GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2015-01-17 00:06:20 Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\0000001d ST1000LM024_HN-M101MBB rev.2BA30001 931,51GB Running: m9jufwjw.exe; Driver: C:\Users\Przemek\AppData\Local\Temp\fxryrpog.sys ---- Kernel code sections - GMER 2.1 ---- .text C:\WINDOWS\System32\win32k.sys!W32pServiceTable fffff9600008b200 15 bytes [00, 28, F6, 01, 80, 1C, 6C, ...] .text C:\WINDOWS\System32\win32k.sys!W32pServiceTable + 16 fffff9600008b210 11 bytes [00, 0E, FC, FF, 00, 05, C4, ...] ---- User code sections - GMER 2.1 ---- .text C:\WINDOWS\system32\csrss.exe[500] C:\WINDOWS\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00007ffbbf731720 5 bytes JMP 00007ffc3f860460 .text C:\WINDOWS\system32\csrss.exe[500] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueryObject 00007ffbbf731770 5 bytes JMP 00007ffc3f860450 .text C:\WINDOWS\system32\csrss.exe[500] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenProcess 00007ffbbf7318d0 5 bytes JMP 00007ffc3f860370 .text C:\WINDOWS\system32\csrss.exe[500] C:\WINDOWS\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00007ffbbf731920 5 bytes JMP 00007ffc3f860470 .text C:\WINDOWS\system32\csrss.exe[500] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ffbbf731930 5 bytes JMP 00007ffc3f8603e0 .text C:\WINDOWS\system32\csrss.exe[500] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenSection 00007ffbbf7319e0 5 bytes JMP 00007ffc3f860320 .text C:\WINDOWS\system32\csrss.exe[500] C:\WINDOWS\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffbbf731a10 5 bytes JMP 00007ffc3f8603b0 .text C:\WINDOWS\system32\csrss.exe[500] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDuplicateObject 00007ffbbf731a30 5 bytes JMP 00007ffc3f860390 .text C:\WINDOWS\system32\csrss.exe[500] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenEvent 00007ffbbf731a70 5 bytes JMP 00007ffc3f8602e0 .text C:\WINDOWS\system32\csrss.exe[500] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateEvent 00007ffbbf731af0 5 bytes JMP 00007ffc3f8602d0 .text C:\WINDOWS\system32\csrss.exe[500] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSection 00007ffbbf731b10 5 bytes JMP 00007ffc3f860310 .text C:\WINDOWS\system32\csrss.exe[500] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThread 00007ffbbf731b50 5 bytes JMP 00007ffc3f8603c0 .text C:\WINDOWS\system32\csrss.exe[500] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateThread 00007ffbbf731ba0 5 bytes JMP 00007ffc3f8603f0 .text C:\WINDOWS\system32\csrss.exe[500] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAddBootEntry 00007ffbbf731d00 5 bytes JMP 00007ffc3f860230 .text C:\WINDOWS\system32\csrss.exe[500] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ffbbf731ef0 1 byte JMP 00007ffc3f860480 .text C:\WINDOWS\system32\csrss.exe[500] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort + 2 00007ffbbf731ef2 3 bytes {JMP 0xffffffff8012e590} .text C:\WINDOWS\system32\csrss.exe[500] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00007ffbbf731f20 5 bytes JMP 00007ffc3f8603a0 .text C:\WINDOWS\system32\csrss.exe[500] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ffbbf732040 5 bytes JMP 00007ffc3f8602f0 .text C:\WINDOWS\system32\csrss.exe[500] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00007ffbbf732060 5 bytes JMP 00007ffc3f860350 .text C:\WINDOWS\system32\csrss.exe[500] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateMutant 00007ffbbf7320d0 5 bytes JMP 00007ffc3f860290 .text C:\WINDOWS\system32\csrss.exe[500] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ffbbf732160 5 bytes JMP 00007ffc3f8602b0 .text C:\WINDOWS\system32\csrss.exe[500] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffbbf732180 5 bytes JMP 00007ffc3f8603d0 .text C:\WINDOWS\system32\csrss.exe[500] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateTimer 00007ffbbf732190 5 bytes JMP 00007ffc3f860330 .text C:\WINDOWS\system32\csrss.exe[500] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00007ffbbf732240 5 bytes JMP 00007ffc3f860410 .text C:\WINDOWS\system32\csrss.exe[500] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00007ffbbf732270 5 bytes JMP 00007ffc3f860240 .text C:\WINDOWS\system32\csrss.exe[500] C:\WINDOWS\SYSTEM32\ntdll.dll!NtLoadDriver 00007ffbbf732590 5 bytes JMP 00007ffc3f8601e0 .text C:\WINDOWS\system32\csrss.exe[500] C:\WINDOWS\SYSTEM32\ntdll.dll!NtModifyBootEntry 00007ffbbf732650 5 bytes JMP 00007ffc3f860250 .text C:\WINDOWS\system32\csrss.exe[500] C:\WINDOWS\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00007ffbbf732680 5 bytes JMP 00007ffc3f860490 .text C:\WINDOWS\system32\csrss.exe[500] C:\WINDOWS\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00007ffbbf732690 5 bytes JMP 00007ffc3f8604a0 .text C:\WINDOWS\system32\csrss.exe[500] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenEventPair 00007ffbbf7326c0 5 bytes JMP 00007ffc3f860300 .text C:\WINDOWS\system32\csrss.exe[500] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00007ffbbf7326d0 1 byte JMP 00007ffc3f860360 .text C:\WINDOWS\system32\csrss.exe[500] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenIoCompletion + 2 00007ffbbf7326d2 3 bytes {JMP 0xffffffff8012dc90} .text C:\WINDOWS\system32\csrss.exe[500] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenMutant 00007ffbbf732730 5 bytes JMP 00007ffc3f8602a0 .text C:\WINDOWS\system32\csrss.exe[500] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenSemaphore 00007ffbbf732780 5 bytes JMP 00007ffc3f8602c0 .text C:\WINDOWS\system32\csrss.exe[500] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenThread 00007ffbbf7327b0 5 bytes JMP 00007ffc3f860380 .text C:\WINDOWS\system32\csrss.exe[500] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenTimer 00007ffbbf7327c0 5 bytes JMP 00007ffc3f860340 .text C:\WINDOWS\system32\csrss.exe[500] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00007ffbbf732ad0 