text C:\Windows\system32\svchost.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076e6ca20 5 bytes JMP 00000000000704c0 .text C:\Windows\system32\svchost.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076e6ca50 5 bytes JMP 00000000000702f0 .text C:\Windows\system32\svchost.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076e6ca60 5 bytes JMP 0000000000070350 .text C:\Windows\system32\svchost.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076e6cac0 5 bytes JMP 0000000000070290 .text C:\Windows\system32\svchost.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076e6cb10 5 bytes JMP 00000000000702b0 .text C:\Windows\system32\svchost.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076e6cb40 5 bytes JMP 0000000000070370 .text C:\Windows\system32\svchost.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076e6cb50 5 bytes JMP 0000000000070330 .text C:\Windows\system32\svchost.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076e6ce40 5 bytes JMP 0000000000070460 .text C:\Windows\system32\svchost.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000076e6cfa0 5 bytes JMP 0000000000070420 .text C:\Windows\system32\svchost.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076e6d040 5 bytes JMP 0000000000070250 .text C:\Windows\system32\svchost.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076e6d050 5 bytes JMP 0000000000070260 .text C:\Windows\system32\svchost.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e6d060 5 bytes JMP 0000000000070400 .text C:\Windows\system32\svchost.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e6d220 5 bytes JMP 00000000000701e0 .text C:\Windows\system32\svchost.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076e6d230 5 bytes JMP 0000000000070200 .text C:\Windows\system32\svchost.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076e6d2a0 5 bytes JMP 00000000000701f0 .text C:\Windows\system32\svchost.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076e6d300 5 bytes JMP 0000000000070430 .text C:\Windows\system32\svchost.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076e6d310 5 bytes JMP 0000000000070450 .text C:\Windows\system32\svchost.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076e6d320 5 bytes JMP 0000000000070210 .text C:\Windows\system32\svchost.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076e6d400 5 bytes JMP 0000000000070270 .text C:\Windows\system32\winlogon.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076e6bbe0 5 bytes JMP 0000000076fd0480 .text C:\Windows\system32\winlogon.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076e6bc30 5 bytes JMP 0000000076fd0470 .text C:\Windows\system32\winlogon.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076e6bd90 5 bytes JMP 0000000076fd0360 .text C:\Windows\system32\winlogon.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076e6bde0 5 bytes JMP 0000000076fd0490 .text C:\Windows\system32\winlogon.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076e6bdf0 5 bytes JMP 0000000076fd03d0 .text C:\Windows\system32\winlogon.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076e6bea0 5 bytes JMP 0000000076fd0310 .text C:\Windows\system32\winlogon.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e6bed0 5 bytes JMP 0000000076fd03a0 .text C:\Windows\system32\winlogon.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076e6bef0 1 byte JMP 0000000076fd0380 .text C:\Windows\system32\winlogon.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 0000000076e6bef2 3 bytes {JMP 0x164490} .text C:\Windows\system32\winlogon.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076e6bf30 5 bytes JMP 0000000076fd02d0 .text C:\Windows\system32\winlogon.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076e6bfb0 5 bytes JMP 0000000076fd02c0 .text C:\Windows\system32\winlogon.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e6bfd0 5 bytes JMP 0000000076fd0300 .text C:\Windows\system32\winlogon.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e6c010 5 bytes JMP 0000000076fd03b0 .text C:\Windows\system32\winlogon.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076e6c050 5 bytes JMP 0000000076fd0440 .text C:\Windows\system32\winlogon.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076e6c060 5 bytes JMP 0000000076fd03e0 .text C:\Windows\system32\winlogon.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076e6c1c0 5 bytes JMP 0000000076fd0220 .text C:\Windows\system32\winlogon.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076e6c380 5 bytes JMP 0000000076fd04a0 .text C:\Windows\system32\winlogon.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076e6c3b0 5 bytes JMP 0000000076fd0390 .text C:\Windows\system32\winlogon.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076e6c490 5 bytes JMP 0000000076fd02e0 .text C:\Windows\system32\winlogon.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076e6c4a0 5 bytes JMP 0000000076fd0340 .text C:\Windows\system32\winlogon.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076e6c500 5 bytes JMP 0000000076fd0280 .text C:\Windows\system32\winlogon.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076e6c590 5 bytes JMP 0000000076fd02a0 .text C:\Windows\system32\winlogon.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e6c5b0 5 bytes JMP 0000000076fd03c0 .text C:\Windows\system32\winlogon.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076e6c5c0 5 bytes JMP 0000000076fd0320 .text C:\Windows\system32\winlogon.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076e6c630 5 bytes JMP 0000000076fd0410 .text C:\Windows\system32\winlogon.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076e6c660 5 bytes JMP 0000000076fd0230 .text C:\Windows\system32\winlogon.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000076e6c800 5 bytes JMP 0000000076fd03f0 .text C:\Windows\system32\winlogon.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e6c920 5 bytes JMP 0000000076fd01d0 .text C:\Windows\system32\winlogon.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076e6c9e0 5 bytes JMP 0000000076fd0240 .text C:\Windows\system32\winlogon.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076e6ca10 5 bytes JMP 0000000076fd04b0 .text C:\Windows\system32\winlogon.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076e6ca20 5 bytes JMP 0000000076fd04c0 .text C:\Windows\system32\winlogon.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076e6ca50 5 bytes JMP 0000000076fd02f0 .text C:\Windows\system32\winlogon.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076e6ca60 5 bytes JMP 0000000076fd0350 .text C:\Windows\system32\winlogon.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076e6cac0 5 bytes JMP 0000000076fd0290 .text C:\Windows\system32\winlogon.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076e6cb10 5 bytes JMP 0000000076fd02b0 .text C:\Windows\system32\winlogon.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076e6cb40 5 bytes JMP 0000000076fd0370 .text C:\Windows\system32\winlogon.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076e6cb50 5 bytes JMP 0000000076fd0330 .text C:\Windows\system32\winlogon.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076e6ce40 5 bytes JMP 0000000076fd0460 .text C:\Windows\system32\winlogon.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000076e6cfa0 5 bytes JMP 0000000076fd0420 .text C:\Windows\system32\winlogon.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076e6d040 5 bytes JMP 0000000076fd0250 .text C:\Windows\system32\winlogon.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076e6d050 5 bytes JMP 0000000076fd0260 .text C:\Windows\system32\winlogon.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e6d060 5 bytes JMP 0000000076fd0400 .text C:\Windows\system32\winlogon.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e6d220 5 bytes JMP 0000000076fd01e0 .text C:\Windows\system32\winlogon.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076e6d230 5 bytes JMP 0000000076fd0200 .text C:\Windows\system32\winlogon.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076e6d2a0 5 bytes JMP 0000000076fd01f0 .text C:\Windows\system32\winlogon.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076e6d300 5 bytes JMP 0000000076fd0430 .text C:\Windows\system32\winlogon.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076e6d310 5 bytes JMP 0000000076fd0450 .text C:\Windows\system32\winlogon.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076e6d320 5 bytes JMP 0000000076fd0210 .text C:\Windows\system32\winlogon.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076e6d400 5 bytes JMP 0000000076fd0270 .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076e6bbe0 5 bytes JMP 0000000076fd0480 .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076e6bc30 5 bytes JMP 0000000076fd0470 .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076e6bd90 5 bytes JMP 0000000076fd0360 .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076e6bde0 5 bytes JMP 0000000076fd0490 .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076e6bdf0 5 bytes JMP 0000000076fd03d0 .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076e6bea0 5 bytes JMP 0000000076fd0310 .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e6bed0 5 bytes JMP 0000000076fd03a0 .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076e6bef0 1 byte JMP 0000000076fd0380 .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 0000000076e6bef2 3 bytes {JMP 0x164490} .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076e6bf30 5 bytes JMP 0000000076fd02d0 .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076e6bfb0 5 bytes JMP 0000000076fd02c0 .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e6bfd0 5 bytes JMP 0000000076fd0300 .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e6c010 5 bytes JMP 0000000076fd03b0 .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076e6c050 5 bytes JMP 0000000076fd0440 .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076e6c060 5 bytes JMP 0000000076fd03e0 .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076e6c1c0 5 bytes JMP 0000000076fd0220 .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076e6c380 5 bytes JMP 0000000076fd04a0 .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076e6c3b0 5 bytes JMP 0000000076fd0390 .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076e6c490 5 bytes JMP 0000000076fd02e0 .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076e6c4a0 5 bytes JMP 0000000076fd0340 .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076e6c500 5 bytes JMP 0000000076fd0280 .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076e6c590 5 bytes JMP 0000000076fd02a0 .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e6c5b0 5 bytes JMP 0000000076fd03c0 .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076e6c5c0 5 bytes JMP 0000000076fd0320 .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076e6c630 5 bytes JMP 0000000076fd0410 .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076e6c660 5 bytes JMP 0000000076fd0230 .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000076e6c800 5 bytes JMP 0000000076fd03f0 .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e6c920 5 bytes JMP 0000000076fd01d0 .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076e6c9e0 5 bytes JMP 0000000076fd0240 .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076e6ca10 5 bytes JMP 0000000076fd04b0 .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076e6ca20 5 bytes JMP 0000000076fd04c0 .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076e6ca50 5 bytes JMP 0000000076fd02f0 .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076e6ca60 5 bytes JMP 0000000076fd0350 .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076e6cac0 5 bytes JMP 0000000076fd0290 .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076e6cb10 5 bytes JMP 0000000076fd02b0 .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076e6cb40 5 bytes JMP 0000000076fd0370 .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076e6cb50 5 bytes JMP 0000000076fd0330 .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076e6ce40 5 bytes JMP 0000000076fd0460 .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000076e6cfa0 5 bytes JMP 0000000076fd0420 .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076e6d040 5 bytes JMP 0000000076fd0250 .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076e6d050 5 bytes JMP 0000000076fd0260 .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e6d060 5 bytes JMP 0000000076fd0400 .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e6d220 5 bytes JMP 0000000076fd01e0 .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076e6d230 5 bytes JMP 0000000076fd0200 .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076e6d2a0 5 bytes JMP 0000000076fd01f0 .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076e6d300 5 bytes JMP 0000000076fd0430 .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076e6d310 5 bytes JMP 0000000076fd0450 .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076e6d320 5 bytes JMP 0000000076fd0210 .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076e6d400 5 bytes JMP 0000000076fd0270 .text C:\Windows\system32\atiesrxx.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076e6bbe0 5 bytes JMP 0000000076fd0480 .text C:\Windows\system32\atiesrxx.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076e6bc30 5 bytes JMP 0000000076fd0470 .text C:\Windows\system32\atiesrxx.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076e6bd90 5 bytes JMP 0000000076fd0360 .text C:\Windows\system32\atiesrxx.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076e6bde0 5 bytes JMP 0000000076fd0490 .text C:\Windows\system32\atiesrxx.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076e6bdf0 5 bytes JMP 0000000076fd03d0 .text C:\Windows\system32\atiesrxx.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076e6bea0 5 bytes JMP 0000000076fd0310 .text C:\Windows\system32\atiesrxx.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e6bed0 5 bytes JMP 0000000076fd03a0 .text C:\Windows\system32\atiesrxx.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076e6bef0 1 byte JMP 0000000076fd0380 .text C:\Windows\system32\atiesrxx.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 0000000076e6bef2 3 bytes {JMP 0x164490} .text C:\Windows\system32\atiesrxx.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076e6bf30 5 bytes JMP 0000000076fd02d0 .text C:\Windows\system32\atiesrxx.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076e6bfb0 5 bytes JMP 0000000076fd02c0 .text C:\Windows\system32\atiesrxx.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e6bfd0 5 bytes JMP 0000000076fd0300 .text C:\Windows\system32\atiesrxx.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e6c010 5 bytes JMP 0000000076fd03b0 .text C:\Windows\system32\atiesrxx.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076e6c050 5 bytes JMP 0000000076fd0440 .text C:\Windows\system32\atiesrxx.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076e6c060 5 bytes JMP 0000000076fd03e0 .text C:\Windows\system32\atiesrxx.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076e6c1c0 5 bytes JMP 0000000076fd0220 .text C:\Windows\system32\atiesrxx.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076e6c380 5 bytes JMP 0000000076fd04a0 .text C:\Windows\system32\atiesrxx.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076e6c3b0 5 bytes JMP 0000000076fd0390 .text C:\Windows\system32\atiesrxx.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076e6c490 5 bytes JMP 0000000076fd02e0 .text C:\Windows\system32\atiesrxx.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076e6c4a0 5 bytes JMP 0000000076fd0340 .text C:\Windows\system32\atiesrxx.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076e6c500 5 bytes JMP 0000000076fd0280 .text C:\Windows\system32\atiesrxx.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076e6c590 5 bytes JMP 0000000076fd02a0 .text C:\Windows\system32\atiesrxx.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e6c5b0 5 bytes JMP 0000000076fd03c0 .text C:\Windows\system32\atiesrxx.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076e6c5c0 5 bytes JMP 0000000076fd0320 .text C:\Windows\system32\atiesrxx.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076e6c630 5 bytes JMP 0000000076fd0410 .text C:\Windows\system32\atiesrxx.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076e6c660 5 bytes JMP 0000000076fd0230 .text C:\Windows\system32\atiesrxx.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000076e6c800 5 bytes JMP 0000000076fd03f0 .text C:\Windows\system32\atiesrxx.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e6c920 5 bytes JMP 0000000076fd01d0 .text C:\Windows\system32\atiesrxx.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076e6c9e0 5 bytes JMP 0000000076fd0240 .text C:\Windows\system32\atiesrxx.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076e6ca10 5 bytes JMP 0000000076fd04b0 .text C:\Windows\system32\atiesrxx.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076e6ca20 5 bytes JMP 0000000076fd04c0 .text C:\Windows\system32\atiesrxx.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076e6ca50 5 bytes JMP 0000000076fd02f0 .text C:\Windows\system32\atiesrxx.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076e6ca60 5 bytes JMP 0000000076fd0350 .text C:\Windows\system32\atiesrxx.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076e6cac0 5 bytes JMP 0000000076fd0290 .text C:\Windows\system32\atiesrxx.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076e6cb10 5 bytes JMP 0000000076fd02b0 .text C:\Windows\system32\atiesrxx.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076e6cb40 5 bytes JMP 0000000076fd0370 .text C:\Windows\system32\atiesrxx.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076e6cb50 5 bytes JMP 0000000076fd0330 .text C:\Windows\system32\atiesrxx.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076e6ce40 5 bytes JMP 0000000076fd0460 .text C:\Windows\system32\atiesrxx.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000076e6cfa0 5 bytes JMP 0000000076fd0420 .text C:\Windows\system32\atiesrxx.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076e6d040 5 bytes JMP 0000000076fd0250 .text C:\Windows\system32\atiesrxx.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076e6d050 5 bytes JMP 0000000076fd0260 .text C:\Windows\system32\atiesrxx.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e6d060 5 bytes JMP 0000000076fd0400 .text C:\Windows\system32\atiesrxx.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e6d220 5 bytes JMP 0000000076fd01e0 .text C:\Windows\system32\atiesrxx.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076e6d230 5 bytes JMP 0000000076fd0200 .text C:\Windows\system32\atiesrxx.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076e6d2a0 5 bytes JMP 0000000076fd01f0 .text C:\Windows\system32\atiesrxx.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076e6d300 5 bytes JMP 0000000076fd0430 .text C:\Windows\system32\atiesrxx.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076e6d310 5 bytes JMP 0000000076fd0450 .text C:\Windows\system32\atiesrxx.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076e6d320 5 bytes JMP 0000000076fd0210 .text C:\Windows\system32\atiesrxx.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076e6d400 5 bytes JMP 0000000076fd0270 .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076e6bbe0 5 bytes JMP 0000000076fd0480 .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076e6bc30 5 bytes JMP 0000000076fd0470 .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076e6bd90 5 bytes JMP 0000000076fd0360 .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076e6bde0 5 bytes JMP 0000000076fd0490 .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076e6bdf0 5 bytes JMP 0000000076fd03d0 .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076e6bea0 5 bytes JMP 0000000076fd0310 .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e6bed0 5 bytes JMP 0000000076fd03a0 .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076e6bef0 1 byte JMP 0000000076fd0380 .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 0000000076e6bef2 3 bytes {JMP 0x164490} .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076e6bf30 5 bytes JMP 0000000076fd02d0 .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076e6bfb0 5 bytes JMP 0000000076fd02c0 .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e6bfd0 5 bytes JMP 0000000076fd0300 .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e6c010 5 bytes JMP 0000000076fd03b0 .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076e6c050 5 bytes JMP 0000000076fd0440 .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076e6c060 5 bytes JMP 0000000076fd03e0 .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076e6c1c0 5 bytes JMP 0000000076fd0220 .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076e6c380 5 bytes JMP 0000000076fd04a0 .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076e6c3b0 5 bytes JMP 0000000076fd0390 .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076e6c490 5 bytes JMP 0000000076fd02e0 .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076e6c4a0 5 bytes JMP 0000000076fd0340 .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076e6c500 5 bytes JMP 0000000076fd0280 .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076e6c590 5 bytes JMP 0000000076fd02a0 .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e6c5b0 5 bytes JMP 0000000076fd03c0 .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076e6c5c0 5 bytes JMP 0000000076fd0320 .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076e6c630 5 bytes JMP 0000000076fd0410 .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076e6c660 5 bytes JMP 0000000076fd0230 .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000076e6c800 5 bytes JMP 0000000076fd03f0 .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e6c920 5 bytes JMP 0000000076fd01d0 .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076e6c9e0 5 bytes JMP 0000000076fd0240 .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076e6ca10 5 bytes JMP 0000000076fd04b0 .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076e6ca20 5 bytes JMP 0000000076fd04c0 .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076e6ca50 5 bytes JMP 0000000076fd02f0 .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076e6ca60 5 bytes JMP 0000000076fd0350 .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076e6cac0 5 bytes JMP 0000000076fd0290 .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076e6cb10 5 bytes JMP 0000000076fd02b0 .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076e6cb40 5 bytes JMP 0000000076fd0370 .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076e6cb50 5 bytes JMP 0000000076fd0330 .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076e6ce40 5 bytes JMP 0000000076fd0460 .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000076e6cfa0 5 bytes JMP 0000000076fd0420 .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076e6d040 5 bytes JMP 0000000076fd0250 .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076e6d050 5 bytes JMP 0000000076fd0260 .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e6d060 5 bytes JMP 0000000076fd0400 .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e6d220 5 bytes JMP 0000000076fd01e0 .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076e6d230 5 bytes JMP 0000000076fd0200 .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076e6d2a0 5 bytes JMP 0000000076fd01f0 .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076e6d300 5 bytes JMP 0000000076fd0430 .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076e6d310 5 bytes JMP 0000000076fd0450 .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076e6d320 5 bytes JMP 0000000076fd0210 .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076e6d400 5 bytes JMP 0000000076fd0270 .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076e6bbe0 5 bytes JMP 0000000076fd0480 .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076e6bc30 5 bytes JMP 0000000076fd0470 .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076e6bd90 5 bytes JMP 0000000076fd0360 .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076e6bde0 5 bytes JMP 0000000076fd0490 .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076e6bdf0 5 bytes JMP 0000000076fd03d0 .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076e6bea0 5 bytes JMP 0000000076fd0310 .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e6bed0 5 bytes JMP 0000000076fd03a0 .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076e6bef0 1 byte JMP 0000000076fd0380 .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 0000000076e6bef2 3 bytes {JMP 0x164490} .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076e6bf30 5 bytes JMP 0000000076fd02d0 .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076e6bfb0 5 bytes JMP 0000000076fd02c0 .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e6bfd0 5 bytes JMP 0000000076fd0300 .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e6c010 5 bytes JMP 0000000076fd03b0 .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076e6c050 5 bytes JMP 0000000076fd0440 .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076e6c060 5 bytes JMP 0000000076fd03e0 .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076e6c1c0 5 bytes JMP 0000000076fd0220 .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076e6c380 5 bytes JMP 0000000076fd04a0 .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076e6c3b0 5 bytes JMP 0000000076fd0390 .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076e6c490 5 bytes JMP 0000000076fd02e0 .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076e6c4a0 5 bytes JMP 0000000076fd0340 .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076e6c500 5 bytes JMP 0000000076fd0280 .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076e6c590 5 bytes JMP 0000000076fd02a0 .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e6c5b0 5 bytes JMP 0000000076fd03c0 .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076e6c5c0 5 bytes JMP 0000000076fd0320 .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076e6c630 5 bytes JMP 0000000076fd0410 .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076e6c660 5 bytes JMP 0000000076fd0230 .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000076e6c800 5 bytes JMP 0000000076fd03f0 .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e6c920 5 bytes JMP 0000000076fd01d0 .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076e6c9e0 5 bytes JMP 0000000076fd0240 .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076e6ca10 5 bytes JMP 0000000076fd04b0 .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076e6ca20 5 bytes JMP 0000000076fd04c0 .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076e6ca50 5 bytes JMP 0000000076fd02f0 .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076e6ca60 5 bytes JMP 0000000076fd0350 .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076e6cac0 5 bytes JMP 0000000076fd0290 .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076e6cb10 5 bytes JMP 0000000076fd02b0 .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076e6cb40 5 bytes JMP 0000000076fd0370 .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076e6cb50 5 bytes JMP 0000000076fd0330 .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076e6ce40 5 bytes JMP 0000000076fd0460 .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000076e6cfa0 5 bytes JMP 0000000076fd0420 .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076e6d040 5 bytes JMP 0000000076fd0250 .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076e6d050 5 bytes JMP 0000000076fd0260 .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e6d060 5 bytes JMP 0000000076fd0400 .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e6d220 5 bytes JMP 0000000076fd01e0 .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076e6d230 5 bytes JMP 0000000076fd0200 .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076e6d2a0 5 bytes JMP 0000000076fd01f0 .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076e6d300 5 bytes JMP 0000000076fd0430 .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076e6d310 5 bytes JMP 0000000076fd0450 .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076e6d320 5 bytes JMP 0000000076fd0210 .