GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2015-08-24 11:38:22 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 WDC_WD50 rev.19.0 465,76GB Running: t7suny0y.exe; Driver: C:\Users\PAWEL~1.ZAW\AppData\Local\Temp\kwdyqaog.sys ---- Kernel code sections - GMER 2.1 ---- INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 560 fffff80003204000 16 bytes [C1, 03, 0F, 85, 78, FF, FF, ...] INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 578 fffff80003204012 5 bytes [05, A9, CA, 22, 00] ---- User code sections - GMER 2.1 ---- .text C:\Windows\system32\csrss.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076da13c0 5 bytes JMP 000000014a210460 .text C:\Windows\system32\csrss.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076da1410 5 bytes JMP 000000014a210450 .text C:\Windows\system32\csrss.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076da1570 5 bytes JMP 000000014a210370 .text C:\Windows\system32\csrss.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076da15c0 5 bytes JMP 000000014a210470 .text C:\Windows\system32\csrss.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076da15d0 5 bytes JMP 000000014a2103e0 .text C:\Windows\system32\csrss.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076da1680 5 bytes JMP 000000014a210320 .text C:\Windows\system32\csrss.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076da16b0 5 bytes JMP 000000014a2103b0 .text C:\Windows\system32\csrss.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076da16d0 5 bytes JMP 000000014a210390 .text C:\Windows\system32\csrss.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076da1710 5 bytes JMP 000000014a2102e0 .text C:\Windows\system32\csrss.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076da1790 5 bytes JMP 000000014a2102d0 .text C:\Windows\system32\csrss.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076da17b0 5 bytes JMP 000000014a210310 .text C:\Windows\system32\csrss.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076da17f0 5 bytes JMP 000000014a2103c0 .text C:\Windows\system32\csrss.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076da1840 5 bytes JMP 000000014a2103f0 .text C:\Windows\system32\csrss.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076da19a0 1 byte JMP 000000014a210230 .text C:\Windows\system32\csrss.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076da19a2 3 bytes {JMP 0xffffffffd346e890} .text C:\Windows\system32\csrss.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076da1b60 5 bytes JMP 000000014a210480 .text C:\Windows\system32\csrss.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076da1b90 5 bytes JMP 000000014a2103a0 .text C:\Windows\system32\csrss.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076da1c70 5 bytes JMP 000000014a2102f0 .text C:\Windows\system32\csrss.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076da1c80 5 bytes JMP 000000014a210350 .text C:\Windows\system32\csrss.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076da1ce0 5 bytes JMP 000000014a210290 .text C:\Windows\system32\csrss.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076da1d70 5 bytes JMP 000000014a2102b0 .text C:\Windows\system32\csrss.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076da1d90 5 bytes JMP 000000014a2103d0 .text C:\Windows\system32\csrss.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076da1da0 1 byte JMP 000000014a210330 .text C:\Windows\system32\csrss.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076da1da2 3 bytes {JMP 0xffffffffd346e590} .text C:\Windows\system32\csrss.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076da1e10 5 bytes JMP 000000014a210410 .text C:\Windows\system32\csrss.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076da1e40 5 bytes JMP 000000014a210240 .text C:\Windows\system32\csrss.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076da2100 5 bytes JMP 000000014a2101e0 .text C:\Windows\system32\csrss.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076da21c0 1 byte JMP 000000014a210250 .text C:\Windows\system32\csrss.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076da21c2 3 bytes {JMP 0xffffffffd346e090} .text C:\Windows\system32\csrss.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076da21f0 5 bytes JMP 000000014a210490 .text C:\Windows\system32\csrss.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076da2200 5 bytes JMP 000000014a2104a0 .text C:\Windows\system32\csrss.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076da2230 5 bytes JMP 000000014a210300 .text C:\Windows\system32\csrss.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076da2240 5 bytes JMP 000000014a210360 .text C:\Windows\system32\csrss.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076da22a0 5 bytes JMP 000000014a2102a0 .text C:\Windows\system32\csrss.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076da22f0 5 bytes JMP 000000014a2102c0 .text C:\Windows\system32\csrss.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076da2320 5 bytes JMP 000000014a210380 .text C:\Windows\system32\csrss.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076da2330 5 bytes JMP 000000014a210340 .text C:\Windows\system32\csrss.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076da2620 5 bytes JMP 000000014a210440 .text C:\Windows\system32\csrss.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076da2820 5 bytes JMP 000000014a210260 .text C:\Windows\system32\csrss.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076da2830 5 bytes JMP 000000014a210270 .text C:\Windows\system32\csrss.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076da2840 5 bytes JMP 000000014a210400 .text C:\Windows\system32\csrss.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076da2a00 5 bytes JMP 000000014a2101f0 .text C:\Windows\system32\csrss.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076da2a10 5 bytes JMP 000000014a210210 .text C:\Windows\system32\csrss.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076da2a80 5 bytes JMP 000000014a210200 .text C:\Windows\system32\csrss.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076da2ae0 5 bytes JMP 000000014a210420 .text C:\Windows\system32\csrss.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076da2af0 5 bytes JMP 000000014a210430 .text C:\Windows\system32\csrss.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076da2b00 5 bytes JMP 000000014a210220 .text C:\Windows\system32\csrss.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076da2be0 5 bytes JMP 000000014a210280 .text C:\Windows\system32\wininit.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076da13c0 5 bytes JMP 0000000076f00460 .text C:\Windows\system32\wininit.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076da1410 5 bytes JMP 0000000076f00450 .text C:\Windows\system32\wininit.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076da1570 5 bytes JMP 0000000076f00370 .text C:\Windows\system32\wininit.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076da15c0 5 bytes JMP 0000000076f00470 .text C:\Windows\system32\wininit.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076da15d0 5 bytes JMP 0000000076f003e0 .text C:\Windows\system32\wininit.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076da1680 5 bytes JMP 0000000076f00320 .text C:\Windows\system32\wininit.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076da16b0 5 bytes JMP 0000000076f003b0 .text C:\Windows\system32\wininit.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076da16d0 5 bytes JMP 0000000076f00390 .text C:\Windows\system32\wininit.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076da1710 5 bytes JMP 0000000076f002e0 .text C:\Windows\system32\wininit.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076da1790 5 bytes JMP 0000000076f002d0 .text C:\Windows\system32\wininit.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076da17b0 5 bytes JMP 0000000076f00310 .text C:\Windows\system32\wininit.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076da17f0 5 bytes JMP 0000000076f003c0 .text C:\Windows\system32\wininit.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076da1840 5 bytes JMP 0000000076f003f0 .text C:\Windows\system32\wininit.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076da19a0 1 byte JMP 0000000076f00230 .text C:\Windows\system32\wininit.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076da19a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\wininit.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076da1b60 5 bytes JMP 0000000076f00480 .text C:\Windows\system32\wininit.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076da1b90 5 bytes JMP 0000000076f003a0 .text C:\Windows\system32\wininit.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076da1c70 5 bytes JMP 0000000076f002f0 .text C:\Windows\system32\wininit.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076da1c80 5 bytes JMP 0000000076f00350 .text C:\Windows\system32\wininit.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076da1ce0 5 bytes JMP 0000000076f00290 .text C:\Windows\system32\wininit.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076da1d70 5 bytes JMP 0000000076f002b0 .text C:\Windows\system32\wininit.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076da1d90 5 bytes JMP 0000000076f003d0 .text C:\Windows\system32\wininit.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076da1da0 1 byte JMP 0000000076f00330 .text C:\Windows\system32\wininit.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076da1da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\wininit.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076da1e10 5 bytes JMP 0000000076f00410 .text C:\Windows\system32\wininit.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076da1e40 5 bytes JMP 0000000076f00240 .text C:\Windows\system32\wininit.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076da2100 5 bytes JMP 0000000076f001e0 .text C:\Windows\system32\wininit.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076da21c0 1 byte JMP 0000000076f00250 .text C:\Windows\system32\wininit.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076da21c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\wininit.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076da21f0 5 bytes JMP 0000000076f00490 .text C:\Windows\system32\wininit.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076da2200 5 bytes JMP 0000000076f004a0 .text C:\Windows\system32\wininit.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076da2230 5 bytes JMP 0000000076f00300 .text C:\Windows\system32\wininit.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076da2240 5 bytes JMP 0000000076f00360 .text C:\Windows\system32\wininit.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076da22a0 5 bytes JMP 0000000076f002a0 .text C:\Windows\system32\wininit.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076da22f0 5 bytes JMP 0000000076f002c0 .text C:\Windows\system32\wininit.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076da2320 5 bytes JMP 0000000076f00380 .text C:\Windows\system32\wininit.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076da2330 5 bytes JMP 0000000076f00340 .text C:\Windows\system32\wininit.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076da2620 5 bytes JMP 0000000076f00440 .text C:\Windows\system32\wininit.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076da2820 5 bytes JMP 0000000076f00260 .text C:\Windows\system32\wininit.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076da2830 5 bytes JMP 0000000076f00270 .text C:\Windows\system32\wininit.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076da2840 5 bytes JMP 0000000076f00400 .text C:\Windows\system32\wininit.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076da2a00 5 bytes JMP 0000000076f001f0 .text C:\Windows\system32\wininit.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076da2a10 5 bytes JMP 0000000076f00210 .text C:\Windows\system32\wininit.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076da2a80 5 bytes JMP 0000000076f00200 .text C:\Windows\system32\wininit.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076da2ae0 5 bytes JMP 0000000076f00420 .text C:\Windows\system32\wininit.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076da2af0 5 bytes JMP 0000000076f00430 .text C:\Windows\system32\wininit.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076da2b00 5 bytes JMP 0000000076f00220 .text C:\Windows\system32\wininit.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076da2be0 5 bytes JMP 0000000076f00280 .text C:\Windows\system32\csrss.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076da13c0 5 bytes JMP 000000014a210460 .text C:\Windows\system32\csrss.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076da1410 5 bytes JMP 000000014a210450 .text C:\Windows\system32\csrss.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076da1570 5 bytes JMP 000000014a210370 .text C:\Windows\system32\csrss.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076da15c0 5 bytes JMP 000000014a210470 .text C:\Windows\system32\csrss.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076da15d0 5 bytes JMP 000000014a2103e0 .text C:\Windows\system32\csrss.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076da1680 5 bytes JMP 000000014a210320 .text C:\Windows\system32\csrss.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076da16b0 5 bytes JMP 000000014a2103b0 .text C:\Windows\system32\csrss.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076da16d0 5 bytes JMP 000000014a210390 .text C:\Windows\system32\csrss.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076da1710 5 bytes JMP 000000014a2102e0 .text C:\Windows\system32\csrss.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076da1790 5 bytes JMP 000000014a2102d0 .text C:\Windows\system32\csrss.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076da17b0 5 bytes JMP 000000014a210310 .text C:\Windows\system32\csrss.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076da17f0 5 bytes JMP 000000014a2103c0 .text C:\Windows\system32\csrss.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076da1840 5 bytes JMP 000000014a2103f0 .text C:\Windows\system32\csrss.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076da19a0 1 byte JMP 000000014a210230 .text C:\Windows\system32\csrss.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076da19a2 3 bytes {JMP 0xffffffffd346e890} .text C:\Windows\system32\csrss.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076da1b60 5 bytes JMP 000000014a210480 .text C:\Windows\system32\csrss.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076da1b90 5 bytes JMP 000000014a2103a0 .text C:\Windows\system32\csrss.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076da1c70 5 bytes JMP 000000014a2102f0 .text C:\Windows\system32\csrss.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076da1c80 5 bytes JMP 000000014a210350 .text C:\Windows\system32\csrss.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076da1ce0 5 bytes JMP 000000014a210290 .text C:\Windows\system32\csrss.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076da1d70 5 bytes JMP 000000014a2102b0 .text C:\Windows\system32\csrss.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076da1d90 5 bytes JMP 000000014a2103d0 .text C:\Windows\system32\csrss.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076da1da0 1 byte JMP 000000014a210330 .text C:\Windows\system32\csrss.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076da1da2 3 bytes {JMP 0xffffffffd346e590} .text C:\Windows\system32\csrss.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076da1e10 5 bytes JMP 000000014a210410 .text C:\Windows\system32\csrss.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076da1e40 5 bytes JMP 000000014a210240 .text C:\Windows\system32\csrss.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076da2100 5 bytes JMP 000000014a2101e0 .text C:\Windows\system32\csrss.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076da21c0 1 byte JMP 000000014a210250 .text C:\Windows\system32\csrss.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076da21c2 3 bytes {JMP 0xffffffffd346e090} .text C:\Windows\system32\csrss.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076da21f0 5 bytes JMP 000000014a210490 .text C:\Windows\system32\csrss.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076da2200 5 bytes JMP 000000014a2104a0 .text C:\Windows\system32\csrss.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076da2230 5 bytes JMP 000000014a210300 .text C:\Windows\system32\csrss.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076da2240 5 bytes JMP 000000014a210360 .text C:\Windows\system32\csrss.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076da22a0 5 bytes JMP 000000014a2102a0 .text C:\Windows\system32\csrss.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076da22f0 5 bytes JMP 000000014a2102c0 .text C:\Windows\system32\csrss.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076da2320 5 bytes JMP 000000014a210380 .text C:\Windows\system32\csrss.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076da2330 5 bytes JMP 000000014a210340 .text C:\Windows\system32\csrss.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076da2620 5 bytes JMP 000000014a210440 .text C:\Windows\system32\csrss.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076da2820 5 bytes JMP 000000014a210260 .text C:\Windows\system32\csrss.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076da2830 5 bytes JMP 000000014a210270 .text C:\Windows\system32\csrss.