5 bytes JMP 00007ffc3f860440 .text C:\WINDOWS\system32\csrss.exe[500] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00007ffbbf732cd0 1 byte JMP 00007ffc3f860260 .text C:\WINDOWS\system32\csrss.exe[500] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 00007ffbbf732cd2 3 bytes {JMP 0xffffffff8012d590} .text C:\WINDOWS\system32\csrss.exe[500] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootOptions 00007ffbbf732ce0 1 byte JMP 00007ffc3f860270 .text C:\WINDOWS\system32\csrss.exe[500] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 00007ffbbf732ce2 3 bytes {JMP 0xffffffff8012d590} .text C:\WINDOWS\system32\csrss.exe[500] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetContextThread 00007ffbbf732d00 5 bytes JMP 00007ffc3f860400 .text C:\WINDOWS\system32\csrss.exe[500] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ffbbf732ee0 5 bytes JMP 00007ffc3f8601f0 .text C:\WINDOWS\system32\csrss.exe[500] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00007ffbbf732ef0 5 bytes JMP 00007ffc3f860210 .text C:\WINDOWS\system32\csrss.exe[500] C:\WINDOWS\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ffbbf732f80 5 bytes JMP 00007ffc3f860200 .text C:\WINDOWS\system32\csrss.exe[500] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSuspendProcess 00007ffbbf732ff0 5 bytes JMP 00007ffc3f860420 .text C:\WINDOWS\system32\csrss.exe[500] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSuspendThread 00007ffbbf733000 5 bytes JMP 00007ffc3f860430 .text C:\WINDOWS\system32\csrss.exe[500] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ffbbf733010 5 bytes JMP 00007ffc3f860220 .text C:\WINDOWS\system32\csrss.exe[500] C:\WINDOWS\SYSTEM32\ntdll.dll!NtVdmControl 00007ffbbf733120 2 bytes JMP 00007ffc3f860280 .text C:\WINDOWS\system32\csrss.exe[500] C:\WINDOWS\SYSTEM32\ntdll.dll!NtVdmControl + 3 00007ffbbf733123 2 bytes [12, 80] .text C:\WINDOWS\system32\wininit.exe[576] C:\WINDOWS\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00007ffbbf731720 5 bytes JMP 00007ffc3f860460 .text C:\WINDOWS\system32\wininit.exe[576] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueryObject 00007ffbbf731770 5 bytes JMP 00007ffc3f860450 .text C:\WINDOWS\system32\wininit.exe[576] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenProcess 00007ffbbf7318d0 5 bytes JMP 00007ffc3f860370 .text C:\WINDOWS\system32\wininit.exe[576] C:\WINDOWS\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00007ffbbf731920 5 bytes JMP 00007ffc3f860470 .text C:\WINDOWS\system32\wininit.exe[576] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ffbbf731930 5 bytes JMP 00007ffc3f8603e0 .text C:\WINDOWS\system32\wininit.exe[576] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenSection 00007ffbbf7319e0 5 bytes JMP 00007ffc3f860320 .text C:\WINDOWS\system32\wininit.exe[576] C:\WINDOWS\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffbbf731a10 5 bytes JMP 00007ffc3f8603b0 .text C:\WINDOWS\system32\wininit.exe[576] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDuplicateObject 00007ffbbf731a30 5 bytes JMP 00007ffc3f860390 .text C:\WINDOWS\system32\wininit.exe[576] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenEvent 00007ffbbf731a70 5 bytes JMP 00007ffc3f8602e0 .text C:\WINDOWS\system32\wininit.exe[576] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateEvent 00007ffbbf731af0 5 bytes JMP 00007ffc3f8602d0 .text C:\WINDOWS\system32\wininit.exe[576] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSection 00007ffbbf731b10 5 bytes JMP 00007ffc3f860310 .text C:\WINDOWS\system32\wininit.exe[576] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThread 00007ffbbf731b50 5 bytes JMP 00007ffc3f8603c0 .text C:\WINDOWS\system32\wininit.exe[576] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateThread 00007ffbbf731ba0 5 bytes JMP 00007ffc3f8603f0 .text C:\WINDOWS\system32\wininit.exe[576] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAddBootEntry 00007ffbbf731d00 5 bytes JMP 00007ffc3f860230 .text C:\WINDOWS\system32\wininit.exe[576] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ffbbf731ef0 1 byte JMP 00007ffc3f860480 .text C:\WINDOWS\system32\wininit.exe[576] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort + 2 00007ffbbf731ef2 3 bytes {JMP 0xffffffff8012e590} .text C:\WINDOWS\system32\wininit.exe[576] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00007ffbbf731f20 5 bytes JMP 00007ffc3f8603a0 .text C:\WINDOWS\system32\wininit.exe[576] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ffbbf732040 5 bytes JMP 00007ffc3f8602f0 .text C:\WINDOWS\system32\wininit.exe[576] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00007ffbbf732060 5 bytes JMP 00007ffc3f860350 .text C:\WINDOWS\system32\wininit.exe[576] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateMutant 00007ffbbf7320d0 5 bytes JMP 00007ffc3f860290 .text C:\WINDOWS\system32\wininit.exe[576] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ffbbf732160 5 bytes JMP 00007ffc3f8602b0 .text C:\WINDOWS\system32\wininit.exe[576] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffbbf732180 5 bytes JMP 00007ffc3f8603d0 .text C:\WINDOWS\system32\wininit.exe[576] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateTimer 00007ffbbf732190 5 bytes JMP 00007ffc3f860330 .text C:\WINDOWS\system32\wininit.exe[576] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00007ffbbf732240 5 bytes JMP 00007ffc3f860410 .text C:\WINDOWS\system32\wininit.exe[576] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00007ffbbf732270 5 bytes JMP 00007ffc3f860240 .text C:\WINDOWS\system32\wininit.exe[576] C:\WINDOWS\SYSTEM32\ntdll.dll!NtLoadDriver 00007ffbbf732590 5 bytes JMP 00007ffc3f8601e0 .text C:\WINDOWS\system32\wininit.exe[576] C:\WINDOWS\SYSTEM32\ntdll.dll!NtModifyBootEntry 00007ffbbf732650 5 bytes JMP 00007ffc3f860250 .text C:\WINDOWS\system32\wininit.exe[576] C:\WINDOWS\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00007ffbbf732680 