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076e6d400 5 bytes JMP 0000000076fd0270 .text C:\Windows\system32\svchost.exe[256] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076e6bbe0 5 bytes JMP 0000000076fd0480 .text C:\Windows\system32\svchost.exe[256] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076e6bc30 5 bytes JMP 0000000076fd0470 .text C:\Windows\system32\svchost.exe[256] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076e6bd90 5 bytes JMP 0000000076fd0360 .text C:\Windows\system32\svchost.exe[256] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076e6bde0 5 bytes JMP 0000000076fd0490 .text C:\Windows\system32\svchost.exe[256] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076e6bdf0 5 bytes JMP 0000000076fd03d0 .text C:\Windows\system32\svchost.exe[256] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076e6bea0 5 bytes JMP 0000000076fd0310 .text C:\Windows\system32\svchost.exe[256] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e6bed0 5 bytes JMP 0000000076fd03a0 .text C:\Windows\system32\svchost.exe[256] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076e6bef0 1 byte JMP 0000000076fd0380 .text C:\Windows\system32\svchost.exe[256] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 0000000076e6bef2 3 bytes {JMP 0x164490} .text C:\Windows\system32\svchost.exe[256] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076e6bf30 5 bytes JMP 0000000076fd02d0 .text C:\Windows\system32\svchost.exe[256] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076e6bfb0 5 bytes JMP 0000000076fd02c0 .text C:\Windows\system32\svchost.exe[256] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e6bfd0 5 bytes JMP 0000000076fd0300 .text C:\Windows\system32\svchost.exe[256] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e6c010 5 bytes JMP 0000000076fd03b0 .text C:\Windows\system32\svchost.exe[256] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076e6c050 5 bytes JMP 0000000076fd0440 .text C:\Windows\system32\svchost.exe[256] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076e6c060 5 bytes JMP 0000000076fd03e0 .text C:\Windows\system32\svchost.exe[256] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076e6c1c0 5 bytes JMP 0000000076fd0220 .text C:\Windows\system32\svchost.exe[256] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076e6c380 5 bytes JMP 0000000076fd04a0 .text C:\Windows\system32\svchost.exe[256] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076e6c3b0 5 bytes JMP 0000000076fd0390 .text C:\Windows\system32\svchost.exe[256] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076e6c490 5 bytes JMP 0000000076fd02e0 .text C:\Windows\system32\svchost.exe[256] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076e6c4a0 5 bytes JMP 0000000076fd0340 .text C:\Windows\system32\svchost.exe[256] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076e6c500 5 bytes JMP 0000000076fd0280 .text C:\Windows\system32\svchost.exe[256] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076e6c590 5 bytes JMP 0000000076fd02a0 .text C:\Windows\system32\svchost.exe[256] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e6c5b0 5 bytes JMP 0000000076fd03c0 .text C:\Windows\system32\svchost.exe[256] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076e6c5c0 5 bytes JMP 0000000076fd0320 .text C:\Windows\system32\svchost.exe[256] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076e6c630 5 bytes JMP 0000000076fd0410 .text C:\Windows\system32\svchost.exe[256] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076e6c660 5 bytes JMP 0000000076fd0230 .text C:\Windows\system32\svchost.exe[256] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000076e6c800 5 bytes JMP 0000000076fd03f0 .text C:\Windows\system32\svchost.exe[256] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e6c920 5 bytes JMP 0000000076fd01d0 .text C:\Windows\system32\svchost.exe[256] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076e6c9e0 5 bytes JMP 0000000076fd0240 .text C:\Windows\system32\svchost.exe[256] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076e6ca10 5 bytes JMP 0000000076fd04b0 .text C:\Windows\system32\svchost.exe[256] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076e6ca20 5 bytes JMP 0000000076fd04c0 .text C:\Windows\system32\svchost.exe[256] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076e6ca50 5 bytes JMP 0000000076fd02f0 .text C:\Windows\system32\svchost.exe[256] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076e6ca60 5 bytes JMP 0000000076fd0350 .text C:\Windows\system32\svchost.exe[256] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076e6cac0 5 bytes JMP 0000000076fd0290 .text C:\Windows\system32\svchost.exe[256] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076e6cb10 5 bytes JMP 0000000076fd02b0 .text C:\Windows\system32\svchost.exe[256] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076e6cb40 5 bytes JMP 0000000076fd0370 .text C:\Windows\system32\svchost.exe[256] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076e6cb50 5 bytes JMP 0000000076fd0330 .text C:\Windows\system32\svchost.exe[256] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076e6ce40 5 bytes JMP 0000000076fd0460 .text C:\Windows\system32\svchost.exe[256] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000076e6cfa0 5 bytes JMP 0000000076fd0420 .text C:\Windows\system32\svchost.exe[256] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076e6d040 5 bytes JMP 0000000076fd0250 .text C:\Windows\system32\svchost.exe[256] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076e6d050 5 bytes JMP 0000000076fd0260 .text C:\Windows\system32\svchost.exe[256] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e6d060 5 bytes JMP 0000000076fd0400 .text C:\Windows\system32\svchost.exe[256] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e6d220 5 bytes JMP 0000000076fd01e0 .text C:\Windows\system32\svchost.exe[256] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076e6d230 5 bytes JMP 0000000076fd0200 .text C:\Windows\system32\svchost.exe[256] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076e6d2a0 5 bytes JMP 0000000076fd01f0 .text C:\Windows\system32\svchost.exe[256] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076e6d300 5 bytes JMP 0000000076fd0430 .text C:\Windows\system32\svchost.exe[256] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076e6d310 5 bytes JMP 0000000076fd0450 .text C:\Windows\system32\svchost.exe[256] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076e6d320 5 bytes JMP 0000000076fd0210 .text C:\Windows\system32\svchost.exe[256] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076e6d400 5 bytes JMP 0000000076fd0270 .text C:\Windows\system32\svchost.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076e6bbe0 5 bytes JMP 0000000000070480 .text C:\Windows\system32\svchost.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076e6bc30 5 bytes JMP 0000000000070470 .text C:\Windows\system32\svchost.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076e6bd90 5 bytes JMP 0000000000070360 .text C:\Windows\system32\svchost.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076e6bde0 5 bytes JMP 0000000000070490 .text C:\Windows\system32\svchost.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076e6bdf0 5 bytes JMP 00000000000703d0 .text C:\Windows\system32\svchost.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076e6bea0 5 bytes JMP 0000000000070310 .text C:\Windows\system32\svchost.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e6bed0 5 bytes JMP 00000000000703a0 .text C:\Windows\system32\svchost.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076e6bef0 1 byte JMP 0000000000070380 .text C:\Windows\system32\svchost.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 0000000076e6bef2 3 bytes {JMP 0xffffffff89204490} .text C:\Windows\system32\svchost.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076e6bf30 5 bytes JMP 00000000000702d0 .text C:\Windows\system32\svchost.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076e6bfb0 5 bytes JMP 00000000000702c0 .text C:\Windows\system32\svchost.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e6bfd0 5 bytes JMP 0000000000070300 .text C:\Windows\system32\svchost.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e6c010 5 bytes JMP 00000000000703b0 .text C:\Windows\system32\svchost.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076e6c050 5 bytes JMP 0000000000070440 .text C:\Windows\system32\svchost.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076e6c060 5 bytes JMP 00000000000703e0 .text C:\Windows\system32\svchost.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076e6c1c0 5 bytes JMP 0000000000070220 .text C:\Windows\system32\svchost.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076e6c380 5 bytes JMP 00000000000704a0 .text C:\Windows\system32\svchost.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076e6c3b0 5 bytes JMP 0000000000070390 .text C:\Windows\system32\svchost.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076e6c490 5 bytes JMP 00000000000702e0 .text C:\Windows\system32\svchost.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076e6c4a0 5 bytes JMP 0000000000070340 .text C:\Windows\system32\svchost.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076e6c500 5 bytes JMP 0000000000070280 .text C:\Windows\system32\svchost.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076e6c590 5 bytes JMP 00000000000702a0 .text C:\Windows\system32\svchost.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e6c5b0 5 bytes JMP 00000000000703c0 .text C:\Windows\system32\svchost.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076e6c5c0 5 bytes JMP 0000000000070320 .text C:\Windows\system32\svchost.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076e6c630 5 bytes JMP 0000000000070410 .text C:\Windows\system32\svchost.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076e6c660 5 bytes JMP 0000000000070230 .text C:\Windows\system32\svchost.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000076e6c800 5 bytes JMP 00000000000703f0 .text C:\Windows\system32\svchost.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e6c920 5 bytes JMP 00000000000701d0 .text C:\Windows\system32\svchost.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076e6c9e0 5 bytes JMP 0000000000070240 .text C:\Windows\system32\svchost.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076e6ca10 5 bytes JMP 00000000000704b0 .text C:\Windows\system32\svchost.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076e6ca20 5 bytes JMP 00000000000704c0 .text C:\Windows\system32\svchost.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076e6ca50 5 bytes JMP 00000000000702f0 .text C:\Windows\system32\svchost.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076e6ca60 5 bytes JMP 0000000000070350 .text C:\Windows\system32\svchost.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076e6cac0 5 bytes JMP 0000000000070290 .text C:\Windows\system32\svchost.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076e6cb10 5 bytes JMP 00000000000702b0 .text C:\Windows\system32\svchost.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076e6cb40 5 bytes JMP 0000000000070370 .text C:\Windows\system32\svchost.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076e6cb50 5 bytes JMP 0000000000070330 .text C:\Windows\system32\svchost.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076e6ce40 5 bytes JMP 0000000000070460 .text C:\Windows\system32\svchost.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000076e6cfa0 5 bytes JMP 0000000000070420 .text C:\Windows\system32\svchost.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076e6d040 5 bytes JMP 0000000000070250 .text C:\Windows\system32\svchost.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076e6d050 5 bytes JMP 0000000000070260 .text C:\Windows\system32\svchost.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e6d060 5 bytes JMP 0000000000070400 .text C:\Windows\system32\svchost.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e6d220 5 bytes JMP 00000000000701e0 .text C:\Windows\system32\svchost.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076e6d230 5 bytes JMP 0000000000070200 .text C:\Windows\system32\svchost.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076e6d2a0 5 bytes JMP 00000000000701f0 .text C:\Windows\system32\svchost.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076e6d300 5 bytes JMP 0000000000070430 .text C:\Windows\system32\svchost.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076e6d310 5 bytes JMP 0000000000070450 .text C:\Windows\system32\svchost.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076e6d320 5 bytes JMP 0000000000070210 .text C:\Windows\system32\svchost.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076e6d400 5 bytes JMP 0000000000070270 .text C:\Windows\system32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076e6bbe0 5 bytes JMP 0000000076fd0480 .text C:\Windows\system32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076e6bc30 5 bytes JMP 0000000076fd0470 .text C:\Windows\system32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076e6bd90 5 bytes JMP 0000000076fd0360 .text C:\Windows\system32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076e6bde0 5 bytes JMP 0000000076fd0490 .text C:\Windows\system32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076e6bdf0 5 bytes JMP 0000000076fd03d0 .text C:\Windows\system32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076e6bea0 5 bytes JMP 0000000076fd0310 .text C:\Windows\system32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e6bed0 5 bytes JMP 0000000076fd03a0 .text C:\Windows\system32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076e6bef0 1 byte JMP 0000000076fd0380 .text C:\Windows\system32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 0000000076e6bef2 3 bytes {JMP 0x164490} .text C:\Windows\system32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076e6bf30 5 bytes JMP 0000000076fd02d0 .text C:\Windows\system32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076e6bfb0 5 bytes JMP 0000000076fd02c0 .text C:\Windows\system32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e6bfd0 5 bytes JMP 0000000076fd0300 .text C:\Windows\system32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e6c010 5 bytes JMP 0000000076fd03b0 .text C:\Windows\system32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076e6c050 5 bytes JMP 0000000076fd0440 .text C:\Windows\system32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076e6c060 5 bytes JMP 0000000076fd03e0 .text C:\Windows\system32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076e6c1c0 5 bytes JMP 0000000076fd0220 .text C:\Windows\system32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076e6c380 5 bytes JMP 0000000076fd04a0 .text C:\Windows\system32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076e6c3b0 5 bytes JMP 0000000076fd0390 .text C:\Windows\system32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076e6c490 5 bytes JMP 0000000076fd02e0 .text C:\Windows\system32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076e6c4a0 5 bytes JMP 0000000076fd0340 .text C:\Windows\system32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076e6c500 5 bytes JMP 0000000076fd0280 .text C:\Windows\system32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076e6c590 5 bytes JMP 0000000076fd02a0 .text C:\Windows\system32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e6c5b0 5 bytes JMP 0000000076fd03c0 .text C:\Windows\system32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076e6c5c0 5 bytes JMP 0000000076fd0320 .text C:\Windows\system32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076e6c630 5 bytes JMP 0000000076fd0410 .text C:\Windows\system32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076e6c660 5 bytes JMP 0000000076fd0230 .text C:\Windows\system32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000076e6c800 5 bytes JMP 0000000076fd03f0 .text C:\Windows\system32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e6c920 5 bytes JMP 0000000076fd01d0 .text C:\Windows\system32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076e6c9e0 5 bytes JMP 0000000076fd0240 .text C:\Windows\system32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076e6ca10 5 bytes JMP 0000000076fd04b0 .text C:\Windows\system32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076e6ca20 5 bytes JMP 0000000076fd04c0 .text C:\Windows\system32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076e6ca50 5 bytes JMP 0000000076fd02f0 .text C:\Windows\system32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076e6ca60 5 bytes JMP 0000000076fd0350 .text C:\Windows\system32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076e6cac0 5 bytes JMP 0000000076fd0290 .text C:\Windows\system32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076e6cb10 5 bytes JMP 0000000076fd02b0 .text C:\Windows\system32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076e6cb40 5 bytes JMP 0000000076fd0370 .text C:\Windows\system32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076e6cb50 5 bytes JMP 0000000076fd0330 .text C:\Windows\system32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076e6ce40 5 bytes JMP 0000000076fd0460 .text C:\Windows\system32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000076e6cfa0 5 bytes JMP 0000000076fd0420 .text C:\Windows\system32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076e6d040 5 bytes JMP 0000000076fd0250 .text C:\Windows\system32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076e6d050 5 bytes JMP 0000000076fd0260 .text C:\Windows\system32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e6d060 5 bytes JMP 0000000076fd0400 .text C:\Windows\system32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e6d220 5 bytes JMP 0000000076fd01e0 .text C:\Windows\system32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076e6d230 5 bytes JMP 0000000076fd0200 .text C:\Windows\system32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076e6d2a0 5 bytes JMP 0000000076fd01f0 .text C:\Windows\system32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076e6d300 5 bytes JMP 0000000076fd0430 .text C:\Windows\system32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076e6d310 5 bytes JMP 0000000076fd0450 .text C:\Windows\system32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076e6d320 5 bytes JMP 0000000076fd0210 .text C:\Windows\system32\svchost.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076e6d400 5 bytes JMP 0000000076fd0270 .text C:\Windows\system32\svchost.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076e6bbe0 5 bytes JMP 0000000076fd0480 .text C:\Windows\system32\svchost.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076e6bc30 5 bytes JMP 0000000076fd0470 .text C:\Windows\system32\svchost.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076e6bd90 5 bytes JMP 0000000076fd0360 .text C:\Windows\system32\svchost.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076e6bde0 5 bytes JMP 0000000076fd0490 .text C:\Windows\system32\svchost.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076e6bdf0 5 bytes JMP 0000000076fd03d0 .text C:\Windows\system32\svchost.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076e6bea0 5 bytes JMP 0000000076fd0310 .text C:\Windows\system32\svchost.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e6bed0 5 bytes JMP 0000000076fd03a0 .text C:\Windows\system32\svchost.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076e6bef0 1 byte JMP 0000000076fd0380 .text C:\Windows\system32\svchost.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 0000000076e6bef2 3 bytes {JMP 0x164490} .text C:\Windows\system32\svchost.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076e6bf30 5 bytes JMP 0000000076fd02d0 .text C:\Windows\system32\svchost.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076e6bfb0 5 bytes JMP 0000000076fd02c0 .text C:\Windows\system32\svchost.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e6bfd0 5 bytes JMP 0000000076fd0300 .text C:\Windows\system32\svchost.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e6c010 5 bytes JMP 0000000076fd03b0 .text C:\Windows\system32\svchost.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076e6c050 5 bytes JMP 0000000076fd0440 .text C:\Windows\system32\svchost.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076e6c060 5 bytes JMP 0000000076fd03e0 .text C:\Windows\system32\svchost.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076e6c1c0 5 bytes JMP 0000000076fd0220 .text C:\Windows\system32\svchost.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076e6c380 5 bytes JMP 0000000076fd04a0 .text C:\Windows\system32\svchost.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076e6c3b0 5 bytes JMP 0000000076fd0390 .text C:\Windows\system32\svchost.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076e6c490 5 bytes JMP 0000000076fd02e0 .text C:\Windows\system32\svchost.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076e6c4a0 5 bytes JMP 0000000076fd0340 .text C:\Windows\system32\svchost.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076e6c500 5 bytes JMP 0000000076fd0280 .text C:\Windows\system32\svchost.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076e6c590 5 bytes JMP 0000000076fd02a0 .text C:\Windows\system32\svchost.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e6c5b0 5 bytes JMP 0000000076fd03c0 .text C:\Windows\system32\svchost.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076e6c5c0 5 bytes JMP 0000000076fd0320 .text C:\Windows\system32\svchost.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076e6c630 5 bytes JMP 0000000076fd0410 .text C:\Windows\system32\svchost.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076e6c660 5 bytes JMP 0000000076fd0230 .text C:\Windows\system32\svchost.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000076e6c800 5 bytes JMP 0000000076fd03f0 .text C:\Windows\system32\svchost.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e6c920 5 bytes JMP 0000000076fd01d0 .text C:\Windows\system32\svchost.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076e6c9e0 5 bytes JMP 0000000076fd0240 .text C:\Windows\system32\svchost.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076e6ca10 5 bytes JMP 0000000076fd04b0 .text C:\Windows\system32\svchost.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076e6ca20 5 bytes JMP 0000000076fd04c0 .text C:\Windows\system32\svchost.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076e6ca50 5 bytes JMP 0000000076fd02f0 .text C:\Windows\system32\svchost.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076e6ca60 5 bytes JMP 0000000076fd0350 .text C:\Windows\system32\svchost.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076e6cac0 5 bytes JMP 0000000076fd0290 .text C:\Windows\system32\svchost.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076e6cb10 5 bytes JMP 0000000076fd02b0 .text C:\Windows\system32\svchost.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076e6cb40 5 bytes JMP 0000000076fd0370 .text C:\Windows\system32\svchost.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076e6cb50 5 bytes JMP 0000000076fd0330 .text C:\Windows\system32\svchost.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076e6ce40 5 bytes JMP 0000000076fd0460 .text C:\Windows\system32\svchost.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000076e6cfa0 5 bytes JMP 0000000076fd0420 .text C:\Windows\system32\svchost.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076e6d040 5 bytes JMP 0000000076fd0250 .text C:\Windows\system32\svchost.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076e6d050 5 bytes JMP 0000000076fd0260 .text C:\Windows\system32\svchost.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e6d060 5 bytes JMP 0000000076fd0400 .text C:\Windows\system32\svchost.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e6d220 5 bytes JMP 0000000076fd01e0 .text C:\Windows\system32\svchost.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076e6d230 5 bytes JMP 0000000076fd0200 .text C:\Windows\system32\svchost.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076e6d2a0 5 bytes JMP 0000000076fd01f0 .text C:\Windows\system32\svchost.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076e6d300 5 bytes JMP 0000000076fd0430 .text C:\Windows\system32\svchost.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076e6d310 5 bytes JMP 0000000076fd0450 .text C:\Windows\system32\svchost.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076e6d320 5 bytes JMP 0000000076fd0210 .text C:\Windows\system32\svchost.exe[1192] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076e6d400 5 bytes JMP 0000000076fd0270 .text C:\Windows\system32\atieclxx.exe[1336] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076e6bbe0 5 bytes JMP 0000000000070480 .text C:\Windows\system32\atieclxx.exe[1336] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076e6bc30 5 bytes JMP 0000000000070470 .text C:\Windows\system32\atieclxx.exe[1336] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076e6bd90 5 bytes JMP 0000000000070360 .text C:\Windows\system32\atieclxx.exe[1336] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076e6bde0 5 bytes JMP 0000000000070490 .text C:\Windows\system32\atieclxx.exe[1336] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076e6bdf0 5 bytes JMP 00000000000703d0 .text C:\Windows\system32\atieclxx.exe[1336] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076e6bea0 5 bytes JMP 0000000000070310 .text C:\Windows\system32\atieclxx.exe[1336] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e6bed0 5 bytes JMP 00000000000703a0 .text C:\Windows\system32\atieclxx.exe[1336] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076e6bef0 1 byte JMP 0000000000070380 .text C:\Windows\system32\atieclxx.exe[1336] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 0000000076e6bef2 3 bytes {JMP 0xffffffff89204490} .text C:\Windows\system32\atieclxx.exe[1336] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076e6bf30 5 bytes JMP 00000000000702d0 .text C:\Windows\system32\atieclxx.exe[1336] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076e6bfb0 5 bytes JMP 00000000000702c0 .text C:\Windows\system32\atieclxx.exe[1336] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e6bfd0 5 bytes JMP 0000000000070300 .text C:\Windows\system32\atieclxx.exe[1336] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e6c010 5 bytes JMP 00000000000703b0 .text C:\Windows\system32\atieclxx.exe[1336] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076e6c050 5 bytes JMP 0000000000070440 .text C:\Windows\system32\atieclxx.exe[1336] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076e6c060 5 bytes JMP 00000000000703e0 .text C:\Windows\system32\atieclxx.exe[1336] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076e6c1c0 5 bytes JMP 0000000000070220 .text C:\Windows\system32\atieclxx.exe[1336] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076e6c380 5 bytes JMP 00000000000704a0 .text C:\Windows\system32\atieclxx.exe[1336] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076e6c3b0 5 bytes JMP 0000000000070390 .text C:\Windows\system32\atieclxx.exe[1336] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076e6c490 5 bytes JMP 00000000000702e0 .text C:\Windows\system32\atieclxx.exe[1336] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076e6c4a0 5 bytes JMP 0000000000070340 .text C:\Windows\system32\atieclxx.exe[1336] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076e6c500 5 bytes JMP 0000000000070280 .text C:\Windows\system32\atieclxx.exe[1336] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076e6c590 5 bytes JMP 00000000000702a0 .text C:\Windows\system32\atieclxx.exe[1336] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e6c5b0 5 bytes JMP 00000000000703c0 .text C:\Windows\system32\atieclxx.exe[1336] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076e6c5c0 5 bytes JMP 0000000000070320 .text C:\Windows\system32\atieclxx.exe[1336] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076e6c630 5 bytes JMP 0000000000070410 .text C:\Windows\system32\atieclxx.exe[1336] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076e6c660 5 bytes JMP 0000000000070230 .text C:\Windows\system32\atieclxx.exe[1336] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000076e6c800 5 bytes JMP 00000000000703f0 .text C:\Windows\system32\atieclxx.exe[1336] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e6c920 5 bytes JMP 00000000000701d0 .text C:\Windows\system32\atieclxx.exe[1336] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076e6c9e0 5 bytes JMP 0000000000070240 .text C:\Windows\system32\atieclxx.exe[1336] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076e6ca10 5 bytes JMP 00000000000704b0 .text C:\Windows\system32\atieclxx.exe[1336] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076e6ca20 5 bytes JMP 00000000000704c0 .text C:\Windows\system32\atieclxx.exe[1336] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076e6ca50 5 bytes JMP 00000000000702f0 .text C:\Windows\system32\atieclxx.exe[1336] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076e6ca60 5 bytes JMP 0000000000070350 .text C:\Windows\system32\atieclxx.exe[1336] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076e6cac0 5 bytes JMP 0000000000070290 .text C:\Windows\system32\atieclxx.exe[1336] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076e6cb10 5 bytes JMP 00000000000702b0 .text C:\Windows\system32\atieclxx.exe[1336] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076e6cb40 5 bytes JMP 0000000000070370 .text C:\Windows\system32\atieclxx.exe[1336] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076e6cb50 5 bytes JMP 0000000000070330 .text C:\Windows\system32\atieclxx.exe[1336] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076e6ce40 5 bytes JMP 0000000000070460 .text C:\Windows\system32\atieclxx.exe[1336] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000076e6cfa0 5 bytes JMP 0000000000070420 .text C:\Windows\system32\atieclxx.exe[1336] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076e6d040 5 bytes JMP 0000000000070250 .text C:\Windows\system32\atieclxx.exe[1336] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076e6d050 5 bytes JMP 0000000000070260 .text C:\Windows\system32\atieclxx.exe[1336] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e6d060 5 bytes JMP 0000000000070400 .text C:\Windows\system32\atieclxx.exe[1336] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e6d220 5 bytes JMP 00000000000701e0 .text C:\Windows\system32\atieclxx.exe[1336] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076e6d230 5 bytes JMP 0000000000070200 .text C:\Windows\system32\atieclxx.exe[1336] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076e6d2a0 5 bytes JMP 00000000000701f0 .text C:\Windows\system32\atieclxx.exe[1336] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076e6d300 5 bytes JMP 0000000000070430 .text C:\Windows\system32\atieclxx.exe[1336] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076e6d310 5 bytes JMP 0000000000070450 .text C:\Windows\system32\atieclxx.exe[1336] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076e6d320 5 bytes JMP 0000000000070210 .text C:\Windows\system32\atieclxx.exe[1336] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076e6d400 5 bytes JMP 0000000000070270 .text C:\Windows\System32\spoolsv.exe[1596] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076e6bbe0 5 bytes JMP 0000000000070480 .text C:\Windows\System32\spoolsv.exe[1596] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076e6bc30 5 bytes JMP 0000000000070470 .text C:\Windows\System32\spoolsv.exe[1596] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076e6bd90 5 bytes JMP 0000000000070360 .text C:\Windows\System32\spoolsv.exe[1596] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076e6bde0 5 bytes JMP 0000000000070490 .text C:\Windows\System32\spoolsv.exe[1596] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076e6bdf0 5 bytes JMP 00000000000703d0 .text C:\Windows\System32\spoolsv.exe[1596] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076e6bea0 5 bytes JMP 0000000000070310 .text C:\Windows\System32\spoolsv.exe[1596] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e6bed0 5 bytes JMP 00000000000703a0 .text C:\Windows\System32\spoolsv.exe[1596] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076e6bef0 1 byte JMP 0000000000070380 .text C:\Windows\System32\spoolsv.exe[1596] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 0000000076e6bef2 3 bytes {JMP 0xffffffff89204490} .text C:\Windows\System32\spoolsv.exe[1596] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076e6bf30 5 bytes JMP 00000000000702d0 .text