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076da2840 5 bytes JMP 000000014a210400 .text C:\Windows\system32\csrss.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076da2a00 5 bytes JMP 000000014a2101f0 .text C:\Windows\system32\csrss.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076da2a10 5 bytes JMP 000000014a210210 .text C:\Windows\system32\csrss.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076da2a80 5 bytes JMP 000000014a210200 .text C:\Windows\system32\csrss.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076da2ae0 5 bytes JMP 000000014a210420 .text C:\Windows\system32\csrss.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076da2af0 5 bytes JMP 000000014a210430 .text C:\Windows\system32\csrss.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076da2b00 5 bytes JMP 000000014a210220 .text C:\Windows\system32\csrss.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076da2be0 5 bytes JMP 000000014a210280 .text C:\Windows\system32\services.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076da13c0 5 bytes JMP 0000000076f00460 .text C:\Windows\system32\services.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076da1410 5 bytes JMP 0000000076f00450 .text C:\Windows\system32\services.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076da1570 5 bytes JMP 0000000076f00370 .text C:\Windows\system32\services.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076da15c0 5 bytes JMP 0000000076f00470 .text C:\Windows\system32\services.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076da15d0 5 bytes JMP 0000000076f003e0 .text C:\Windows\system32\services.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076da1680 5 bytes JMP 0000000076f00320 .text C:\Windows\system32\services.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076da16b0 5 bytes JMP 0000000076f003b0 .text C:\Windows\system32\services.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076da16d0 5 bytes JMP 0000000076f00390 .text C:\Windows\system32\services.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076da1710 5 bytes JMP 0000000076f002e0 .text C:\Windows\system32\services.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076da1790 5 bytes JMP 0000000076f002d0 .text C:\Windows\system32\services.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076da17b0 5 bytes JMP 0000000076f00310 .text C:\Windows\system32\services.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076da17f0 5 bytes JMP 0000000076f003c0 .text C:\Windows\system32\services.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076da1840 5 bytes JMP 0000000076f003f0 .text C:\Windows\system32\services.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076da19a0 1 byte JMP 0000000076f00230 .text C:\Windows\system32\services.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076da19a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\services.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076da1b60 5 bytes JMP 0000000076f00480 .text C:\Windows\system32\services.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076da1b90 5 bytes JMP 0000000076f003a0 .text C:\Windows\system32\services.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076da1c70 5 bytes JMP 0000000076f002f0 .text C:\Windows\system32\services.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076da1c80 5 bytes JMP 0000000076f00350 .text C:\Windows\system32\services.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076da1ce0 5 bytes JMP 0000000076f00290 .text C:\Windows\system32\services.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076da1d70 5 bytes JMP 0000000076f002b0 .text C:\Windows\system32\services.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076da1d90 5 bytes JMP 0000000076f003d0 .text C:\Windows\system32\services.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076da1da0 1 byte JMP 0000000076f00330 .text C:\Windows\system32\services.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076da1da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\services.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076da1e10 5 bytes JMP 0000000076f00410 .text C:\Windows\system32\services.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076da1e40 5 bytes JMP 0000000076f00240 .text C:\Windows\system32\services.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076da2100 5 bytes JMP 0000000076f001e0 .text C:\Windows\system32\services.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076da21c0 1 byte JMP 0000000076f00250 .text C:\Windows\system32\services.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076da21c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\services.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076da21f0 5 bytes JMP 0000000076f00490 .text C:\Windows\system32\services.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076da2200 5 bytes JMP 0000000076f004a0 .text C:\Windows\system32\services.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076da2230 5 bytes JMP 0000000076f00300 .text C:\Windows\system32\services.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076da2240 5 bytes JMP 0000000076f00360 .text C:\Windows\system32\services.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076da22a0 5 bytes JMP 0000000076f002a0 .text C:\Windows\system32\services.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076da22f0 5 bytes JMP 0000000076f002c0 .text C:\Windows\system32\services.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076da2320 5 bytes JMP 0000000076f00380 .text C:\Windows\system32\services.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076da2330 5 bytes JMP 0000000076f00340 .text C:\Windows\system32\services.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076da2620 5 bytes JMP 0000000076f00440 .text C:\Windows\system32\services.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076da2820 5 bytes JMP 0000000076f00260 .text C:\Windows\system32\services.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076da2830 5 bytes JMP 0000000076f00270 .text C:\Windows\system32\services.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076da2840 5 bytes JMP 0000000076f00400 .text C:\Windows\system32\services.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076da2a00 5 bytes JMP 0000000076f001f0 .text C:\Windows\system32\services.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076da2a10 5 bytes JMP 0000000076f00210 .text C:\Windows\system32\services.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076da2a80 5 bytes JMP 0000000076f00200 .text C:\Windows\system32\services.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076da2ae0 5 bytes JMP 0000000076f00420 .text C:\Windows\system32\services.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076da2af0 5 bytes JMP 0000000076f00430 .text C:\Windows\system32\services.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076da2b00 5 bytes JMP 0000000076f00220 .text C:\Windows\system32\services.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076da2be0 5 bytes JMP 0000000076f00280 .text C:\Windows\system32\lsass.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076da13c0 5 bytes JMP 0000000076f00460 .text C:\Windows\system32\lsass.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076da1410 5 bytes JMP 0000000076f00450 .text C:\Windows\system32\lsass.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076da1570 5 bytes JMP 0000000076f00370 .text C:\Windows\system32\lsass.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076da15c0 5 bytes JMP 0000000076f00470 .text C:\Windows\system32\lsass.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076da15d0 5 bytes JMP 0000000076f003e0 .text C:\Windows\system32\lsass.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076da1680 5 bytes JMP 0000000076f00320 .text C:\Windows\system32\lsass.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076da16b0 5 bytes JMP 0000000076f003b0 .text C:\Windows\system32\lsass.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076da16d0 5 bytes JMP 0000000076f00390 .text C:\Windows\system32\lsass.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076da1710 5 bytes JMP 0000000076f002e0 .text C:\Windows\system32\lsass.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076da1790 5 bytes JMP 0000000076f002d0 .text C:\Windows\system32\lsass.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076da17b0 5 bytes JMP 0000000076f00310 .text C:\Windows\system32\lsass.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076da17f0 5 bytes JMP 0000000076f003c0 .text C:\Windows\system32\lsass.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076da1840 5 bytes JMP 0000000076f003f0 .text C:\Windows\system32\lsass.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076da19a0 1 byte JMP 0000000076f00230 .text C:\Windows\system32\lsass.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076da19a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\lsass.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076da1b60 5 bytes JMP 0000000076f00480 .text C:\Windows\system32\lsass.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076da1b90 5 bytes JMP 0000000076f003a0 .text C:\Windows\system32\lsass.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076da1c70 5 bytes JMP 0000000076f002f0 .text C:\Windows\system32\lsass.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076da1c80 5 bytes JMP 0000000076f00350 .text C:\Windows\system32\lsass.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076da1ce0 5 bytes JMP 0000000076f00290 .text C:\Windows\system32\lsass.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076da1d70 5 bytes JMP 0000000076f002b0 .text C:\Windows\system32\lsass.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076da1d90 5 bytes JMP 0000000076f003d0 .text C:\Windows\system32\lsass.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076da1da0 1 byte JMP 0000000076f00330 .text C:\Windows\system32\lsass.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076da1da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\lsass.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076da1e10 5 bytes JMP 0000000076f00410 .text C:\Windows\system32\lsass.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076da1e40 5 bytes JMP 0000000076f00240 .text C:\Windows\system32\lsass.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076da2100 5 bytes JMP 0000000076f001e0 .text C:\Windows\system32\lsass.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076da21c0 1 byte JMP 0000000076f00250 .text C:\Windows\system32\lsass.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076da21c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\lsass.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076da21f0 5 bytes JMP 0000000076f00490 .text C:\Windows\system32\lsass.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076da2200 5 bytes JMP 0000000076f004a0 .text C:\Windows\system32\lsass.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076da2230 5 bytes JMP 0000000076f00300 .text C:\Windows\system32\lsass.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076da2240 5 bytes JMP 0000000076f00360 .text C:\Windows\system32\lsass.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076da22a0 5 bytes JMP 0000000076f002a0 .text C:\Windows\system32\lsass.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076da22f0 5 bytes JMP 0000000076f002c0 .text C:\Windows\system32\lsass.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076da2320 5 bytes JMP 0000000076f00380 .text C:\Windows\system32\lsass.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076da2330 5 bytes JMP 0000000076f00340 .text C:\Windows\system32\lsass.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076da2620 5 bytes JMP 0000000076f00440 .text C:\Windows\system32\lsass.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076da2820 5 bytes JMP 0000000076f00260 .text C:\Windows\system32\lsass.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076da2830 5 bytes JMP 0000000076f00270 .text C:\Windows\system32\lsass.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076da2840 5 bytes JMP 0000000076f00400 .text C:\Windows\system32\lsass.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076da2a00 5 bytes JMP 0000000076f001f0 .text C:\Windows\system32\lsass.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076da2a10 5 bytes JMP 0000000076f00210 .text C:\Windows\system32\lsass.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076da2a80 5 bytes JMP 0000000076f00200 .text C:\Windows\system32\lsass.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076da2ae0 5 bytes JMP 0000000076f00420 .text C:\Windows\system32\lsass.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076da2af0 5 bytes JMP 0000000076f00430 .text C:\Windows\system32\lsass.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076da2b00 5 bytes JMP 0000000076f00220 .text C:\Windows\system32\lsass.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076da2be0 5 bytes JMP 0000000076f00280 .text C:\Windows\system32\lsm.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076da13c0 5 bytes JMP 0000000100070460 .text C:\Windows\system32\lsm.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076da1410 5 bytes JMP 0000000100070450 .text C:\Windows\system32\lsm.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076da1570 5 bytes JMP 0000000100070370 .text C:\Windows\system32\lsm.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076da15c0 5 bytes JMP 0000000100070470 .text C:\Windows\system32\lsm.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076da15d0 5 bytes JMP 00000001000703e0 .text C:\Windows\system32\lsm.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076da1680 5 bytes JMP 0000000100070320 .text C:\Windows\system32\lsm.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076da16b0 5 bytes JMP 00000001000703b0 .text C:\Windows\system32\lsm.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076da16d0 5 bytes JMP 0000000100070390 .text C:\Windows\system32\lsm.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076da1710 5 bytes JMP 00000001000702e0 .text C:\Windows\system32\lsm.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076da1790 5 bytes JMP 00000001000702d0 .text C:\Windows\system32\lsm.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076da17b0 5 bytes JMP 0000000100070310 .text C:\Windows\system32\lsm.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076da17f0 5 bytes JMP 00000001000703c0 .text C:\Windows\system32\lsm.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076da1840 5 bytes JMP 00000001000703f0 .text C:\Windows\system32\lsm.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076da19a0 1 byte JMP 0000000100070230 .text C:\Windows\system32\lsm.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076da19a2 3 bytes {JMP 0xffffffff892ce890} .text C:\Windows\system32\lsm.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076da1b60 5 bytes JMP 0000000100070480 .text C:\Windows\system32\lsm.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076da1b90 5 bytes JMP 00000001000703a0 .text C:\Windows\system32\lsm.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076da1c70 5 bytes JMP 00000001000702f0 .text C:\Windows\system32\lsm.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076da1c80 5 bytes JMP 0000000100070350 .text C:\Windows\system32\lsm.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076da1ce0 5 bytes JMP 0000000100070290 .text C:\Windows\system32\lsm.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076da1d70 5 bytes JMP 00000001000702b0 .text C:\Windows\system32\lsm.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076da1d90 5 bytes JMP 00000001000703d0 .text C:\Windows\system32\lsm.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076da1da0 1 byte JMP 0000000100070330 .text C:\Windows\system32\lsm.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076da1da2 3 bytes {JMP 0xffffffff892ce590} .text C:\Windows\system32\lsm.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076da1e10 5 bytes JMP 0000000100070410 .text C:\Windows\system32\lsm.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076da1e40 5 bytes JMP 0000000100070240 .text C:\Windows\system32\lsm.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076da2100 5 bytes JMP 00000001000701e0 .text C:\Windows\system32\lsm.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076da21c0 1 byte JMP 0000000100070250 .text C:\Windows\system32\lsm.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076da21c2 3 bytes {JMP 0xffffffff892ce090} .text C:\Windows\system32\lsm.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076da21f0 5 bytes JMP 0000000100070490 .text C:\Windows\system32\lsm.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076da2200 5 bytes JMP 00000001000704a0 .text C:\Windows\system32\lsm.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076da2230 5 bytes JMP 0000000100070300 .text C:\Windows\system32\lsm.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076da2240 5 bytes JMP 0000000100070360 .text C:\Windows\system32\lsm.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076da22a0 5 bytes JMP 00000001000702a0 .text C:\Windows\system32\lsm.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076da22f0 5 bytes JMP 00000001000702c0 .text C:\Windows\system32\lsm.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076da2320 5 bytes JMP 0000000100070380 .text C:\Windows\system32\lsm.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076da2330 5 bytes JMP 0000000100070340 .text C:\Windows\system32\lsm.