5 bytes JMP 00007ffc3f860490 .text C:\WINDOWS\system32\wininit.exe[576] C:\WINDOWS\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00007ffbbf732690 5 bytes JMP 00007ffc3f8604a0 .text C:\WINDOWS\system32\wininit.exe[576] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenEventPair 00007ffbbf7326c0 5 bytes JMP 00007ffc3f860300 .text C:\WINDOWS\system32\wininit.exe[576] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00007ffbbf7326d0 1 byte JMP 00007ffc3f860360 .text C:\WINDOWS\system32\wininit.exe[576] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenIoCompletion + 2 00007ffbbf7326d2 3 bytes {JMP 0xffffffff8012dc90} .text C:\WINDOWS\system32\wininit.exe[576] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenMutant 00007ffbbf732730 5 bytes JMP 00007ffc3f8602a0 .text C:\WINDOWS\system32\wininit.exe[576] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenSemaphore 00007ffbbf732780 5 bytes JMP 00007ffc3f8602c0 .text C:\WINDOWS\system32\wininit.exe[576] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenThread 00007ffbbf7327b0 5 bytes JMP 00007ffc3f860380 .text C:\WINDOWS\system32\wininit.exe[576] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenTimer 00007ffbbf7327c0 5 bytes JMP 00007ffc3f860340 .text C:\WINDOWS\system32\wininit.exe[576] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00007ffbbf732ad0 5 bytes JMP 00007ffc3f860440 .text C:\WINDOWS\system32\wininit.exe[576] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00007ffbbf732cd0 1 byte JMP 00007ffc3f860260 .text C:\WINDOWS\system32\wininit.exe[576] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 00007ffbbf732cd2 3 bytes {JMP 0xffffffff8012d590} .text C:\WINDOWS\system32\wininit.exe[576] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootOptions 00007ffbbf732ce0 1 byte JMP 00007ffc3f860270 .text C:\WINDOWS\system32\wininit.exe[576] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 00007ffbbf732ce2 3 bytes {JMP 0xffffffff8012d590} .text C:\WINDOWS\system32\wininit.exe[576] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetContextThread 00007ffbbf732d00 5 bytes JMP 00007ffc3f860400 .text C:\WINDOWS\system32\wininit.exe[576] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ffbbf732ee0 5 bytes JMP 00007ffc3f8601f0 .text C:\WINDOWS\system32\wininit.exe[576] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00007ffbbf732ef0 5 bytes JMP 00007ffc3f860210 .text C:\WINDOWS\system32\wininit.exe[576] C:\WINDOWS\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ffbbf732f80 5 bytes JMP 00007ffc3f860200 .text C:\WINDOWS\system32\wininit.exe[576] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSuspendProcess 00007ffbbf732ff0 5 bytes JMP 00007ffc3f860420 .text C:\WINDOWS\system32\wininit.exe[576] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSuspendThread 00007ffbbf733000 5 bytes JMP 00007ffc3f860430 .text C:\WINDOWS\system32\wininit.exe[576] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ffbbf733010 5 bytes JMP 00007ffc3f860220 .text C:\WINDOWS\system32\wininit.exe[576] C:\WINDOWS\SYSTEM32\ntdll.dll!NtVdmControl 00007ffbbf733120 2 bytes JMP 00007ffc3f860280 .text C:\WINDOWS\system32\wininit.exe[576] C:\WINDOWS\SYSTEM32\ntdll.dll!NtVdmControl + 3 00007ffbbf733123 2 bytes [12, 80] .text C:\WINDOWS\system32\csrss.exe[596] C:\WINDOWS\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00007ffbbf731720 5 bytes JMP 00007ffc3f860460 .text C:\WINDOWS\system32\csrss.exe[596] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueryObject 00007ffbbf731770 5 bytes JMP 00007ffc3f860450 .text C:\WINDOWS\system32\csrss.exe[596] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenProcess 00007ffbbf7318d0 5 bytes JMP 00007ffc3f860370 .text C:\WINDOWS\system32\csrss.exe[596] C:\WINDOWS\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00007ffbbf731920 5 bytes JMP 00007ffc3f860470 .text C:\WINDOWS\system32\csrss.exe[596] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ffbbf731930 5 bytes JMP 00007ffc3f8603e0 .text C:\WINDOWS\system32\csrss.exe[596] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenSection 00007ffbbf7319e0 5 bytes JMP 00007ffc3f860320 .text C:\WINDOWS\system32\csrss.exe[596] C:\WINDOWS\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffbbf731a10 5 bytes JMP 00007ffc3f8603b0 .text C:\WINDOWS\system32\csrss.exe[596] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDuplicateObject 00007ffbbf731a30 5 bytes JMP 00007ffc3f860390 .text C:\WINDOWS\system32\csrss.exe[596] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenEvent 00007ffbbf731a70 5 bytes JMP 00007ffc3f8602e0 .text C:\WINDOWS\system32\csrss.exe[596] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateEvent 00007ffbbf731af0 5 bytes JMP 00007ffc3f8602d0 .text C:\WINDOWS\system32\csrss.exe[596] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSection 00007ffbbf731b10 5 bytes JMP 00007ffc3f860310 .text C:\WINDOWS\system32\csrss.exe[596] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThread 00007ffbbf731b50 5 bytes JMP 00007ffc3f8603c0 .text C:\WINDOWS\system32\csrss.exe[596] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateThread 00007ffbbf731ba0 5 bytes JMP 00007ffc3f8603f0 .text C:\WINDOWS\system32\csrss.exe[596] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAddBootEntry 00007ffbbf731d00 5 bytes JMP 00007ffc3f860230 .text C:\WINDOWS\system32\csrss.exe[596] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ffbbf731ef0 1 byte JMP 00007ffc3f860480 .text C:\WINDOWS\system32\csrss.exe[596] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort + 2 00007ffbbf731ef2 3 bytes {JMP 0xffffffff8012e590} .text C:\WINDOWS\system32\csrss.exe[596] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00007ffbbf731f20 5 bytes JMP 00007ffc3f8603a0 .text C:\WINDOWS\system32\csrss.exe[596] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ffbbf732040 