C:\Windows\System32\spoolsv.exe[1596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076e6bfb0 5 bytes JMP 00000000000702c0 .text C:\Windows\System32\spoolsv.exe[1596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e6bfd0 5 bytes JMP 0000000000070300 .text C:\Windows\System32\spoolsv.exe[1596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e6c010 5 bytes JMP 00000000000703b0 .text C:\Windows\System32\spoolsv.exe[1596] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076e6c050 5 bytes JMP 0000000000070440 .text C:\Windows\System32\spoolsv.exe[1596] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076e6c060 5 bytes JMP 00000000000703e0 .text C:\Windows\System32\spoolsv.exe[1596] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076e6c1c0 5 bytes JMP 0000000000070220 .text C:\Windows\System32\spoolsv.exe[1596] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076e6c380 5 bytes JMP 00000000000704a0 .text C:\Windows\System32\spoolsv.exe[1596] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076e6c3b0 5 bytes JMP 0000000000070390 .text C:\Windows\System32\spoolsv.exe[1596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076e6c490 5 bytes JMP 00000000000702e0 .text C:\Windows\System32\spoolsv.exe[1596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076e6c4a0 5 bytes JMP 0000000000070340 .text C:\Windows\System32\spoolsv.exe[1596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076e6c500 5 bytes JMP 0000000000070280 .text C:\Windows\System32\spoolsv.exe[1596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076e6c590 5 bytes JMP 00000000000702a0 .text C:\Windows\System32\spoolsv.exe[1596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e6c5b0 5 bytes JMP 00000000000703c0 .text C:\Windows\System32\spoolsv.exe[1596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076e6c5c0 5 bytes JMP 0000000000070320 .text C:\Windows\System32\spoolsv.exe[1596] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076e6c630 5 bytes JMP 0000000000070410 .text C:\Windows\System32\spoolsv.exe[1596] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076e6c660 5 bytes JMP 0000000000070230 .text C:\Windows\System32\spoolsv.exe[1596] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000076e6c800 5 bytes JMP 00000000000703f0 .text C:\Windows\System32\spoolsv.exe[1596] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e6c920 5 bytes JMP 00000000000701d0 .text C:\Windows\System32\spoolsv.exe[1596] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076e6c9e0 5 bytes JMP 0000000000070240 .text C:\Windows\System32\spoolsv.exe[1596] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076e6ca10 5 bytes JMP 00000000000704b0 .text C:\Windows\System32\spoolsv.exe[1596] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076e6ca20 5 bytes JMP 00000000000704c0 .text C:\Windows\System32\spoolsv.exe[1596] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076e6ca50 5 bytes JMP 00000000000702f0 .text C:\Windows\System32\spoolsv.exe[1596] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076e6ca60 5 bytes JMP 0000000000070350 .text C:\Windows\System32\spoolsv.exe[1596] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076e6cac0 5 bytes JMP 0000000000070290 .text C:\Windows\System32\spoolsv.exe[1596] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076e6cb10 5 bytes JMP 00000000000702b0 .text C:\Windows\System32\spoolsv.exe[1596] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076e6cb40 5 bytes JMP 0000000000070370 .text C:\Windows\System32\spoolsv.exe[1596] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076e6cb50 5 bytes JMP 0000000000070330 .text C:\Windows\System32\spoolsv.exe[1596] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076e6ce40 5 bytes JMP 0000000000070460 .text C:\Windows\System32\spoolsv.exe[1596] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000076e6cfa0 5 bytes JMP 0000000000070420 .text C:\Windows\System32\spoolsv.exe[1596] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076e6d040 5 bytes JMP 0000000000070250 .text C:\Windows\System32\spoolsv.exe[1596] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076e6d050 5 bytes JMP 0000000000070260 .text C:\Windows\System32\spoolsv.exe[1596] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e6d060 5 bytes JMP 0000000000070400 .text C:\Windows\System32\spoolsv.exe[1596] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e6d220 5 bytes JMP 00000000000701e0 .text C:\Windows\System32\spoolsv.exe[1596] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076e6d230 5 bytes JMP 0000000000070200 .text C:\Windows\System32\spoolsv.exe[1596] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076e6d2a0 5 bytes JMP 00000000000701f0 .text C:\Windows\System32\spoolsv.exe[1596] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076e6d300 5 bytes JMP 0000000000070430 .text C:\Windows\System32\spoolsv.exe[1596] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076e6d310 5 bytes JMP 0000000000070450 .text C:\Windows\System32\spoolsv.exe[1596] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076e6d320 5 bytes JMP 0000000000070210 .text C:\Windows\System32\spoolsv.exe[1596] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076e6d400 5 bytes JMP 0000000000070270 .text C:\Windows\system32\svchost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076e6bbe0 5 bytes JMP 0000000000070480 .text C:\Windows\system32\svchost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076e6bc30 5 bytes JMP 0000000000070470 .text C:\Windows\system32\svchost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076e6bd90 5 bytes JMP 0000000000070360 .text C:\Windows\system32\svchost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076e6bde0 5 bytes JMP 0000000000070490 .text C:\Windows\system32\svchost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076e6bdf0 5 bytes JMP 00000000000703d0 .text C:\Windows\system32\svchost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076e6bea0 5 bytes JMP 0000000000070310 .text C:\Windows\system32\svchost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e6bed0 5 bytes JMP 00000000000703a0 .text C:\Windows\system32\svchost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076e6bef0 1 byte JMP 0000000000070380 .text C:\Windows\system32\svchost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 0000000076e6bef2 3 bytes {JMP 0xffffffff89204490} .text C:\Windows\system32\svchost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076e6bf30 5 bytes JMP 00000000000702d0 .text C:\Windows\system32\svchost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076e6bfb0 5 bytes JMP 00000000000702c0 .text C:\Windows\system32\svchost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e6bfd0 5 bytes JMP 0000000000070300 .text C:\Windows\system32\svchost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e6c010 5 bytes JMP 00000000000703b0 .text C:\Windows\system32\svchost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076e6c050 5 bytes JMP 0000000000070440 .text C:\Windows\system32\svchost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076e6c060 5 bytes JMP 00000000000703e0 .text C:\Windows\system32\svchost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076e6c1c0 5 bytes JMP 0000000000070220 .text C:\Windows\system32\svchost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076e6c380 5 bytes JMP 00000000000704a0 .text C:\Windows\system32\svchost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076e6c3b0 5 bytes JMP 0000000000070390 .text C:\Windows\system32\svchost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076e6c490 5 bytes JMP 00000000000702e0 .text C:\Windows\system32\svchost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076e6c4a0 5 bytes JMP 0000000000070340 .text C:\Windows\system32\svchost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076e6c500 5 bytes JMP 0000000000070280 .text C:\Windows\system32\svchost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076e6c590 5 bytes JMP 00000000000702a0 .text C:\Windows\system32\svchost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e6c5b0 5 bytes JMP 00000000000703c0 .text C:\Windows\system32\svchost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076e6c5c0 5 bytes JMP 0000000000070320 .text C:\Windows\system32\svchost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076e6c630 5 bytes JMP 0000000000070410 .text C:\Windows\system32\svchost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076e6c660 5 bytes JMP 0000000000070230 .text C:\Windows\system32\svchost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000076e6c800 5 bytes JMP 00000000000703f0 .text C:\Windows\system32\svchost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e6c920 5 bytes JMP 00000000000701d0 .text C:\Windows\system32\svchost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076e6c9e0 5 bytes JMP 0000000000070240 .text C:\Windows\system32\svchost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076e6ca10 5 bytes JMP 00000000000704b0 .text C:\Windows\system32\svchost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076e6ca20 5 bytes JMP 00000000000704c0 .text C:\Windows\system32\svchost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076e6ca50 5 bytes JMP 00000000000702f0 .text C:\Windows\system32\svchost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076e6ca60 5 bytes JMP 0000000000070350 .text C:\Windows\system32\svchost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076e6cac0 5 bytes JMP 0000000000070290 .text C:\Windows\system32\svchost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076e6cb10 5 bytes JMP 00000000000702b0 .text C:\Windows\system32\svchost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076e6cb40 5 bytes JMP 0000000000070370 .text C:\Windows\system32\svchost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076e6cb50 5 bytes JMP 0000000000070330 .text C:\Windows\system32\svchost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076e6ce40 5 bytes JMP 0000000000070460 .text C:\Windows\system32\svchost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000076e6cfa0 5 bytes JMP 0000000000070420 .text C:\Windows\system32\svchost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076e6d040 5 bytes JMP 0000000000070250 .text C:\Windows\system32\svchost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076e6d050 5 bytes JMP 0000000000070260 .text C:\Windows\system32\svchost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e6d060 5 bytes JMP 0000000000070400 .text C:\Windows\system32\svchost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e6d220 5 bytes JMP 00000000000701e0 .text C:\Windows\system32\svchost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076e6d230 5 bytes JMP 0000000000070200 .text C:\Windows\system32\svchost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076e6d2a0 5 bytes JMP 00000000000701f0 .text C:\Windows\system32\svchost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076e6d300 5 bytes JMP 0000000000070430 .text C:\Windows\system32\svchost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076e6d310 5 bytes JMP 0000000000070450 .text C:\Windows\system32\svchost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076e6d320 5 bytes JMP 0000000000070210 .text C:\Windows\system32\svchost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076e6d400 5 bytes JMP 0000000000070270 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076e6bbe0 5 bytes JMP 0000000000070480 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076e6bc30 5 bytes JMP 0000000000070470 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076e6bd90 5 bytes JMP 0000000000070360 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076e6bde0 5 bytes JMP 0000000000070490 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076e6bdf0 5 bytes JMP 00000000000703d0 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076e6bea0 5 bytes JMP 0000000000070310 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e6bed0 5 bytes JMP 00000000000703a0 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076e6bef0 1 byte JMP 0000000000070380 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 0000000076e6bef2 3 bytes {JMP 0xffffffff89204490} .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076e6bf30 5 bytes JMP 00000000000702d0 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076e6bfb0 5 bytes JMP 00000000000702c0 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e6bfd0 5 bytes JMP 0000000000070300 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e6c010 5 bytes JMP 00000000000703b0 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076e6c050 5 bytes JMP 0000000000070440 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076e6c060 5 bytes JMP 00000000000703e0 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076e6c1c0 5 bytes JMP 0000000000070220 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076e6c380 5 bytes JMP 00000000000704a0 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076e6c3b0 5 bytes JMP 0000000000070390 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076e6c490 5 bytes JMP 00000000000702e0 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076e6c4a0 5 bytes JMP 0000000000070340 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076e6c500 5 bytes JMP 0000000000070280 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076e6c590 5 bytes JMP 00000000000702a0 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e6c5b0 5 bytes JMP 00000000000703c0 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076e6c5c0 5 bytes JMP 0000000000070320 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076e6c630 5 bytes JMP 0000000000070410 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076e6c660 5 bytes JMP 0000000000070230 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000076e6c800 5 bytes JMP 00000000000703f0 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e6c920 5 bytes JMP 00000000000701d0 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076e6c9e0 5 bytes JMP 0000000000070240 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076e6ca10 5 bytes JMP 00000000000704b0 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076e6ca20 5 bytes JMP 00000000000704c0 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076e6ca50 5 bytes JMP 00000000000702f0 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076e6ca60 5 bytes JMP 0000000000070350 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076e6cac0 5 bytes JMP 0000000000070290 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076e6cb10 5 bytes JMP 00000000000702b0 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076e6cb40 5 bytes JMP 0000000000070370 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076e6cb50 5 bytes JMP 0000000000070330 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076e6ce40 5 bytes JMP 0000000000070460 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000076e6cfa0 5 bytes JMP 0000000000070420 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076e6d040 5 bytes JMP 0000000000070250 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076e6d050 5 bytes JMP 0000000000070260 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e6d060 5 bytes JMP 0000000000070400 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e6d220 5 bytes JMP 00000000000701e0 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076e6d230 5 bytes JMP 0000000000070200 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076e6d2a0 5 bytes JMP 00000000000701f0 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076e6d300 5 bytes JMP 0000000000070430 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076e6d310 5 bytes JMP 0000000000070450 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076e6d320 5 bytes JMP 0000000000070210 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1780] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076e6d400 5 bytes JMP 0000000000070270 .text C:\Program Files (x86)\Paragon Software\HFS+ for Windows 9.1\apmwinsrv.exe[1824] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076e6bbe0 5 bytes JMP 0000000000070480 .text C:\Program Files (x86)\Paragon Software\HFS+ for Windows 9.1\apmwinsrv.exe[1824] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076e6bc30 5 bytes JMP 0000000000070470 .text C:\Program Files (x86)\Paragon Software\HFS+ for Windows 9.1\apmwinsrv.exe[1824] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076e6bd90 5 bytes JMP 0000000000070360 .text C:\Program Files (x86)\Paragon Software\HFS+ for Windows 9.1\apmwinsrv.exe[1824] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076e6bde0 5 bytes JMP 0000000000070490 .text C:\Program Files (x86)\Paragon Software\HFS+ for Windows 9.1\apmwinsrv.exe[1824] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076e6bdf0 5 bytes JMP 00000000000703d0 .text C:\Program Files (x86)\Paragon Software\HFS+ for Windows 9.1\apmwinsrv.exe[1824] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076e6bea0 5 bytes JMP 0000000000070310 .text C:\Program Files (x86)\Paragon Software\HFS+ for Windows 9.1\apmwinsrv.exe[1824] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e6bed0 5 bytes JMP 00000000000703a0 .text C:\Program Files (x86)\Paragon Software\HFS+ for Windows 9.1\apmwinsrv.exe[1824] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076e6bef0 1 byte JMP 0000000000070380 .text C:\Program Files (x86)\Paragon Software\HFS+ for Windows 9.1\apmwinsrv.exe[1824] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 0000000076e6bef2 3 bytes {JMP 0xffffffff89204490} .text C:\Program Files (x86)\Paragon Software\HFS+ for Windows 9.1\apmwinsrv.exe[1824] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076e6bf30 5 bytes JMP 00000000000702d0 .text C:\Program Files (x86)\Paragon Software\HFS+ for Windows 9.1\apmwinsrv.exe[1824] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076e6bfb0 5 bytes JMP 00000000000702c0 .text C:\Program Files (x86)\Paragon Software\HFS+ for Windows 9.1\apmwinsrv.exe[1824] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e6bfd0 5 bytes JMP 0000000000070300 .text C:\Program Files (x86)\Paragon Software\HFS+ for Windows 9.1\apmwinsrv.exe[1824] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e6c010 5 bytes JMP 00000000000703b0 .text C:\Program Files (x86)\Paragon Software\HFS+ for Windows 9.1\apmwinsrv.exe[1824] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076e6c050 5 bytes JMP 0000000000070440 .text C:\Program Files (x86)\Paragon Software\HFS+ for Windows 9.1\apmwinsrv.exe[1824] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076e6c060 5 bytes JMP 00000000000703e0 .text C:\Program Files (x86)\Paragon Software\HFS+ for Windows 9.1\apmwinsrv.exe[1824] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076e6c1c0 5 bytes JMP 0000000000070220 .text C:\Program Files (x86)\Paragon Software\HFS+ for Windows 9.1\apmwinsrv.exe[1824] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076e6c380 5 bytes JMP 00000000000704a0 .text C:\Program Files (x86)\Paragon Software\HFS+ for Windows 9.1\apmwinsrv.exe[1824] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076e6c3b0 5 bytes JMP 0000000000070390 .text C:\Program Files (x86)\Paragon Software\HFS+ for Windows 9.1\apmwinsrv.exe[1824] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076e6c490 5 bytes JMP 00000000000702e0 .text C:\Program Files (x86)\Paragon Software\HFS+ for Windows 9.1\apmwinsrv.exe[1824] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076e6c4a0 5 bytes JMP 0000000000070340 .text C:\Program Files (x86)\Paragon Software\HFS+ for Windows 9.1\apmwinsrv.exe[1824] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076e6c500 5 bytes JMP 0000000000070280 .text C:\Program Files (x86)\Paragon Software\HFS+ for Windows 9.1\apmwinsrv.exe[1824] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076e6c590 5 bytes JMP 00000000000702a0 .text C:\Program Files (x86)\Paragon Software\HFS+ for Windows 9.1\apmwinsrv.exe[1824] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e6c5b0 5 bytes JMP 00000000000703c0 .text C:\Program Files (x86)\Paragon Software\HFS+ for Windows 9.1\apmwinsrv.exe[1824] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076e6c5c0 5 bytes JMP 0000000000070320 .text C:\Program Files (x86)\Paragon Software\HFS+ for Windows 9.1\apmwinsrv.exe[1824] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076e6c630 5 bytes JMP 0000000000070410 .text C:\Program Files (x86)\Paragon Software\HFS+ for Windows 9.1\apmwinsrv.exe[1824] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076e6c660 5 bytes JMP 0000000000070230 .text C:\Program Files (x86)\Paragon Software\HFS+ for Windows 9.1\apmwinsrv.exe[1824] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000076e6c800 5 bytes JMP 00000000000703f0 .text C:\Program Files (x86)\Paragon Software\HFS+ for Windows 9.1\apmwinsrv.exe[1824] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e6c920 5 bytes JMP 00000000000701d0 .text C:\Program Files (x86)\Paragon Software\HFS+ for Windows 9.1\apmwinsrv.exe[1824] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076e6c9e0 5 bytes JMP 0000000000070240 .text C:\Program Files (x86)\Paragon Software\HFS+ for Windows 9.1\apmwinsrv.exe[1824] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076e6ca10 5 bytes JMP 00000000000704b0 .text C:\Program Files (x86)\Paragon Software\HFS+ for Windows 9.1\apmwinsrv.exe[1824] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076e6ca20 5 bytes JMP 00000000000704c0 .text C:\Program Files (x86)\Paragon Software\HFS+ for Windows 9.1\apmwinsrv.exe[1824] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076e6ca50 5 bytes JMP 00000000000702f0 .text C:\Program Files (x86)\Paragon Software\HFS+ for Windows 9.1\apmwinsrv.exe[1824] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076e6ca60 5 bytes JMP 0000000000070350 .text C:\Program Files (x86)\Paragon Software\HFS+ for Windows 9.1\apmwinsrv.exe[1824] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076e6cac0 5 bytes JMP 0000000000070290 .text C:\Program Files (x86)\Paragon Software\HFS+ for Windows 9.1\apmwinsrv.exe[1824] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076e6cb10 5 bytes JMP 00000000000702b0 .text C:\Program Files (x86)\Paragon Software\HFS+ for Windows 9.1\apmwinsrv.exe[1824] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076e6cb40 5 bytes JMP 0000000000070370 .text C:\Program Files (x86)\Paragon Software\HFS+ for Windows 9.1\apmwinsrv.exe[1824] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076e6cb50 5 bytes JMP 0000000000070330 .text C:\Program Files (x86)\Paragon Software\HFS+ for Windows 9.1\apmwinsrv.exe[1824] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076e6ce40 5 bytes JMP 0000000000070460 .text C:\Program Files (x86)\Paragon Software\HFS+ for Windows 9.1\apmwinsrv.exe[1824] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000076e6cfa0 5 bytes JMP 0000000000070420 .text C:\Program Files (x86)\Paragon Software\HFS+ for Windows 9.1\apmwinsrv.exe[1824] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076e6d040 5 bytes JMP 0000000000070250 .text C:\Program Files (x86)\Paragon Software\HFS+ for Windows 9.1\apmwinsrv.exe[1824] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076e6d050 5 bytes JMP 0000000000070260 .text C:\Program Files (x86)\Paragon Software\HFS+ for Windows 9.1\apmwinsrv.exe[1824] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e6d060 5 bytes JMP 0000000000070400 .text C:\Program Files (x86)\Paragon Software\HFS+ for Windows 9.1\apmwinsrv.exe[1824] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e6d220 5 bytes JMP 00000000000701e0 .text C:\Program Files (x86)\Paragon Software\HFS+ for Windows 9.1\apmwinsrv.exe[1824] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076e6d230 5 bytes JMP 0000000000070200 .text C:\Program Files (x86)\Paragon Software\HFS+ for Windows 9.1\apmwinsrv.exe[1824] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076e6d2a0 5 bytes JMP 00000000000701f0 .text C:\Program Files (x86)\Paragon Software\HFS+ for Windows 9.1\apmwinsrv.exe[1824] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076e6d300 5 bytes JMP 0000000000070430 .text C:\Program Files (x86)\Paragon Software\HFS+ for Windows 9.1\apmwinsrv.exe[1824] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076e6d310 5 bytes JMP 0000000000070450 .text C:\Program Files (x86)\Paragon Software\HFS+ for Windows 9.1\apmwinsrv.exe[1824] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076e6d320 5 bytes JMP 0000000000070210 .text C:\Program Files (x86)\Paragon Software\HFS+ for Windows 9.1\apmwinsrv.exe[1824] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076e6d400 5 bytes JMP 0000000000070270 .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1864] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076e6bbe0 5 bytes JMP 0000000000070480 .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1864] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076e6bc30 5 bytes JMP 0000000000070470 .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1864] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076e6bd90 5 bytes JMP 0000000000070360 .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1864] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076e6bde0 5 bytes JMP 0000000000070490 .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1864] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076e6bdf0 5 bytes JMP 00000000000703d0 .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1864] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076e6bea0 5 bytes JMP 0000000000070310 .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1864] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e6bed0 5 bytes JMP 00000000000703a0 .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1864] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076e6bef0 1 byte JMP 0000000000070380 .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1864] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 0000000076e6bef2 3 bytes {JMP 0xffffffff89204490} .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1864] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076e6bf30 5 bytes JMP 00000000000702d0 .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1864] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076e6bfb0 5 bytes JMP 00000000000702c0 .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1864] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e6bfd0 5 bytes JMP 0000000000070300 .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1864] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e6c010 5 bytes JMP 00000000000703b0 .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1864] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076e6c050 5 bytes JMP 0000000000070440 .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1864] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076e6c060 5 bytes JMP 00000000000703e0 .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1864] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076e6c1c0 5 bytes JMP 0000000000070220 .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1864] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076e6c380 5 bytes JMP 00000000000704a0 .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1864] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076e6c3b0 5 bytes JMP 0000000000070390 .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1864] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076e6c490 5 bytes JMP 00000000000702e0 .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1864] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076e6c4a0 5 bytes JMP 0000000000070340 .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1864] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076e6c500 5 bytes JMP 0000000000070280 .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1864] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076e6c590 5 bytes JMP 00000000000702a0 .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1864] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e6c5b0 5 bytes JMP 00000000000703c0 .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1864] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076e6c5c0 5 bytes JMP 0000000000070320 .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1864] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076e6c630 5 bytes JMP 0000000000070410 .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1864] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076e6c660 5 bytes JMP 0000000000070230 .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1864] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000076e6c800 5 bytes JMP 00000000000703f0 .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1864] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e6c920 5 bytes JMP 00000000000701d0 .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1864] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076e6c9e0 5 bytes JMP 0000000000070240 .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1864] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076e6ca10 5 bytes JMP 00000000000704b0 .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1864] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076e6ca20 5 bytes JMP 00000000000704c0 .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1864] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076e6ca50 5 bytes JMP 00000000000702f0 .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1864] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076e6ca60 5 bytes JMP 0000000000070350 .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1864] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076e6cac0 5 bytes JMP 0000000000070290 .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1864] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076e6cb10 5 bytes JMP 00000000000702b0 .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1864] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076e6cb40 5 bytes JMP 0000000000070370 .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1864] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076e6cb50 5 bytes JMP 0000000000070330 .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1864] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076e6ce40 5 bytes JMP 0000000000070460 .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1864] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000076e6cfa0 5 bytes JMP 0000000000070420 .