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076da2620 5 bytes JMP 0000000100070440 .text C:\Windows\system32\lsm.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076da2820 5 bytes JMP 0000000100070260 .text C:\Windows\system32\lsm.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076da2830 5 bytes JMP 0000000100070270 .text C:\Windows\system32\lsm.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076da2840 5 bytes JMP 0000000100070400 .text C:\Windows\system32\lsm.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076da2a00 5 bytes JMP 00000001000701f0 .text C:\Windows\system32\lsm.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076da2a10 5 bytes JMP 0000000100070210 .text C:\Windows\system32\lsm.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076da2a80 5 bytes JMP 0000000100070200 .text C:\Windows\system32\lsm.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076da2ae0 5 bytes JMP 0000000100070420 .text C:\Windows\system32\lsm.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076da2af0 5 bytes JMP 0000000100070430 .text C:\Windows\system32\lsm.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076da2b00 5 bytes JMP 0000000100070220 .text C:\Windows\system32\lsm.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076da2be0 5 bytes JMP 0000000100070280 .text C:\Windows\system32\winlogon.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076da13c0 5 bytes JMP 0000000076f00460 .text C:\Windows\system32\winlogon.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076da1410 5 bytes JMP 0000000076f00450 .text C:\Windows\system32\winlogon.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076da1570 5 bytes JMP 0000000076f00370 .text C:\Windows\system32\winlogon.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076da15c0 5 bytes JMP 0000000076f00470 .text C:\Windows\system32\winlogon.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076da15d0 5 bytes JMP 0000000076f003e0 .text C:\Windows\system32\winlogon.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076da1680 5 bytes JMP 0000000076f00320 .text C:\Windows\system32\winlogon.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076da16b0 5 bytes JMP 0000000076f003b0 .text C:\Windows\system32\winlogon.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076da16d0 5 bytes JMP 0000000076f00390 .text C:\Windows\system32\winlogon.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076da1710 5 bytes JMP 0000000076f002e0 .text C:\Windows\system32\winlogon.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076da1790 5 bytes JMP 0000000076f002d0 .text C:\Windows\system32\winlogon.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076da17b0 5 bytes JMP 0000000076f00310 .text C:\Windows\system32\winlogon.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076da17f0 5 bytes JMP 0000000076f003c0 .text C:\Windows\system32\winlogon.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076da1840 5 bytes JMP 0000000076f003f0 .text C:\Windows\system32\winlogon.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076da19a0 1 byte JMP 0000000076f00230 .text C:\Windows\system32\winlogon.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076da19a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\winlogon.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076da1b60 5 bytes JMP 0000000076f00480 .text C:\Windows\system32\winlogon.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076da1b90 5 bytes JMP 0000000076f003a0 .text C:\Windows\system32\winlogon.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076da1c70 5 bytes JMP 0000000076f002f0 .text C:\Windows\system32\winlogon.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076da1c80 5 bytes JMP 0000000076f00350 .text C:\Windows\system32\winlogon.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076da1ce0 5 bytes JMP 0000000076f00290 .text C:\Windows\system32\winlogon.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076da1d70 5 bytes JMP 0000000076f002b0 .text C:\Windows\system32\winlogon.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076da1d90 5 bytes JMP 0000000076f003d0 .text C:\Windows\system32\winlogon.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076da1da0 1 byte JMP 0000000076f00330 .text C:\Windows\system32\winlogon.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076da1da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\winlogon.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076da1e10 5 bytes JMP 0000000076f00410 .text C:\Windows\system32\winlogon.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076da1e40 5 bytes JMP 0000000076f00240 .text C:\Windows\system32\winlogon.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076da2100 5 bytes JMP 0000000076f001e0 .text C:\Windows\system32\winlogon.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076da21c0 1 byte JMP 0000000076f00250 .text C:\Windows\system32\winlogon.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076da21c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\winlogon.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076da21f0 5 bytes JMP 0000000076f00490 .text C:\Windows\system32\winlogon.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076da2200 5 bytes JMP 0000000076f004a0 .text C:\Windows\system32\winlogon.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076da2230 5 bytes JMP 0000000076f00300 .text C:\Windows\system32\winlogon.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076da2240 5 bytes JMP 0000000076f00360 .text C:\Windows\system32\winlogon.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076da22a0 5 bytes JMP 0000000076f002a0 .text C:\Windows\system32\winlogon.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076da22f0 5 bytes JMP 0000000076f002c0 .text C:\Windows\system32\winlogon.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076da2320 5 bytes JMP 0000000076f00380 .text C:\Windows\system32\winlogon.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076da2330 5 bytes JMP 0000000076f00340 .text C:\Windows\system32\winlogon.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076da2620 5 bytes JMP 0000000076f00440 .text C:\Windows\system32\winlogon.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076da2820 5 bytes JMP 0000000076f00260 .text C:\Windows\system32\winlogon.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076da2830 5 bytes JMP 0000000076f00270 .text C:\Windows\system32\winlogon.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076da2840 5 bytes JMP 0000000076f00400 .text C:\Windows\system32\winlogon.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076da2a00 5 bytes JMP 0000000076f001f0 .text C:\Windows\system32\winlogon.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076da2a10 5 bytes JMP 0000000076f00210 .text C:\Windows\system32\winlogon.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076da2a80 5 bytes JMP 0000000076f00200 .text C:\Windows\system32\winlogon.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076da2ae0 5 bytes JMP 0000000076f00420 .text C:\Windows\system32\winlogon.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076da2af0 5 bytes JMP 0000000076f00430 .text C:\Windows\system32\winlogon.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076da2b00 5 bytes JMP 0000000076f00220 .text C:\Windows\system32\winlogon.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076da2be0 5 bytes JMP 0000000076f00280 .text C:\Windows\system32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076da13c0 5 bytes JMP 0000000100070460 .text C:\Windows\system32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076da1410 5 bytes JMP 0000000100070450 .text C:\Windows\system32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076da1570 5 bytes JMP 0000000100070370 .text C:\Windows\system32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076da15c0 5 bytes JMP 0000000100070470 .text C:\Windows\system32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076da15d0 5 bytes JMP 00000001000703e0 .text C:\Windows\system32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076da1680 5 bytes JMP 0000000100070320 .text C:\Windows\system32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076da16b0 5 bytes JMP 00000001000703b0 .text C:\Windows\system32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076da16d0 5 bytes JMP 0000000100070390 .text C:\Windows\system32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076da1710 5 bytes JMP 00000001000702e0 .text C:\Windows\system32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076da1790 5 bytes JMP 00000001000702d0 .text C:\Windows\system32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076da17b0 5 bytes JMP 0000000100070310 .text C:\Windows\system32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076da17f0 5 bytes JMP 00000001000703c0 .text C:\Windows\system32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076da1840 5 bytes JMP 00000001000703f0 .text C:\Windows\system32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076da19a0 1 byte JMP 0000000100070230 .text C:\Windows\system32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076da19a2 3 bytes {JMP 0xffffffff892ce890} .text C:\Windows\system32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076da1b60 5 bytes JMP 0000000100070480 .text C:\Windows\system32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076da1b90 5 bytes JMP 00000001000703a0 .text C:\Windows\system32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076da1c70 5 bytes JMP 00000001000702f0 .text C:\Windows\system32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076da1c80 5 bytes JMP 0000000100070350 .text C:\Windows\system32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076da1ce0 5 bytes JMP 0000000100070290 .text C:\Windows\system32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076da1d70 5 bytes JMP 00000001000702b0 .text C:\Windows\system32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076da1d90 5 bytes JMP 00000001000703d0 .text C:\Windows\system32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076da1da0 1 byte JMP 0000000100070330 .text C:\Windows\system32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076da1da2 3 bytes {JMP 0xffffffff892ce590} .text C:\Windows\system32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076da1e10 5 bytes JMP 0000000100070410 .text C:\Windows\system32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076da1e40 5 bytes JMP 0000000100070240 .text C:\Windows\system32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076da2100 5 bytes JMP 00000001000701e0 .text C:\Windows\system32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076da21c0 1 byte JMP 0000000100070250 .text C:\Windows\system32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076da21c2 3 bytes {JMP 0xffffffff892ce090} .text C:\Windows\system32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076da21f0 5 bytes JMP 0000000100070490 .text C:\Windows\system32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076da2200 5 bytes JMP 00000001000704a0 .text C:\Windows\system32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076da2230 5 bytes JMP 0000000100070300 .text C:\Windows\system32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076da2240 5 bytes JMP 0000000100070360 .text C:\Windows\system32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076da22a0 5 bytes JMP 00000001000702a0 .text C:\Windows\system32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076da22f0 5 bytes JMP 00000001000702c0 .text C:\Windows\system32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076da2320 5 bytes JMP 0000000100070380 .text C:\Windows\system32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076da2330 5 bytes JMP 0000000100070340 .text C:\Windows\system32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076da2620 5 bytes JMP 0000000100070440 .text C:\Windows\system32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076da2820 5 bytes JMP 0000000100070260 .text C:\Windows\system32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076da2830 5 bytes JMP 0000000100070270 .text C:\Windows\system32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076da2840 5 bytes JMP 0000000100070400 .text C:\Windows\system32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076da2a00 5 bytes JMP 00000001000701f0 .text C:\Windows\system32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076da2a10 5 bytes JMP 0000000100070210 .text C:\Windows\system32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076da2a80 5 bytes JMP 0000000100070200 .text C:\Windows\system32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076da2ae0 5 bytes JMP 0000000100070420 .text C:\Windows\system32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076da2af0 5 bytes JMP 0000000100070430 .text C:\Windows\system32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076da2b00 5 bytes JMP 0000000100070220 .text C:\Windows\system32\svchost.exe[996] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076da2be0 5 bytes JMP 0000000100070280 .text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076da13c0 5 bytes JMP 0000000076f00460 .text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076da1410 5 bytes JMP 0000000076f00450 .text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076da1570 5 bytes JMP 0000000076f00370 .text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076da15c0 5 bytes JMP 0000000076f00470 .text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076da15d0 5 bytes JMP 0000000076f003e0 .text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076da1680 5 bytes JMP 0000000076f00320 .text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076da16b0 5 bytes JMP 0000000076f003b0 .text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076da16d0 5 bytes JMP 0000000076f00390 .text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076da1710 5 bytes JMP 0000000076f002e0 .text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076da1790 5 bytes JMP 0000000076f002d0 .text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076da17b0 5 bytes JMP 0000000076f00310 .text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076da17f0 5 bytes JMP 0000000076f003c0 .text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076da1840 5 bytes JMP 0000000076f003f0 .text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076da19a0 1 byte JMP 0000000076f00230 .text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076da19a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076da1b60 5 bytes JMP 0000000076f00480 .text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076da1b90 5 bytes JMP 0000000076f003a0 .text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076da1c70 5 bytes JMP 0000000076f002f0 .text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076da1c80 5 bytes JMP 0000000076f00350 .text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076da1ce0 5 bytes JMP 0000000076f00290 .text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076da1d70 5 bytes JMP 0000000076f002b0 .text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076da1d90 5 bytes JMP 0000000076f003d0 .text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076da1da0 1 byte JMP 0000000076f00330 .text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076da1da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076da1e10 5 bytes JMP 0000000076f00410 .text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076da1e40 5 bytes JMP 0000000076f00240 .text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076da2100 5 bytes JMP 0000000076f001e0 .text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076da21c0 1 byte JMP 0000000076f00250 .text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076da21c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076da21f0 5 bytes JMP 0000000076f00490 .text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076da2200 5 bytes JMP 0000000076f004a0 .text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076da2230 5 bytes JMP 0000000076f00300 .text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076da2240 5 bytes JMP 0000000076f00360 .text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076da22a0 5 bytes JMP 0000000076f002a0 .text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076da22f0 5 bytes JMP 0000000076f002c0 .text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076da2320 5 bytes JMP 0000000076f00380 .text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076da2330 5 bytes JMP 0000000076f00340 .text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076da2620 5 bytes JMP 0000000076f00440 .text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076da2820 5 bytes JMP 0000000076f00260 .text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076da2830 5 bytes JMP 0000000076f00270 .text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076da2840 5 bytes JMP 0000000076f00400 .text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076da2a00 5 bytes JMP 0000000076f001f0 .text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076da2a10 5 bytes JMP 0000000076f00210 .text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076da2a80 5 bytes JMP 0000000076f00200 .text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076da2ae0 5 bytes JMP 0000000076f00420 .text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076da2af0 5 bytes JMP 0000000076f00430 .text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076da2b00 5 bytes JMP 0000000076f00220 .text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076da2be0 5 bytes JMP 0000000076f00280 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076da13c0 5 bytes JMP 0000000076f00460 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076da1410 5 bytes JMP 0000000076f00450 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076da1570 5 bytes JMP 0000000076f00370 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076da15c0 5 bytes JMP 0000000076f00470 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076da15d0 5 bytes JMP 0000000076f003e0 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076da1680 5 bytes JMP 0000000076f00320 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076da16b0 5 bytes JMP 0000000076f003b0 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076da16d0 5 bytes JMP 0000000076f00390 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076da1710 5 bytes JMP 0000000076f002e0 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076da1790 5 bytes JMP 0000000076f002d0 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076da17b0 5 bytes JMP 0000000076f00310 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076da17f0 5 bytes JMP 0000000076f003c0 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076da1840 5 bytes JMP 0000000076f003f0 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076da19a0 1 byte JMP 0000000076f00230 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076da19a2 3 bytes {JMP 0x15e890} .