5 bytes JMP 00007ffc3f8602f0 .text C:\WINDOWS\system32\csrss.exe[596] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00007ffbbf732060 5 bytes JMP 00007ffc3f860350 .text C:\WINDOWS\system32\csrss.exe[596] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateMutant 00007ffbbf7320d0 5 bytes JMP 00007ffc3f860290 .text C:\WINDOWS\system32\csrss.exe[596] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ffbbf732160 5 bytes JMP 00007ffc3f8602b0 .text C:\WINDOWS\system32\csrss.exe[596] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffbbf732180 5 bytes JMP 00007ffc3f8603d0 .text C:\WINDOWS\system32\csrss.exe[596] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateTimer 00007ffbbf732190 5 bytes JMP 00007ffc3f860330 .text C:\WINDOWS\system32\csrss.exe[596] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00007ffbbf732240 5 bytes JMP 00007ffc3f860410 .text C:\WINDOWS\system32\csrss.exe[596] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00007ffbbf732270 5 bytes JMP 00007ffc3f860240 .text C:\WINDOWS\system32\csrss.exe[596] C:\WINDOWS\SYSTEM32\ntdll.dll!NtLoadDriver 00007ffbbf732590 5 bytes JMP 00007ffc3f8601e0 .text C:\WINDOWS\system32\csrss.exe[596] C:\WINDOWS\SYSTEM32\ntdll.dll!NtModifyBootEntry 00007ffbbf732650 5 bytes JMP 00007ffc3f860250 .text C:\WINDOWS\system32\csrss.exe[596] C:\WINDOWS\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00007ffbbf732680 5 bytes JMP 00007ffc3f860490 .text C:\WINDOWS\system32\csrss.exe[596] C:\WINDOWS\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00007ffbbf732690 5 bytes JMP 00007ffc3f8604a0 .text C:\WINDOWS\system32\csrss.exe[596] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenEventPair 00007ffbbf7326c0 5 bytes JMP 00007ffc3f860300 .text C:\WINDOWS\system32\csrss.exe[596] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00007ffbbf7326d0 1 byte JMP 00007ffc3f860360 .text C:\WINDOWS\system32\csrss.exe[596] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenIoCompletion + 2 00007ffbbf7326d2 3 bytes {JMP 0xffffffff8012dc90} .text C:\WINDOWS\system32\csrss.exe[596] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenMutant 00007ffbbf732730 5 bytes JMP 00007ffc3f8602a0 .text C:\WINDOWS\system32\csrss.exe[596] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenSemaphore 00007ffbbf732780 5 bytes JMP 00007ffc3f8602c0 .text C:\WINDOWS\system32\csrss.exe[596] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenThread 00007ffbbf7327b0 5 bytes JMP 00007ffc3f860380 .text C:\WINDOWS\system32\csrss.exe[596] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenTimer 00007ffbbf7327c0 5 bytes JMP 00007ffc3f860340 .text C:\WINDOWS\system32\csrss.exe[596] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00007ffbbf732ad0 5 bytes JMP 00007ffc3f860440 .text C:\WINDOWS\system32\csrss.exe[596] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00007ffbbf732cd0 1 byte JMP 00007ffc3f860260 .text C:\WINDOWS\system32\csrss.exe[596] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 00007ffbbf732cd2 3 bytes {JMP 0xffffffff8012d590} .text C:\WINDOWS\system32\csrss.exe[596] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootOptions 00007ffbbf732ce0 1 byte JMP 00007ffc3f860270 .text C:\WINDOWS\system32\csrss.exe[596] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 00007ffbbf732ce2 3 bytes {JMP 0xffffffff8012d590} .text C:\WINDOWS\system32\csrss.exe[596] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetContextThread 00007ffbbf732d00 5 bytes JMP 00007ffc3f860400 .text C:\WINDOWS\system32\csrss.exe[596] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ffbbf732ee0 5 bytes JMP 00007ffc3f8601f0 .text C:\WINDOWS\system32\csrss.exe[596] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00007ffbbf732ef0 5 bytes JMP 00007ffc3f860210 .text C:\WINDOWS\system32\csrss.exe[596] C:\WINDOWS\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ffbbf732f80 5 bytes JMP 00007ffc3f860200 .text C:\WINDOWS\system32\csrss.exe[596] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSuspendProcess 00007ffbbf732ff0 5 bytes JMP 00007ffc3f860420 .text C:\WINDOWS\system32\csrss.exe[596] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSuspendThread 00007ffbbf733000 5 bytes JMP 00007ffc3f860430 .text C:\WINDOWS\system32\csrss.exe[596] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ffbbf733010 5 bytes JMP 00007ffc3f860220 .text C:\WINDOWS\system32\csrss.exe[596] C:\WINDOWS\SYSTEM32\ntdll.dll!NtVdmControl 00007ffbbf733120 2 bytes JMP 00007ffc3f860280 .text C:\WINDOWS\system32\csrss.exe[596] C:\WINDOWS\SYSTEM32\ntdll.dll!NtVdmControl + 3 00007ffbbf733123 2 bytes [12, 80] .text C:\WINDOWS\system32\winlogon.exe[648] C:\WINDOWS\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00007ffbbf731720 5 bytes JMP 00007ffc3f860460 .text C:\WINDOWS\system32\winlogon.exe[648] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueryObject 00007ffbbf731770 5 bytes JMP 00007ffc3f860450 .text C:\WINDOWS\system32\winlogon.exe[648] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenProcess 00007ffbbf7318d0 5 bytes JMP 00007ffc3f860370 .text C:\WINDOWS\system32\winlogon.exe[648] C:\WINDOWS\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00007ffbbf731920 5 bytes JMP 00007ffc3f860470 .text C:\WINDOWS\system32\winlogon.exe[648] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ffbbf731930 5 bytes JMP 00007ffc3f8603e0 .text C:\WINDOWS\system32\winlogon.exe[648] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenSection 00007ffbbf7319e0 5 bytes JMP 00007ffc3f860320 .text C:\WINDOWS\system32\winlogon.exe[648] C:\WINDOWS\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffbbf731a10 5 bytes JMP 00007ffc3f8603b0 .text C:\WINDOWS\system32\winlogon.exe[648] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDuplicateObject 00007ffbbf731a30 5 bytes JMP 00007ffc3f860390 .text C:\WINDOWS\system32\winlogon.exe[648] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenEvent 00007ffbbf731a70 5 bytes JMP 00007ffc3f8602e0 .text C:\WINDOWS\system32\winlogon.exe[648] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateEvent 00007ffbbf731af0 5 bytes JMP 00007ffc3f8602d0 .text C:\WINDOWS\system32\winlogon.exe[648] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSection 00007ffbbf731b10 5 bytes JMP 00007ffc3f860310 .text C:\WINDOWS\system32\winlogon.exe[648] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThread 00007ffbbf731b50 5 bytes JMP 00007ffc3f8603c0 .text C:\WINDOWS\system32\winlogon.exe[648] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateThread 00007ffbbf731ba0 5 bytes JMP 00007ffc3f8603f0 .text C:\WINDOWS\system32\winlogon.exe[648] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAddBootEntry 00007ffbbf731d00 5 bytes JMP 00007ffc3f860230 .text C:\WINDOWS\system32\winlogon.exe[648] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ffbbf731ef0 1 byte JMP 00007ffc3f860480 .text C:\WINDOWS\system32\winlogon.exe[648] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort + 2 00007ffbbf731ef2 3 bytes {JMP 0xffffffff8012e590} .text C:\WINDOWS\system32\winlogon.exe[648] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00007ffbbf731f20 5 bytes JMP 00007ffc3f8603a0 .text C:\WINDOWS\system32\winlogon.exe[648] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ffbbf732040 5 bytes JMP 00007ffc3f8602f0 .text C:\WINDOWS\system32\winlogon.exe[648] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00007ffbbf732060 5 bytes JMP 00007ffc3f860350 .text C:\WINDOWS\system32\winlogon.exe[648] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateMutant 00007ffbbf7320d0 5 bytes JMP 00007ffc3f860290 .text C:\WINDOWS\system32\winlogon.exe[648] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ffbbf732160 5 bytes JMP 00007ffc3f8602b0 .text C:\WINDOWS\system32\winlogon.exe[648] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffbbf732180 5 bytes JMP 00007ffc3f8603d0 .text C:\WINDOWS\system32\winlogon.exe[648] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateTimer 00007ffbbf732190 5 bytes JMP 00007ffc3f860330 .text C:\WINDOWS\system32\winlogon.exe[648] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00007ffbbf732240 5 bytes JMP 00007ffc3f860410 .text C:\WINDOWS\system32\winlogon.exe[648] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00007ffbbf732270 5 bytes JMP 00007ffc3f860240 .text C:\WINDOWS\system32\winlogon.exe[648] C:\WINDOWS\SYSTEM32\ntdll.dll!NtLoadDriver 00007ffbbf732590 5 bytes JMP 00007ffc3f8601e0 .text C:\WINDOWS\system32\winlogon.exe[648] C:\WINDOWS\SYSTEM32\ntdll.dll!NtModifyBootEntry 00007ffbbf732650 5 bytes JMP 00007ffc3f860250 .text C:\WINDOWS\system32\winlogon.exe[648] C:\WINDOWS\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00007ffbbf732680 5 bytes JMP 00007ffc3f860490 .text C:\WINDOWS\system32\winlogon.exe[648] C:\WINDOWS\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00007ffbbf732690 5 bytes JMP 00007ffc3f8604a0 .text C:\WINDOWS\system32\winlogon.exe[648] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenEventPair 00007ffbbf7326c0 5 bytes JMP 00007ffc3f860300 .text C:\WINDOWS\system32\winlogon.exe[648] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00007ffbbf7326d0 1 byte JMP 00007ffc3f860360 .text C:\WINDOWS\system32\winlogon.exe[648] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenIoCompletion + 2 00007ffbbf7326d2 3 bytes {JMP 0xffffffff8012dc90} .text C:\WINDOWS\system32\winlogon.exe[648] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenMutant 00007ffbbf732730 5 bytes JMP 00007ffc3f8602a0 .text C:\WINDOWS\system32\winlogon.exe[648] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenSemaphore 00007ffbbf732780 5 bytes JMP 00007ffc3f8602c0 .text C:\WINDOWS\system32\winlogon.exe[648] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenThread 00007ffbbf7327b0 5 bytes JMP 00007ffc3f860380 .text C:\WINDOWS\system32\winlogon.exe[648] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenTimer 00007ffbbf7327c0 5 bytes JMP 00007ffc3f860340 .text C:\WINDOWS\system32\winlogon.exe[648] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00007ffbbf732ad0 5 bytes JMP 00007ffc3f860440 .text C:\WINDOWS\system32\winlogon.exe[648] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00007ffbbf732cd0 1 byte JMP 00007ffc3f860260 .text C:\WINDOWS\system32\winlogon.exe[648] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 00007ffbbf732cd2 3 bytes {JMP 0xffffffff8012d590} .text C:\WINDOWS\system32\winlogon.exe[648] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootOptions 00007ffbbf732ce0 1 byte JMP 00007ffc3f860270 .text C:\WINDOWS\system32\winlogon.exe[648] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 00007ffbbf732ce2 3 bytes {JMP 0xffffffff8012d590} .text C:\WINDOWS\system32\winlogon.exe[648] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetContextThread 00007ffbbf732d00 5 bytes JMP 00007ffc3f860400 .text C:\WINDOWS\system32\winlogon.exe[648] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ffbbf732ee0 5 bytes JMP 00007ffc3f8601f0 .text C:\WINDOWS\system32\winlogon.exe[648] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00007ffbbf732ef0 5 bytes JMP 00007ffc3f860210 .text C:\WINDOWS\system32\winlogon.exe[648] C:\WINDOWS\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ffbbf732f80 5 bytes JMP 00007ffc3f860200 .text C:\WINDOWS\system32\winlogon.exe[648] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSuspendProcess 00007ffbbf732ff0 5 bytes JMP 00007ffc3f860420 .text C:\WINDOWS\system32\winlogon.exe[648] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSuspendThread 00007ffbbf733000 5 bytes JMP 00007ffc3f860430 .text C:\WINDOWS\system32\winlogon.exe[648] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ffbbf733010 5 bytes JMP 00007ffc3f860220 .text C:\WINDOWS\system32\winlogon.exe[648] C:\WINDOWS\SYSTEM32\ntdll.dll!NtVdmControl 