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1864] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076e6d040 5 bytes JMP 0000000000070250 .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1864] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076e6d050 5 bytes JMP 0000000000070260 .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1864] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e6d060 5 bytes JMP 0000000000070400 .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1864] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e6d220 5 bytes JMP 00000000000701e0 .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1864] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076e6d230 5 bytes JMP 0000000000070200 .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1864] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076e6d2a0 5 bytes JMP 00000000000701f0 .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1864] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076e6d300 5 bytes JMP 0000000000070430 .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1864] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076e6d310 5 bytes JMP 0000000000070450 .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1864] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076e6d320 5 bytes JMP 0000000000070210 .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1864] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076e6d400 5 bytes JMP 0000000000070270 .text C:\Program Files\Bonjour\mDNSResponder.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076e6bbe0 5 bytes JMP 0000000076fd0480 .text C:\Program Files\Bonjour\mDNSResponder.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076e6bc30 5 bytes JMP 0000000076fd0470 .text C:\Program Files\Bonjour\mDNSResponder.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076e6bd90 5 bytes JMP 0000000076fd0360 .text C:\Program Files\Bonjour\mDNSResponder.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076e6bde0 5 bytes JMP 0000000076fd0490 .text C:\Program Files\Bonjour\mDNSResponder.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076e6bdf0 5 bytes JMP 0000000076fd03d0 .text C:\Program Files\Bonjour\mDNSResponder.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076e6bea0 5 bytes JMP 0000000076fd0310 .text C:\Program Files\Bonjour\mDNSResponder.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e6bed0 5 bytes JMP 0000000076fd03a0 .text C:\Program Files\Bonjour\mDNSResponder.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076e6bef0 1 byte JMP 0000000076fd0380 .text C:\Program Files\Bonjour\mDNSResponder.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 0000000076e6bef2 3 bytes {JMP 0x164490} .text C:\Program Files\Bonjour\mDNSResponder.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076e6bf30 5 bytes JMP 0000000076fd02d0 .text C:\Program Files\Bonjour\mDNSResponder.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076e6bfb0 5 bytes JMP 0000000076fd02c0 .text C:\Program Files\Bonjour\mDNSResponder.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e6bfd0 5 bytes JMP 0000000076fd0300 .text C:\Program Files\Bonjour\mDNSResponder.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e6c010 5 bytes JMP 0000000076fd03b0 .text C:\Program Files\Bonjour\mDNSResponder.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076e6c050 5 bytes JMP 0000000076fd0440 .text C:\Program Files\Bonjour\mDNSResponder.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076e6c060 5 bytes JMP 0000000076fd03e0 .text C:\Program Files\Bonjour\mDNSResponder.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076e6c1c0 5 bytes JMP 0000000076fd0220 .text C:\Program Files\Bonjour\mDNSResponder.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076e6c380 5 bytes JMP 0000000076fd04a0 .text C:\Program Files\Bonjour\mDNSResponder.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076e6c3b0 5 bytes JMP 0000000076fd0390 .text C:\Program Files\Bonjour\mDNSResponder.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076e6c490 5 bytes JMP 0000000076fd02e0 .text C:\Program Files\Bonjour\mDNSResponder.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076e6c4a0 5 bytes JMP 0000000076fd0340 .text C:\Program Files\Bonjour\mDNSResponder.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076e6c500 5 bytes JMP 0000000076fd0280 .text C:\Program Files\Bonjour\mDNSResponder.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076e6c590 5 bytes JMP 0000000076fd02a0 .text C:\Program Files\Bonjour\mDNSResponder.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e6c5b0 5 bytes JMP 0000000076fd03c0 .text C:\Program Files\Bonjour\mDNSResponder.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076e6c5c0 5 bytes JMP 0000000076fd0320 .text C:\Program Files\Bonjour\mDNSResponder.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076e6c630 5 bytes JMP 0000000076fd0410 .text C:\Program Files\Bonjour\mDNSResponder.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076e6c660 5 bytes JMP 0000000076fd0230 .text C:\Program Files\Bonjour\mDNSResponder.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000076e6c800 5 bytes JMP 0000000076fd03f0 .text C:\Program Files\Bonjour\mDNSResponder.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e6c920 5 bytes JMP 0000000076fd01d0 .text C:\Program Files\Bonjour\mDNSResponder.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076e6c9e0 5 bytes JMP 0000000076fd0240 .text C:\Program Files\Bonjour\mDNSResponder.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076e6ca10 5 bytes JMP 0000000076fd04b0 .text C:\Program Files\Bonjour\mDNSResponder.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076e6ca20 5 bytes JMP 0000000076fd04c0 .text C:\Program Files\Bonjour\mDNSResponder.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076e6ca50 5 bytes JMP 0000000076fd02f0 .text C:\Program Files\Bonjour\mDNSResponder.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076e6ca60 5 bytes JMP 0000000076fd0350 .text C:\Program Files\Bonjour\mDNSResponder.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076e6cac0 5 bytes JMP 0000000076fd0290 .text C:\Program Files\Bonjour\mDNSResponder.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076e6cb10 5 bytes JMP 0000000076fd02b0 .text C:\Program Files\Bonjour\mDNSResponder.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076e6cb40 5 bytes JMP 0000000076fd0370 .text C:\Program Files\Bonjour\mDNSResponder.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076e6cb50 5 bytes JMP 0000000076fd0330 .text C:\Program Files\Bonjour\mDNSResponder.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076e6ce40 5 bytes JMP 0000000076fd0460 .text C:\Program Files\Bonjour\mDNSResponder.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000076e6cfa0 5 bytes JMP 0000000076fd0420 .text C:\Program Files\Bonjour\mDNSResponder.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076e6d040 5 bytes JMP 0000000076fd0250 .text C:\Program Files\Bonjour\mDNSResponder.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076e6d050 5 bytes JMP 0000000076fd0260 .text C:\Program Files\Bonjour\mDNSResponder.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e6d060 5 bytes JMP 0000000076fd0400 .text C:\Program Files\Bonjour\mDNSResponder.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e6d220 5 bytes JMP 0000000076fd01e0 .text C:\Program Files\Bonjour\mDNSResponder.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076e6d230 5 bytes JMP 0000000076fd0200 .text C:\Program Files\Bonjour\mDNSResponder.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076e6d2a0 5 bytes JMP 0000000076fd01f0 .text C:\Program Files\Bonjour\mDNSResponder.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076e6d300 5 bytes JMP 0000000076fd0430 .text C:\Program Files\Bonjour\mDNSResponder.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076e6d310 5 bytes JMP 0000000076fd0450 .text C:\Program Files\Bonjour\mDNSResponder.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076e6d320 5 bytes JMP 0000000076fd0210 .text C:\Program Files\Bonjour\mDNSResponder.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076e6d400 5 bytes JMP 0000000076fd0270 .text C:\Windows\system32\taskhost.exe[1996] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076e6bbe0 5 bytes JMP 0000000000060480 .text C:\Windows\system32\taskhost.exe[1996] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076e6bc30 5 bytes JMP 0000000000060470 .text C:\Windows\system32\taskhost.exe[1996] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076e6bd90 5 bytes JMP 0000000000060360 .text C:\Windows\system32\taskhost.exe[1996] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076e6bde0 5 bytes JMP 0000000000060490 .text C:\Windows\system32\taskhost.exe[1996] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076e6bdf0 5 bytes JMP 00000000000603d0 .text C:\Windows\system32\taskhost.exe[1996] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076e6bea0 5 bytes JMP 0000000000060310 .text C:\Windows\system32\taskhost.exe[1996] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e6bed0 5 bytes JMP 00000000000603a0 .text C:\Windows\system32\taskhost.exe[1996] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076e6bef0 1 byte JMP 0000000000060380 .text C:\Windows\system32\taskhost.exe[1996] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 0000000076e6bef2 3 bytes {JMP 0xffffffff891f4490} .text C:\Windows\system32\taskhost.exe[1996] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076e6bf30 5 bytes JMP 00000000000602d0 .text C:\Windows\system32\taskhost.exe[1996] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076e6bfb0 5 bytes JMP 00000000000602c0 .text C:\Windows\system32\taskhost.exe[1996] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e6bfd0 5 bytes JMP 0000000000060300 .text C:\Windows\system32\taskhost.exe[1996] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e6c010 5 bytes JMP 00000000000603b0 .text C:\Windows\system32\taskhost.exe[1996] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076e6c050 5 bytes JMP 0000000000060440 .text C:\Windows\system32\taskhost.exe[1996] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076e6c060 5 bytes JMP 00000000000603e0 .text C:\Windows\system32\taskhost.exe[1996] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076e6c1c0 5 bytes JMP 0000000000060220 .text C:\Windows\system32\taskhost.exe[1996] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076e6c380 5 bytes JMP 00000000000604a0 .text C:\Windows\system32\taskhost.exe[1996] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076e6c3b0 5 bytes JMP 0000000000060390 .text C:\Windows\system32\taskhost.exe[1996] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076e6c490 5 bytes JMP 00000000000602e0 .text C:\Windows\system32\taskhost.exe[1996] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076e6c4a0 5 bytes JMP 0000000000060340 .text C:\Windows\system32\taskhost.exe[1996] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076e6c500 5 bytes JMP 0000000000060280 .text C:\Windows\system32\taskhost.exe[1996] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076e6c590 5 bytes JMP 00000000000602a0 .text C:\Windows\system32\taskhost.exe[1996] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e6c5b0 5 bytes JMP 00000000000603c0 .text C:\Windows\system32\taskhost.exe[1996] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076e6c5c0 5 bytes JMP 0000000000060320 .text C:\Windows\system32\taskhost.exe[1996] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076e6c630 5 bytes JMP 0000000000060410 .text C:\Windows\system32\taskhost.exe[1996] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076e6c660 5 bytes JMP 0000000000060230 .text C:\Windows\system32\taskhost.exe[1996] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000076e6c800 5 bytes JMP 00000000000603f0 .text C:\Windows\system32\taskhost.exe[1996] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e6c920 5 bytes JMP 00000000000601d0 .text C:\Windows\system32\taskhost.exe[1996] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076e6c9e0 5 bytes JMP 0000000000060240 .text C:\Windows\system32\taskhost.exe[1996] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076e6ca10 5 bytes JMP 00000000000604b0 .text C:\Windows\system32\taskhost.exe[1996] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076e6ca20 5 bytes JMP 00000000000604c0 .text C:\Windows\system32\taskhost.exe[1996] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076e6ca50 5 bytes JMP 00000000000602f0 .text C:\Windows\system32\taskhost.exe[1996] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076e6ca60 5 bytes JMP 0000000000060350 .text C:\Windows\system32\taskhost.exe[1996] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076e6cac0 5 bytes JMP 0000000000060290 .text C:\Windows\system32\taskhost.exe[1996] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076e6cb10 5 bytes JMP 00000000000602b0 .text C:\Windows\system32\taskhost.exe[1996] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076e6cb40 5 bytes JMP 0000000000060370 .text C:\Windows\system32\taskhost.exe[1996] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076e6cb50 5 bytes JMP 0000000000060330 .text C:\Windows\system32\taskhost.exe[1996] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076e6ce40 5 bytes JMP 0000000000060460 .text C:\Windows\system32\taskhost.exe[1996] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000076e6cfa0 5 bytes JMP 0000000000060420 .text C:\Windows\system32\taskhost.exe[1996] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076e6d040 5 bytes JMP 0000000000060250 .text C:\Windows\system32\taskhost.exe[1996] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076e6d050 5 bytes JMP 0000000000060260 .text C:\Windows\system32\taskhost.exe[1996] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e6d060 5 bytes JMP 0000000000060400 .text C:\Windows\system32\taskhost.exe[1996] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e6d220 5 bytes JMP 00000000000601e0 .text C:\Windows\system32\taskhost.exe[1996] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076e6d230 5 bytes JMP 0000000000060200 .text C:\Windows\system32\taskhost.exe[1996] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076e6d2a0 5 bytes JMP 00000000000601f0 .text C:\Windows\system32\taskhost.exe[1996] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076e6d300 5 bytes JMP 0000000000060430 .text C:\Windows\system32\taskhost.exe[1996] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076e6d310 5 bytes JMP 0000000000060450 .text C:\Windows\system32\taskhost.exe[1996] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076e6d320 5 bytes JMP 0000000000060210 .text C:\Windows\system32\taskhost.exe[1996] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076e6d400 5 bytes JMP 0000000000060270 .text C:\Windows\System32\svchost.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076e6bbe0 5 bytes JMP 0000000076fd0480 .text C:\Windows\System32\svchost.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076e6bc30 5 bytes JMP 0000000076fd0470 .text C:\Windows\System32\svchost.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076e6bd90 5 bytes JMP 0000000076fd0360 .text C:\Windows\System32\svchost.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076e6bde0 5 bytes JMP 0000000076fd0490 .text C:\Windows\System32\svchost.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076e6bdf0 5 bytes JMP 0000000076fd03d0 .text C:\Windows\System32\svchost.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076e6bea0 5 bytes JMP 0000000076fd0310 .text C:\Windows\System32\svchost.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e6bed0 5 bytes JMP 0000000076fd03a0 .text C:\Windows\System32\svchost.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076e6bef0 1 byte JMP 0000000076fd0380 .text C:\Windows\System32\svchost.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 0000000076e6bef2 3 bytes {JMP 0x164490} .text C:\Windows\System32\svchost.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076e6bf30 5 bytes JMP 0000000076fd02d0 .text C:\Windows\System32\svchost.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076e6bfb0 5 bytes JMP 0000000076fd02c0 .text C:\Windows\System32\svchost.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e6bfd0 5 bytes JMP 0000000076fd0300 .text C:\Windows\System32\svchost.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e6c010 5 bytes JMP 0000000076fd03b0 .text C:\Windows\System32\svchost.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076e6c050 5 bytes JMP 0000000076fd0440 .text C:\Windows\System32\svchost.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076e6c060 5 bytes JMP 0000000076fd03e0 .text C:\Windows\System32\svchost.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076e6c1c0 5 bytes JMP 0000000076fd0220 .text C:\Windows\System32\svchost.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076e6c380 5 bytes JMP 0000000076fd04a0 .text C:\Windows\System32\svchost.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076e6c3b0 5 bytes JMP 0000000076fd0390 .text C:\Windows\System32\svchost.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076e6c490 5 bytes JMP 0000000076fd02e0 .text C:\Windows\System32\svchost.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076e6c4a0 5 bytes JMP 0000000076fd0340 .text C:\Windows\System32\svchost.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076e6c500 5 bytes JMP 0000000076fd0280 .text C:\Windows\System32\svchost.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076e6c590 5 bytes JMP 0000000076fd02a0 .text C:\Windows\System32\svchost.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e6c5b0 5 bytes JMP 0000000076fd03c0 .text C:\Windows\System32\svchost.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076e6c5c0 5 bytes JMP 0000000076fd0320 .text C:\Windows\System32\svchost.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076e6c630 5 bytes JMP 0000000076fd0410 .text C:\Windows\System32\svchost.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076e6c660 5 bytes JMP 0000000076fd0230 .text C:\Windows\System32\svchost.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000076e6c800 5 bytes JMP 0000000076fd03f0 .text C:\Windows\System32\svchost.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e6c920 5 bytes JMP 0000000076fd01d0 .text C:\Windows\System32\svchost.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076e6c9e0 5 bytes JMP 0000000076fd0240 .text C:\Windows\System32\svchost.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076e6ca10 5 bytes JMP 0000000076fd04b0 .text C:\Windows\System32\svchost.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076e6ca20 5 bytes JMP 0000000076fd04c0 .text C:\Windows\System32\svchost.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076e6ca50 5 bytes JMP 0000000076fd02f0 .text C:\Windows\System32\svchost.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076e6ca60 5 bytes JMP 0000000076fd0350 .text C:\Windows\System32\svchost.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076e6cac0 5 bytes JMP 0000000076fd0290 .text C:\Windows\System32\svchost.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076e6cb10 5 bytes JMP 0000000076fd02b0 .text C:\Windows\System32\svchost.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076e6cb40 5 bytes JMP 0000000076fd0370 .text C:\Windows\System32\svchost.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076e6cb50 5 bytes JMP 0000000076fd0330 .text C:\Windows\System32\svchost.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076e6ce40 5 bytes JMP 0000000076fd0460 .text C:\Windows\System32\svchost.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000076e6cfa0 5 bytes JMP 0000000076fd0420 .text C:\Windows\System32\svchost.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076e6d040 5 bytes JMP 0000000076fd0250 .text C:\Windows\System32\svchost.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076e6d050 5 bytes JMP 0000000076fd0260 .text C:\Windows\System32\svchost.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e6d060 5 bytes JMP 0000000076fd0400 .text C:\Windows\System32\svchost.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e6d220 5 bytes JMP 0000000076fd01e0 .text C:\Windows\System32\svchost.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076e6d230 5 bytes JMP 0000000076fd0200 .text C:\Windows\System32\svchost.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076e6d2a0 5 bytes JMP 0000000076fd01f0 .text C:\Windows\System32\svchost.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076e6d300 5 bytes JMP 0000000076fd0430 .text C:\Windows\System32\svchost.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076e6d310 5 bytes JMP 0000000076fd0450 .text C:\Windows\System32\svchost.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076e6d320 5 bytes JMP 0000000076fd0210 .text C:\Windows\System32\svchost.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076e6d400 5 bytes JMP 0000000076fd0270 .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076e6bbe0 5 bytes JMP 0000000076fd0480 .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076e6bc30 5 bytes JMP 0000000076fd0470 .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076e6bd90 5 bytes JMP 0000000076fd0360 .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076e6bde0 5 bytes JMP 0000000076fd0490 .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076e6bdf0 5 bytes JMP 0000000076fd03d0 .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076e6bea0 5 bytes JMP 0000000076fd0310 .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e6bed0 5 bytes JMP 0000000076fd03a0 .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076e6bef0 1 byte JMP 0000000076fd0380 .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 0000000076e6bef2 3 bytes {JMP 0x164490} .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076e6bf30 5 bytes JMP 0000000076fd02d0 .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076e6bfb0 5 bytes JMP 0000000076fd02c0 .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e6bfd0 5 bytes JMP 0000000076fd0300 .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e6c010 5 bytes JMP 0000000076fd03b0 .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076e6c050 5 bytes JMP 0000000076fd0440 .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076e6c060 5 bytes JMP 0000000076fd03e0 .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076e6c1c0 5 bytes JMP 0000000076fd0220 .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076e6c380 5 bytes JMP 0000000076fd04a0 .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076e6c3b0 5 bytes JMP 0000000076fd0390 .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076e6c490 5 bytes JMP 0000000076fd02e0 .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076e6c4a0 5 bytes JMP 0000000076fd0340 .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076e6c500 5 bytes JMP 0000000076fd0280 .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076e6c590 5 bytes JMP 0000000076fd02a0 .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e6c5b0 5 bytes JMP 0000000076fd03c0 .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076e6c5c0 5 bytes JMP 0000000076fd0320 .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076e6c630 5 bytes JMP 0000000076fd0410 .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076e6c660 5 bytes JMP 0000000076fd0230 .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000076e6c800 5 bytes JMP 0000000076fd03f0 .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e6c920 5 bytes JMP 0000000076fd01d0 .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076e6c9e0 5 bytes JMP 0000000076fd0240 .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076e6ca10 5 bytes JMP 0000000076fd04b0 .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076e6ca20 5 bytes JMP 0000000076fd04c0 .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076e6ca50 5 bytes JMP 0000000076fd02f0 .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076e6ca60 5 bytes JMP 0000000076fd0350 .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076e6cac0 5 bytes JMP 0000000076fd0290 .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076e6cb10 5 bytes JMP 0000000076fd02b0 .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076e6cb40 5 bytes JMP 0000000076fd0370 .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076e6cb50 5 bytes JMP 0000000076fd0330 .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076e6ce40 5 bytes JMP 0000000076fd0460 .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000076e6cfa0 5 bytes JMP 0000000076fd0420 .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076e6d040 5 bytes JMP 0000000076fd0250 .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076e6d050 5 bytes JMP 0000000076fd0260 .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e6d060 5 bytes JMP 0000000076fd0400 .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e6d220 5 bytes JMP 0000000076fd01e0 .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076e6d230 5 bytes JMP 0000000076fd0200 .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076e6d2a0 5 bytes JMP 0000000076fd01f0 .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076e6d300 5 bytes JMP 0000000076fd0430 .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076e6d310 5 bytes JMP 0000000076fd0450 .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076e6d320 5 bytes JMP 0000000076fd0210 .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076e6d400 5 bytes JMP 0000000076fd0270 .text C:\Windows\SysWOW64\PnkBstrA.exe[1120] C:\Windows\SysWOW64\WSOCK32.dll!recv + 82 00000000730317fa 2 bytes CALL 759a11a9 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[1120] C:\Windows\SysWOW64\WSOCK32.dll!recvfrom + 88 0000000073031860 2 bytes CALL 759a11a9 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[1120] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 98 0000000073031942 2 bytes JMP 76416da1 C:\Windows\syswow64\WS2_32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[1120] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 109 000000007303194d 2 bytes JMP 7641e8de C:\Windows\syswow64\WS2_32.dll .text C:\Windows\system32\taskeng.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076e6bbe0 5 bytes JMP 0000000076fd0480 .text C:\Windows\system32\taskeng.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076e6bc30 5 bytes JMP 0000000076fd0470 .text C:\Windows\system32\taskeng.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076e6bd90 5 bytes JMP 0000000076fd0360 .text C:\Windows\system32\taskeng.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076e6bde0 5 bytes JMP 0000000076fd0490 .text C:\Windows\system32\taskeng.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076e6bdf0 5 bytes JMP 0000000076fd03d0 .text C:\Windows\system32\taskeng.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076e6bea0 5 bytes JMP 0000000076fd0310 .text C:\Windows\system32\taskeng.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e6bed0 5 bytes JMP 0000000076fd03a0 .text C:\Windows\system32\taskeng.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076e6bef0 1 byte JMP 0000000076fd0380 .text C:\Windows\system32\taskeng.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 0000000076e6bef2 3 bytes {JMP 0x164490} .text C:\Windows\system32\taskeng.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076e6bf30 5 bytes JMP 0000000076fd02d0 .text C:\Windows\system32\taskeng.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076e6bfb0 5 bytes JMP 0000000076fd02c0 .text C:\Windows\system32\taskeng.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e6bfd0 5 bytes JMP 0000000076fd0300 .text C:\Windows\system32\taskeng.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e6c010 5 bytes JMP 0000000076fd03b0 .text C:\Windows\system32\taskeng.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076e6c050 5 bytes JMP 0000000076fd0440 .text C:\Windows\system32\taskeng.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076e6c060 5 bytes JMP 0000000076fd03e0 .text C:\Windows\system32\taskeng.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076e6c1c0 5 bytes JMP 0000000076fd0220 .text C:\Windows\system32\taskeng.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076e6c380 5 bytes JMP 0000000076fd04a0 .text C:\Windows\system32\taskeng.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076e6c3b0 5 bytes JMP 0000000076fd0390 .text C:\Windows\system32\taskeng.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076e6c490 5 bytes JMP 0000000076fd02e0 .text C:\Windows\system32\taskeng.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076e6c4a0 5 bytes JMP 0000000076fd0340 .text C:\Windows\system32\taskeng.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076e6c500 5 bytes JMP 0000000076fd0280 .text C:\Windows\system32\taskeng.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076e6c590 5 bytes JMP 0000000076fd02a0 .text C:\Windows\system32\taskeng.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e6c5b0 5 bytes JMP 0000000076fd03c0 .text C:\Windows\system32\taskeng.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076e6c5c0 5 bytes JMP 0000000076fd0320 .text C:\Windows\system32\taskeng.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076e6c630 5 bytes JMP 0000000076fd0410 .text C:\Windows\system32\taskeng.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076e6c660 5 bytes JMP 0000000076fd0230 .text C:\Windows\system32\taskeng.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000076e6c800 5 bytes JMP 0000000076fd03f0 .text C:\Windows\system32\taskeng.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e6c920 5 bytes JMP 0000000076fd01d0 .text C:\Windows\system32\taskeng.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076e6c9e0 5 bytes JMP 0000000076fd0240 .text C:\Windows\system32\taskeng.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076e6ca10 5 bytes JMP 0000000076fd04b0 .text C:\Windows\system32\taskeng.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076e6ca20 5 bytes JMP 0000000076fd04c0 .text C:\Windows\system32\taskeng.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076e6ca50 5 bytes JMP 0000000076fd02f0 .text C:\Windows\system32\taskeng.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076e6ca60 5 bytes JMP 0000000076fd0350 .text C:\Windows\system32\taskeng.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076e6cac0 5 bytes JMP 0000000076fd0290 .text C:\Windows\system32\taskeng.