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076da1b60 5 bytes JMP 0000000076f00480 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076da1b90 5 bytes JMP 0000000076f003a0 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076da1c70 5 bytes JMP 0000000076f002f0 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076da1c80 5 bytes JMP 0000000076f00350 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076da1ce0 5 bytes JMP 0000000076f00290 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076da1d70 5 bytes JMP 0000000076f002b0 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076da1d90 5 bytes JMP 0000000076f003d0 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076da1da0 1 byte JMP 0000000076f00330 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076da1da2 3 bytes {JMP 0x15e590} .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076da1e10 5 bytes JMP 0000000076f00410 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076da1e40 5 bytes JMP 0000000076f00240 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076da2100 5 bytes JMP 0000000076f001e0 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076da21c0 1 byte JMP 0000000076f00250 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076da21c2 3 bytes {JMP 0x15e090} .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076da21f0 5 bytes JMP 0000000076f00490 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076da2200 5 bytes JMP 0000000076f004a0 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076da2230 5 bytes JMP 0000000076f00300 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076da2240 5 bytes JMP 0000000076f00360 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076da22a0 5 bytes JMP 0000000076f002a0 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076da22f0 5 bytes JMP 0000000076f002c0 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076da2320 5 bytes JMP 0000000076f00380 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076da2330 5 bytes JMP 0000000076f00340 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076da2620 5 bytes JMP 0000000076f00440 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076da2820 5 bytes JMP 0000000076f00260 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076da2830 5 bytes JMP 0000000076f00270 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076da2840 5 bytes JMP 0000000076f00400 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076da2a00 5 bytes JMP 0000000076f001f0 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076da2a10 5 bytes JMP 0000000076f00210 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076da2a80 5 bytes JMP 0000000076f00200 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076da2ae0 5 bytes JMP 0000000076f00420 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076da2af0 5 bytes JMP 0000000076f00430 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076da2b00 5 bytes JMP 0000000076f00220 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076da2be0 5 bytes JMP 0000000076f00280 .text C:\Windows\System32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076da13c0 5 bytes JMP 0000000076f00460 .text C:\Windows\System32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076da1410 5 bytes JMP 0000000076f00450 .text C:\Windows\System32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076da1570 5 bytes JMP 0000000076f00370 .text C:\Windows\System32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076da15c0 5 bytes JMP 0000000076f00470 .text C:\Windows\System32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076da15d0 5 bytes JMP 0000000076f003e0 .text C:\Windows\System32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076da1680 5 bytes JMP 0000000076f00320 .text C:\Windows\System32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076da16b0 5 bytes JMP 0000000076f003b0 .text C:\Windows\System32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076da16d0 5 bytes JMP 0000000076f00390 .text C:\Windows\System32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076da1710 5 bytes JMP 0000000076f002e0 .text C:\Windows\System32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076da1790 5 bytes JMP 0000000076f002d0 .text C:\Windows\System32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076da17b0 5 bytes JMP 0000000076f00310 .text C:\Windows\System32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076da17f0 5 bytes JMP 0000000076f003c0 .text C:\Windows\System32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076da1840 5 bytes JMP 0000000076f003f0 .text C:\Windows\System32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076da19a0 1 byte JMP 0000000076f00230 .text C:\Windows\System32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076da19a2 3 bytes {JMP 0x15e890} .text C:\Windows\System32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076da1b60 5 bytes JMP 0000000076f00480 .text C:\Windows\System32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076da1b90 5 bytes JMP 0000000076f003a0 .text C:\Windows\System32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076da1c70 5 bytes JMP 0000000076f002f0 .text C:\Windows\System32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076da1c80 5 bytes JMP 0000000076f00350 .text C:\Windows\System32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076da1ce0 5 bytes JMP 0000000076f00290 .text C:\Windows\System32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076da1d70 5 bytes JMP 0000000076f002b0 .text C:\Windows\System32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076da1d90 5 bytes JMP 0000000076f003d0 .text C:\Windows\System32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076da1da0 1 byte JMP 0000000076f00330 .text C:\Windows\System32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076da1da2 3 bytes {JMP 0x15e590} .text C:\Windows\System32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076da1e10 5 bytes JMP 0000000076f00410 .text C:\Windows\System32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076da1e40 5 bytes JMP 0000000076f00240 .text C:\Windows\System32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076da2100 5 bytes JMP 0000000076f001e0 .text C:\Windows\System32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076da21c0 1 byte JMP 0000000076f00250 .text C:\Windows\System32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076da21c2 3 bytes {JMP 0x15e090} .text C:\Windows\System32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076da21f0 5 bytes JMP 0000000076f00490 .text C:\Windows\System32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076da2200 5 bytes JMP 0000000076f004a0 .text C:\Windows\System32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076da2230 5 bytes JMP 0000000076f00300 .text C:\Windows\System32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076da2240 5 bytes JMP 0000000076f00360 .text C:\Windows\System32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076da22a0 5 bytes JMP 0000000076f002a0 .text C:\Windows\System32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076da22f0 5 bytes JMP 0000000076f002c0 .text C:\Windows\System32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076da2320 5 bytes JMP 0000000076f00380 .text C:\Windows\System32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076da2330 5 bytes JMP 0000000076f00340 .text C:\Windows\System32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076da2620 5 bytes JMP 0000000076f00440 .text C:\Windows\System32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076da2820 5 bytes JMP 0000000076f00260 .text C:\Windows\System32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076da2830 5 bytes JMP 0000000076f00270 .text C:\Windows\System32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076da2840 5 bytes JMP 0000000076f00400 .text C:\Windows\System32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076da2a00 5 bytes JMP 0000000076f001f0 .text C:\Windows\System32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076da2a10 5 bytes JMP 0000000076f00210 .text C:\Windows\System32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076da2a80 5 bytes JMP 0000000076f00200 .text C:\Windows\System32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076da2ae0 5 bytes JMP 0000000076f00420 .text C:\Windows\System32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076da2af0 5 bytes JMP 0000000076f00430 .text C:\Windows\System32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076da2b00 5 bytes JMP 0000000076f00220 .text C:\Windows\System32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076da2be0 5 bytes JMP 0000000076f00280 .text C:\Windows\system32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076da13c0 5 bytes JMP 0000000076f00460 .text C:\Windows\system32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076da1410 5 bytes JMP 0000000076f00450 .text C:\Windows\system32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076da1570 5 bytes JMP 0000000076f00370 .text C:\Windows\system32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076da15c0 5 bytes JMP 0000000076f00470 .text C:\Windows\system32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076da15d0 5 bytes JMP 0000000076f003e0 .text C:\Windows\system32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076da1680 5 bytes JMP 0000000076f00320 .text C:\Windows\system32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076da16b0 5 bytes JMP 0000000076f003b0 .text C:\Windows\system32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076da16d0 5 bytes JMP 0000000076f00390 .text C:\Windows\system32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076da1710 5 bytes JMP 0000000076f002e0 .text C:\Windows\system32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076da1790 5 bytes JMP 0000000076f002d0 .text C:\Windows\system32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076da17b0 5 bytes JMP 0000000076f00310 .text C:\Windows\system32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076da17f0 5 bytes JMP 0000000076f003c0 .text C:\Windows\system32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076da1840 5 bytes JMP 0000000076f003f0 .text C:\Windows\system32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076da19a0 1 byte JMP 0000000076f00230 .text C:\Windows\system32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076da19a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076da1b60 5 bytes JMP 0000000076f00480 .text C:\Windows\system32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076da1b90 5 bytes JMP 0000000076f003a0 .text C:\Windows\system32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076da1c70 5 bytes JMP 0000000076f002f0 .text C:\Windows\system32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076da1c80 5 bytes JMP 0000000076f00350 .text C:\Windows\system32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076da1ce0 5 bytes JMP 0000000076f00290 .text C:\Windows\system32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076da1d70 5 bytes JMP 0000000076f002b0 .text C:\Windows\system32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076da1d90 5 bytes JMP 0000000076f003d0 .text C:\Windows\system32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076da1da0 1 byte JMP 0000000076f00330 .text C:\Windows\system32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076da1da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076da1e10 5 bytes JMP 0000000076f00410 .text C:\Windows\system32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076da1e40 5 bytes JMP 0000000076f00240 .text C:\Windows\system32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076da2100 5 bytes JMP 0000000076f001e0 .text C:\Windows\system32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076da21c0 1 byte JMP 0000000076f00250 .text C:\Windows\system32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076da21c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076da21f0 5 bytes JMP 0000000076f00490 .text C:\Windows\system32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076da2200 5 bytes JMP 0000000076f004a0 .text C:\Windows\system32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076da2230 5 bytes JMP 0000000076f00300 .text C:\Windows\system32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076da2240 5 bytes JMP 0000000076f00360 .text C:\Windows\system32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076da22a0 5 bytes JMP 0000000076f002a0 .text C:\Windows\system32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076da22f0 5 bytes JMP 0000000076f002c0 .text C:\Windows\system32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076da2320 5 bytes JMP 0000000076f00380 .text C:\Windows\system32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076da2330 5 bytes JMP 0000000076f00340 .text C:\Windows\system32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076da2620 5 bytes JMP 0000000076f00440 .text C:\Windows\system32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076da2820 5 bytes JMP 0000000076f00260 .text C:\Windows\system32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076da2830 5 bytes JMP 0000000076f00270 .text C:\Windows\system32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076da2840 5 bytes JMP 0000000076f00400 .text C:\Windows\system32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076da2a00 5 bytes JMP 0000000076f001f0 .text C:\Windows\system32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076da2a10 5 bytes JMP 0000000076f00210 .text C:\Windows\system32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076da2a80 5 bytes JMP 0000000076f00200 .text C:\Windows\system32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076da2ae0 5 bytes JMP 0000000076f00420 .text C:\Windows\system32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076da2af0 5 bytes JMP 0000000076f00430 .text C:\Windows\system32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076da2b00 5 bytes JMP 0000000076f00220 .text C:\Windows\system32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076da2be0 5 bytes JMP 0000000076f00280 .text C:\Windows\system32\svchost.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076da13c0 5 bytes JMP 0000000076f00460 .text C:\Windows\system32\svchost.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076da1410 5 bytes JMP 0000000076f00450 .text C:\Windows\system32\svchost.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076da1570 5 bytes JMP 0000000076f00370 .text C:\Windows\system32\svchost.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076da15c0 5 bytes JMP 0000000076f00470 .text C:\Windows\system32\svchost.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076da15d0 5 bytes JMP 0000000076f003e0 .text C:\Windows\system32\svchost.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076da1680 5 bytes JMP 0000000076f00320 .text C:\Windows\system32\svchost.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076da16b0 5 bytes JMP 0000000076f003b0 .text C:\Windows\system32\svchost.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076da16d0 5 bytes JMP 0000000076f00390 .text C:\Windows\system32\svchost.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076da1710 5 bytes JMP 0000000076f002e0 .text C:\Windows\system32\svchost.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076da1790 5 bytes JMP 0000000076f002d0 .text C:\Windows\system32\svchost.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076da17b0 5 bytes JMP 0000000076f00310 .text C:\Windows\system32\svchost.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076da17f0 5 bytes JMP 0000000076f003c0 .text C:\Windows\system32\svchost.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076da1840 5 bytes JMP 0000000076f003f0 .text C:\Windows\system32\svchost.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076da19a0 1 byte JMP 0000000076f00230 .text C:\Windows\system32\svchost.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076da19a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\svchost.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076da1b60 5 bytes JMP 0000000076f00480 .text C:\Windows\system32\svchost.