00007ffbbf733120 2 bytes JMP 00007ffc3f860280 .text C:\WINDOWS\system32\winlogon.exe[648] C:\WINDOWS\SYSTEM32\ntdll.dll!NtVdmControl + 3 00007ffbbf733123 2 bytes [12, 80] .text C:\WINDOWS\system32\services.exe[668] C:\WINDOWS\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00007ffbbf731720 5 bytes JMP 00007ffc3f860460 .text C:\WINDOWS\system32\services.exe[668] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueryObject 00007ffbbf731770 5 bytes JMP 00007ffc3f860450 .text C:\WINDOWS\system32\services.exe[668] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenProcess 00007ffbbf7318d0 5 bytes JMP 00007ffc3f860370 .text C:\WINDOWS\system32\services.exe[668] C:\WINDOWS\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00007ffbbf731920 5 bytes JMP 00007ffc3f860470 .text C:\WINDOWS\system32\services.exe[668] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ffbbf731930 5 bytes JMP 00007ffc3f8603e0 .text C:\WINDOWS\system32\services.exe[668] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenSection 00007ffbbf7319e0 5 bytes JMP 00007ffc3f860320 .text C:\WINDOWS\system32\services.exe[668] C:\WINDOWS\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffbbf731a10 5 bytes JMP 00007ffc3f8603b0 .text C:\WINDOWS\system32\services.exe[668] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDuplicateObject 00007ffbbf731a30 5 bytes JMP 00007ffc3f860390 .text C:\WINDOWS\system32\services.exe[668] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenEvent 00007ffbbf731a70 5 bytes JMP 00007ffc3f8602e0 .text C:\WINDOWS\system32\services.exe[668] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateEvent 00007ffbbf731af0 5 bytes JMP 00007ffc3f8602d0 .text C:\WINDOWS\system32\services.exe[668] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSection 00007ffbbf731b10 5 bytes JMP 00007ffc3f860310 .text C:\WINDOWS\system32\services.exe[668] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThread 00007ffbbf731b50 5 bytes JMP 00007ffc3f8603c0 .text C:\WINDOWS\system32\services.exe[668] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateThread 00007ffbbf731ba0 5 bytes JMP 00007ffc3f8603f0 .text C:\WINDOWS\system32\services.exe[668] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAddBootEntry 00007ffbbf731d00 5 bytes JMP 00007ffc3f860230 .text C:\WINDOWS\system32\services.exe[668] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ffbbf731ef0 1 byte JMP 00007ffc3f860480 .text C:\WINDOWS\system32\services.exe[668] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort + 2 00007ffbbf731ef2 3 bytes {JMP 0xffffffff8012e590} .text C:\WINDOWS\system32\services.exe[668] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00007ffbbf731f20 5 bytes JMP 00007ffc3f8603a0 .text C:\WINDOWS\system32\services.exe[668] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ffbbf732040 5 bytes JMP 00007ffc3f8602f0 .text C:\WINDOWS\system32\services.exe[668] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00007ffbbf732060 5 bytes JMP 00007ffc3f860350 .text C:\WINDOWS\system32\services.exe[668] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateMutant 00007ffbbf7320d0 5 bytes JMP 00007ffc3f860290 .text C:\WINDOWS\system32\services.exe[668] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ffbbf732160 5 bytes JMP 00007ffc3f8602b0 .text C:\WINDOWS\system32\services.exe[668] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffbbf732180 5 bytes JMP 00007ffc3f8603d0 .text C:\WINDOWS\system32\services.exe[668] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateTimer 00007ffbbf732190 5 bytes JMP 00007ffc3f860330 .text C:\WINDOWS\system32\services.exe[668] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00007ffbbf732240 5 bytes JMP 00007ffc3f860410 .text C:\WINDOWS\system32\services.exe[668] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00007ffbbf732270 5 bytes JMP 00007ffc3f860240 .text C:\WINDOWS\system32\services.exe[668] C:\WINDOWS\SYSTEM32\ntdll.dll!NtLoadDriver 00007ffbbf732590 5 bytes JMP 00007ffc3f8601e0 .text C:\WINDOWS\system32\services.exe[668] C:\WINDOWS\SYSTEM32\ntdll.dll!NtModifyBootEntry 00007ffbbf732650 5 bytes JMP 00007ffc3f860250 .text C:\WINDOWS\system32\services.exe[668] C:\WINDOWS\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00007ffbbf732680 5 bytes JMP 00007ffc3f860490 .text C:\WINDOWS\system32\services.exe[668] C:\WINDOWS\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00007ffbbf732690 5 bytes JMP 00007ffc3f8604a0 .text C:\WINDOWS\system32\services.exe[668] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenEventPair 00007ffbbf7326c0 5 bytes JMP 00007ffc3f860300 .text C:\WINDOWS\system32\services.exe[668] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00007ffbbf7326d0 1 byte JMP 00007ffc3f860360 .text C:\WINDOWS\system32\services.exe[668] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenIoCompletion + 2 00007ffbbf7326d2 3 bytes {JMP 0xffffffff8012dc90} .text C:\WINDOWS\system32\services.exe[668] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenMutant 00007ffbbf732730 5 bytes JMP 00007ffc3f8602a0 .text C:\WINDOWS\system32\services.exe[668] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenSemaphore 00007ffbbf732780 5 bytes JMP 00007ffc3f8602c0 .text C:\WINDOWS\system32\services.exe[668] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenThread 00007ffbbf7327b0 5 bytes JMP 00007ffc3f860380 .text C:\WINDOWS\system32\services.exe[668] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenTimer 00007ffbbf7327c0 5 bytes JMP 00007ffc3f860340 .text C:\WINDOWS\system32\services.exe[668] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00007ffbbf732ad0 5 bytes JMP 00007ffc3f860440 .text C:\WINDOWS\system32\services.exe[668] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00007ffbbf732cd0 1 byte JMP 00007ffc3f860260 .text C:\WINDOWS\system32\services.exe[668] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 