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076e6cb10 5 bytes JMP 0000000076fd02b0 .text C:\Windows\system32\taskeng.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076e6cb40 5 bytes JMP 0000000076fd0370 .text C:\Windows\system32\taskeng.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076e6cb50 5 bytes JMP 0000000076fd0330 .text C:\Windows\system32\taskeng.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076e6ce40 5 bytes JMP 0000000076fd0460 .text C:\Windows\system32\taskeng.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000076e6cfa0 5 bytes JMP 0000000076fd0420 .text C:\Windows\system32\taskeng.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076e6d040 5 bytes JMP 0000000076fd0250 .text C:\Windows\system32\taskeng.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076e6d050 5 bytes JMP 0000000076fd0260 .text C:\Windows\system32\taskeng.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e6d060 5 bytes JMP 0000000076fd0400 .text C:\Windows\system32\taskeng.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e6d220 5 bytes JMP 0000000076fd01e0 .text C:\Windows\system32\taskeng.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076e6d230 5 bytes JMP 0000000076fd0200 .text C:\Windows\system32\taskeng.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076e6d2a0 5 bytes JMP 0000000076fd01f0 .text C:\Windows\system32\taskeng.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076e6d300 5 bytes JMP 0000000076fd0430 .text C:\Windows\system32\taskeng.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076e6d310 5 bytes JMP 0000000076fd0450 .text C:\Windows\system32\taskeng.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076e6d320 5 bytes JMP 0000000076fd0210 .text C:\Windows\system32\taskeng.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076e6d400 5 bytes JMP 0000000076fd0270 .text C:\Windows\Explorer.EXE[2332] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076e6bbe0 5 bytes JMP 0000000076fd0480 .text C:\Windows\Explorer.EXE[2332] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076e6bc30 5 bytes JMP 0000000076fd0470 .text C:\Windows\Explorer.EXE[2332] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076e6bd90 5 bytes JMP 0000000076fd0360 .text C:\Windows\Explorer.EXE[2332] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076e6bde0 5 bytes JMP 0000000076fd0490 .text C:\Windows\Explorer.EXE[2332] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076e6bdf0 5 bytes JMP 0000000076fd03d0 .text C:\Windows\Explorer.EXE[2332] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076e6bea0 5 bytes JMP 0000000076fd0310 .text C:\Windows\Explorer.EXE[2332] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e6bed0 5 bytes JMP 0000000076fd03a0 .text C:\Windows\Explorer.EXE[2332] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076e6bef0 1 byte JMP 0000000076fd0380 .text C:\Windows\Explorer.EXE[2332] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 0000000076e6bef2 3 bytes {JMP 0x164490} .text C:\Windows\Explorer.EXE[2332] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076e6bf30 5 bytes JMP 0000000076fd02d0 .text C:\Windows\Explorer.EXE[2332] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076e6bfb0 5 bytes JMP 0000000076fd02c0 .text C:\Windows\Explorer.EXE[2332] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e6bfd0 5 bytes JMP 0000000076fd0300 .text C:\Windows\Explorer.EXE[2332] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e6c010 5 bytes JMP 0000000076fd03b0 .text C:\Windows\Explorer.EXE[2332] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076e6c050 5 bytes JMP 0000000076fd0440 .text C:\Windows\Explorer.EXE[2332] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076e6c060 5 bytes JMP 0000000076fd03e0 .text C:\Windows\Explorer.EXE[2332] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076e6c1c0 5 bytes JMP 0000000076fd0220 .text C:\Windows\Explorer.EXE[2332] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076e6c380 5 bytes JMP 0000000076fd04a0 .text C:\Windows\Explorer.EXE[2332] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076e6c3b0 5 bytes JMP 0000000076fd0390 .text C:\Windows\Explorer.EXE[2332] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076e6c490 5 bytes JMP 0000000076fd02e0 .text C:\Windows\Explorer.EXE[2332] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076e6c4a0 5 bytes JMP 0000000076fd0340 .text C:\Windows\Explorer.EXE[2332] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076e6c500 5 bytes JMP 0000000076fd0280 .text C:\Windows\Explorer.EXE[2332] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076e6c590 5 bytes JMP 0000000076fd02a0 .text C:\Windows\Explorer.EXE[2332] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e6c5b0 5 bytes JMP 0000000076fd03c0 .text C:\Windows\Explorer.EXE[2332] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076e6c5c0 5 bytes JMP 0000000076fd0320 .text C:\Windows\Explorer.EXE[2332] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076e6c630 5 bytes JMP 0000000076fd0410 .text C:\Windows\Explorer.EXE[2332] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076e6c660 5 bytes JMP 0000000076fd0230 .text C:\Windows\Explorer.EXE[2332] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000076e6c800 5 bytes JMP 0000000076fd03f0 .text C:\Windows\Explorer.EXE[2332] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e6c920 5 bytes JMP 0000000076fd01d0 .text C:\Windows\Explorer.EXE[2332] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076e6c9e0 5 bytes JMP 0000000076fd0240 .text C:\Windows\Explorer.EXE[2332] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076e6ca10 5 bytes JMP 0000000076fd04b0 .text C:\Windows\Explorer.EXE[2332] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076e6ca20 5 bytes JMP 0000000076fd04c0 .text C:\Windows\Explorer.EXE[2332] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076e6ca50 5 bytes JMP 0000000076fd02f0 .text C:\Windows\Explorer.EXE[2332] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076e6ca60 5 bytes JMP 0000000076fd0350 .text C:\Windows\Explorer.EXE[2332] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076e6cac0 5 bytes JMP 0000000076fd0290 .text C:\Windows\Explorer.EXE[2332] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076e6cb10 5 bytes JMP 0000000076fd02b0 .text C:\Windows\Explorer.EXE[2332] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076e6cb40 5 bytes JMP 0000000076fd0370 .text C:\Windows\Explorer.EXE[2332] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076e6cb50 5 bytes JMP 0000000076fd0330 .text C:\Windows\Explorer.EXE[2332] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076e6ce40 5 bytes JMP 0000000076fd0460 .text C:\Windows\Explorer.EXE[2332] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000076e6cfa0 5 bytes JMP 0000000076fd0420 .text C:\Windows\Explorer.EXE[2332] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076e6d040 5 bytes JMP 0000000076fd0250 .text C:\Windows\Explorer.EXE[2332] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076e6d050 5 bytes JMP 0000000076fd0260 .text C:\Windows\Explorer.EXE[2332] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e6d060 5 bytes JMP 0000000076fd0400 .text C:\Windows\Explorer.EXE[2332] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e6d220 5 bytes JMP 0000000076fd01e0 .text C:\Windows\Explorer.EXE[2332] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076e6d230 5 bytes JMP 0000000076fd0200 .text C:\Windows\Explorer.EXE[2332] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076e6d2a0 5 bytes JMP 0000000076fd01f0 .text C:\Windows\Explorer.EXE[2332] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076e6d300 5 bytes JMP 0000000076fd0430 .text C:\Windows\Explorer.EXE[2332] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076e6d310 5 bytes JMP 0000000076fd0450 .text C:\Windows\Explorer.EXE[2332] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076e6d320 5 bytes JMP 0000000076fd0210 .text C:\Windows\Explorer.EXE[2332] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076e6d400 5 bytes JMP 0000000076fd0270 .text C:\Windows\system32\Dwm.exe[2552] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076e6bbe0 5 bytes JMP 0000000076fd0480 .text C:\Windows\system32\Dwm.exe[2552] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076e6bc30 5 bytes JMP 0000000076fd0470 .text C:\Windows\system32\Dwm.exe[2552] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076e6bd90 5 bytes JMP 0000000076fd0360 .text C:\Windows\system32\Dwm.exe[2552] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076e6bde0 5 bytes JMP 0000000076fd0490 .text C:\Windows\system32\Dwm.exe[2552] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076e6bdf0 5 bytes JMP 0000000076fd03d0 .text C:\Windows\system32\Dwm.exe[2552] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076e6bea0 5 bytes JMP 0000000076fd0310 .text C:\Windows\system32\Dwm.exe[2552] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e6bed0 5 bytes JMP 0000000076fd03a0 .text C:\Windows\system32\Dwm.exe[2552] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076e6bef0 1 byte JMP 0000000076fd0380 .text C:\Windows\system32\Dwm.exe[2552] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 0000000076e6bef2 3 bytes {JMP 0x164490} .text C:\Windows\system32\Dwm.exe[2552] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076e6bf30 5 bytes JMP 0000000076fd02d0 .text C:\Windows\system32\Dwm.exe[2552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076e6bfb0 5 bytes JMP 0000000076fd02c0 .text C:\Windows\system32\Dwm.exe[2552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e6bfd0 5 bytes JMP 0000000076fd0300 .text C:\Windows\system32\Dwm.exe[2552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e6c010 5 bytes JMP 0000000076fd03b0 .text C:\Windows\system32\Dwm.exe[2552] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076e6c050 5 bytes JMP 0000000076fd0440 .text C:\Windows\system32\Dwm.exe[2552] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076e6c060 5 bytes JMP 0000000076fd03e0 .text C:\Windows\system32\Dwm.exe[2552] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076e6c1c0 5 bytes JMP 0000000076fd0220 .text C:\Windows\system32\Dwm.exe[2552] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076e6c380 5 bytes JMP 0000000076fd04a0 .text C:\Windows\system32\Dwm.exe[2552] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076e6c3b0 5 bytes JMP 0000000076fd0390 .text C:\Windows\system32\Dwm.exe[2552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076e6c490 5 bytes JMP 0000000076fd02e0 .text C:\Windows\system32\Dwm.exe[2552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076e6c4a0 5 bytes JMP 0000000076fd0340 .text C:\Windows\system32\Dwm.exe[2552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076e6c500 5 bytes JMP 0000000076fd0280 .text C:\Windows\system32\Dwm.exe[2552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076e6c590 5 bytes JMP 0000000076fd02a0 .text C:\Windows\system32\Dwm.exe[2552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e6c5b0 5 bytes JMP 0000000076fd03c0 .text C:\Windows\system32\Dwm.exe[2552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076e6c5c0 5 bytes JMP 0000000076fd0320 .text C:\Windows\system32\Dwm.exe[2552] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076e6c630 5 bytes JMP 0000000076fd0410 .text C:\Windows\system32\Dwm.exe[2552] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076e6c660 5 bytes JMP 0000000076fd0230 .text C:\Windows\system32\Dwm.exe[2552] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000076e6c800 5 bytes JMP 0000000076fd03f0 .text C:\Windows\system32\Dwm.exe[2552] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e6c920 5 bytes JMP 0000000076fd01d0 .text C:\Windows\system32\Dwm.exe[2552] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076e6c9e0 5 bytes JMP 0000000076fd0240 .text C:\Windows\system32\Dwm.exe[2552] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076e6ca10 5 bytes JMP 0000000076fd04b0 .text C:\Windows\system32\Dwm.exe[2552] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076e6ca20 5 bytes JMP 0000000076fd04c0 .text C:\Windows\system32\Dwm.exe[2552] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076e6ca50 5 bytes JMP 0000000076fd02f0 .text C:\Windows\system32\Dwm.exe[2552] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076e6ca60 5 bytes JMP 0000000076fd0350 .text C:\Windows\system32\Dwm.exe[2552] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076e6cac0 5 bytes JMP 0000000076fd0290 .text C:\Windows\system32\Dwm.exe[2552] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076e6cb10 5 bytes JMP 0000000076fd02b0 .text C:\Windows\system32\Dwm.exe[2552] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076e6cb40 5 bytes JMP 0000000076fd0370 .text C:\Windows\system32\Dwm.exe[2552] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076e6cb50 5 bytes JMP 0000000076fd0330 .text C:\Windows\system32\Dwm.exe[2552] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076e6ce40 5 bytes JMP 0000000076fd0460 .text C:\Windows\system32\Dwm.exe[2552] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000076e6cfa0 5 bytes JMP 0000000076fd0420 .text C:\Windows\system32\Dwm.exe[2552] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076e6d040 5 bytes JMP 0000000076fd0250 .text C:\Windows\system32\Dwm.exe[2552] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076e6d050 5 bytes JMP 0000000076fd0260 .text C:\Windows\system32\Dwm.exe[2552] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e6d060 5 bytes JMP 0000000076fd0400 .text C:\Windows\system32\Dwm.exe[2552] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e6d220 5 bytes JMP 0000000076fd01e0 .text C:\Windows\system32\Dwm.exe[2552] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076e6d230 5 bytes JMP 0000000076fd0200 .text C:\Windows\system32\Dwm.exe[2552] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076e6d2a0 5 bytes JMP 0000000076fd01f0 .text C:\Windows\system32\Dwm.exe[2552] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076e6d300 5 bytes JMP 0000000076fd0430 .text C:\Windows\system32\Dwm.exe[2552] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076e6d310 5 bytes JMP 0000000076fd0450 .text C:\Windows\system32\Dwm.exe[2552] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076e6d320 5 bytes JMP 0000000076fd0210 .text C:\Windows\system32\Dwm.exe[2552] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076e6d400 5 bytes JMP 0000000076fd0270 .text C:\Windows\system32\svchost.exe[2608] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076e6bbe0 5 bytes JMP 0000000076fd0480 .text C:\Windows\system32\svchost.exe[2608] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076e6bc30 5 bytes JMP 0000000076fd0470 .text C:\Windows\system32\svchost.exe[2608] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076e6bd90 5 bytes JMP 0000000076fd0360 .text C:\Windows\system32\svchost.exe[2608] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076e6bde0 5 bytes JMP 0000000076fd0490 .text C:\Windows\system32\svchost.exe[2608] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076e6bdf0 5 bytes JMP 0000000076fd03d0 .text C:\Windows\system32\svchost.exe[2608] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076e6bea0 5 bytes JMP 0000000076fd0310 .text C:\Windows\system32\svchost.exe[2608] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e6bed0 5 bytes JMP 0000000076fd03a0 .text C:\Windows\system32\svchost.exe[2608] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076e6bef0 1 byte JMP 0000000076fd0380 .text C:\Windows\system32\svchost.exe[2608] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 0000000076e6bef2 3 bytes {JMP 0x164490} .text C:\Windows\system32\svchost.exe[2608] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076e6bf30 5 bytes JMP 0000000076fd02d0 .text C:\Windows\system32\svchost.exe[2608] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076e6bfb0 5 bytes JMP 0000000076fd02c0 .text C:\Windows\system32\svchost.exe[2608] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e6bfd0 5 bytes JMP 0000000076fd0300 .text C:\Windows\system32\svchost.exe[2608] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e6c010 5 bytes JMP 0000000076fd03b0 .text C:\Windows\system32\svchost.exe[2608] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076e6c050 5 bytes JMP 0000000076fd0440 .text C:\Windows\system32\svchost.exe[2608] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076e6c060 5 bytes JMP 0000000076fd03e0 .text C:\Windows\system32\svchost.exe[2608] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076e6c1c0 5 bytes JMP 0000000076fd0220 .text C:\Windows\system32\svchost.exe[2608] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076e6c380 5 bytes JMP 0000000076fd04a0 .text C:\Windows\system32\svchost.exe[2608] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076e6c3b0 5 bytes JMP 0000000076fd0390 .text C:\Windows\system32\svchost.exe[2608] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076e6c490 5 bytes JMP 0000000076fd02e0 .text C:\Windows\system32\svchost.exe[2608] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076e6c4a0 5 bytes JMP 0000000076fd0340 .text C:\Windows\system32\svchost.exe[2608] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076e6c500 5 bytes JMP 0000000076fd0280 .text C:\Windows\system32\svchost.exe[2608] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076e6c590 5 bytes JMP 0000000076fd02a0 .text C:\Windows\system32\svchost.exe[2608] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e6c5b0 5 bytes JMP 0000000076fd03c0 .text C:\Windows\system32\svchost.exe[2608] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076e6c5c0 5 bytes JMP 0000000076fd0320 .text C:\Windows\system32\svchost.exe[2608] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076e6c630 5 bytes JMP 0000000076fd0410 .text C:\Windows\system32\svchost.exe[2608] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076e6c660 5 bytes JMP 0000000076fd0230 .text C:\Windows\system32\svchost.exe[2608] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000076e6c800 5 bytes JMP 0000000076fd03f0 .text C:\Windows\system32\svchost.exe[2608] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e6c920 5 bytes JMP 0000000076fd01d0 .text C:\Windows\system32\svchost.exe[2608] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076e6c9e0 5 bytes JMP 0000000076fd0240 .text C:\Windows\system32\svchost.exe[2608] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076e6ca10 5 bytes JMP 0000000076fd04b0 .text C:\Windows\system32\svchost.exe[2608] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076e6ca20 5 bytes JMP 0000000076fd04c0 .text C:\Windows\system32\svchost.exe[2608] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076e6ca50 5 bytes JMP 0000000076fd02f0 .text C:\Windows\system32\svchost.exe[2608] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076e6ca60 5 bytes JMP 0000000076fd0350 .text C:\Windows\system32\svchost.exe[2608] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076e6cac0 5 bytes JMP 0000000076fd0290 .text C:\Windows\system32\svchost.exe[2608] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076e6cb10 5 bytes JMP 0000000076fd02b0 .text C:\Windows\system32\svchost.exe[2608] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076e6cb40 5 bytes JMP 0000000076fd0370 .text C:\Windows\system32\svchost.exe[2608] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076e6cb50 5 bytes JMP 0000000076fd0330 .text C:\Windows\system32\svchost.exe[2608] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076e6ce40 5 bytes JMP 0000000076fd0460 .text C:\Windows\system32\svchost.exe[2608] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000076e6cfa0 5 bytes JMP 0000000076fd0420 .text C:\Windows\system32\svchost.exe[2608] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076e6d040 5 bytes JMP 0000000076fd0250 .text C:\Windows\system32\svchost.exe[2608] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076e6d050 5 bytes JMP 0000000076fd0260 .text C:\Windows\system32\svchost.exe[2608] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e6d060 5 bytes JMP 0000000076fd0400 .text C:\Windows\system32\svchost.exe[2608] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e6d220 5 bytes JMP 0000000076fd01e0 .text C:\Windows\system32\svchost.exe[2608] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076e6d230 5 bytes JMP 0000000076fd0200 .text C:\Windows\system32\svchost.exe[2608] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076e6d2a0 5 bytes JMP 0000000076fd01f0 .text C:\Windows\system32\svchost.exe[2608] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076e6d300 5 bytes JMP 0000000076fd0430 .text C:\Windows\system32\svchost.exe[2608] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076e6d310 5 bytes JMP 0000000076fd0450 .text C:\Windows\system32\svchost.exe[2608] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076e6d320 5 bytes JMP 0000000076fd0210 .text C:\Windows\system32\svchost.exe[2608] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076e6d400 5 bytes JMP 0000000076fd0270 .text C:\Windows\system32\svchost.exe[2660] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076e6bbe0 5 bytes JMP 0000000000070480 .text C:\Windows\system32\svchost.exe[2660] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076e6bc30 5 bytes JMP 0000000000070470 .text C:\Windows\system32\svchost.exe[2660] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076e6bd90 5 bytes JMP 0000000000070360 .text C:\Windows\system32\svchost.exe[2660] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076e6bde0 5 bytes JMP 0000000000070490 .text C:\Windows\system32\svchost.exe[2660] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076e6bdf0 5 bytes JMP 00000000000703d0 .text C:\Windows\system32\svchost.exe[2660] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076e6bea0 5 bytes JMP 0000000000070310 .text C:\Windows\system32\svchost.exe[2660] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e6bed0 5 bytes JMP 00000000000703a0 .text C:\Windows\system32\svchost.exe[2660] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076e6bef0 1 byte JMP 0000000000070380 .text C:\Windows\system32\svchost.exe[2660] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 0000000076e6bef2 3 bytes {JMP 0xffffffff89204490} .text C:\Windows\system32\svchost.exe[2660] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076e6bf30 5 bytes JMP 00000000000702d0 .text C:\Windows\system32\svchost.exe[2660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076e6bfb0 5 bytes JMP 00000000000702c0 .text C:\Windows\system32\svchost.exe[2660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e6bfd0 5 bytes JMP 0000000000070300 .text C:\Windows\system32\svchost.exe[2660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e6c010 5 bytes JMP 00000000000703b0 .text C:\Windows\system32\svchost.exe[2660] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076e6c050 5 bytes JMP 0000000000070440 .text C:\Windows\system32\svchost.exe[2660] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076e6c060 5 bytes JMP 00000000000703e0 .text C:\Windows\system32\svchost.exe[2660] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076e6c1c0 5 bytes JMP 0000000000070220 .text C:\Windows\system32\svchost.exe[2660] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076e6c380 5 bytes JMP 00000000000704a0 .text C:\Windows\system32\svchost.exe[2660] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076e6c3b0 5 bytes JMP 0000000000070390 .text C:\Windows\system32\svchost.exe[2660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076e6c490 5 bytes JMP 00000000000702e0 .text C:\Windows\system32\svchost.exe[2660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076e6c4a0 5 bytes JMP 0000000000070340 .text C:\Windows\system32\svchost.exe[2660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076e6c500 5 bytes JMP 0000000000070280 .text C:\Windows\system32\svchost.exe[2660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076e6c590 5 bytes JMP 00000000000702a0 .text C:\Windows\system32\svchost.exe[2660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e6c5b0 5 bytes JMP 00000000000703c0 .text C:\Windows\system32\svchost.exe[2660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076e6c5c0 5 bytes JMP 0000000000070320 .text C:\Windows\system32\svchost.exe[2660] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076e6c630 5 bytes JMP 0000000000070410 .text C:\Windows\system32\svchost.exe[2660] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076e6c660 5 bytes JMP 0000000000070230 .text C:\Windows\system32\svchost.exe[2660] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000076e6c800 5 bytes JMP 00000000000703f0 .text C:\Windows\system32\svchost.exe[2660] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e6c920 5 bytes JMP 00000000000701d0 .text C:\Windows\system32\svchost.exe[2660] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076e6c9e0 5 bytes JMP 0000000000070240 .text C:\Windows\system32\svchost.exe[2660] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076e6ca10 5 bytes JMP 00000000000704b0 .text C:\Windows\system32\svchost.exe[2660] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076e6ca20 5 bytes JMP 00000000000704c0 .text C:\Windows\system32\svchost.exe[2660] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076e6ca50 5 bytes JMP 00000000000702f0 .text C:\Windows\system32\svchost.exe[2660] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076e6ca60 5 bytes JMP 0000000000070350 .text C:\Windows\system32\svchost.exe[2660] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076e6cac0 5 bytes JMP 0000000000070290 .text C:\Windows\system32\svchost.exe[2660] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076e6cb10 5 bytes JMP 00000000000702b0 .text C:\Windows\system32\svchost.exe[2660] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076e6cb40 5 bytes JMP 0000000000070370 .text C:\Windows\system32\svchost.exe[2660] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076e6cb50 5 bytes JMP 0000000000070330 .text C:\Windows\system32\svchost.exe[2660] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076e6ce40 5 bytes JMP 0000000000070460 .text C:\Windows\system32\svchost.exe[2660] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000076e6cfa0 5 bytes JMP 0000000000070420 .text C:\Windows\system32\svchost.exe[2660] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076e6d040 5 bytes JMP 0000000000070250 .text C:\Windows\system32\svchost.exe[2660] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076e6d050 5 bytes JMP 0000000000070260 .text C:\Windows\system32\svchost.exe[2660] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e6d060 5 bytes JMP 0000000000070400 .text C:\Windows\system32\svchost.exe[2660] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e6d220 5 bytes JMP 00000000000701e0 .text C:\Windows\system32\svchost.exe[2660] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076e6d230 5 bytes JMP 0000000000070200 .text C:\Windows\system32\svchost.exe[2660] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076e6d2a0 5 bytes JMP 00000000000701f0 .text C:\Windows\system32\svchost.exe[2660] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076e6d300 5 bytes JMP 0000000000070430 .text C:\Windows\system32\svchost.exe[2660] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076e6d310 5 bytes JMP 0000000000070450 .text C:\Windows\system32\svchost.exe[2660] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076e6d320 5 bytes JMP 0000000000070210 .text C:\Windows\system32\svchost.exe[2660] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076e6d400 5 bytes JMP 0000000000070270 .text C:\Windows\system32\wbem\wmiprvse.exe[2980] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076e6bbe0 5 bytes JMP 0000000076fd0480 .text C:\Windows\system32\wbem\wmiprvse.exe[2980] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076e6bc30 5 bytes JMP 0000000076fd0470 .text C:\Windows\system32\wbem\wmiprvse.exe[2980] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076e6bd90 5 bytes JMP 0000000076fd0360 .text C:\Windows\system32\wbem\wmiprvse.exe[2980] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076e6bde0 5 bytes JMP 0000000076fd0490 .text C:\Windows\system32\wbem\wmiprvse.exe[2980] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076e6bdf0 5 bytes JMP 0000000076fd03d0 .text C:\Windows\system32\wbem\wmiprvse.exe[2980] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076e6bea0 5 bytes JMP 0000000076fd0310 .text C:\Windows\system32\wbem\wmiprvse.exe[2980] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e6bed0 5 bytes JMP 0000000076fd03a0 .text C:\Windows\system32\wbem\wmiprvse.exe[2980] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076e6bef0 1 byte JMP 0000000076fd0380 .text C:\Windows\system32\wbem\wmiprvse.exe[2980] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 0000000076e6bef2 3 bytes {JMP 0x164490} .text C:\Windows\system32\wbem\wmiprvse.exe[2980] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076e6bf30 5 bytes JMP 0000000076fd02d0 .text C:\Windows\system32\wbem\wmiprvse.exe[2980] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076e6bfb0 5 bytes JMP 0000000076fd02c0 .text C:\Windows\system32\wbem\wmiprvse.exe[2980] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e6bfd0 5 bytes JMP 0000000076fd0300 .text C:\Windows\system32\wbem\wmiprvse.exe[2980] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e6c010 5 bytes JMP 0000000076fd03b0 .text C:\Windows\system32\wbem\wmiprvse.exe[2980] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076e6c050 5 bytes JMP 0000000076fd0440 .text C:\Windows\system32\wbem\wmiprvse.exe[2980] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076e6c060 5 bytes JMP 0000000076fd03e0 .text C:\Windows\system32\wbem\wmiprvse.exe[2980] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076e6c1c0 5 bytes JMP 0000000076fd0220 .text C:\Windows\system32\wbem\wmiprvse.exe[2980] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076e6c380 5 bytes JMP 0000000076fd04a0 .text C:\Windows\system32\wbem\wmiprvse.exe[2980] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076e6c3b0 5 bytes JMP 0000000076fd0390 .text C:\Windows\system32\wbem\wmiprvse.exe[2980] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076e6c490 5 bytes JMP 0000000076fd02e0 .text C:\Windows\system32\wbem\wmiprvse.exe[2980] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076e6c4a0 5 bytes JMP 0000000076fd0340 .text C:\Windows\system32\wbem\wmiprvse.exe[2980] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076e6c500 5 bytes JMP 