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076da1b90 5 bytes JMP 0000000076f003a0 .text C:\Windows\system32\svchost.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076da1c70 5 bytes JMP 0000000076f002f0 .text C:\Windows\system32\svchost.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076da1c80 5 bytes JMP 0000000076f00350 .text C:\Windows\system32\svchost.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076da1ce0 5 bytes JMP 0000000076f00290 .text C:\Windows\system32\svchost.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076da1d70 5 bytes JMP 0000000076f002b0 .text C:\Windows\system32\svchost.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076da1d90 5 bytes JMP 0000000076f003d0 .text C:\Windows\system32\svchost.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076da1da0 1 byte JMP 0000000076f00330 .text C:\Windows\system32\svchost.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076da1da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\svchost.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076da1e10 5 bytes JMP 0000000076f00410 .text C:\Windows\system32\svchost.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076da1e40 5 bytes JMP 0000000076f00240 .text C:\Windows\system32\svchost.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076da2100 5 bytes JMP 0000000076f001e0 .text C:\Windows\system32\svchost.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076da21c0 1 byte JMP 0000000076f00250 .text C:\Windows\system32\svchost.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076da21c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\svchost.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076da21f0 5 bytes JMP 0000000076f00490 .text C:\Windows\system32\svchost.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076da2200 5 bytes JMP 0000000076f004a0 .text C:\Windows\system32\svchost.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076da2230 5 bytes JMP 0000000076f00300 .text C:\Windows\system32\svchost.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076da2240 5 bytes JMP 0000000076f00360 .text C:\Windows\system32\svchost.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076da22a0 5 bytes JMP 0000000076f002a0 .text C:\Windows\system32\svchost.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076da22f0 5 bytes JMP 0000000076f002c0 .text C:\Windows\system32\svchost.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076da2320 5 bytes JMP 0000000076f00380 .text C:\Windows\system32\svchost.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076da2330 5 bytes JMP 0000000076f00340 .text C:\Windows\system32\svchost.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076da2620 5 bytes JMP 0000000076f00440 .text C:\Windows\system32\svchost.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076da2820 5 bytes JMP 0000000076f00260 .text C:\Windows\system32\svchost.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076da2830 5 bytes JMP 0000000076f00270 .text C:\Windows\system32\svchost.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076da2840 5 bytes JMP 0000000076f00400 .text C:\Windows\system32\svchost.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076da2a00 5 bytes JMP 0000000076f001f0 .text C:\Windows\system32\svchost.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076da2a10 5 bytes JMP 0000000076f00210 .text C:\Windows\system32\svchost.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076da2a80 5 bytes JMP 0000000076f00200 .text C:\Windows\system32\svchost.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076da2ae0 5 bytes JMP 0000000076f00420 .text C:\Windows\system32\svchost.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076da2af0 5 bytes JMP 0000000076f00430 .text C:\Windows\system32\svchost.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076da2b00 5 bytes JMP 0000000076f00220 .text C:\Windows\system32\svchost.exe[1228] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076da2be0 5 bytes JMP 0000000076f00280 .text C:\Windows\system32\svchost.exe[1348] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076da13c0 5 bytes JMP 0000000076f00460 .text C:\Windows\system32\svchost.exe[1348] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076da1410 5 bytes JMP 0000000076f00450 .text C:\Windows\system32\svchost.exe[1348] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076da1570 5 bytes JMP 0000000076f00370 .text C:\Windows\system32\svchost.exe[1348] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076da15c0 5 bytes JMP 0000000076f00470 .text C:\Windows\system32\svchost.exe[1348] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076da15d0 5 bytes JMP 0000000076f003e0 .text C:\Windows\system32\svchost.exe[1348] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076da1680 5 bytes JMP 0000000076f00320 .text C:\Windows\system32\svchost.exe[1348] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076da16b0 5 bytes JMP 0000000076f003b0 .text C:\Windows\system32\svchost.exe[1348] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076da16d0 5 bytes JMP 0000000076f00390 .text C:\Windows\system32\svchost.exe[1348] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076da1710 5 bytes JMP 0000000076f002e0 .text C:\Windows\system32\svchost.exe[1348] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076da1790 5 bytes JMP 0000000076f002d0 .text C:\Windows\system32\svchost.exe[1348] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076da17b0 5 bytes JMP 0000000076f00310 .text C:\Windows\system32\svchost.exe[1348] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076da17f0 5 bytes JMP 0000000076f003c0 .text C:\Windows\system32\svchost.exe[1348] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076da1840 5 bytes JMP 0000000076f003f0 .text C:\Windows\system32\svchost.exe[1348] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076da19a0 1 byte JMP 0000000076f00230 .text C:\Windows\system32\svchost.exe[1348] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076da19a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\svchost.exe[1348] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076da1b60 5 bytes JMP 0000000076f00480 .text C:\Windows\system32\svchost.exe[1348] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076da1b90 5 bytes JMP 0000000076f003a0 .text C:\Windows\system32\svchost.exe[1348] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076da1c70 5 bytes JMP 0000000076f002f0 .text C:\Windows\system32\svchost.exe[1348] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076da1c80 5 bytes JMP 0000000076f00350 .text C:\Windows\system32\svchost.exe[1348] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076da1ce0 5 bytes JMP 0000000076f00290 .text C:\Windows\system32\svchost.exe[1348] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076da1d70 5 bytes JMP 0000000076f002b0 .text C:\Windows\system32\svchost.exe[1348] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076da1d90 5 bytes JMP 0000000076f003d0 .text C:\Windows\system32\svchost.exe[1348] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076da1da0 1 byte JMP 0000000076f00330 .text C:\Windows\system32\svchost.exe[1348] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076da1da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\svchost.exe[1348] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076da1e10 5 bytes JMP 0000000076f00410 .text C:\Windows\system32\svchost.exe[1348] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076da1e40 5 bytes JMP 0000000076f00240 .text C:\Windows\system32\svchost.exe[1348] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076da2100 5 bytes JMP 0000000076f001e0 .text C:\Windows\system32\svchost.exe[1348] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076da21c0 1 byte JMP 0000000076f00250 .text C:\Windows\system32\svchost.exe[1348] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076da21c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\svchost.exe[1348] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076da21f0 5 bytes JMP 0000000076f00490 .text C:\Windows\system32\svchost.exe[1348] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076da2200 5 bytes JMP 0000000076f004a0 .text C:\Windows\system32\svchost.exe[1348] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076da2230 5 bytes JMP 0000000076f00300 .text C:\Windows\system32\svchost.exe[1348] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076da2240 5 bytes JMP 0000000076f00360 .text C:\Windows\system32\svchost.exe[1348] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076da22a0 5 bytes JMP 0000000076f002a0 .text C:\Windows\system32\svchost.exe[1348] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076da22f0 5 bytes JMP 0000000076f002c0 .text C:\Windows\system32\svchost.exe[1348] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076da2320 5 bytes JMP 0000000076f00380 .text C:\Windows\system32\svchost.exe[1348] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076da2330 5 bytes JMP 0000000076f00340 .text C:\Windows\system32\svchost.exe[1348] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076da2620 5 bytes JMP 0000000076f00440 .text C:\Windows\system32\svchost.exe[1348] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076da2820 5 bytes JMP 0000000076f00260 .text C:\Windows\system32\svchost.exe[1348] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076da2830 5 bytes JMP 0000000076f00270 .text C:\Windows\system32\svchost.exe[1348] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076da2840 5 bytes JMP 0000000076f00400 .text C:\Windows\system32\svchost.exe[1348] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076da2a00 5 bytes JMP 0000000076f001f0 .text C:\Windows\system32\svchost.exe[1348] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076da2a10 5 bytes JMP 0000000076f00210 .text C:\Windows\system32\svchost.exe[1348] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076da2a80 5 bytes JMP 0000000076f00200 .text C:\Windows\system32\svchost.exe[1348] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076da2ae0 5 bytes JMP 0000000076f00420 .text C:\Windows\system32\svchost.exe[1348] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076da2af0 5 bytes JMP 0000000076f00430 .text C:\Windows\system32\svchost.exe[1348] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076da2b00 5 bytes JMP 0000000076f00220 .text C:\Windows\system32\svchost.exe[1348] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076da2be0 5 bytes JMP 0000000076f00280 .text C:\Windows\System32\spoolsv.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076da13c0 5 bytes JMP 0000000076f00460 .text C:\Windows\System32\spoolsv.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076da1410 5 bytes JMP 0000000076f00450 .text C:\Windows\System32\spoolsv.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076da1570 5 bytes JMP 0000000076f00370 .text C:\Windows\System32\spoolsv.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076da15c0 5 bytes JMP 0000000076f00470 .text C:\Windows\System32\spoolsv.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076da15d0 5 bytes JMP 0000000076f003e0 .text C:\Windows\System32\spoolsv.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076da1680 5 bytes JMP 0000000076f00320 .text C:\Windows\System32\spoolsv.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076da16b0 5 bytes JMP 0000000076f003b0 .text C:\Windows\System32\spoolsv.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076da16d0 5 bytes JMP 0000000076f00390 .text C:\Windows\System32\spoolsv.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076da1710 5 bytes JMP 0000000076f002e0 .text C:\Windows\System32\spoolsv.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076da1790 5 bytes JMP 0000000076f002d0 .text C:\Windows\System32\spoolsv.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076da17b0 5 bytes JMP 0000000076f00310 .text C:\Windows\System32\spoolsv.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076da17f0 5 bytes JMP 0000000076f003c0 .text C:\Windows\System32\spoolsv.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076da1840 5 bytes JMP 0000000076f003f0 .text C:\Windows\System32\spoolsv.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076da19a0 1 byte JMP 0000000076f00230 .text C:\Windows\System32\spoolsv.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076da19a2 3 bytes {JMP 0x15e890} .text C:\Windows\System32\spoolsv.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076da1b60 5 bytes JMP 0000000076f00480 .text C:\Windows\System32\spoolsv.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076da1b90 5 bytes JMP 0000000076f003a0 .text C:\Windows\System32\spoolsv.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076da1c70 5 bytes JMP 0000000076f002f0 .text C:\Windows\System32\spoolsv.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076da1c80 5 bytes JMP 0000000076f00350 .text C:\Windows\System32\spoolsv.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076da1ce0 5 bytes JMP 0000000076f00290 .text C:\Windows\System32\spoolsv.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076da1d70 5 bytes JMP 0000000076f002b0 .text C:\Windows\System32\spoolsv.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076da1d90 5 bytes JMP 0000000076f003d0 .text C:\Windows\System32\spoolsv.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076da1da0 1 byte JMP 0000000076f00330 .text C:\Windows\System32\spoolsv.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076da1da2 3 bytes {JMP 0x15e590} .text C:\Windows\System32\spoolsv.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076da1e10 5 bytes JMP 0000000076f00410 .text C:\Windows\System32\spoolsv.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076da1e40 5 bytes JMP 0000000076f00240 .text C:\Windows\System32\spoolsv.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076da2100 5 bytes JMP 0000000076f001e0 .text C:\Windows\System32\spoolsv.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076da21c0 1 byte JMP 0000000076f00250 .text C:\Windows\System32\spoolsv.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076da21c2 3 bytes {JMP 0x15e090} .text C:\Windows\System32\spoolsv.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076da21f0 5 bytes JMP 0000000076f00490 .text C:\Windows\System32\spoolsv.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076da2200 5 bytes JMP 0000000076f004a0 .text C:\Windows\System32\spoolsv.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076da2230 5 bytes JMP 0000000076f00300 .text C:\Windows\System32\spoolsv.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076da2240 5 bytes JMP 0000000076f00360 .text C:\Windows\System32\spoolsv.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076da22a0 5 bytes JMP 0000000076f002a0 .text C:\Windows\System32\spoolsv.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076da22f0 5 bytes JMP 0000000076f002c0 .text C:\Windows\System32\spoolsv.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076da2320 5 bytes JMP 0000000076f00380 .text C:\Windows\System32\spoolsv.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076da2330 5 bytes JMP 0000000076f00340 .text C:\Windows\System32\spoolsv.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076da2620 5 bytes JMP 0000000076f00440 .text C:\Windows\System32\spoolsv.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076da2820 5 bytes JMP 0000000076f00260 .text C:\Windows\System32\spoolsv.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076da2830 5 bytes JMP 0000000076f00270 .text C:\Windows\System32\spoolsv.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076da2840 5 bytes JMP 0000000076f00400 .text C:\Windows\System32\spoolsv.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076da2a00 5 bytes JMP 0000000076f001f0 .text C:\Windows\System32\spoolsv.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076da2a10 5 bytes JMP 0000000076f00210 .text C:\Windows\System32\spoolsv.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076da2a80 5 bytes JMP 0000000076f00200 .text C:\Windows\System32\spoolsv.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076da2ae0 5 bytes JMP 0000000076f00420 .text C:\Windows\System32\spoolsv.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076da2af0 5 bytes JMP 0000000076f00430 .text C:\Windows\System32\spoolsv.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076da2b00 5 bytes JMP 0000000076f00220 .text C:\Windows\System32\spoolsv.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076da2be0 5 bytes JMP 0000000076f00280 .text C:\Windows\system32\svchost.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076da13c0 5 bytes JMP 0000000076f00460 .text C:\Windows\system32\svchost.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076da1410 5 bytes JMP 0000000076f00450 .text C:\Windows\system32\svchost.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076da1570 5 bytes JMP 0000000076f00370 .text C:\Windows\system32\svchost.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076da15c0 5 bytes JMP 0000000076f00470 .text C:\Windows\system32\svchost.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076da15d0 5 bytes JMP 0000000076f003e0 .text C:\Windows\system32\svchost.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076da1680 5 bytes JMP 0000000076f00320 .text C:\Windows\system32\svchost.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076da16b0 5 bytes JMP 0000000076f003b0 .text C:\Windows\system32\svchost.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076da16d0 5 bytes JMP 0000000076f00390 .text C:\Windows\system32\svchost.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076da1710 5 bytes JMP 0000000076f002e0 .text C:\Windows\system32\svchost.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076da1790 5 bytes JMP 0000000076f002d0 .text C:\Windows\system32\svchost.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076da17b0 5 bytes JMP 0000000076f00310 .text C:\Windows\system32\svchost.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076da17f0 5 bytes JMP 0000000076f003c0 .text C:\Windows\system32\svchost.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076da1840 5 bytes JMP 0000000076f003f0 .text C:\Windows\system32\svchost.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076da19a0 1 byte JMP 0000000076f00230 .text C:\Windows\system32\svchost.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076da19a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\svchost.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076da1b60 5 bytes JMP 0000000076f00480 .text C:\Windows\system32\svchost.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076da1b90 5 bytes JMP 0000000076f003a0 .text C:\Windows\system32\svchost.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076da1c70 5 bytes JMP 0000000076f002f0 .text C:\Windows\system32\svchost.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076da1c80 5 bytes JMP 0000000076f00350 .text C:\Windows\system32\svchost.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076da1ce0 5 bytes JMP 0000000076f00290 .text C:\Windows\system32\svchost.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076da1d70 5 bytes JMP 0000000076f002b0 .text C:\Windows\system32\svchost.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076da1d90 5 bytes JMP 0000000076f003d0 .text C:\Windows\system32\svchost.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076da1da0 1 byte JMP 0000000076f00330 .text C:\Windows\system32\svchost.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076da1da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\svchost.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076da1e10 5 bytes JMP 0000000076f00410 .text C:\Windows\system32\svchost.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076da1e40 5 bytes JMP 0000000076f00240 .text C:\Windows\system32\svchost.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076da2100 5 bytes JMP 0000000076f001e0 .text C:\Windows\system32\svchost.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076da21c0 1 byte JMP 0000000076f00250 .text C:\Windows\system32\svchost.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076da21c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\svchost.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076da21f0 5 bytes JMP 0000000076f00490 .text C:\Windows\system32\svchost.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076da2200 5 bytes JMP 0000000076f004a0 .text C:\Windows\system32\svchost.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076da2230 5 bytes JMP 0000000076f00300 .text C:\Windows\system32\svchost.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076da2240 5 bytes JMP 0000000076f00360 .text C:\Windows\system32\svchost.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076da22a0 5 bytes JMP 0000000076f002a0 .text C:\Windows\system32\svchost.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076da22f0 5 bytes JMP 0000000076f002c0 .text C:\Windows\system32\svchost.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076da2320 5 bytes JMP 0000000076f00380 .text C:\Windows\system32\svchost.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076da2330 5 bytes JMP 0000000076f00340 .text C:\Windows\system32\svchost.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076da2620 5 bytes JMP 0000000076f00440 .text C:\Windows\system32\svchost.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076da2820 5 bytes JMP 0000000076f00260 .text C:\Windows\system32\svchost.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076da2830 5 bytes JMP 0000000076f00270 .text C:\Windows\system32\svchost.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076da2840 5 bytes JMP 0000000076f00400 .text C:\Windows\system32\svchost.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076da2a00 5 bytes JMP 0000000076f001f0 .text C:\Windows\system32\svchost.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076da2a10 5 bytes JMP 0000000076f00210 .text C:\Windows\system32\svchost.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076da2a80 5 bytes JMP 0000000076f00200 .text C:\Windows\system32\svchost.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076da2ae0 5 bytes JMP 0000000076f00420 .text C:\Windows\system32\svchost.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076da2af0 5 bytes JMP 0000000076f00430 .text C:\Windows\system32\svchost.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076da2b00 5 bytes JMP 0000000076f00220 .text C:\Windows\system32\svchost.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076da2be0 5 bytes JMP 0000000076f00280 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076da13c0 5 bytes JMP 0000000076f00460 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076da1410 5 bytes JMP 0000000076f00450 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076da1570 5 bytes JMP 0000000076f00370 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076da15c0 5 bytes JMP 0000000076f00470 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076da15d0 5 bytes JMP 0000000076f003e0 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076da1680 5 bytes JMP 0000000076f00320 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076da16b0 5 bytes JMP 0000000076f003b0 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076da16d0 5 bytes JMP 0000000076f00390 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076da1710 5 bytes JMP 0000000076f002e0 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076da1790 5 bytes JMP 0000000076f002d0 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076da17b0 5 bytes JMP 0000000076f00310 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076da17f0 5 bytes JMP 0000000076f003c0 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076da1840 5 bytes JMP 0000000076f003f0 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076da19a0 1 byte JMP 0000000076f00230 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076da19a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076da1b60 5 bytes JMP 0000000076f00480 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076da1b90 5 bytes JMP 0000000076f003a0 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076da1c70 5 bytes JMP 0000000076f002f0 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076da1c80 5 bytes JMP 0000000076f00350 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076da1ce0 5 bytes JMP 0000000076f00290 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076da1d70 5 bytes JMP 0000000076f002b0 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076da1d90 5 bytes JMP 0000000076f003d0 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076da1da0 1 byte JMP 0000000076f00330 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076da1da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076da1e10 5 bytes JMP 0000000076f00410 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076da1e40 5 bytes JMP 0000000076f00240 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076da2100 5 bytes JMP 0000000076f001e0 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076da21c0 1 byte JMP 0000000076f00250 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076da21c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076da21f0 5 bytes JMP 0000000076f00490 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076da2200 5 bytes JMP 0000000076f004a0 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076da2230 5 bytes JMP 0000000076f00300 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076da2240 5 bytes JMP 0000000076f00360 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076da22a0 5 bytes JMP 0000000076f002a0 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076da22f0 5 bytes JMP 0000000076f002c0 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076da2320 5 bytes JMP 0000000076f00380 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076da2330 5 bytes JMP 0000000076f00340 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076da2620 5 bytes JMP 0000000076f00440 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076da2820 5 bytes JMP 0000000076f00260 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076da2830 5 bytes JMP 0000000076f00270 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076da2840 5 bytes JMP 0000000076f00400 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076da2a00 5 bytes JMP 0000000076f001f0 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076da2a10 5 bytes JMP 0000000076f00210 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076da2a80 5 bytes JMP 0000000076f00200 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076da2ae0 5 bytes JMP 0000000076f00420 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076da2af0 5 bytes JMP 0000000076f00430 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076da2b00 5 bytes JMP 0000000076f00220 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076da2be0 5 bytes JMP 0000000076f00280 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076da13c0 5 bytes JMP 0000000076f00460 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076da1410 5 bytes JMP 0000000076f00450 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076da1570 5 bytes JMP 0000000076f00370 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076da15c0 5 bytes JMP 0000000076f00470 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076da15d0 5 bytes JMP 0000000076f003e0 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076da1680 5 bytes JMP 0000000076f00320 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076da16b0 5 bytes JMP 0000000076f003b0 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076da16d0 5 bytes JMP 0000000076f00390 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076da1710 5 bytes JMP 0000000076f002e0 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076da1790 5 bytes JMP 0000000076f002d0 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076da17b0 5 bytes JMP 0000000076f00310 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076da17f0 5 bytes JMP 0000000076f003c0 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076da1840 5 bytes JMP 0000000076f003f0 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076da19a0 1 byte JMP 0000000076f00230 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076da19a2 3 bytes {JMP 0x15e890} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076da1b60 5 bytes JMP 0000000076f00480 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076da1b90 5 bytes JMP 0000000076f003a0 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076da1c70 5 bytes JMP 0000000076f002f0 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076da1c80 5 bytes JMP 0000000076f00350 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076da1ce0 5 bytes JMP 0000000076f00290 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076da1d70 5 bytes JMP 0000000076f002b0 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076da1d90 5 bytes JMP 0000000076f003d0 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076da1da0 1 byte JMP 0000000076f00330 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076da1da2 3 bytes {JMP 0x15e590} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076da1e10 5 bytes JMP 0000000076f00410 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076da1e40 5 bytes JMP 0000000076f00240 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076da2100 5 bytes JMP 0000000076f001e0 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076da21c0 1 byte JMP 0000000076f00250 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076da21c2 3 bytes {JMP 0x15e090} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076da21f0 5 bytes JMP 0000000076f00490 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076da2200 5 bytes JMP 0000000076f004a0 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076da2230 5 bytes JMP 0000000076f00300 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076da2240 5 bytes JMP 0000000076f00360 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076da22a0 5 bytes JMP 0000000076f002a0 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076da22f0 5 bytes JMP 0000000076f002c0 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076da2320 5 bytes JMP 0000000076f00380 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076da2330 5 bytes JMP 0000000076f00340 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076da2620 5 bytes JMP 0000000076f00440 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076da2820 5 bytes JMP 0000000076f00260 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076da2830 5 bytes JMP 0000000076f00270 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076da2840 5 bytes JMP 0000000076f00400 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076da2a00 5 bytes JMP 0000000076f001f0 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076da2a10 5 bytes JMP 0000000076f00210 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076da2a80 5 bytes JMP 0000000076f00200 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076da2ae0 5 bytes JMP 0000000076f00420 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076da2af0 5 bytes JMP 0000000076f00430 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076da2b00 5 bytes JMP 0000000076f00220 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076da2be0 5 bytes JMP 0000000076f00280 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1452] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000749c1465 2 bytes [9C, 74] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1452] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000749c14bb 2 bytes [9C, 74] .text ... * 2 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2524] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076da13c0 5 bytes JMP 0000000076f00460 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2524] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076da1410 5 bytes JMP 0000000076f00450 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2524] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076da1570 5 bytes JMP 0000000076f00370 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2524] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076da15c0 5 bytes JMP 0000000076f00470 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2524] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076da15d0 5 bytes JMP 0000000076f003e0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2524] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076da1680 5 bytes JMP 0000000076f00320 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2524] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076da16b0 5 bytes JMP 0000000076f003b0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2524] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076da16d0 5 bytes JMP 0000000076f00390 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2524] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076da1710 5 bytes JMP 0000000076f002e0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076da1790 5 bytes JMP 0000000076f002d0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076da17b0 5 bytes JMP 0000000076f00310 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076da17f0 5 bytes JMP 0000000076f003c0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2524] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076da1840 5 bytes JMP 0000000076f003f0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2524] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076da19a0 1 byte JMP 0000000076f00230 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2524] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076da19a2 3 bytes {JMP 0x15e890} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2524] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076da1b60 5 bytes JMP 0000000076f00480 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2524] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076da1b90 5 bytes JMP 0000000076f003a0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076da1c70 5 bytes JMP 0000000076f002f0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076da1c80 5 bytes JMP 0000000076f00350 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076da1ce0 5 bytes JMP 0000000076f00290 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076da1d70 5 bytes JMP 0000000076f002b0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076da1d90 5 bytes JMP 0000000076f003d0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076da1da0 1 byte JMP 0000000076f00330 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076da1da2 3 bytes {JMP 0x15e590} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2524] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076da1e10 5 bytes JMP 0000000076f00410 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2524] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076da1e40 5 bytes JMP 0000000076f00240 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2524] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076da2100 5 bytes JMP 0000000076f001e0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2524] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076da21c0 