0000000076fd0280 .text C:\Windows\system32\wbem\wmiprvse.exe[2980] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076e6c590 5 bytes JMP 0000000076fd02a0 .text C:\Windows\system32\wbem\wmiprvse.exe[2980] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e6c5b0 5 bytes JMP 0000000076fd03c0 .text C:\Windows\system32\wbem\wmiprvse.exe[2980] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076e6c5c0 5 bytes JMP 0000000076fd0320 .text C:\Windows\system32\wbem\wmiprvse.exe[2980] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076e6c630 5 bytes JMP 0000000076fd0410 .text C:\Windows\system32\wbem\wmiprvse.exe[2980] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076e6c660 5 bytes JMP 0000000076fd0230 .text C:\Windows\system32\wbem\wmiprvse.exe[2980] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000076e6c800 5 bytes JMP 0000000076fd03f0 .text C:\Windows\system32\wbem\wmiprvse.exe[2980] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e6c920 5 bytes JMP 0000000076fd01d0 .text C:\Windows\system32\wbem\wmiprvse.exe[2980] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076e6c9e0 5 bytes JMP 0000000076fd0240 .text C:\Windows\system32\wbem\wmiprvse.exe[2980] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076e6ca10 5 bytes JMP 0000000076fd04b0 .text C:\Windows\system32\wbem\wmiprvse.exe[2980] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076e6ca20 5 bytes JMP 0000000076fd04c0 .text C:\Windows\system32\wbem\wmiprvse.exe[2980] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076e6ca50 5 bytes JMP 0000000076fd02f0 .text C:\Windows\system32\wbem\wmiprvse.exe[2980] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076e6ca60 5 bytes JMP 0000000076fd0350 .text C:\Windows\system32\wbem\wmiprvse.exe[2980] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076e6cac0 5 bytes JMP 0000000076fd0290 .text C:\Windows\system32\wbem\wmiprvse.exe[2980] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076e6cb10 5 bytes JMP 0000000076fd02b0 .text C:\Windows\system32\wbem\wmiprvse.exe[2980] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076e6cb40 5 bytes JMP 0000000076fd0370 .text C:\Windows\system32\wbem\wmiprvse.exe[2980] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076e6cb50 5 bytes JMP 0000000076fd0330 .text C:\Windows\system32\wbem\wmiprvse.exe[2980] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076e6ce40 5 bytes JMP 0000000076fd0460 .text C:\Windows\system32\wbem\wmiprvse.exe[2980] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000076e6cfa0 5 bytes JMP 0000000076fd0420 .text C:\Windows\system32\wbem\wmiprvse.exe[2980] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076e6d040 5 bytes JMP 0000000076fd0250 .text C:\Windows\system32\wbem\wmiprvse.exe[2980] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076e6d050 5 bytes JMP 0000000076fd0260 .text C:\Windows\system32\wbem\wmiprvse.exe[2980] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e6d060 5 bytes JMP 0000000076fd0400 .text C:\Windows\system32\wbem\wmiprvse.exe[2980] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e6d220 5 bytes JMP 0000000076fd01e0 .text C:\Windows\system32\wbem\wmiprvse.exe[2980] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076e6d230 5 bytes JMP 0000000076fd0200 .text C:\Windows\system32\wbem\wmiprvse.exe[2980] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076e6d2a0 5 bytes JMP 0000000076fd01f0 .text C:\Windows\system32\wbem\wmiprvse.exe[2980] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076e6d300 5 bytes JMP 0000000076fd0430 .text C:\Windows\system32\wbem\wmiprvse.exe[2980] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076e6d310 5 bytes JMP 0000000076fd0450 .text C:\Windows\system32\wbem\wmiprvse.exe[2980] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076e6d320 5 bytes JMP 0000000076fd0210 .text C:\Windows\system32\wbem\wmiprvse.exe[2980] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076e6d400 5 bytes JMP 0000000076fd0270 .text C:\Program Files\Logitech\Gaming Software\LWEMon.exe[2176] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076e6bbe0 5 bytes JMP 0000000076fd0480 .text C:\Program Files\Logitech\Gaming Software\LWEMon.exe[2176] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076e6bc30 5 bytes JMP 0000000076fd0470 .text C:\Program Files\Logitech\Gaming Software\LWEMon.exe[2176] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076e6bd90 5 bytes JMP 0000000076fd0360 .text C:\Program Files\Logitech\Gaming Software\LWEMon.exe[2176] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076e6bde0 5 bytes JMP 0000000076fd0490 .text C:\Program Files\Logitech\Gaming Software\LWEMon.exe[2176] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076e6bdf0 5 bytes JMP 0000000076fd03d0 .text C:\Program Files\Logitech\Gaming Software\LWEMon.exe[2176] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076e6bea0 5 bytes JMP 0000000076fd0310 .text C:\Program Files\Logitech\Gaming Software\LWEMon.exe[2176] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e6bed0 5 bytes JMP 0000000076fd03a0 .text C:\Program Files\Logitech\Gaming Software\LWEMon.exe[2176] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076e6bef0 1 byte JMP 0000000076fd0380 .text C:\Program Files\Logitech\Gaming Software\LWEMon.exe[2176] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 0000000076e6bef2 3 bytes {JMP 0x164490} .text C:\Program Files\Logitech\Gaming Software\LWEMon.exe[2176] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076e6bf30 5 bytes JMP 0000000076fd02d0 .text C:\Program Files\Logitech\Gaming Software\LWEMon.exe[2176] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076e6bfb0 5 bytes JMP 0000000076fd02c0 .text C:\Program Files\Logitech\Gaming Software\LWEMon.exe[2176] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e6bfd0 5 bytes JMP 0000000076fd0300 .text C:\Program Files\Logitech\Gaming Software\LWEMon.exe[2176] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e6c010 5 bytes JMP 0000000076fd03b0 .text C:\Program Files\Logitech\Gaming Software\LWEMon.exe[2176] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076e6c050 5 bytes JMP 0000000076fd0440 .text C:\Program Files\Logitech\Gaming Software\LWEMon.exe[2176] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076e6c060 5 bytes JMP 0000000076fd03e0 .text C:\Program Files\Logitech\Gaming Software\LWEMon.exe[2176] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076e6c1c0 5 bytes JMP 0000000076fd0220 .text C:\Program Files\Logitech\Gaming Software\LWEMon.exe[2176] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076e6c380 5 bytes JMP 0000000076fd04a0 .text C:\Program Files\Logitech\Gaming Software\LWEMon.exe[2176] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076e6c3b0 5 bytes JMP 0000000076fd0390 .text C:\Program Files\Logitech\Gaming Software\LWEMon.exe[2176] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076e6c490 5 bytes JMP 0000000076fd02e0 .text C:\Program Files\Logitech\Gaming Software\LWEMon.exe[2176] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076e6c4a0 5 bytes JMP 0000000076fd0340 .text C:\Program Files\Logitech\Gaming Software\LWEMon.exe[2176] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076e6c500 5 bytes JMP 0000000076fd0280 .text C:\Program Files\Logitech\Gaming Software\LWEMon.exe[2176] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076e6c590 5 bytes JMP 0000000076fd02a0 .text C:\Program Files\Logitech\Gaming Software\LWEMon.exe[2176] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e6c5b0 5 bytes JMP 0000000076fd03c0 .text C:\Program Files\Logitech\Gaming Software\LWEMon.exe[2176] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076e6c5c0 5 bytes JMP 0000000076fd0320 .text C:\Program Files\Logitech\Gaming Software\LWEMon.exe[2176] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076e6c630 5 bytes JMP 0000000076fd0410 .text C:\Program Files\Logitech\Gaming Software\LWEMon.exe[2176] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076e6c660 5 bytes JMP 0000000076fd0230 .text C:\Program Files\Logitech\Gaming Software\LWEMon.exe[2176] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000076e6c800 5 bytes JMP 0000000076fd03f0 .text C:\Program Files\Logitech\Gaming Software\LWEMon.exe[2176] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e6c920 5 bytes JMP 0000000076fd01d0 .text C:\Program Files\Logitech\Gaming Software\LWEMon.exe[2176] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076e6c9e0 5 bytes JMP 0000000076fd0240 .text C:\Program Files\Logitech\Gaming Software\LWEMon.exe[2176] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076e6ca10 5 bytes JMP 0000000076fd04b0 .text C:\Program Files\Logitech\Gaming Software\LWEMon.exe[2176] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076e6ca20 5 bytes JMP 0000000076fd04c0 .text C:\Program Files\Logitech\Gaming Software\LWEMon.exe[2176] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076e6ca50 5 bytes JMP 0000000076fd02f0 .text C:\Program Files\Logitech\Gaming Software\LWEMon.exe[2176] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076e6ca60 5 bytes JMP 0000000076fd0350 .text C:\Program Files\Logitech\Gaming Software\LWEMon.exe[2176] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076e6cac0 5 bytes JMP 0000000076fd0290 .text C:\Program Files\Logitech\Gaming Software\LWEMon.exe[2176] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076e6cb10 5 bytes JMP 0000000076fd02b0 .text C:\Program Files\Logitech\Gaming Software\LWEMon.exe[2176] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076e6cb40 5 bytes JMP 0000000076fd0370 .text C:\Program Files\Logitech\Gaming Software\LWEMon.exe[2176] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076e6cb50 5 bytes JMP 0000000076fd0330 .text C:\Program Files\Logitech\Gaming Software\LWEMon.exe[2176] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076e6ce40 5 bytes JMP 0000000076fd0460 .text C:\Program Files\Logitech\Gaming Software\LWEMon.exe[2176] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000076e6cfa0 5 bytes JMP 0000000076fd0420 .text C:\Program Files\Logitech\Gaming Software\LWEMon.exe[2176] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076e6d040 5 bytes JMP 0000000076fd0250 .text C:\Program Files\Logitech\Gaming Software\LWEMon.exe[2176] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076e6d050 5 bytes JMP 0000000076fd0260 .text C:\Program Files\Logitech\Gaming Software\LWEMon.exe[2176] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e6d060 5 bytes JMP 0000000076fd0400 .text C:\Program Files\Logitech\Gaming Software\LWEMon.exe[2176] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e6d220 5 bytes JMP 0000000076fd01e0 .text C:\Program Files\Logitech\Gaming Software\LWEMon.exe[2176] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076e6d230 5 bytes JMP 0000000076fd0200 .text C:\Program Files\Logitech\Gaming Software\LWEMon.exe[2176] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076e6d2a0 5 bytes JMP 0000000076fd01f0 .text C:\Program Files\Logitech\Gaming Software\LWEMon.exe[2176] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076e6d300 5 bytes JMP 0000000076fd0430 .text C:\Program Files\Logitech\Gaming Software\LWEMon.exe[2176] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076e6d310 5 bytes JMP 0000000076fd0450 .text C:\Program Files\Logitech\Gaming Software\LWEMon.exe[2176] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076e6d320 5 bytes JMP 0000000076fd0210 .text C:\Program Files\Logitech\Gaming Software\LWEMon.exe[2176] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076e6d400 5 bytes JMP 0000000076fd0270 .text C:\Windows\system32\svchost.exe[3144] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076e6bbe0 5 bytes JMP 0000000076fd0480 .text C:\Windows\system32\svchost.exe[3144] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076e6bc30 5 bytes JMP 0000000076fd0470 .text C:\Windows\system32\svchost.exe[3144] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076e6bd90 5 bytes JMP 0000000076fd0360 .text C:\Windows\system32\svchost.exe[3144] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076e6bde0 5 bytes JMP 0000000076fd0490 .text C:\Windows\system32\svchost.exe[3144] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076e6bdf0 5 bytes JMP 0000000076fd03d0 .text C:\Windows\system32\svchost.exe[3144] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076e6bea0 5 bytes JMP 0000000076fd0310 .text C:\Windows\system32\svchost.exe[3144] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e6bed0 5 bytes JMP 0000000076fd03a0 .text C:\Windows\system32\svchost.exe[3144] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076e6bef0 1 byte JMP 0000000076fd0380 .text C:\Windows\system32\svchost.exe[3144] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 0000000076e6bef2 3 bytes {JMP 0x164490} .text C:\Windows\system32\svchost.exe[3144] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076e6bf30 5 bytes JMP 0000000076fd02d0 .text C:\Windows\system32\svchost.exe[3144] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076e6bfb0 5 bytes JMP 0000000076fd02c0 .text C:\Windows\system32\svchost.exe[3144] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e6bfd0 5 bytes JMP 0000000076fd0300 .text C:\Windows\system32\svchost.exe[3144] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e6c010 5 bytes JMP 0000000076fd03b0 .text C:\Windows\system32\svchost.exe[3144] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076e6c050 5 bytes JMP 0000000076fd0440 .text C:\Windows\system32\svchost.exe[3144] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076e6c060 5 bytes JMP 0000000076fd03e0 .text C:\Windows\system32\svchost.exe[3144] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076e6c1c0 5 bytes JMP 0000000076fd0220 .text C:\Windows\system32\svchost.exe[3144] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076e6c380 5 bytes JMP 0000000076fd04a0 .text C:\Windows\system32\svchost.exe[3144] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076e6c3b0 5 bytes JMP 0000000076fd0390 .text C:\Windows\system32\svchost.exe[3144] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076e6c490 5 bytes JMP 0000000076fd02e0 .text C:\Windows\system32\svchost.exe[3144] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076e6c4a0 5 bytes JMP 0000000076fd0340 .text C:\Windows\system32\svchost.exe[3144] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076e6c500 5 bytes JMP 0000000076fd0280 .text C:\Windows\system32\svchost.exe[3144] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076e6c590 5 bytes JMP 0000000076fd02a0 .text C:\Windows\system32\svchost.exe[3144] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e6c5b0 5 bytes JMP 0000000076fd03c0 .text C:\Windows\system32\svchost.exe[3144] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076e6c5c0 5 bytes JMP 0000000076fd0320 .text C:\Windows\system32\svchost.exe[3144] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076e6c630 5 bytes JMP 0000000076fd0410 .text C:\Windows\system32\svchost.exe[3144] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076e6c660 5 bytes JMP 0000000076fd0230 .text C:\Windows\system32\svchost.exe[3144] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000076e6c800 5 bytes JMP 0000000076fd03f0 .text C:\Windows\system32\svchost.exe[3144] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e6c920 5 bytes JMP 0000000076fd01d0 .text C:\Windows\system32\svchost.exe[3144] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076e6c9e0 5 bytes JMP 0000000076fd0240 .text C:\Windows\system32\svchost.exe[3144] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076e6ca10 5 bytes JMP 0000000076fd04b0 .text C:\Windows\system32\svchost.exe[3144] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076e6ca20 5 bytes JMP 0000000076fd04c0 .text C:\Windows\system32\svchost.exe[3144] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076e6ca50 5 bytes JMP 0000000076fd02f0 .text C:\Windows\system32\svchost.exe[3144] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076e6ca60 5 bytes JMP 0000000076fd0350 .text C:\Windows\system32\svchost.exe[3144] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076e6cac0 5 bytes JMP 0000000076fd0290 .text C:\Windows\system32\svchost.exe[3144] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076e6cb10 5 bytes JMP 0000000076fd02b0 .text C:\Windows\system32\svchost.exe[3144] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076e6cb40 5 bytes JMP 0000000076fd0370 .text C:\Windows\system32\svchost.exe[3144] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076e6cb50 5 bytes JMP 0000000076fd0330 .text C:\Windows\system32\svchost.exe[3144] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076e6ce40 5 bytes JMP 0000000076fd0460 .text C:\Windows\system32\svchost.exe[3144] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000076e6cfa0 5 bytes JMP 0000000076fd0420 .text C:\Windows\system32\svchost.exe[3144] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076e6d040 5 bytes JMP 0000000076fd0250 .text C:\Windows\system32\svchost.exe[3144] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076e6d050 5 bytes JMP 0000000076fd0260 .text C:\Windows\system32\svchost.exe[3144] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e6d060 5 bytes JMP 0000000076fd0400 .text C:\Windows\system32\svchost.exe[3144] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e6d220 5 bytes JMP 0000000076fd01e0 .text C:\Windows\system32\svchost.exe[3144] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076e6d230 5 bytes JMP 0000000076fd0200 .text C:\Windows\system32\svchost.exe[3144] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076e6d2a0 5 bytes JMP 0000000076fd01f0 .text C:\Windows\system32\svchost.exe[3144] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076e6d300 5 bytes JMP 0000000076fd0430 .text C:\Windows\system32\svchost.exe[3144] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076e6d310 5 bytes JMP 0000000076fd0450 .text C:\Windows\system32\svchost.exe[3144] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076e6d320 5 bytes JMP 0000000076fd0210 .text C:\Windows\system32\svchost.exe[3144] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076e6d400 5 bytes JMP 0000000076fd0270 .text C:\Program Files\iPod\bin\iPodService.exe[3380] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076e6bbe0 5 bytes JMP 0000000076fd0480 .text C:\Program Files\iPod\bin\iPodService.exe[3380] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076e6bc30 5 bytes JMP 0000000076fd0470 .text C:\Program Files\iPod\bin\iPodService.exe[3380] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076e6bd90 5 bytes JMP 0000000076fd0360 .text C:\Program Files\iPod\bin\iPodService.exe[3380] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076e6bde0 5 bytes JMP 0000000076fd0490 .text C:\Program Files\iPod\bin\iPodService.exe[3380] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076e6bdf0 5 bytes JMP 0000000076fd03d0 .text C:\Program Files\iPod\bin\iPodService.exe[3380] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076e6bea0 5 bytes JMP 0000000076fd0310 .text C:\Program Files\iPod\bin\iPodService.exe[3380] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e6bed0 5 bytes JMP 0000000076fd03a0 .text C:\Program Files\iPod\bin\iPodService.exe[3380] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076e6bef0 1 byte JMP 0000000076fd0380 .text C:\Program Files\iPod\bin\iPodService.exe[3380] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 0000000076e6bef2 3 bytes {JMP 0x164490} .text C:\Program Files\iPod\bin\iPodService.exe[3380] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076e6bf30 5 bytes JMP 0000000076fd02d0 .text C:\Program Files\iPod\bin\iPodService.exe[3380] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076e6bfb0 5 bytes JMP 0000000076fd02c0 .text C:\Program Files\iPod\bin\iPodService.exe[3380] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e6bfd0 5 bytes JMP 0000000076fd0300 .text C:\Program Files\iPod\bin\iPodService.exe[3380] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e6c010 5 bytes JMP 0000000076fd03b0 .text C:\Program Files\iPod\bin\iPodService.exe[3380] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076e6c050 5 bytes JMP 0000000076fd0440 .text C:\Program Files\iPod\bin\iPodService.exe[3380] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076e6c060 5 bytes JMP 0000000076fd03e0 .text C:\Program Files\iPod\bin\iPodService.exe[3380] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076e6c1c0 5 bytes JMP 0000000076fd0220 .text C:\Program Files\iPod\bin\iPodService.exe[3380] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076e6c380 5 bytes JMP 0000000076fd04a0 .text C:\Program Files\iPod\bin\iPodService.exe[3380] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076e6c3b0 5 bytes JMP 0000000076fd0390 .text C:\Program Files\iPod\bin\iPodService.exe[3380] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076e6c490 5 bytes JMP 0000000076fd02e0 .text C:\Program Files\iPod\bin\iPodService.exe[3380] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076e6c4a0 5 bytes JMP 0000000076fd0340 .text C:\Program Files\iPod\bin\iPodService.exe[3380] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076e6c500 5 bytes JMP 0000000076fd0280 .text C:\Program Files\iPod\bin\iPodService.exe[3380] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076e6c590 5 bytes JMP 0000000076fd02a0 .text C:\Program Files\iPod\bin\iPodService.exe[3380] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e6c5b0 5 bytes JMP 0000000076fd03c0 .text C:\Program Files\iPod\bin\iPodService.exe[3380] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076e6c5c0 5 bytes JMP 0000000076fd0320 .text C:\Program Files\iPod\bin\iPodService.exe[3380] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076e6c630 5 bytes JMP 0000000076fd0410 .text C:\Program Files\iPod\bin\iPodService.exe[3380] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076e6c660 5 bytes JMP 0000000076fd0230 .text C:\Program Files\iPod\bin\iPodService.exe[3380] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000076e6c800 5 bytes JMP 0000000076fd03f0 .text C:\Program Files\iPod\bin\iPodService.exe[3380] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e6c920 5 bytes JMP 0000000076fd01d0 .text C:\Program Files\iPod\bin\iPodService.exe[3380] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076e6c9e0 5 bytes JMP 0000000076fd0240 .text C:\Program Files\iPod\bin\iPodService.exe[3380] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076e6ca10 5 bytes JMP 0000000076fd04b0 .text C:\Program Files\iPod\bin\iPodService.exe[3380] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076e6ca20 5 bytes JMP 0000000076fd04c0 .text C:\Program Files\iPod\bin\iPodService.exe[3380] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076e6ca50 5 bytes JMP 0000000076fd02f0 .text C:\Program Files\iPod\bin\iPodService.exe[3380] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076e6ca60 5 bytes JMP 0000000076fd0350 .text C:\Program Files\iPod\bin\iPodService.exe[3380] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076e6cac0 5 bytes JMP 0000000076fd0290 .text C:\Program Files\iPod\bin\iPodService.exe[3380] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076e6cb10 5 bytes JMP 0000000076fd02b0 .text C:\Program Files\iPod\bin\iPodService.exe[3380] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076e6cb40 5 bytes JMP 0000000076fd0370 .text C:\Program Files\iPod\bin\iPodService.exe[3380] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076e6cb50 5 bytes JMP 0000000076fd0330 .text C:\Program Files\iPod\bin\iPodService.exe[3380] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076e6ce40 5 bytes JMP 0000000076fd0460 .text C:\Program Files\iPod\bin\iPodService.exe[3380] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000076e6cfa0 5 bytes JMP 0000000076fd0420 .text C:\Program Files\iPod\bin\iPodService.exe[3380] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076e6d040 5 bytes JMP 0000000076fd0250 .text C:\Program Files\iPod\bin\iPodService.exe[3380] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076e6d050 5 bytes JMP 0000000076fd0260 .text C:\Program Files\iPod\bin\iPodService.exe[3380] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e6d060 5 bytes JMP 0000000076fd0400 .text C:\Program Files\iPod\bin\iPodService.exe[3380] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e6d220 5 bytes JMP 0000000076fd01e0 .text C:\Program Files\iPod\bin\iPodService.exe[3380] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076e6d230 5 bytes JMP 0000000076fd0200 .text C:\Program Files\iPod\bin\iPodService.exe[3380] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076e6d2a0 5 bytes JMP 0000000076fd01f0 .text C:\Program Files\iPod\bin\iPodService.exe[3380] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076e6d300 5 bytes JMP 0000000076fd0430 .text C:\Program Files\iPod\bin\iPodService.exe[3380] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076e6d310 5 bytes JMP 0000000076fd0450 .text C:\Program Files\iPod\bin\iPodService.exe[3380] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076e6d320 5 bytes JMP 0000000076fd0210 .text C:\Program Files\iPod\bin\iPodService.exe[3380] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076e6d400 5 bytes JMP 0000000076fd0270 .text C:\Program Files\AVAST Software\Avast\avastui.exe[3608] C:\Windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter 00000000759a8769 8 bytes [31, C0, C2, 04, 00, 90, 90, ...] .text C:\Windows\system32\SearchIndexer.exe[4044] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076e6bbe0 5 bytes JMP 0000000076fd0480 .text C:\Windows\system32\SearchIndexer.exe[4044] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076e6bc30 5 bytes JMP 0000000076fd0470 .text C:\Windows\system32\SearchIndexer.exe[4044] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076e6bd90 5 bytes JMP 0000000076fd0360 .text C:\Windows\system32\SearchIndexer.exe[4044] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076e6bde0 5 bytes JMP 0000000076fd0490 .text C:\Windows\system32\SearchIndexer.exe[4044] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076e6bdf0 5 bytes JMP 0000000076fd03d0 .text C:\Windows\system32\SearchIndexer.exe[4044] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076e6bea0 5 bytes JMP 0000000076fd0310 .text C:\Windows\system32\SearchIndexer.exe[4044] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e6bed0 5 bytes JMP 0000000076fd03a0 .text C:\Windows\system32\SearchIndexer.exe[4044] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076e6bef0 1 byte JMP 0000000076fd0380 .text C:\Windows\system32\SearchIndexer.exe[4044] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 0000000076e6bef2 3 bytes {JMP 0x164490} .text C:\Windows\system32\SearchIndexer.exe[4044] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076e6bf30 5 bytes JMP 0000000076fd02d0 .text C:\Windows\system32\SearchIndexer.exe[4044] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076e6bfb0 5 bytes JMP 0000000076fd02c0 .text C:\Windows\system32\SearchIndexer.exe[4044] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e6bfd0 5 bytes JMP 0000000076fd0300 .text C:\Windows\system32\SearchIndexer.exe[4044] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e6c010 5 bytes JMP 0000000076fd03b0 .text C:\Windows\system32\SearchIndexer.exe[4044] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076e6c050 5 bytes JMP 0000000076fd0440 .text C:\Windows\system32\SearchIndexer.exe[4044] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076e6c060 5 bytes JMP 0000000076fd03e0 .text C:\Windows\system32\SearchIndexer.exe[4044] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076e6c1c0 5 bytes JMP 0000000076fd0220 .text C:\Windows\system32\SearchIndexer.exe[4044] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076e6c380 5 bytes JMP 0000000076fd04a0 .text C:\Windows\system32\SearchIndexer.exe[4044] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076e6c3b0 5 bytes JMP 0000000076fd0390 .text C:\Windows\system32\SearchIndexer.exe[4044] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076e6c490 5 bytes JMP 0000000076fd02e0 .text C:\Windows\system32\SearchIndexer.exe[4044] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076e6c4a0 5 bytes JMP 0000000076fd0340 .text C:\Windows\system32\SearchIndexer.exe[4044] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076e6c500 5 bytes JMP 0000000076fd0280 .text C:\Windows\system32\SearchIndexer.exe[4044] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076e6c590 5 bytes JMP 0000000076fd02a0 .text C:\Windows\system32\SearchIndexer.exe[4044] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e6c5b0 5 bytes JMP 0000000076fd03c0 .text C:\Windows\system32\SearchIndexer.exe[4044] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076e6c5c0 5 bytes JMP 0000000076fd0320 .text C:\Windows\system32\SearchIndexer.exe[4044] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076e6c630 5 bytes JMP 0000000076fd0410 .text C:\Windows\system32\SearchIndexer.exe[4044] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076e6c660 5 bytes JMP 0000000076fd0230 .text C:\Windows\system32\SearchIndexer.exe[4044] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000076e6c800 5 bytes JMP 0000000076fd03f0 .text C:\Windows\system32\SearchIndexer.exe[4044] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e6c920 5 bytes JMP 0000000076fd01d0 .text C:\Windows\system32\SearchIndexer.exe[4044] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076e6c9e0 5 bytes JMP 0000000076fd0240 .text C:\Windows\system32\SearchIndexer.exe[4044] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076e6ca10 5 bytes JMP 0000000076fd04b0 .text C:\Windows\system32\SearchIndexer.exe[4044] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076e6ca20 5 bytes JMP 0000000076fd04c0 .text C:\Windows\system32\SearchIndexer.exe[4044] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076e6ca50 5 bytes JMP 0000000076fd02f0 .text C:\Windows\system32\SearchIndexer.exe[4044] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076e6ca60 5 bytes JMP 0000000076fd0350 .text C:\Windows\system32\SearchIndexer.exe[4044] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076e6cac0 5 bytes JMP 0000000076fd0290 .text C:\Windows\system32\SearchIndexer.exe[4044] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076e6cb10 5 bytes JMP 0000000076fd02b0 .text C:\Windows\system32\SearchIndexer.exe[4044] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076e6cb40 5 bytes JMP 0000000076fd0370 .text