1 byte JMP 0000000076f00250 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2524] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076da21c2 3 bytes {JMP 0x15e090} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2524] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076da21f0 5 bytes JMP 0000000076f00490 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2524] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076da2200 5 bytes JMP 0000000076f004a0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2524] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076da2230 5 bytes JMP 0000000076f00300 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2524] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076da2240 5 bytes JMP 0000000076f00360 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2524] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076da22a0 5 bytes JMP 0000000076f002a0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2524] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076da22f0 5 bytes JMP 0000000076f002c0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2524] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076da2320 5 bytes JMP 0000000076f00380 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2524] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076da2330 5 bytes JMP 0000000076f00340 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2524] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076da2620 5 bytes JMP 0000000076f00440 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2524] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076da2820 5 bytes JMP 0000000076f00260 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2524] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076da2830 5 bytes JMP 0000000076f00270 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2524] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076da2840 5 bytes JMP 0000000076f00400 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2524] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076da2a00 5 bytes JMP 0000000076f001f0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2524] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076da2a10 5 bytes JMP 0000000076f00210 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2524] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076da2a80 5 bytes JMP 0000000076f00200 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2524] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076da2ae0 5 bytes JMP 0000000076f00420 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2524] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076da2af0 5 bytes JMP 0000000076f00430 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2524] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076da2b00 5 bytes JMP 0000000076f00220 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2524] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076da2be0 5 bytes JMP 0000000076f00280 .text C:\Program Files (x86)\Trend Micro\OfficeScan Client\tmlisten.exe[2600] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076da13c0 5 bytes JMP 0000000076f00460 .text C:\Program Files (x86)\Trend Micro\OfficeScan Client\tmlisten.exe[2600] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076da1410 5 bytes JMP 0000000076f00450 .text C:\Program Files (x86)\Trend Micro\OfficeScan Client\tmlisten.exe[2600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076da1570 5 bytes JMP 0000000076f00370 .text C:\Program Files (x86)\Trend Micro\OfficeScan Client\tmlisten.exe[2600] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076da15c0 5 bytes JMP 0000000076f00470 .text C:\Program Files (x86)\Trend Micro\OfficeScan Client\tmlisten.exe[2600] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076da15d0 5 bytes JMP 0000000076f003e0 .text C:\Program Files (x86)\Trend Micro\OfficeScan Client\tmlisten.exe[2600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076da1680 5 bytes JMP 0000000076f00320 .text C:\Program Files (x86)\Trend Micro\OfficeScan Client\tmlisten.exe[2600] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076da16b0 5 bytes JMP 0000000076f003b0 .text C:\Program Files (x86)\Trend Micro\OfficeScan Client\tmlisten.exe[2600] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076da16d0 5 bytes JMP 0000000076f00390 .text C:\Program Files (x86)\Trend Micro\OfficeScan Client\tmlisten.exe[2600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076da1710 5 bytes JMP 0000000076f002e0 .text C:\Program Files (x86)\Trend Micro\OfficeScan Client\tmlisten.exe[2600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076da1790 5 bytes JMP 0000000076f002d0 .text C:\Program Files (x86)\Trend Micro\OfficeScan Client\tmlisten.exe[2600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076da17b0 5 bytes JMP 0000000076f00310 .text C:\Program Files (x86)\Trend Micro\OfficeScan Client\tmlisten.exe[2600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076da17f0 5 bytes JMP 0000000076f003c0 .text C:\Program Files (x86)\Trend Micro\OfficeScan Client\tmlisten.exe[2600] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076da1840 5 bytes JMP 0000000076f003f0 .text C:\Program Files (x86)\Trend Micro\OfficeScan Client\tmlisten.exe[2600] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076da19a0 1 byte JMP 0000000076f00230 .text C:\Program Files (x86)\Trend Micro\OfficeScan Client\tmlisten.exe[2600] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076da19a2 3 bytes {JMP 0x15e890} .text C:\Program Files (x86)\Trend Micro\OfficeScan Client\tmlisten.exe[2600] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076da1b60 5 bytes JMP 0000000076f00480 .text C:\Program Files (x86)\Trend Micro\OfficeScan Client\tmlisten.exe[2600] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076da1b90 5 bytes JMP 0000000076f003a0 .text C:\Program Files (x86)\Trend Micro\OfficeScan Client\tmlisten.exe[2600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076da1c70 5 bytes JMP 0000000076f002f0 .text C:\Program Files (x86)\Trend Micro\OfficeScan Client\tmlisten.exe[2600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076da1c80 5 bytes JMP 0000000076f00350 .text C:\Program Files (x86)\Trend Micro\OfficeScan Client\tmlisten.exe[2600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076da1ce0 5 bytes JMP 0000000076f00290 .text C:\Program Files (x86)\Trend Micro\OfficeScan Client\tmlisten.exe[2600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076da1d70 5 bytes JMP 0000000076f002b0 .text C:\Program Files (x86)\Trend Micro\OfficeScan Client\tmlisten.exe[2600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076da1d90 5 bytes JMP 0000000076f003d0 .text C:\Program Files (x86)\Trend Micro\OfficeScan Client\tmlisten.exe[2600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076da1da0 1 byte JMP 0000000076f00330 .text C:\Program Files (x86)\Trend Micro\OfficeScan Client\tmlisten.exe[2600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076da1da2 3 bytes {JMP 0x15e590} .text C:\Program Files (x86)\Trend Micro\OfficeScan Client\tmlisten.exe[2600] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076da1e10 5 bytes JMP 0000000076f00410 .text C:\Program Files (x86)\Trend Micro\OfficeScan Client\tmlisten.exe[2600] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076da1e40 5 bytes JMP 0000000076f00240 .text C:\Program Files (x86)\Trend Micro\OfficeScan Client\tmlisten.exe[2600] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076da2100 5 bytes JMP 0000000076f001e0 .text C:\Program Files (x86)\Trend Micro\OfficeScan Client\tmlisten.exe[2600] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076da21c0 1 byte JMP 0000000076f00250 .text C:\Program Files (x86)\Trend Micro\OfficeScan Client\tmlisten.exe[2600] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076da21c2 3 bytes {JMP 0x15e090} .text C:\Program Files (x86)\Trend Micro\OfficeScan Client\tmlisten.exe[2600] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076da21f0 5 bytes JMP 0000000076f00490 .text C:\Program Files (x86)\Trend Micro\OfficeScan Client\tmlisten.exe[2600] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076da2200 5 bytes JMP 0000000076f004a0 .text C:\Program Files (x86)\Trend Micro\OfficeScan Client\tmlisten.exe[2600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076da2230 5 bytes JMP 0000000076f00300 .text C:\Program Files (x86)\Trend Micro\OfficeScan Client\tmlisten.exe[2600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076da2240 5 bytes JMP 0000000076f00360 .text C:\Program Files (x86)\Trend Micro\OfficeScan Client\tmlisten.exe[2600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076da22a0 5 bytes JMP 0000000076f002a0 .text C:\Program Files (x86)\Trend Micro\OfficeScan Client\tmlisten.exe[2600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076da22f0 5 bytes JMP 0000000076f002c0 .text C:\Program Files (x86)\Trend Micro\OfficeScan Client\tmlisten.exe[2600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076da2320 5 bytes JMP 0000000076f00380 .text C:\Program Files (x86)\Trend Micro\OfficeScan Client\tmlisten.exe[2600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076da2330 5 bytes JMP 0000000076f00340 .text C:\Program Files (x86)\Trend Micro\OfficeScan Client\tmlisten.exe[2600] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076da2620 5 bytes JMP 0000000076f00440 .text C:\Program Files (x86)\Trend Micro\OfficeScan Client\tmlisten.exe[2600] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076da2820 5 bytes JMP 0000000076f00260 .text C:\Program Files (x86)\Trend Micro\OfficeScan Client\tmlisten.exe[2600] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076da2830 5 bytes JMP 0000000076f00270 .text C:\Program Files (x86)\Trend Micro\OfficeScan Client\tmlisten.exe[2600] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076da2840 5 bytes JMP 0000000076f00400 .text C:\Program Files (x86)\Trend Micro\OfficeScan Client\tmlisten.exe[2600] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076da2a00 5 bytes JMP 0000000076f001f0 .text C:\Program Files (x86)\Trend Micro\OfficeScan Client\tmlisten.exe[2600] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076da2a10 5 bytes JMP 0000000076f00210 .text C:\Program Files (x86)\Trend Micro\OfficeScan Client\tmlisten.exe[2600] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076da2a80 5 bytes JMP 0000000076f00200 .text C:\Program Files (x86)\Trend Micro\OfficeScan Client\tmlisten.exe[2600] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076da2ae0 5 bytes JMP 0000000076f00420 .text C:\Program Files (x86)\Trend Micro\OfficeScan Client\tmlisten.exe[2600] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076da2af0 5 bytes JMP 0000000076f00430 .text C:\Program Files (x86)\Trend Micro\OfficeScan Client\tmlisten.exe[2600] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076da2b00 5 bytes JMP 0000000076f00220 .text C:\Program Files (x86)\Trend Micro\OfficeScan Client\tmlisten.exe[2600] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076da2be0 5 bytes JMP 0000000076f00280 .text C:\Windows\system32\wbem\wmiprvse.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076da13c0 5 bytes JMP 0000000076f00460 .text C:\Windows\system32\wbem\wmiprvse.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076da1410 5 bytes JMP 0000000076f00450 .text C:\Windows\system32\wbem\wmiprvse.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076da1570 5 bytes JMP 0000000076f00370 .text C:\Windows\system32\wbem\wmiprvse.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076da15c0 5 bytes JMP 0000000076f00470 .text C:\Windows\system32\wbem\wmiprvse.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076da15d0 5 bytes JMP 0000000076f003e0 .text C:\Windows\system32\wbem\wmiprvse.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076da1680 5 bytes JMP 0000000076f00320 .text C:\Windows\system32\wbem\wmiprvse.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076da16b0 5 bytes JMP 0000000076f003b0 .text C:\Windows\system32\wbem\wmiprvse.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076da16d0 5 bytes JMP 0000000076f00390 .text C:\Windows\system32\wbem\wmiprvse.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076da1710 5 bytes JMP 0000000076f002e0 .text C:\Windows\system32\wbem\wmiprvse.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076da1790 5 bytes JMP 0000000076f002d0 .text C:\Windows\system32\wbem\wmiprvse.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076da17b0 5 bytes JMP 0000000076f00310 .text C:\Windows\system32\wbem\wmiprvse.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076da17f0 5 bytes JMP 0000000076f003c0 .text C:\Windows\system32\wbem\wmiprvse.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076da1840 5 bytes JMP 0000000076f003f0 .text C:\Windows\system32\wbem\wmiprvse.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076da19a0 1 byte JMP 0000000076f00230 .text C:\Windows\system32\wbem\wmiprvse.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076da19a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\wbem\wmiprvse.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076da1b60 5 bytes JMP 0000000076f00480 .text C:\Windows\system32\wbem\wmiprvse.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076da1b90 5 bytes JMP 0000000076f003a0 .text C:\Windows\system32\wbem\wmiprvse.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076da1c70 5 bytes JMP 0000000076f002f0 .text C:\Windows\system32\wbem\wmiprvse.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076da1c80 5 bytes JMP 0000000076f00350 .text C:\Windows\system32\wbem\wmiprvse.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076da1ce0 5 bytes JMP 0000000076f00290 .text C:\Windows\system32\wbem\wmiprvse.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076da1d70 5 bytes JMP 0000000076f002b0 .text C:\Windows\system32\wbem\wmiprvse.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076da1d90 5 bytes JMP 0000000076f003d0 .text C:\Windows\system32\wbem\wmiprvse.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076da1da0 1 byte JMP 0000000076f00330 .text C:\Windows\system32\wbem\wmiprvse.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076da1da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\wbem\wmiprvse.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076da1e10 5 bytes JMP 0000000076f00410 .text C:\Windows\system32\wbem\wmiprvse.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076da1e40 5 bytes JMP 0000000076f00240 .text C:\Windows\system32\wbem\wmiprvse.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076da2100 5 bytes JMP 0000000076f001e0 .text C:\Windows\system32\wbem\wmiprvse.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076da21c0 1 byte JMP 0000000076f00250 .text C:\Windows\system32\wbem\wmiprvse.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076da21c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\wbem\wmiprvse.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076da21f0 5 bytes JMP 0000000076f00490 .text C:\Windows\system32\wbem\wmiprvse.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076da2200 5 bytes JMP 0000000076f004a0 .text C:\Windows\system32\wbem\wmiprvse.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076da2230 5 bytes JMP 0000000076f00300 .text C:\Windows\system32\wbem\wmiprvse.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076da2240 5 bytes JMP 0000000076f00360 .text C:\Windows\system32\wbem\wmiprvse.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076da22a0 5 bytes JMP 0000000076f002a0 .text C:\Windows\system32\wbem\wmiprvse.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076da22f0 5 bytes JMP 0000000076f002c0 .text C:\Windows\system32\wbem\wmiprvse.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076da2320 5 bytes JMP 0000000076f00380 .text C:\Windows\system32\wbem\wmiprvse.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076da2330 5 bytes JMP 0000000076f00340 .text C:\Windows\system32\wbem\wmiprvse.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076da2620 5 bytes JMP 0000000076f00440 .text C:\Windows\system32\wbem\wmiprvse.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076da2820 5 bytes JMP 0000000076f00260 .text C:\Windows\system32\wbem\wmiprvse.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076da2830 5 bytes JMP 0000000076f00270 .text C:\Windows\system32\wbem\wmiprvse.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076da2840 5 bytes JMP 0000000076f00400 .text C:\Windows\system32\wbem\wmiprvse.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076da2a00 5 bytes JMP 0000000076f001f0 .text C:\Windows\system32\wbem\wmiprvse.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076da2a10 5 bytes JMP 0000000076f00210 .text C:\Windows\system32\wbem\wmiprvse.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076da2a80 5 bytes JMP 0000000076f00200 .text C:\Windows\system32\wbem\wmiprvse.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076da2ae0 5 bytes JMP 0000000076f00420 .text C:\Windows\system32\wbem\wmiprvse.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076da2af0 5 bytes JMP 0000000076f00430 .text C:\Windows\system32\wbem\wmiprvse.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076da2b00 5 bytes JMP 0000000076f00220 .text C:\Windows\system32\wbem\wmiprvse.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076da2be0 5 bytes JMP 0000000076f00280 .text C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe[2976] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 69 00000000749c1465 2 bytes [9C, 74] .text C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe[2976] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 155 00000000749c14bb 2 bytes [9C, 74] .text ... * 2 .text C:\Program Files (x86)\Trend Micro\OfficeScan Client\TmProxy.exe[3308] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076da13c0 5 bytes JMP 0000000076f00460 .text C:\Program Files (x86)\Trend Micro\OfficeScan Client\TmProxy.exe[3308] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076da1410 5 bytes JMP 0000000076f00450 .text C:\Program Files (x86)\Trend Micro\OfficeScan Client\TmProxy.exe[3308] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076da1570 5 bytes JMP 0000000076f00370 .text C:\Program Files (x86)\Trend Micro\OfficeScan Client\TmProxy.exe[3308] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076da15c0 5 bytes JMP 0000000076f00470 .text C:\Program Files (x86)\Trend Micro\OfficeScan Client\TmProxy.exe[3308] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076da15d0 5 bytes JMP 0000000076f003e0 .text C:\Program Files (x86)\Trend Micro\OfficeScan Client\TmProxy.exe[3308] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076da1680 5 bytes JMP 0000000076f00320 .text C:\Program Files (x86)\Trend Micro\OfficeScan Client\TmProxy.exe[3308] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076da16b0 5 bytes JMP 0000000076f003b0 .text C:\Program Files (x86)\Trend Micro\OfficeScan Client\TmProxy.exe[3308] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076da16d0 5 bytes JMP 0000000076f00390 .text C:\Program Files (x86)\Trend Micro\OfficeScan Client\TmProxy.exe[3308] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076da1710 5 bytes JMP 0000000076f002e0 .text C:\Program Files (x86)\Trend Micro\OfficeScan Client\TmProxy.exe[3308] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076da1790 5 bytes JMP 0000000076f002d0 .text C:\Program Files (x86)\Trend Micro\OfficeScan Client\TmProxy.exe[3308] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076da17b0 5 bytes JMP 0000000076f00310 .text C:\Program Files (x86)\Trend Micro\OfficeScan Client\TmProxy.exe[3308] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076da17f0 5 bytes JMP 0000000076f003c0 .text C:\Program Files (x86)\Trend Micro\OfficeScan Client\TmProxy.exe[3308] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076da1840 5 bytes JMP 0000000076f003f0 .text C:\Program Files (x86)\Trend Micro\OfficeScan Client\TmProxy.exe[3308] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076da19a0 1 byte JMP 0000000076f00230 .text C:\Program Files (x86)\Trend Micro\OfficeScan Client\TmProxy.exe[3308] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076da19a2 3 bytes {JMP 0x15e890} .text C:\Program Files (x86)\Trend Micro\OfficeScan Client\TmProxy.exe[3308] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076da1b60 5 bytes JMP 0000000076f00480 .text C:\Program Files (x86)\Trend Micro\OfficeScan Client\TmProxy.exe[3308] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076da1b90 5 bytes JMP 0000000076f003a0 .text C:\Program Files (x86)\Trend Micro\OfficeScan Client\TmProxy.exe[3308] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076da1c70 5 bytes JMP 0000000076f002f0 .text C:\Program Files (x86)\Trend Micro\OfficeScan Client\TmProxy.exe[3308] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076da1c80 5 bytes JMP 0000000076f00350 .text C:\Program Files (x86)\Trend Micro\OfficeScan Client\TmProxy.exe[3308] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076da1ce0 5 bytes JMP 0000000076f00290 .text C:\Program Files (x86)\Trend Micro\OfficeScan Client\TmProxy.exe[3308] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076da1d70 5 bytes JMP 0000000076f002b0 .text C:\Program Files (x86)\Trend Micro\OfficeScan Client\TmProxy.exe[3308] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076da1d90 5 bytes JMP 0000000076f003d0 .text C:\Program Files (x86)\Trend Micro\OfficeScan Client\TmProxy.exe[3308] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076da1da0 1 byte JMP 0000000076f00330 .text C:\Program Files (x86)\Trend Micro\OfficeScan Client\TmProxy.exe[3308] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076da1da2 3 bytes {JMP 0x15e590} .text C:\Program Files (x86)\Trend Micro\OfficeScan Client\TmProxy.exe[3308] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076da1e10 5 bytes JMP 0000000076f00410 .text C:\Program Files (x86)\Trend Micro\OfficeScan Client\TmProxy.exe[3308] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076da1e40 5 bytes JMP 0000000076f00240 .text C:\Program Files (x86)\Trend Micro\OfficeScan Client\TmProxy.exe[3308] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076da2100 5 bytes JMP 0000000076f001e0 .text C:\Program Files (x86)\Trend Micro\OfficeScan Client\TmProxy.exe[3308] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076da21c0 1 byte JMP 0000000076f00250 .text C:\Program Files (x86)\Trend Micro\OfficeScan Client\TmProxy.exe[3308] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076da21c2 3 bytes {JMP 0x15e090} .text C:\Program Files (x86)\Trend Micro\OfficeScan Client\TmProxy.exe[3308] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076da21f0 5 bytes JMP 0000000076f00490 .text C:\Program Files (x86)\Trend Micro\OfficeScan Client\TmProxy.exe[3308] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076da2200 5 bytes JMP 0000000076f004a0 .text C:\Program Files (x86)\Trend Micro\OfficeScan Client\TmProxy.exe[3308] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076da2230 5 bytes JMP 0000000076f00300 .text C:\Program Files (x86)\Trend Micro\OfficeScan Client\TmProxy.exe[3308] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076da2240 5 bytes JMP 0000000076f00360 .text C:\Program Files (x86)\Trend Micro\OfficeScan Client\TmProxy.exe[3308] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076da22a0 5 bytes JMP 0000000076f002a0 .text C:\Program Files (x86)\Trend Micro\OfficeScan Client\TmProxy.exe[3308] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076da22f0 5 bytes JMP 0000000076f002c0 .text C:\Program Files (x86)\Trend Micro\OfficeScan Client\TmProxy.exe[3308] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076da2320 5 bytes JMP 0000000076f00380 .text C:\Program Files (x86)\Trend Micro\OfficeScan Client\TmProxy.exe[3308] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076da2330 5 bytes JMP 0000000076f00340 .text C:\Program Files (x86)\Trend Micro\OfficeScan Client\TmProxy.exe[3308] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076da2620 5 bytes JMP 0000000076f00440 .text C:\Program Files (x86)\Trend Micro\OfficeScan Client\TmProxy.exe[3308] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076da2820 5 bytes JMP 0000000076f00260 .text C:\Program Files (x86)\Trend Micro\OfficeScan Client\TmProxy.exe[3308] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076da2830 5 bytes JMP 0000000076f00270 .text C:\Program Files (x86)\Trend Micro\OfficeScan Client\TmProxy.exe[3308] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076da2840 5 bytes JMP 0000000076f00400 .text C:\Program Files (x86)\Trend Micro\OfficeScan Client\TmProxy.exe[3308] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076da2a00 5 bytes JMP 0000000076f001f0 .text C:\Program Files (x86)\Trend Micro\OfficeScan Client\TmProxy.exe[3308] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076da2a10 5 bytes JMP 0000000076f00210 .text C:\Program Files (x86)\Trend Micro\OfficeScan Client\TmProxy.exe[3308] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076da2a80 5 bytes JMP 0000000076f00200 .text C:\Program Files (x86)\Trend Micro\OfficeScan Client\TmProxy.exe[3308] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076da2ae0 5 bytes JMP 0000000076f00420 .text C:\Program Files (x86)\Trend Micro\OfficeScan Client\TmProxy.exe[3308] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076da2af0 5 bytes JMP 0000000076f00430 .text C:\Program Files (x86)\Trend Micro\OfficeScan Client\TmProxy.exe[3308] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076da2b00 5 bytes JMP 0000000076f00220 .text C:\Program Files (x86)\Trend Micro\OfficeScan Client\TmProxy.exe[3308] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076da2be0 5 bytes JMP 0000000076f00280 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3028] C:\Windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter 00000000751587b1 8 bytes [31, C0, C2, 04, 00, 90, 90, ...] .text C:\Program Files (x86)\Trend Micro\BM\TMBMSRV.exe[5704] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076da13c0 5 bytes JMP 0000000076f00460 .text C:\Program Files (x86)\Trend Micro\BM\TMBMSRV.exe[5704] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076da1410 5 bytes JMP 0000000076f00450 .text C:\Program Files (x86)\Trend Micro\BM\TMBMSRV.exe[5704] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076da1570 5 bytes JMP 0000000076f00370 .text C:\Program Files (x86)\Trend Micro\BM\TMBMSRV.exe[5704] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076da15c0 5 bytes JMP 0000000076f00470 .text C:\Program Files (x86)\Trend Micro\BM\TMBMSRV.exe[5704] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076da15d0 5 bytes JMP 0000000076f003e0 .text C:\Program Files (x86)\Trend Micro\BM\TMBMSRV.exe[5704] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076da1680 5 bytes JMP 0000000076f00320 .text C:\Program Files (x86)\Trend Micro\BM\TMBMSRV.exe[5704] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076da16b0 5 bytes JMP 0000000076f003b0 .text C:\Program Files (x86)\Trend Micro\BM\TMBMSRV.exe[5704] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076da16d0 5 bytes JMP 0000000076f00390 .text C:\Program Files (x86)\Trend Micro\BM\TMBMSRV.exe[5704] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076da1710 5 bytes JMP 0000000076f002e0 .text C:\Program Files (x86)\Trend Micro\BM\TMBMSRV.exe[5704] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076da1790 5 bytes JMP 0000000076f002d0 .text C:\Program Files (x86)\Trend Micro\BM\TMBMSRV.exe[5704] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076da17b0 5 bytes JMP 0000000076f00310 .text C:\Program Files (x86)\Trend Micro\BM\TMBMSRV.exe[5704] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076da17f0 5 bytes JMP 0000000076f003c0 .text C:\Program Files (x86)\Trend Micro\BM\TMBMSRV.exe[5704] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076da1840 5 bytes JMP 0000000076f003f0 .text C:\Program Files (x86)\Trend Micro\BM\TMBMSRV.exe[5704] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076da19a0 1 byte JMP 0000000076f00230 .text C:\Program Files (x86)\Trend Micro\BM\TMBMSRV.exe[5704] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076da19a2 3 bytes {JMP 0x15e890} .text C:\Program Files (x86)\Trend Micro\BM\TMBMSRV.exe[5704] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076da1b60 5 bytes JMP 0000000076f00480 .text C:\Program Files (x86)\Trend Micro\BM\TMBMSRV.exe[5704] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076da1b90 5 bytes JMP 0000000076f003a0 .text C:\Program Files (x86)\Trend Micro\BM\TMBMSRV.exe[5704] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076da1c70 5 bytes JMP 0000000076f002f0 .text C:\Program Files (x86)\Trend Micro\BM\TMBMSRV.exe[5704] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076da1c80 5 bytes JMP 0000000076f00350 .text C:\Program Files (x86)\Trend Micro\BM\TMBMSRV.exe[5704] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076da1ce0 5 bytes JMP 0000000076f00290 .text C:\Program Files (x86)\Trend Micro\BM\TMBMSRV.exe[5704] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076da1d70 5 bytes JMP 0000000076f002b0 .text C:\Program Files (x86)\Trend Micro\BM\TMBMSRV.exe[5704] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076da1d90 5 bytes JMP 0000000076f003d0 .text C:\Program Files (x86)\Trend Micro\BM\TMBMSRV.exe[5704] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076da1da0 1 byte JMP 0000000076f00330 .text C:\Program Files (x86)\Trend Micro\BM\TMBMSRV.exe[5704] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076da1da2 3 bytes {JMP 0x15e590} .text C:\Program Files (x86)\Trend Micro\BM\TMBMSRV.exe[5704] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076da1e10 5 bytes JMP 0000000076f00410 .text C:\Program Files (x86)\Trend Micro\BM\TMBMSRV.exe[5704] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076da1e40 5 bytes JMP 0000000076f00240 .text C:\Program Files (x86)\Trend Micro\BM\TMBMSRV.exe[5704] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076da2100 5 bytes JMP 0000000076f001e0 .text C:\Program Files (x86)\Trend Micro\BM\TMBMSRV.exe[5704] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076da21c0 1 byte JMP 0000000076f00250 .text C:\Program Files (x86)\Trend Micro\BM\TMBMSRV.exe[5704] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076da21c2 3 bytes {JMP 0x15e090} .text C:\Program Files (x86)\Trend Micro\BM\TMBMSRV.exe[5704] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076da21f0 5 bytes JMP 0000000076f00490 .text C:\Program Files (x86)\Trend Micro\BM\TMBMSRV.exe[5704] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076da2200 5 bytes JMP 0000000076f004a0 .text C:\Program Files (x86)\Trend Micro\BM\TMBMSRV.exe[5704] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076da2230 5 bytes JMP 0000000076f00300 .text C:\Program Files (x86)\Trend Micro\BM\TMBMSRV.exe[5704] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076da2240 5 bytes JMP 0000000076f00360 .text C:\Program Files (x86)\Trend Micro\BM\TMBMSRV.exe[5704] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076da22a0 5 bytes JMP 0000000076f002a0 .text C:\Program Files (x86)\Trend Micro\BM\TMBMSRV.exe[5704] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076da22f0 5 bytes JMP 0000000076f002c0 .text C:\Program Files (x86)\Trend Micro\BM\TMBMSRV.exe[5704] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076da2320 5 bytes JMP 0000000076f00380 .text C:\Program Files (x86)\Trend Micro\BM\TMBMSRV.exe[5704] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076da2330 5 bytes JMP 0000000076f00340 .text C:\Program Files (x86)\Trend Micro\BM\TMBMSRV.exe[5704] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076da2620 5 bytes JMP 0000000076f00440 .text C:\Program Files (x86)\Trend Micro\BM\TMBMSRV.exe[5704] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076da2820 5 bytes JMP 0000000076f00260 .text C:\Program Files (x86)\Trend Micro\BM\TMBMSRV.exe[5704] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076da2830 5 bytes JMP 0000000076f00270 .text C:\Program Files (x86)\Trend Micro\BM\TMBMSRV.exe[5704] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076da2840 5 bytes JMP 0000000076f00400 .text C:\Program Files (x86)\Trend Micro\BM\TMBMSRV.exe[5704] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076da2a00 5 bytes JMP 0000000076f001f0 .text C:\Program Files (x86)\Trend Micro\BM\TMBMSRV.exe[5704] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076da2a10 5 bytes JMP 0000000076f00210 .text C:\Program Files (x86)\Trend Micro\BM\TMBMSRV.exe[5704] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076da2a80 5 bytes JMP 0000000076f00200 .text C:\Program Files (x86)\Trend Micro\BM\TMBMSRV.exe[5704] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076da2ae0 5 bytes JMP 0000000076f00420 .text C:\Program Files (x86)\Trend Micro\BM\TMBMSRV.exe[5704] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076da2af0 5 bytes JMP 0000000076f00430 .text C:\Program Files (x86)\Trend Micro\BM\TMBMSRV.exe[5704] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076da2b00 5 bytes JMP 0000000076f00220 .text C:\Program Files (x86)\Trend Micro\BM\TMBMSRV.exe[5704] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076da2be0 5 bytes JMP 0000000076f00280 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6820] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000749c1465 2 bytes [9C, 74] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[6820] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000749c14bb 2 bytes [9C, 74] .text ... * 2 ---- Threads - GMER 2.1 ---- Thread C:\Windows\system32\taskhost.exe [2388:3656] 000007fef6962740 Thread C:\Windows\system32\taskhost.exe [2388:4116] 000007fef6911f38 Thread C:\Windows\system32\taskhost.exe [2388:4136] 000007fefb211010 Thread C:\Windows\system32\taskhost.exe [2388:4196] 000007fefe959274 Thread C:\Windows\system32\Dwm.exe [4124:4240] 000007fef573f0d8 Thread C:\Windows\system32\Dwm.exe [4124:4260] 000007fef569abf0 Thread C:\Windows\Explorer.EXE [4148:4548] 000000006f522480 Thread C:\Windows\Explorer.EXE [4148:4560] 000000005c158e00 Thread C:\Windows\Explorer.EXE [4148:4624] 000007fef69e2154 Thread C:\Windows\Explorer.EXE [4148:5092] 000007fefb6f6204 Thread C:\Windows\Explorer.EXE [4148:4324] 000007fef2442f9c Thread C:\Windows\Explorer.EXE [4148:4484] 000007fef22b2118 Thread C:\Windows\Explorer.EXE [4148:6936] 000000006f092e08 Thread C:\Windows\Explorer.EXE [4148:2392] 000000006f092e08 Thread C:\Windows\Explorer.EXE [4148:3852] 000000006f092e08 Thread C:\Windows\Explorer.EXE [4148:6132] 000000006f092e08 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\889ffaf444d9 Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\889ffaf444d9 (not active ControlSet) ---- Disk sectors - GMER 2.1 ---- Disk \Device\Harddisk0\DR0 unknown MBR code ---- Files - GMER 2.1 ---- File C:\Users\pawel.zawadzki\AppData\Local\Temp\WERA18A.tmp.resp.erc.xml 0 bytes File C:\Users\pawel.zawadzki\AppData\Local\Temp\WERA18B.tmp.resp 0 bytes ---- EOF - GMER 2.1 ----