C:\Windows\system32\SearchIndexer.exe[4044] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076e6cb50 5 bytes JMP 0000000076fd0330 .text C:\Windows\system32\SearchIndexer.exe[4044] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076e6ce40 5 bytes JMP 0000000076fd0460 .text C:\Windows\system32\SearchIndexer.exe[4044] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000076e6cfa0 5 bytes JMP 0000000076fd0420 .text C:\Windows\system32\SearchIndexer.exe[4044] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076e6d040 5 bytes JMP 0000000076fd0250 .text C:\Windows\system32\SearchIndexer.exe[4044] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076e6d050 5 bytes JMP 0000000076fd0260 .text C:\Windows\system32\SearchIndexer.exe[4044] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e6d060 5 bytes JMP 0000000076fd0400 .text C:\Windows\system32\SearchIndexer.exe[4044] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e6d220 5 bytes JMP 0000000076fd01e0 .text C:\Windows\system32\SearchIndexer.exe[4044] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076e6d230 5 bytes JMP 0000000076fd0200 .text C:\Windows\system32\SearchIndexer.exe[4044] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076e6d2a0 5 bytes JMP 0000000076fd01f0 .text C:\Windows\system32\SearchIndexer.exe[4044] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076e6d300 5 bytes JMP 0000000076fd0430 .text C:\Windows\system32\SearchIndexer.exe[4044] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076e6d310 5 bytes JMP 0000000076fd0450 .text C:\Windows\system32\SearchIndexer.exe[4044] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076e6d320 5 bytes JMP 0000000076fd0210 .text C:\Windows\system32\SearchIndexer.exe[4044] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076e6d400 5 bytes JMP 0000000076fd0270 .text C:\Windows\system32\wbem\unsecapp.exe[4108] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076e6bbe0 5 bytes JMP 0000000076fd0480 .text C:\Windows\system32\wbem\unsecapp.exe[4108] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076e6bc30 5 bytes JMP 0000000076fd0470 .text C:\Windows\system32\wbem\unsecapp.exe[4108] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076e6bd90 5 bytes JMP 0000000076fd0360 .text C:\Windows\system32\wbem\unsecapp.exe[4108] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076e6bde0 5 bytes JMP 0000000076fd0490 .text C:\Windows\system32\wbem\unsecapp.exe[4108] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076e6bdf0 5 bytes JMP 0000000076fd03d0 .text C:\Windows\system32\wbem\unsecapp.exe[4108] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076e6bea0 5 bytes JMP 0000000076fd0310 .text C:\Windows\system32\wbem\unsecapp.exe[4108] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e6bed0 5 bytes JMP 0000000076fd03a0 .text C:\Windows\system32\wbem\unsecapp.exe[4108] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076e6bef0 1 byte JMP 0000000076fd0380 .text C:\Windows\system32\wbem\unsecapp.exe[4108] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 0000000076e6bef2 3 bytes {JMP 0x164490} .text C:\Windows\system32\wbem\unsecapp.exe[4108] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076e6bf30 5 bytes JMP 0000000076fd02d0 .text C:\Windows\system32\wbem\unsecapp.exe[4108] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076e6bfb0 5 bytes JMP 0000000076fd02c0 .text C:\Windows\system32\wbem\unsecapp.exe[4108] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e6bfd0 5 bytes JMP 0000000076fd0300 .text C:\Windows\system32\wbem\unsecapp.exe[4108] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e6c010 5 bytes JMP 0000000076fd03b0 .text C:\Windows\system32\wbem\unsecapp.exe[4108] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076e6c050 5 bytes JMP 0000000076fd0440 .text C:\Windows\system32\wbem\unsecapp.exe[4108] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076e6c060 5 bytes JMP 0000000076fd03e0 .text C:\Windows\system32\wbem\unsecapp.exe[4108] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076e6c1c0 5 bytes JMP 0000000076fd0220 .text C:\Windows\system32\wbem\unsecapp.exe[4108] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076e6c380 5 bytes JMP 0000000076fd04a0 .text C:\Windows\system32\wbem\unsecapp.exe[4108] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076e6c3b0 5 bytes JMP 0000000076fd0390 .text C:\Windows\system32\wbem\unsecapp.exe[4108] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076e6c490 5 bytes JMP 0000000076fd02e0 .text C:\Windows\system32\wbem\unsecapp.exe[4108] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076e6c4a0 5 bytes JMP 0000000076fd0340 .text C:\Windows\system32\wbem\unsecapp.exe[4108] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076e6c500 5 bytes JMP 0000000076fd0280 .text C:\Windows\system32\wbem\unsecapp.exe[4108] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076e6c590 5 bytes JMP 0000000076fd02a0 .text C:\Windows\system32\wbem\unsecapp.exe[4108] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e6c5b0 5 bytes JMP 0000000076fd03c0 .text C:\Windows\system32\wbem\unsecapp.exe[4108] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076e6c5c0 5 bytes JMP 0000000076fd0320 .text C:\Windows\system32\wbem\unsecapp.exe[4108] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076e6c630 5 bytes JMP 0000000076fd0410 .text C:\Windows\system32\wbem\unsecapp.exe[4108] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076e6c660 5 bytes JMP 0000000076fd0230 .text C:\Windows\system32\wbem\unsecapp.exe[4108] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000076e6c800 5 bytes JMP 0000000076fd03f0 .text C:\Windows\system32\wbem\unsecapp.exe[4108] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e6c920 5 bytes JMP 0000000076fd01d0 .text C:\Windows\system32\wbem\unsecapp.exe[4108] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076e6c9e0 5 bytes JMP 0000000076fd0240 .text C:\Windows\system32\wbem\unsecapp.exe[4108] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076e6ca10 5 bytes JMP 0000000076fd04b0 .text C:\Windows\system32\wbem\unsecapp.exe[4108] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076e6ca20 5 bytes JMP 0000000076fd04c0 .text C:\Windows\system32\wbem\unsecapp.exe[4108] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076e6ca50 5 bytes JMP 0000000076fd02f0 .text C:\Windows\system32\wbem\unsecapp.exe[4108] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076e6ca60 5 bytes JMP 0000000076fd0350 .text C:\Windows\system32\wbem\unsecapp.exe[4108] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076e6cac0 5 bytes JMP 0000000076fd0290 .text C:\Windows\system32\wbem\unsecapp.exe[4108] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076e6cb10 5 bytes JMP 0000000076fd02b0 .text C:\Windows\system32\wbem\unsecapp.exe[4108] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076e6cb40 5 bytes JMP 0000000076fd0370 .text C:\Windows\system32\wbem\unsecapp.exe[4108] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076e6cb50 5 bytes JMP 0000000076fd0330 .text C:\Windows\system32\wbem\unsecapp.exe[4108] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076e6ce40 5 bytes JMP 0000000076fd0460 .text C:\Windows\system32\wbem\unsecapp.exe[4108] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000076e6cfa0 5 bytes JMP 0000000076fd0420 .text C:\Windows\system32\wbem\unsecapp.exe[4108] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076e6d040 5 bytes JMP 0000000076fd0250 .text C:\Windows\system32\wbem\unsecapp.exe[4108] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076e6d050 5 bytes JMP 0000000076fd0260 .text C:\Windows\system32\wbem\unsecapp.exe[4108] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e6d060 5 bytes JMP 0000000076fd0400 .text C:\Windows\system32\wbem\unsecapp.exe[4108] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e6d220 5 bytes JMP 0000000076fd01e0 .text C:\Windows\system32\wbem\unsecapp.exe[4108] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076e6d230 5 bytes JMP 0000000076fd0200 .text C:\Windows\system32\wbem\unsecapp.exe[4108] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076e6d2a0 5 bytes JMP 0000000076fd01f0 .text C:\Windows\system32\wbem\unsecapp.exe[4108] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076e6d300 5 bytes JMP 0000000076fd0430 .text C:\Windows\system32\wbem\unsecapp.exe[4108] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076e6d310 5 bytes JMP 0000000076fd0450 .text C:\Windows\system32\wbem\unsecapp.exe[4108] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076e6d320 5 bytes JMP 0000000076fd0210 .text C:\Windows\system32\wbem\unsecapp.exe[4108] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076e6d400 5 bytes JMP 0000000076fd0270 .text C:\Windows\system32\svchost.exe[4744] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076e6bbe0 5 bytes JMP 0000000076fd0480 .text C:\Windows\system32\svchost.exe[4744] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076e6bc30 5 bytes JMP 0000000076fd0470 .text C:\Windows\system32\svchost.exe[4744] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076e6bd90 5 bytes JMP 0000000076fd0360 .text C:\Windows\system32\svchost.exe[4744] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076e6bde0 5 bytes JMP 0000000076fd0490 .text C:\Windows\system32\svchost.exe[4744] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076e6bdf0 5 bytes JMP 0000000076fd03d0 .text C:\Windows\system32\svchost.exe[4744] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076e6bea0 5 bytes JMP 0000000076fd0310 .text C:\Windows\system32\svchost.exe[4744] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e6bed0 5 bytes JMP 0000000076fd03a0 .text C:\Windows\system32\svchost.exe[4744] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076e6bef0 1 byte JMP 0000000076fd0380 .text C:\Windows\system32\svchost.exe[4744] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 0000000076e6bef2 3 bytes {JMP 0x164490} .text C:\Windows\system32\svchost.exe[4744] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076e6bf30 5 bytes JMP 0000000076fd02d0 .text C:\Windows\system32\svchost.exe[4744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076e6bfb0 5 bytes JMP 0000000076fd02c0 .text C:\Windows\system32\svchost.exe[4744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e6bfd0 5 bytes JMP 0000000076fd0300 .text C:\Windows\system32\svchost.exe[4744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e6c010 5 bytes JMP 0000000076fd03b0 .text C:\Windows\system32\svchost.exe[4744] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076e6c050 5 bytes JMP 0000000076fd0440 .text C:\Windows\system32\svchost.exe[4744] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076e6c060 5 bytes JMP 0000000076fd03e0 .text C:\Windows\system32\svchost.exe[4744] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076e6c1c0 5 bytes JMP 0000000076fd0220 .text C:\Windows\system32\svchost.exe[4744] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076e6c380 5 bytes JMP 0000000076fd04a0 .text C:\Windows\system32\svchost.exe[4744] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076e6c3b0 5 bytes JMP 0000000076fd0390 .text C:\Windows\system32\svchost.exe[4744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076e6c490 5 bytes JMP 0000000076fd02e0 .text C:\Windows\system32\svchost.exe[4744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076e6c4a0 5 bytes JMP 0000000076fd0340 .text C:\Windows\system32\svchost.exe[4744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076e6c500 5 bytes JMP 0000000076fd0280 .text C:\Windows\system32\svchost.exe[4744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076e6c590 5 bytes JMP 0000000076fd02a0 .text C:\Windows\system32\svchost.exe[4744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e6c5b0 5 bytes JMP 0000000076fd03c0 .text C:\Windows\system32\svchost.exe[4744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076e6c5c0 5 bytes JMP 0000000076fd0320 .text C:\Windows\system32\svchost.exe[4744] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076e6c630 5 bytes JMP 0000000076fd0410 .text C:\Windows\system32\svchost.exe[4744] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076e6c660 5 bytes JMP 0000000076fd0230 .text C:\Windows\system32\svchost.exe[4744] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000076e6c800 5 bytes JMP 0000000076fd03f0 .text C:\Windows\system32\svchost.exe[4744] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e6c920 5 bytes JMP 0000000076fd01d0 .text C:\Windows\system32\svchost.exe[4744] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076e6c9e0 5 bytes JMP 0000000076fd0240 .text C:\Windows\system32\svchost.exe[4744] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076e6ca10 5 bytes JMP 0000000076fd04b0 .text C:\Windows\system32\svchost.exe[4744] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076e6ca20 5 bytes JMP 0000000076fd04c0 .text C:\Windows\system32\svchost.exe[4744] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076e6ca50 5 bytes JMP 0000000076fd02f0 .text C:\Windows\system32\svchost.exe[4744] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076e6ca60 5 bytes JMP 0000000076fd0350 .text C:\Windows\system32\svchost.exe[4744] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076e6cac0 5 bytes JMP 0000000076fd0290 .text C:\Windows\system32\svchost.exe[4744] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076e6cb10 5 bytes JMP 0000000076fd02b0 .text C:\Windows\system32\svchost.exe[4744] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076e6cb40 5 bytes JMP 0000000076fd0370 .text C:\Windows\system32\svchost.exe[4744] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076e6cb50 5 bytes JMP 0000000076fd0330 .text C:\Windows\system32\svchost.exe[4744] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076e6ce40 5 bytes JMP 0000000076fd0460 .text C:\Windows\system32\svchost.exe[4744] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000076e6cfa0 5 bytes JMP 0000000076fd0420 .text C:\Windows\system32\svchost.exe[4744] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076e6d040 5 bytes JMP 0000000076fd0250 .text C:\Windows\system32\svchost.exe[4744] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076e6d050 5 bytes JMP 0000000076fd0260 .text C:\Windows\system32\svchost.exe[4744] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e6d060 5 bytes JMP 0000000076fd0400 .text C:\Windows\system32\svchost.exe[4744] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e6d220 5 bytes JMP 0000000076fd01e0 .text C:\Windows\system32\svchost.exe[4744] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076e6d230 5 bytes JMP 0000000076fd0200 .text C:\Windows\system32\svchost.exe[4744] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076e6d2a0 5 bytes JMP 0000000076fd01f0 .text C:\Windows\system32\svchost.exe[4744] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076e6d300 5 bytes JMP 0000000076fd0430 .text C:\Windows\system32\svchost.exe[4744] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076e6d310 5 bytes JMP 0000000076fd0450 .text C:\Windows\system32\svchost.exe[4744] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076e6d320 5 bytes JMP 0000000076fd0210 .text C:\Windows\system32\svchost.exe[4744] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076e6d400 5 bytes JMP 0000000076fd0270 .text C:\Windows\System32\svchost.exe[4892] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076e6bbe0 5 bytes JMP 0000000000070480 .text C:\Windows\System32\svchost.exe[4892] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076e6bc30 5 bytes JMP 0000000000070470 .text C:\Windows\System32\svchost.exe[4892] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076e6bd90 5 bytes JMP 0000000000070360 .text C:\Windows\System32\svchost.exe[4892] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076e6bde0 5 bytes JMP 0000000000070490 .text C:\Windows\System32\svchost.exe[4892] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076e6bdf0 5 bytes JMP 00000000000703d0 .text C:\Windows\System32\svchost.exe[4892] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076e6bea0 5 bytes JMP 0000000000070310 .text C:\Windows\System32\svchost.exe[4892] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e6bed0 5 bytes JMP 00000000000703a0 .text C:\Windows\System32\svchost.exe[4892] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076e6bef0 1 byte JMP 0000000000070380 .text C:\Windows\System32\svchost.exe[4892] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 0000000076e6bef2 3 bytes {JMP 0xffffffff89204490} .text C:\Windows\System32\svchost.exe[4892] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076e6bf30 5 bytes JMP 00000000000702d0 .text C:\Windows\System32\svchost.exe[4892] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076e6bfb0 5 bytes JMP 00000000000702c0 .text C:\Windows\System32\svchost.exe[4892] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e6bfd0 5 bytes JMP 0000000000070300 .text C:\Windows\System32\svchost.exe[4892] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e6c010 5 bytes JMP 00000000000703b0 .text C:\Windows\System32\svchost.exe[4892] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076e6c050 5 bytes JMP 0000000000070440 .text C:\Windows\System32\svchost.exe[4892] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076e6c060 5 bytes JMP 00000000000703e0 .text C:\Windows\System32\svchost.exe[4892] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076e6c1c0 5 bytes JMP 0000000000070220 .text C:\Windows\System32\svchost.exe[4892] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076e6c380 5 bytes JMP 00000000000704a0 .text C:\Windows\System32\svchost.exe[4892] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076e6c3b0 5 bytes JMP 0000000000070390 .text C:\Windows\System32\svchost.exe[4892] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076e6c490 5 bytes JMP 00000000000702e0 .text C:\Windows\System32\svchost.exe[4892] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076e6c4a0 5 bytes JMP 0000000000070340 .text C:\Windows\System32\svchost.exe[4892] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076e6c500 5 bytes JMP 0000000000070280 .text C:\Windows\System32\svchost.exe[4892] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076e6c590 5 bytes JMP 00000000000702a0 .text C:\Windows\System32\svchost.exe[4892] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e6c5b0 5 bytes JMP 00000000000703c0 .text C:\Windows\System32\svchost.exe[4892] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076e6c5c0 5 bytes JMP 0000000000070320 .text C:\Windows\System32\svchost.exe[4892] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076e6c630 5 bytes JMP 0000000000070410 .text C:\Windows\System32\svchost.exe[4892] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076e6c660 5 bytes JMP 0000000000070230 .text C:\Windows\System32\svchost.exe[4892] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000076e6c800 5 bytes JMP 00000000000703f0 .text C:\Windows\System32\svchost.exe[4892] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e6c920 5 bytes JMP 00000000000701d0 .text C:\Windows\System32\svchost.exe[4892] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076e6c9e0 5 bytes JMP 0000000000070240 .text C:\Windows\System32\svchost.exe[4892] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076e6ca10 5 bytes JMP 00000000000704b0 .text C:\Windows\System32\svchost.exe[4892] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076e6ca20 5 bytes JMP 00000000000704c0 .text C:\Windows\System32\svchost.exe[4892] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076e6ca50 5 bytes JMP 00000000000702f0 .text C:\Windows\System32\svchost.exe[4892] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076e6ca60 5 bytes JMP 0000000000070350 .text C:\Windows\System32\svchost.exe[4892] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076e6cac0 5 bytes JMP 0000000000070290 .text C:\Windows\System32\svchost.exe[4892] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076e6cb10 5 bytes JMP 00000000000702b0 .text C:\Windows\System32\svchost.exe[4892] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076e6cb40 5 bytes JMP 0000000000070370 .text C:\Windows\System32\svchost.exe[4892] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076e6cb50 5 bytes JMP 0000000000070330 .text C:\Windows\System32\svchost.exe[4892] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076e6ce40 5 bytes JMP 0000000000070460 .text C:\Windows\System32\svchost.exe[4892] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000076e6cfa0 5 bytes JMP 0000000000070420 .text C:\Windows\System32\svchost.exe[4892] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076e6d040 5 bytes JMP 0000000000070250 .text C:\Windows\System32\svchost.exe[4892] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076e6d050 5 bytes JMP 0000000000070260 .text C:\Windows\System32\svchost.exe[4892] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e6d060 5 bytes JMP 0000000000070400 .text C:\Windows\System32\svchost.exe[4892] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e6d220 5 bytes JMP 00000000000701e0 .text C:\Windows\System32\svchost.exe[4892] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076e6d230 5 bytes JMP 0000000000070200 .text C:\Windows\System32\svchost.exe[4892] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076e6d2a0 5 bytes JMP 00000000000701f0 .text C:\Windows\System32\svchost.exe[4892] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076e6d300 5 bytes JMP 0000000000070430 .text C:\Windows\System32\svchost.exe[4892] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076e6d310 5 bytes JMP 0000000000070450 .text C:\Windows\System32\svchost.exe[4892] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076e6d320 5 bytes JMP 0000000000070210 .text C:\Windows\System32\svchost.exe[4892] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076e6d400 5 bytes JMP 0000000000070270 .text C:\Windows\system32\LogonUI.exe[5080] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076e6bbe0 5 bytes JMP 0000000076fd0480 .text C:\Windows\system32\LogonUI.exe[5080] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076e6bc30 5 bytes JMP 0000000076fd0470 .text C:\Windows\system32\LogonUI.exe[5080] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076e6bd90 5 bytes JMP 0000000076fd0360 .text C:\Windows\system32\LogonUI.exe[5080] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076e6bde0 5 bytes JMP 0000000076fd0490 .text C:\Windows\system32\LogonUI.exe[5080] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076e6bdf0 5 bytes JMP 0000000076fd03d0 .text C:\Windows\system32\LogonUI.exe[5080] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076e6bea0 5 bytes JMP 0000000076fd0310 .text C:\Windows\system32\LogonUI.exe[5080] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e6bed0 5 bytes JMP 0000000076fd03a0 .text C:\Windows\system32\LogonUI.exe[5080] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076e6bef0 1 byte JMP 0000000076fd0380 .text C:\Windows\system32\LogonUI.exe[5080] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 0000000076e6bef2 3 bytes {JMP 0x164490} .text C:\Windows\system32\LogonUI.exe[5080] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076e6bf30 5 bytes JMP 0000000076fd02d0 .text C:\Windows\system32\LogonUI.exe[5080] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076e6bfb0 5 bytes JMP 0000000076fd02c0 .text C:\Windows\system32\LogonUI.exe[5080] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e6bfd0 5 bytes JMP 0000000076fd0300 .text C:\Windows\system32\LogonUI.exe[5080] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e6c010 5 bytes JMP 0000000076fd03b0 .text C:\Windows\system32\LogonUI.exe[5080] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076e6c050 5 bytes JMP 0000000076fd0440 .text C:\Windows\system32\LogonUI.exe[5080] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076e6c060 5 bytes JMP 0000000076fd03e0 .text C:\Windows\system32\LogonUI.exe[5080] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076e6c1c0 5 bytes JMP 0000000076fd0220 .text C:\Windows\system32\LogonUI.exe[5080] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076e6c380 5 bytes JMP 0000000076fd04a0 .text C:\Windows\system32\LogonUI.exe[5080] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076e6c3b0 5 bytes JMP 0000000076fd0390 .text C:\Windows\system32\LogonUI.exe[5080] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076e6c490 5 bytes JMP 0000000076fd02e0 .text C:\Windows\system32\LogonUI.exe[5080] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076e6c4a0 5 bytes JMP 0000000076fd0340 .text C:\Windows\system32\LogonUI.exe[5080] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076e6c500 5 bytes JMP 0000000076fd0280 .text C:\Windows\system32\LogonUI.exe[5080] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076e6c590 5 bytes JMP 0000000076fd02a0 .text C:\Windows\system32\LogonUI.exe[5080] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e6c5b0 5 bytes JMP 0000000076fd03c0 .text C:\Windows\system32\LogonUI.exe[5080] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076e6c5c0 5 bytes JMP 0000000076fd0320 .text C:\Windows\system32\LogonUI.exe[5080] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076e6c630 5 bytes JMP 0000000076fd0410 .text C:\Windows\system32\LogonUI.exe[5080] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076e6c660 5 bytes JMP 0000000076fd0230 .text C:\Windows\system32\LogonUI.exe[5080] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000076e6c800 5 bytes JMP 0000000076fd03f0 .text C:\Windows\system32\LogonUI.exe[5080] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e6c920 5 bytes JMP 0000000076fd01d0 .text C:\Windows\system32\LogonUI.exe[5080] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076e6c9e0 5 bytes JMP 0000000076fd0240 .text C:\Windows\system32\LogonUI.exe[5080] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076e6ca10 5 bytes JMP 0000000076fd04b0 .text C:\Windows\system32\LogonUI.exe[5080] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076e6ca20 5 bytes JMP 0000000076fd04c0 .text C:\Windows\system32\LogonUI.exe[5080] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076e6ca50 5 bytes JMP 0000000076fd02f0 .text C:\Windows\system32\LogonUI.exe[5080] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076e6ca60 5 bytes JMP 0000000076fd0350 .text C:\Windows\system32\LogonUI.exe[5080] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076e6cac0 5 bytes JMP 0000000076fd0290 .text C:\Windows\system32\LogonUI.exe[5080] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076e6cb10 5 bytes JMP 0000000076fd02b0 .text C:\Windows\system32\LogonUI.exe[5080] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076e6cb40 5 bytes JMP 0000000076fd0370 .text C:\Windows\system32\LogonUI.exe[5080] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076e6cb50 5 bytes JMP 0000000076fd0330 .text C:\Windows\system32\LogonUI.exe[5080] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076e6ce40 5 bytes JMP 0000000076fd0460 .text C:\Windows\system32\LogonUI.exe[5080] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000076e6cfa0 5 bytes JMP 0000000076fd0420 .text C:\Windows\system32\LogonUI.exe[5080] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076e6d040 5 bytes JMP 0000000076fd0250 .text C:\Windows\system32\LogonUI.exe[5080] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076e6d050 5 bytes JMP 0000000076fd0260 .text C:\Windows\system32\LogonUI.exe[5080] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e6d060 5 bytes JMP 0000000076fd0400 .text C:\Windows\system32\LogonUI.exe[5080] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e6d220 5 bytes JMP 0000000076fd01e0 .text C:\Windows\system32\LogonUI.exe[5080] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076e6d230 5 bytes JMP 0000000076fd0200 .text C:\Windows\system32\LogonUI.exe[5080] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076e6d2a0 5 bytes JMP 0000000076fd01f0 .text C:\Windows\system32\LogonUI.exe[5080] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076e6d300 5 bytes JMP 0000000076fd0430 .text C:\Windows\system32\LogonUI.exe[5080] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076e6d310 5 bytes JMP 0000000076fd0450 .text C:\Windows\system32\LogonUI.exe[5080] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076e6d320 5 bytes JMP 0000000076fd0210 .text C:\Windows\system32\LogonUI.exe[5080] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076e6d400 5 bytes JMP 0000000076fd0270 .text C:\Windows\system32\wbem\wmiprvse.exe[4248] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076e6bbe0 5 bytes JMP 0000000076fd0480 .text C:\Windows\system32\wbem\wmiprvse.exe[4248] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076e6bc30 5 bytes JMP 0000000076fd0470 .text C:\Windows\system32\wbem\wmiprvse.exe[4248] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076e6bd90 5 bytes JMP 0000000076fd0360 .text C:\Windows\system32\wbem\wmiprvse.exe[4248] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076e6bde0 5 bytes JMP 0000000076fd0490 .text C:\Windows\system32\wbem\wmiprvse.exe[4248] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076e6bdf0 5 bytes JMP 0000000076fd03d0 .text C:\Windows\system32\wbem\wmiprvse.exe[4248] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076e6bea0 5 bytes JMP 0000000076fd0310 .text C:\Windows\system32\wbem\wmiprvse.exe[4248] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e6bed0 5 bytes JMP 0000000076fd03a0 .text C:\Windows\system32\wbem\wmiprvse.exe[4248] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076e6bef0 1 byte JMP 0000000076fd0380 .text C:\Windows\system32\wbem\wmiprvse.exe[4248] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 0000000076e6bef2 3 bytes {JMP 0x164490} .text C:\Windows\system32\wbem\wmiprvse.exe[4248] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076e6bf30 5 bytes JMP 0000000076fd02d0 .text C:\Windows\system32\wbem\wmiprvse.exe[4248] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076e6bfb0 5 bytes JMP 0000000076fd02c0 .text C:\Windows\system32\wbem\wmiprvse.exe[4248] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e6bfd0 5 bytes JMP 0000000076fd0300 .text C:\Windows\system32\wbem\wmiprvse.exe[4248] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e6c010 5 bytes JMP 0000000076fd03b0 .text C:\Windows\system32\wbem\wmiprvse.exe[4248] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076e6c050 5 bytes JMP 0000000076fd0440 .text C:\Windows\system32\wbem\wmiprvse.exe[4248] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076e6c060 5 bytes JMP 0000000076fd03e0 .text C:\Windows\system32\wbem\wmiprvse.exe[4248] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076e6c1c0 5 bytes JMP 0000000076fd0220 .text C:\Windows\system32\wbem\wmiprvse.exe[4248] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076e6c380 5 bytes JMP 0000000076fd04a0 .text C:\Windows\system32\wbem\wmiprvse.exe[4248] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076e6c3b0 5 bytes JMP 0000000076fd0390 .text C:\Windows\system32\wbem\wmiprvse.exe[4248] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076e6c490 5 bytes JMP 0000000076fd02e0 .text C:\Windows\system32\wbem\wmiprvse.exe[4248] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076e6c4a0 5 bytes JMP 0000000076fd0340 .text C:\Windows\system32\wbem\wmiprvse.exe[4248] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076e6c500 5 bytes JMP 0000000076fd0280 .text C:\Windows\system32\wbem\wmiprvse.exe[4248] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076e6c590 5 bytes JMP 0000000076fd02a0 .text C:\Windows\system32\wbem\wmiprvse.exe[4248] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e6c5b0 5 bytes JMP 0000000076fd03c0 .text C:\Windows\system32\wbem\wmiprvse.exe[4248] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076e6c5c0 5 bytes JMP 0000000076fd0320 .text C:\Windows\system32\wbem\wmiprvse.exe[4248] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076e6c630 5 bytes JMP 0000000076fd0410 .text C:\Windows\system32\wbem\wmiprvse.exe[4248] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076e6c660 5 bytes JMP 0000000076fd0230 .text C:\Windows\system32\wbem\wmiprvse.exe[4248] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000076e6c800 5 bytes JMP 0000000076fd03f0 .text C:\Windows\system32\wbem\wmiprvse.exe[4248] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e6c920 5 bytes JMP 0000000076fd01d0 .text C:\Windows\system32\wbem\wmiprvse.exe[4248] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076e6c9e0 5 bytes JMP 0000000076fd0240 .text C:\Windows\system32\wbem\wmiprvse.exe[4248] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076e6ca10 5 bytes JMP 0000000076fd04b0 .text C:\Windows\system32\wbem\wmiprvse.exe[4248] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076e6ca20 5 bytes JMP 0000000076fd04c0 .text C:\Windows\system32\wbem\wmiprvse.exe[4248] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076e6ca50 5 bytes JMP 0000000076fd02f0 .text C:\Windows\system32\wbem\wmiprvse.exe[4248] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076e6ca60 5 bytes JMP 0000000076fd0350 .text C:\Windows\system32\wbem\wmiprvse.exe[4248] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076e6cac0 5 bytes JMP 0000000076fd0290 .text C:\Windows\system32\wbem\wmiprvse.exe[4248] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076e6cb10 5 bytes JMP 0000000076fd02b0 .text C:\Windows\system32\wbem\wmiprvse.exe[4248] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076e6cb40 5 bytes JMP 0000000076fd0370 .text C:\Windows\system32\wbem\wmiprvse.exe[4248] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076e6cb50 5 bytes JMP 0000000076fd0330 .text C:\Windows\system32\wbem\wmiprvse.exe[4248] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076e6ce40 5 bytes JMP 0000000076fd0460 .text C:\Windows\system32\wbem\wmiprvse.exe[4248] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000076e6cfa0 5 bytes JMP 0000000076fd0420 .text C:\Windows\system32\wbem\wmiprvse.exe[4248] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076e6d040 5 bytes JMP 0000000076fd0250 .text C:\Windows\system32\wbem\wmiprvse.exe[4248] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076e6d050 5 bytes JMP 0000000076fd0260 .text C:\Windows\system32\wbem\wmiprvse.exe[4248] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e6d060 5 bytes JMP 0000000076fd0400 .text C:\Windows\system32\wbem\wmiprvse.exe[4248] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e6d220 5 bytes JMP 0000000076fd01e0 .text C:\Windows\system32\wbem\wmiprvse.exe[4248] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076e6d230 5 bytes JMP 0000000076fd0200 .text C:\Windows\system32\wbem\wmiprvse.exe[4248] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076e6d2a0 5 bytes JMP 0000000076fd01f0 .text C:\Windows\system32\wbem\wmiprvse.exe[4248] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076e6d300 5 bytes JMP 0000000076fd0430 .text C:\Windows\system32\wbem\wmiprvse.exe[4248] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076e6d310 5 bytes JMP 0000000076fd0450 .text C:\Windows\system32\wbem\wmiprvse.exe[4248] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076e6d320 5 bytes JMP 0000000076fd0210 .text C:\Windows\system32\wbem\wmiprvse.exe[4248] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076e6d400 5 bytes JMP 0000000076fd0270 .text C:\Windows\servicing\TrustedInstaller.exe[4376] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076e6bbe0 5 bytes JMP 0000000076fd0480 .text C:\Windows\servicing\TrustedInstaller.exe[4376] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076e6bc30 5 bytes JMP 0000000076fd0470 .text C:\Windows\servicing\TrustedInstaller.exe[4376] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076e6bd90 5 bytes JMP 0000000076fd0360 .text C:\Windows\servicing\TrustedInstaller.exe[4376] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076e6bde0 5 bytes JMP 0000000076fd0490 .text C:\Windows\servicing\TrustedInstaller.exe[4376] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076e6bdf0 5 bytes JMP 0000000076fd03d0 .text C:\Windows\servicing\TrustedInstaller.exe[4376] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076e6bea0 5 bytes JMP 0000000076fd0310 .text C:\Windows\servicing\TrustedInstaller.exe[4376] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e6bed0 5 bytes JMP 0000000076fd03a0 .text C:\Windows\servicing\TrustedInstaller.exe[4376] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076e6bef0 1 byte JMP 0000000076fd0380 .text C:\Windows\servicing\TrustedInstaller.exe[4376] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 0000000076e6bef2 3 bytes {JMP 0x164490} .text C:\Windows\servicing\TrustedInstaller.exe[4376] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076e6bf30 5 bytes JMP 0000000076fd02d0 .text C:\Windows\servicing\TrustedInstaller.exe[4376] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076e6bfb0 5 bytes JMP 0000000076fd02c0 .text C:\Windows\servicing\TrustedInstaller.exe[4376] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e6bfd0 5 bytes JMP 0000000076fd0300 .text C:\Windows\servicing\TrustedInstaller.exe[4376] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e6c010 5 bytes JMP 0000000076fd03b0 .text C:\Windows\servicing\TrustedInstaller.exe[4376] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000076e6c050 5 bytes JMP 0000000076fd0440 .text C:\Windows\servicing\TrustedInstaller.exe[4376] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076e6c060 5 bytes JMP 0000000076fd03e0 .text C:\Windows\servicing\TrustedInstaller.exe[4376] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076e6c1c0 5 bytes JMP 0000000076fd0220 .text C:\Windows\servicing\TrustedInstaller.exe[4376] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076e6c380 5 bytes JMP 0000000076fd04a0 .text C:\Windows\servicing\TrustedInstaller.exe[4376] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076e6c3b0 5 bytes JMP 0000000076fd0390 .text C:\Windows\servicing\TrustedInstaller.exe[4376] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076e6c490 5 bytes JMP 0000000076fd02e0 .text C:\Windows\servicing\TrustedInstaller.exe[4376] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076e6c4a0 5 bytes JMP 0000000076fd0340 .text C:\Windows\servicing\TrustedInstaller.exe[4376] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076e6c500 5 bytes JMP 0000000076fd0280 .text C:\Windows\servicing\TrustedInstaller.exe[4376] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076e6c590 5 bytes JMP 0000000076fd02a0 .text C:\Windows\servicing\TrustedInstaller.exe[4376] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e6c5b0 5 bytes JMP 0000000076fd03c0 .text C:\Windows\servicing\TrustedInstaller.exe[4376] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076e6c5c0 5 bytes JMP 0000000076fd0320 .text C:\Windows\servicing\TrustedInstaller.exe[4376] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076e6c630 5 bytes JMP 0000000076fd0410 .text C:\Windows\servicing\TrustedInstaller.exe[4376] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076e6c660 5 bytes JMP 0000000076fd0230 .text C:\Windows\servicing\TrustedInstaller.exe[4376] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000076e6c800 5 bytes JMP 0000000076fd03f0 .text C:\Windows\servicing\TrustedInstaller.exe[4376] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e6c920 5 bytes JMP 0000000076fd01d0 .text C:\Windows\servicing\TrustedInstaller.exe[4376] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076e6c9e0 5 bytes JMP 0000000076fd0240 .text C:\Windows\servicing\TrustedInstaller.exe[4376] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076e6ca10 5 bytes JMP 0000000076fd04b0 .text C:\Windows\servicing\TrustedInstaller.exe[4376] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076e6ca20 5 bytes JMP 0000000076fd04c0 .text C:\Windows\servicing\TrustedInstaller.exe[4376] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076e6ca50 5 bytes JMP 0000000076fd02f0 .text C:\Windows\servicing\TrustedInstaller.exe[4376] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076e6ca60 5 bytes JMP 0000000076fd0350 .text C:\Windows\servicing\TrustedInstaller.exe[4376] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076e6cac0 5 bytes JMP 0000000076fd0290 .text C:\Windows\servicing\TrustedInstaller.exe[4376] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076e6cb10 5 bytes JMP 0000000076fd02b0 .text C:\Windows\servicing\TrustedInstaller.exe[4376] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076e6cb40 5 bytes JMP 0000000076fd0370 .text C:\Windows\servicing\TrustedInstaller.exe[4376] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076e6cb50 5 bytes JMP 0000000076fd0330 .text C:\Windows\servicing\TrustedInstaller.exe[4376] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076e6ce40 5 bytes JMP 0000000076fd0460 .text C:\Windows\servicing\TrustedInstaller.exe[4376] C:\Windows\SYSTEM32\ntdll.dll!NtResumeProcess 0000000076e6cfa0 5 bytes JMP 0000000076fd0420 .text C:\Windows\servicing\TrustedInstaller.exe[4376] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076e6d040 5 bytes JMP 0000000076fd0250 .text C:\Windows\servicing\TrustedInstaller.exe[4376] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076e6d050 5 bytes JMP 0000000076fd0260 .text C:\Windows\servicing\TrustedInstaller.exe[4376] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e6d060 5 bytes JMP 0000000076fd0400 .text C:\Windows\servicing\TrustedInstaller.exe[4376] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e6d220 5 bytes JMP 0000000076fd01e0 .text C:\Windows\servicing\TrustedInstaller.exe[4376] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076e6d230 5 bytes JMP 0000000076fd0200 .text C:\Windows\servicing\TrustedInstaller.exe[4376] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076e6d2a0 5 bytes JMP 0000000076fd01f0 .text C:\Windows\servicing\TrustedInstaller.exe[4376] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076e6d300 5 bytes JMP 0000000076fd0430 .text C:\Windows\servicing\TrustedInstaller.exe[4376] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076e6d310 5 bytes JMP 0000000076fd0450 .text C:\Windows\servicing\TrustedInstaller.exe[4376] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076e6d320 5 bytes JMP 0000000076fd0210 .text C:\Windows\servicing\TrustedInstaller.exe[4376] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076e6d400 5 bytes JMP 0000000076fd0270 ---- User IAT/EAT - GMER 2.2 ---- IAT C:\Program Files\Logitech\Gaming Software\LWEMon.exe[2176] @ C:\Windows\system32\kernel32.dll[ntdll.dll!RtlUnlockHeap] [7fef3b78164] C:\Windows\AppPatch\AppPatch64\AcXtrnal.DLL IAT C:\Program Files\Logitech\Gaming Software\LWEMon.exe[2176] @ C:\Windows\system32\kernel32.dll[ntdll.dll!RtlSizeHeap] [7fef3b78260] C:\Windows\AppPatch\AppPatch64\AcXtrnal.DLL IAT C:\Program Files\Logitech\Gaming Software\LWEMon.exe[2176] @ C:\Windows\system32\kernel32.dll[ntdll.dll!RtlReAllocateHeap] [7fef3b773ec] C:\Windows\AppPatch\AppPatch64\AcXtrnal.DLL IAT C:\Program Files\Logitech\Gaming Software\LWEMon.exe[2176] @ C:\Windows\system32\kernel32.dll[ntdll.dll!RtlLockHeap] [7fef3b780e8] C:\Windows\AppPatch\AppPatch64\AcXtrnal.DLL IAT C:\Program Files\Logitech\Gaming Software\LWEMon.exe[2176] @ C:\Windows\system32\kernel32.dll[ntdll.dll!RtlFreeHeap] [7fef3b77a7c] C:\Windows\AppPatch\AppPatch64\AcXtrnal.DLL IAT C:\Program Files\Logitech\Gaming Software\LWEMon.exe[2176] @ C:\Windows\system32\kernel32.dll[ntdll.dll!RtlAllocateHeap] [7fef3b771cc] C:\Windows\AppPatch\AppPatch64\AcXtrnal.DLL IAT C:\Program Files\Logitech\Gaming Software\LWEMon.exe[2176] @ C:\Windows\system32\kernel32.dll[ntdll.dll!RtlCreateHeap] [7fef3b77e84] C:\Windows\AppPatch\AppPatch64\AcXtrnal.DLL IAT C:\Program Files\Logitech\Gaming Software\LWEMon.exe[2176] @ C:\Windows\system32\kernel32.dll[ntdll.dll!RtlDestroyHeap] [7fef3b78048] C:\Windows\AppPatch\AppPatch64\AcXtrnal.DLL IAT C:\Program Files\Logitech\Gaming Software\LWEMon.exe[2176] @ C:\Windows\system32\kernel32.dll[ntdll.dll!RtlExitUserProcess] [7fef3b782e4] C:\Windows\AppPatch\AppPatch64\AcXtrnal.DLL IAT C:\Program Files\Logitech\Gaming Software\LWEMon.exe[2176] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!RtlAllocateHeap] [7fef3b771cc] C:\Windows\AppPatch\AppPatch64\AcXtrnal.DLL IAT C:\Program Files\Logitech\Gaming Software\LWEMon.exe[2176] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!RtlFreeHeap] [7fef3b77a7c] C:\Windows\AppPatch\AppPatch64\AcXtrnal.DLL IAT C:\Program Files\Logitech\Gaming Software\LWEMon.exe[2176] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!RtlExitUserProcess] [7fef3b782e4] C:\Windows\AppPatch\AppPatch64\AcXtrnal.DLL IAT C:\Program Files\Logitech\Gaming Software\LWEMon.exe[2176] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!RtlReAllocateHeap] [7fef3b773ec] C:\Windows\AppPatch\AppPatch64\AcXtrnal.DLL IAT C:\Program Files\Logitech\Gaming Software\LWEMon.exe[2176] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!RtlLockHeap] [7fef3b780e8] C:\Windows\AppPatch\AppPatch64\AcXtrnal.DLL IAT C:\Program Files\Logitech\Gaming Software\LWEMon.exe[2176] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!RtlUnlockHeap] [7fef3b78164] C:\Windows\AppPatch\AppPatch64\AcXtrnal.DLL IAT C:\Program Files\Logitech\Gaming Software\LWEMon.exe[2176] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!RtlCreateHeap] [7fef3b77e84] C:\Windows\AppPatch\AppPatch64\AcXtrnal.DLL IAT C:\Program Files\Logitech\Gaming Software\LWEMon.exe[2176] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!RtlDestroyHeap] [7fef3b78048] C:\Windows\AppPatch\AppPatch64\AcXtrnal.DLL IAT C:\Program Files\Logitech\Gaming Software\LWEMon.exe[2176] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!RtlValidateHeap] [7fef3b781c0] C:\Windows\AppPatch\AppPatch64\AcXtrnal.DLL IAT C:\Program Files\Logitech\Gaming Software\LWEMon.exe[2176] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!RtlWalkHeap] [7fef3b78054] C:\Windows\AppPatch\AppPatch64\AcXtrnal.DLL IAT C:\Program Files\Logitech\Gaming Software\LWEMon.exe[2176] @ C:\Windows\WinSxS\amd64_microsoft.vc80.mfc_1fc8b3b9a1e18e3b_8.0.50727.6195_none_8448b2bd328df189\MFC80U.DLL[KERNEL32.dll!CreateFileW] [7fef430a42c] C:\Windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\Program Files\Logitech\Gaming Software\LWEMon.exe[2176] @ C:\Windows\WinSxS\amd64_microsoft.vc80.mfc_1fc8b3b9a1e18e3b_8.0.50727.6195_none_8448b2bd328df189\MFC80U.DLL[KERNEL32.dll!MoveFileW] [7fef430a6e0] C:\Windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\Program Files\Logitech\Gaming Software\LWEMon.exe[2176] @ C:\Windows\WinSxS\amd64_microsoft.vc80.mfc_1fc8b3b9a1e18e3b_8.0.50727.6195_none_8448b2bd328df189\MFC80U.DLL[KERNEL32.dll!DeleteFileW] [7fef430a5e4] C:\Windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\Program Files\Logitech\Gaming Software\LWEMon.exe[2176] @ C:\Windows\WinSxS\amd64_microsoft.vc80.mfc_1fc8b3b9a1e18e3b_8.0.50727.6195_none_8448b2bd328df189\MFC80U.DLL[KERNEL32.dll!GetProcAddress] [7fefc994230] C:\Windows\system32\apphelp.dll IAT C:\Program Files\Logitech\Gaming Software\LWEMon.exe[2176] @ C:\Windows\WinSxS\amd64_microsoft.vc80.mfc_1fc8b3b9a1e18e3b_8.0.50727.6195_none_8448b2bd328df189\MFC80U.DLL[KERNEL32.dll!SetFileAttributesW] [7fef430abe0] C:\Windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\Program Files\Logitech\Gaming Software\LWEMon.exe[2176] @ C:\Windows\WinSxS\amd64_microsoft.vc80.mfc_1fc8b3b9a1e18e3b_8.0.50727.6195_none_8448b2bd328df189\MFC80U.DLL[KERNEL32.dll!CopyFileW] [7fef430a184] C:\Windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\Program Files\Logitech\Gaming Software\LWEMon.exe[2176] @ C:\Windows\WinSxS\amd64_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.6195_none_88e41e092fab0294\MSVCR80.dll[KERNEL32.dll!GetProcAddress] [7fefc994230] C:\Windows\system32\apphelp.dll IAT C:\Program Files\Logitech\Gaming Software\LWEMon.exe[2176] @ C:\Windows\WinSxS\amd64_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.6195_none_88e41e092fab0294\MSVCR80.dll[KERNEL32.dll!CreateFileA] [7fef430a2d8] C:\Windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\Program Files\Logitech\Gaming Software\LWEMon.exe[2176] @ C:\Windows\WinSxS\amd64_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.6195_none_88e41e092fab0294\MSVCR80.dll[KERNEL32.dll!SetFileAttributesA] [7fef430ab7c] C:\Windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\Program Files\Logitech\Gaming Software\LWEMon.exe[2176] @ C:\Windows\WinSxS\amd64_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.6195_none_88e41e092fab0294\MSVCR80.dll[KERNEL32.dll!DeleteFileA] [7fef430a580] C:\Windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\Program Files\Logitech\Gaming Software\LWEMon.exe[2176] @ C:\Windows\WinSxS\amd64_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.6195_none_88e41e092fab0294\MSVCR80.dll[KERNEL32.dll!SetFileAttributesW] [7fef430abe0] C:\Windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\Program Files\Logitech\Gaming Software\LWEMon.exe[2176] @ C:\Windows\WinSxS\amd64_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.6195_none_88e41e092fab0294\MSVCR80.dll[KERNEL32.dll!DeleteFileW] [7fef430a5e4] C:\Windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\Program Files\Logitech\Gaming Software\LWEMon.exe[2176] @ C:\Windows\WinSxS\amd64_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.6195_none_88e41e092fab0294\MSVCR80.dll[KERNEL32.dll!MoveFileW] [7fef430a6e0] C:\Windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\Program Files\Logitech\Gaming Software\LWEMon.exe[2176] @ C:\Windows\WinSxS\amd64_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.6195_none_88e41e092fab0294\MSVCR80.dll[KERNEL32.dll!MoveFileA] [7fef430a648] C:\Windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\Program Files\Logitech\Gaming Software\LWEMon.exe[2176] @ C:\Windows\WinSxS\amd64_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.6195_none_88e41e092fab0294\MSVCR80.dll[KERNEL32.dll!CreateFileW] [7fef430a42c] C:\Windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\Program Files\Logitech\Gaming Software\LWEMon.exe[2176] @ C:\Windows\system32\USER32.dll[ntdll.dll!RtlFreeHeap] [7fef3b77a7c] C:\Windows\AppPatch\AppPatch64\AcXtrnal.DLL IAT C:\Program Files\Logitech\Gaming Software\LWEMon.exe[2176] @ C:\Windows\system32\USER32.dll[ntdll.dll!RtlAllocateHeap] [7fef3b771cc] C:\Windows\AppPatch\AppPatch64\AcXtrnal.DLL IAT C:\Program Files\Logitech\Gaming Software\LWEMon.exe[2176] @ C:\Windows\system32\USER32.dll[ntdll.dll!RtlReAllocateHeap] [7fef3b773ec] C:\Windows\AppPatch\AppPatch64\AcXtrnal.DLL IAT C:\Program Files\Logitech\Gaming Software\LWEMon.exe[2176] @ C:\Windows\system32\USER32.dll[ntdll.dll!RtlSizeHeap] [7fef3b78260] C:\Windows\AppPatch\AppPatch64\AcXtrnal.DLL IAT C:\Program Files\Logitech\Gaming Software\LWEMon.exe[2176] @ C:\Windows\system32\USER32.dll[KERNEL32.dll!RegOpenKeyExW] [7fef430b6d0] C:\Windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\Program Files\Logitech\Gaming Software\LWEMon.exe[2176] @ C:\Windows\system32\USER32.dll[KERNEL32.dll!RegCreateKeyExW] [7fef430b4f4] C:\Windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\Program Files\Logitech\Gaming Software\LWEMon.exe[2176] @ C:\Windows\system32\USER32.dll[KERNEL32.dll!RegSetValueExW] [7fef430baa8] C:\Windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\Program Files\Logitech\Gaming Software\LWEMon.exe[2176] @ C:\Windows\system32\USER32.dll[KERNEL32.dll!GetProcAddress] [7fefc994230] C:\Windows\system32\apphelp.dll IAT C:\Program Files\Logitech\Gaming Software\LWEMon.exe[2176] @ C:\Windows\system32\USER32.dll[KERNEL32.dll!CreateFileW] [7fef430a42c] C:\Windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\Program Files\Logitech\Gaming Software\LWEMon.exe[2176] @ C:\Windows\system32\SHLWAPI.dll[KERNEL32.dll!DeleteFileW] [7fef430a5e4] C:\Windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\Program Files\Logitech\Gaming Software\LWEMon.exe[2176] @ C:\Windows\system32\SHLWAPI.dll[KERNEL32.dll!CreateFileW] [7fef430a42c] C:\Windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\Program Files\Logitech\Gaming Software\LWEMon.exe[2176] @ C:\Windows\system32\SHLWAPI.dll[KERNEL32.dll!SetFileAttributesW] [7fef430abe0] C:\Windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\Program Files\Logitech\Gaming Software\LWEMon.exe[2176] @ C:\Windows\system32\SHLWAPI.dll[KERNEL32.dll!SetFileAttributesA] [7fef430ab7c] C:\Windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\Program Files\Logitech\Gaming Software\LWEMon.exe[2176] @ C:\Windows\system32\SHLWAPI.dll[KERNEL32.dll!GetProcAddress] [7fefc994230] C:\Windows\system32\apphelp.dll IAT C:\Program Files\Logitech\Gaming Software\LWEMon.exe[2176] @ C:\Windows\system32\SHLWAPI.dll[KERNEL32.dll!CreateFileA] [7fef430a2d8] C:\Windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\Program Files\Logitech\Gaming Software\LWEMon.exe[2176] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!RtlAllocateHeap] [7fef3b771cc] C:\Windows\AppPatch\AppPatch64\AcXtrnal.DLL IAT C:\Program Files\Logitech\Gaming Software\LWEMon.exe[2176] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!RtlFreeHeap] [7fef3b77a7c] C:\Windows\AppPatch\AppPatch64\AcXtrnal.DLL IAT C:\Program Files\Logitech\Gaming Software\LWEMon.exe[2176] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!RtlReAllocateHeap] [7fef3b773ec] C:\Windows\AppPatch\AppPatch64\AcXtrnal.DLL IAT C:\Program Files\Logitech\Gaming Software\LWEMon.exe[2176] @ C:\Windows\system32\ADVAPI32.dll[KERNEL32.dll!CopyFileW] [7fef430a184] C:\Windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\Program Files\Logitech\Gaming Software\LWEMon.exe[2176] @ C:\Windows\system32\ADVAPI32.dll[KERNEL32.dll!GetProcAddress] [7fefc994230] C:\Windows\system32\apphelp.dll IAT C:\Program Files\Logitech\Gaming Software\LWEMon.exe[2176] @ C:\Windows\system32\ADVAPI32.dll[KERNEL32.dll!CreateFileW] [7fef430a42c] C:\Windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\Program Files\Logitech\Gaming Software\LWEMon.exe[2176] @ C:\Windows\system32\ADVAPI32.dll[KERNEL32.dll!DeleteFileW] [7fef430a5e4] C:\Windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\Program Files\Logitech\Gaming Software\LWEMon.exe[2176] @ C:\Windows\system32\RPCRT4.dll[ntdll.dll!RtlFreeHeap] [7fef3b77a7c] C:\Windows\AppPatch\AppPatch64\AcXtrnal.DLL IAT C:\Program Files\Logitech\Gaming Software\LWEMon.exe[2176] @ C:\Windows\system32\RPCRT4.dll[ntdll.dll!RtlAllocateHeap] [7fef3b771cc] C:\Windows\AppPatch\AppPatch64\AcXtrnal.DLL IAT C:\Program Files\Logitech\Gaming Software\LWEMon.exe[2176] @ C:\Windows\system32\IMM32.DLL[KERNEL32.dll!OpenFile] [7fef430a890] C:\Windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\Program Files\Logitech\Gaming Software\LWEMon.exe[2176] @ C:\Windows\system32\IMM32.DLL[KERNEL32.dll!CreateFileW] [7fef430a42c] C:\Windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\Program Files\Logitech\Gaming Software\LWEMon.exe[2176] @ C:\Windows\system32\IMM32.DLL[KERNEL32.dll!GetProcAddress] [7fefc994230] C:\Windows\system32\apphelp.dll IAT C:\Program Files\Logitech\Gaming Software\LWEMon.exe[2176] @ C:\Windows\system32\MSCTF.dll[KERNEL32.dll!GetProcAddress] [7fefc994230] C:\Windows\system32\apphelp.dll IAT C:\Program Files\Logitech\Gaming Software\LWEMon.exe[2176] @ C:\Windows\system32\OLEAUT32.dll[KERNEL32.dll!GetProcAddress] [7fefc994230] C:\Windows\system32\apphelp.dll IAT C:\Program Files\Logitech\Gaming Software\LWEMon.exe[2176] @ C:\Windows\system32\OLEAUT32.dll[KERNEL32.dll!_lwrite] [7fef430aa1c] C:\Windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\Program Files\Logitech\Gaming Software\LWEMon.exe[2176] @ C:\Windows\system32\OLEAUT32.dll[KERNEL32.dll!CreateFileW] [7fef430a42c] C:\Windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\Program Files\Logitech\Gaming Software\LWEMon.exe[2176] @ C:\Windows\system32\OLEAUT32.dll[KERNEL32.dll!CreateFileA] [7fef430a2d8] C:\Windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\Program Files\Logitech\Gaming Software\LWEMon.exe[2176] @ C:\Windows\system32\SETUPAPI.dll[KERNEL32.dll!MoveFileExW] [7fef430a804] C:\Windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\Program Files\Logitech\Gaming Software\LWEMon.exe[2176] @ C:\Windows\system32\SETUPAPI.dll[KERNEL32.dll!CopyFileW] [7fef430a184] C:\Windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\Program Files\Logitech\Gaming Software\LWEMon.exe[2176] @ C:\Windows\system32\SETUPAPI.dll[KERNEL32.dll!CreateFileA] [7fef430a2d8] C:\Windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\Program Files\Logitech\Gaming Software\LWEMon.exe[2176] @ C:\Windows\system32\SETUPAPI.dll[KERNEL32.dll!RegSetValueExW] [7fef430baa8] C:\Windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\Program Files\Logitech\Gaming Software\LWEMon.exe[2176] @ C:\Windows\system32\SETUPAPI.dll[KERNEL32.dll!RegDeleteValueW] [7fef430bbc8] C:\Windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\Program Files\Logitech\Gaming Software\LWEMon.exe[2176] @ C:\Windows\system32\SETUPAPI.dll[KERNEL32.dll!RegCreateKeyExW] [7fef430b4f4] C:\Windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\Program Files\Logitech\Gaming Software\LWEMon.exe[2176] @ C:\Windows\system32\SETUPAPI.dll[KERNEL32.dll!RegOpenKeyExW] [7fef430b6d0] C:\Windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\Program Files\Logitech\Gaming Software\LWEMon.exe[2176] @ C:\Windows\system32\SETUPAPI.dll[KERNEL32.dll!GetProcAddress] [7fefc994230] C:\Windows\system32\apphelp.dll IAT C:\Program Files\Logitech\Gaming Software\LWEMon.exe[2176] @ C:\Windows\system32\SETUPAPI.dll[KERNEL32.dll!MoveFileW] [7fef430a6e0] C:\Windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\Program Files\Logitech\Gaming Software\LWEMon.exe[2176] @ C:\Windows\system32\SETUPAPI.dll[KERNEL32.dll!DeleteFileW] [7fef430a5e4] C:\Windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\Program Files\Logitech\Gaming Software\LWEMon.exe[2176] @ C:\Windows\system32\SETUPAPI.dll[KERNEL32.dll!SetFileAttributesW] [7fef430abe0] C:\Windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\Program Files\Logitech\Gaming Software\LWEMon.exe[2176] @ C:\Windows\system32\SETUPAPI.dll[KERNEL32.dll!CreateFileW] [7fef430a42c] C:\Windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\Program Files\Logitech\Gaming Software\LWEMon.exe[2176] @ C:\Windows\system32\CRYPT32.dll[ntdll.dll!RtlAllocateHeap] [7fef3b771cc] C:\Windows\AppPatch\AppPatch64\AcXtrnal.DLL IAT C:\Program Files\Logitech\Gaming Software\LWEMon.exe[2176] @ C:\Windows\system32\CRYPT32.dll[ntdll.dll!RtlFreeHeap] [7fef3b77a7c] C:\Windows\AppPatch\AppPatch64\AcXtrnal.DLL IAT C:\Program Files\Logitech\Gaming Software\LWEMon.exe[2176] @ C:\Windows\system32\CRYPT32.dll[KERNEL32.dll!CreateFileA] [7fef430a2d8] C:\Windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\Program Files\Logitech\Gaming Software\LWEMon.exe[2176] @ C:\Windows\system32\CRYPT32.dll[KERNEL32.dll!DeleteFileW] [7fef430a5e4] C:\Windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\Program Files\Logitech\Gaming Software\LWEMon.exe[2176] @ C:\Windows\system32\CRYPT32.dll[KERNEL32.dll!SetFileAttributesW] [7fef430abe0] C:\Windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\Program Files\Logitech\Gaming Software\LWEMon.exe[2176] @ C:\Windows\system32\CRYPT32.dll[KERNEL32.dll!CreateFileW] [7fef430a42c] C:\Windows\AppPatch\AppPatch64\AcGenral.DLL IAT C:\Program Files\Logitech\Gaming Software\LWEMon.exe[2176] @ C:\Windows\system32\CRYPT32.dll[KERNEL32.dll!GetProcAddress] [7fefc994230] C:\Windows\system32\apphelp.dll ---- Threads - GMER 2.2 ---- Thread C:\Windows\SysWOW64\rundll32.exe [2188:2348] 000000006f5add78 Thread C:\Windows\SysWOW64\rundll32.exe [2188:2352] 000000006f5add78 Thread C:\Windows\SysWOW64\rundll32.exe [2188:2356] 000000006f5add78 Thread C:\Windows\SysWOW64\rundll32.exe [2188:2360] 000000006f5add78 Thread C:\Windows\SysWOW64\rundll32.exe [2188:2364] 000000006f5add78 Thread C:\Windows\SysWOW64\rundll32.exe [2188:2368] 000000006f5add78 Thread C:\Windows\SysWOW64\rundll32.exe [2188:2372] 000000006f5add78 Thread C:\Windows\SysWOW64\rundll32.exe [2188:2376] 000000006f5add78 Thread C:\Windows\SysWOW64\rundll32.exe [2188:2380] 000000006f5add78 Thread C:\Windows\SysWOW64\rundll32.exe [2188:2384] 000000006f5add78 Thread C:\Windows\SysWOW64\rundll32.exe [2188:2388] 000000006f5add78 Thread C:\Windows\SysWOW64\rundll32.exe [2188:2392] 000000006f5add78 Thread C:\Windows\SysWOW64\rundll32.exe [2188:2396] 000000006f5add78 Thread C:\Windows\SysWOW64\rundll32.exe [2188:2400] 000000006f5add78 Thread C:\Windows\SysWOW64\rundll32.exe [2188:2404] 000000006f5add78 Thread C:\Windows\SysWOW64\rundll32.exe [2188:2408] 000000006f5add78 Thread C:\Windows\SysWOW64\rundll32.exe [2188:2412] 000000006f5add78 Thread C:\Windows\SysWOW64\rundll32.exe [2188:2416] 000000006f5add78 Thread C:\Windows\SysWOW64\rundll32.exe [2188:2420] 000000006f5add78 Thread C:\Windows\SysWOW64\rundll32.exe [2188:2424] 000000006f5add78 ---- EOF - GMER 2.2 ----