00007ffbbf732cd2 3 bytes {JMP 0xffffffff8012d590} .text C:\WINDOWS\system32\services.exe[668] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootOptions 00007ffbbf732ce0 1 byte JMP 00007ffc3f860270 .text C:\WINDOWS\system32\services.exe[668] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 00007ffbbf732ce2 3 bytes {JMP 0xffffffff8012d590} .text C:\WINDOWS\system32\services.exe[668] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetContextThread 00007ffbbf732d00 5 bytes JMP 00007ffc3f860400 .text C:\WINDOWS\system32\services.exe[668] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ffbbf732ee0 5 bytes JMP 00007ffc3f8601f0 .text C:\WINDOWS\system32\services.exe[668] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00007ffbbf732ef0 5 bytes JMP 00007ffc3f860210 .text C:\WINDOWS\system32\services.exe[668] C:\WINDOWS\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ffbbf732f80 5 bytes JMP 00007ffc3f860200 .text C:\WINDOWS\system32\services.exe[668] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSuspendProcess 00007ffbbf732ff0 5 bytes JMP 00007ffc3f860420 .text C:\WINDOWS\system32\services.exe[668] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSuspendThread 00007ffbbf733000 5 bytes JMP 00007ffc3f860430 .text C:\WINDOWS\system32\services.exe[668] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ffbbf733010 5 bytes JMP 00007ffc3f860220 .text C:\WINDOWS\system32\services.exe[668] C:\WINDOWS\SYSTEM32\ntdll.dll!NtVdmControl 00007ffbbf733120 2 bytes JMP 00007ffc3f860280 .text C:\WINDOWS\system32\services.exe[668] C:\WINDOWS\SYSTEM32\ntdll.dll!NtVdmControl + 3 00007ffbbf733123 2 bytes [12, 80] .text C:\WINDOWS\system32\lsass.exe[676] C:\WINDOWS\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00007ffbbf731720 5 bytes JMP 00007ffc3f860460 .text C:\WINDOWS\system32\lsass.exe[676] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueryObject 00007ffbbf731770 5 bytes JMP 00007ffc3f860450 .text C:\WINDOWS\system32\lsass.exe[676] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenProcess 00007ffbbf7318d0 5 bytes JMP 00007ffc3f860370 .text C:\WINDOWS\system32\lsass.exe[676] C:\WINDOWS\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00007ffbbf731920 5 bytes JMP 00007ffc3f860470 .text C:\WINDOWS\system32\lsass.exe[676] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ffbbf731930 5 bytes JMP 00007ffc3f8603e0 .text C:\WINDOWS\system32\lsass.exe[676] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenSection 00007ffbbf7319e0 5 bytes JMP 00007ffc3f860320 .text C:\WINDOWS\system32\lsass.exe[676] C:\WINDOWS\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffbbf731a10 5 bytes JMP 00007ffc3f8603b0 .text C:\WINDOWS\system32\lsass.exe[676] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDuplicateObject 00007ffbbf731a30 5 bytes JMP 00007ffc3f860390 .text C:\WINDOWS\system32\lsass.exe[676] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenEvent 00007ffbbf731a70 5 bytes JMP 00007ffc3f8602e0 .text C:\WINDOWS\system32\lsass.exe[676] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateEvent 00007ffbbf731af0 5 bytes JMP 00007ffc3f8602d0 .text C:\WINDOWS\system32\lsass.exe[676] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSection 00007ffbbf731b10 5 bytes JMP 00007ffc3f860310 .text C:\WINDOWS\system32\lsass.exe[676] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThread 00007ffbbf731b50 5 bytes JMP 00007ffc3f8603c0 .text C:\WINDOWS\system32\lsass.exe[676] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateThread 00007ffbbf731ba0 5 bytes JMP 00007ffc3f8603f0 .text C:\WINDOWS\system32\lsass.exe[676] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAddBootEntry 00007ffbbf731d00 5 bytes JMP 00007ffc3f860230 .text C:\WINDOWS\system32\lsass.exe[676] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ffbbf731ef0 1 byte JMP 00007ffc3f860480 .text C:\WINDOWS\system32\lsass.exe[676] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort + 2 00007ffbbf731ef2 3 bytes {JMP 0xffffffff8012e590} .text C:\WINDOWS\system32\lsass.exe[676] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00007ffbbf731f20 5 bytes JMP 00007ffc3f8603a0 .text C:\WINDOWS\system32\lsass.exe[676] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ffbbf732040 5 bytes JMP 00007ffc3f8602f0 .text C:\WINDOWS\system32\lsass.exe[676] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00007ffbbf732060 5 bytes JMP 00007ffc3f860350 .text C:\WINDOWS\system32\lsass.exe[676] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateMutant 00007ffbbf7320d0 5 bytes JMP 00007ffc3f860290 .text C:\WINDOWS\system32\lsass.exe[676] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ffbbf732160 5 bytes JMP 00007ffc3f8602b0 .text C:\WINDOWS\system32\lsass.exe[676] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffbbf732180 5 bytes JMP 00007ffc3f8603d0 .text C:\WINDOWS\system32\lsass.exe[676] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateTimer 00007ffbbf732190 5 bytes JMP 00007ffc3f860330 .text C:\WINDOWS\system32\lsass.exe[676] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00007ffbbf732240 5 bytes JMP 00007ffc3f860410 .text C:\WINDOWS\system32\lsass.exe[676] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00007ffbbf732270 5 bytes JMP 00007ffc3f860240 .text C:\WINDOWS\system32\lsass.exe[676] C:\WINDOWS\SYSTEM32\ntdll.dll!NtLoadDriver 00007ffbbf732590 5 bytes JMP 00007ffc3f8601e0 .text C:\WINDOWS\system32\lsass.exe[676] C:\WINDOWS\SYSTEM32\ntdll.dll!NtModifyBootEntry 00007ffbbf732650 5 bytes JMP 00007ffc3f860250 .text C:\WINDOWS\system32\lsass.exe[676] C:\WINDOWS\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00007ffbbf732680 5 bytes JMP 00007ffc3f860490 .text C:\WINDOWS\system32\lsass.exe[676] C:\WINDOWS\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00007ffbbf732690 5 bytes JMP 00007ffc3f8604a0 .text C:\WINDOWS\system32\lsass.exe[676] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenEventPair 00007ffbbf7326c0 5 bytes JMP 00007ffc3f860300 .text C:\WINDOWS\system32\lsass.exe[676] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00007ffbbf7326d0 1 byte JMP 00007ffc3f860360 .text C:\WINDOWS\system32\lsass.exe[676] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenIoCompletion + 2 00007ffbbf7326d2 3 bytes {JMP 0xffffffff8012dc90} .text C:\WINDOWS\system32\lsass.exe[676] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenMutant 00007ffbbf732730 5 bytes JMP 00007ffc3f8602a0 .text C:\WINDOWS\system32\lsass.exe[676] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenSemaphore 00007ffbbf732780 5 bytes JMP 00007ffc3f8602c0 .text C:\WINDOWS\system32\lsass.exe[676] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenThread 00007ffbbf7327b0 5 bytes JMP 00007ffc3f860380 .text C:\WINDOWS\system32\lsass.exe[676] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenTimer 00007ffbbf7327c0 5 bytes JMP 00007ffc3f860340 .text C:\WINDOWS\system32\lsass.exe[676] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00007ffbbf732ad0 5 bytes JMP 00007ffc3f860440 .text C:\WINDOWS\system32\lsass.exe[676] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00007ffbbf732cd0 1 byte JMP 00007ffc3f860260 .text C:\WINDOWS\system32\lsass.exe[676] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 00007ffbbf732cd2 3 bytes {JMP 0xffffffff8012d590} .text C:\WINDOWS\system32\lsass.exe[676] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootOptions 00007ffbbf732ce0 1 byte JMP 00007ffc3f860270 .text C:\WINDOWS\system32\lsass.exe[676] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 00007ffbbf732ce2 3 bytes {JMP 0xffffffff8012d590} .text C:\WINDOWS\system32\lsass.exe[676] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetContextThread 00007ffbbf732d00 5 bytes JMP 00007ffc3f860400 .text C:\WINDOWS\system32\lsass.exe[676] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ffbbf732ee0 5 bytes JMP 00007ffc3f8601f0 .text C:\WINDOWS\system32\lsass.exe[676] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00007ffbbf732ef0 5 bytes JMP 00007ffc3f860210 .text C:\WINDOWS\system32\lsass.exe[676] C:\WINDOWS\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ffbbf732f80 5 bytes JMP 00007ffc3f860200 .text C:\WINDOWS\system32\lsass.exe[676] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSuspendProcess 00007ffbbf732ff0 5 bytes JMP 00007ffc3f860420 .text C:\WINDOWS\system32\lsass.exe[676] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSuspendThread 00007ffbbf733000 5 bytes JMP 00007ffc3f860430 .text C:\WINDOWS\system32\lsass.exe[676] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ffbbf733010 5 bytes JMP 00007ffc3f860220 .text C:\WINDOWS\system32\lsass.exe[676] C:\WINDOWS\SYSTEM32\ntdll.dll!NtVdmControl 00007ffbbf733120 2 bytes JMP 00007ffc3f860280 .text C:\WINDOWS\system32\lsass.exe[676] C:\WINDOWS\SYSTEM32\ntdll.dll!NtVdmControl + 3 00007ffbbf733123 2 bytes [12, 80] .text C:\WINDOWS\system32\svchost.exe[768] C:\WINDOWS\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00007ffbbf731720 5 bytes JMP 00007ffc3f860460 .text C:\WINDOWS\system32\svchost.exe[768] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueryObject 00007ffbbf731770 5 bytes JMP 00007ffc3f860450 .text C:\WINDOWS\system32\svchost.exe[768] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenProcess 00007ffbbf7318d0 5 bytes JMP 00007ffc3f860370 .text C:\WINDOWS\system32\svchost.exe[768] C:\WINDOWS\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00007ffbbf731920 5 bytes JMP 00007ffc3f860470 .text C:\WINDOWS\system32\svchost.exe[768] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ffbbf731930 5 bytes JMP 00007ffc3f8603e0 .text C:\WINDOWS\system32\svchost.exe[768] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenSection 00007ffbbf7319e0 5 bytes JMP 00007ffc3f860320 .text C:\WINDOWS\system32\svchost.exe[768] C:\WINDOWS\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffbbf731a10 5 bytes JMP 00007ffc3f8603b0 .text C:\WINDOWS\system32\svchost.exe[768] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDuplicateObject 00007ffbbf731a30 5 bytes JMP 00007ffc3f860390 .text C:\WINDOWS\system32\svchost.exe[768] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenEvent 00007ffbbf731a70 5 bytes JMP 00007ffc3f8602e0 .text C:\WINDOWS\system32\svchost.exe[768] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateEvent 00007ffbbf731af0 5 bytes JMP 00007ffc3f8602d0 .text C:\WINDOWS\system32\svchost.exe[768] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSection 00007ffbbf731b10 5 bytes JMP 00007ffc3f860310 .text C:\WINDOWS\system32\svchost.exe[768] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThread 00007ffbbf731b50 5 bytes JMP 00007ffc3f8603c0 .text C:\WINDOWS\system32\svchost.exe[768] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateThread 00007ffbbf731ba0 5 bytes JMP 00007ffc3f8603f0 .text C:\WINDOWS\system32\svchost.exe[768] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAddBootEntry 00007ffbbf731d00 5 bytes JMP 00007ffc3f860230 .text C:\WINDOWS\system32\svchost.exe[768] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ffbbf731ef0 1 byte JMP 00007ffc3f860480 .text C:\WINDOWS\system32\svchost.exe[768] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort + 2 00007ffbbf731ef2 3 bytes {JMP 0xffffffff8012e590} .text C:\WINDOWS\system32\svchost.exe[768] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00007ffbbf731f20 5 bytes JMP 00007ffc3f8603a0 .text C:\WINDOWS\system32\svchost.exe[768] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ffbbf732040 5 bytes JMP 00007ffc3f8602f0 .text C:\WINDOWS\system32\svchost.exe[768] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00007ffbbf732060 5 bytes JMP 00007ffc3f860350 .text C:\WINDOWS\system32\svchost.exe[768] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateMutant 00007ffbbf7320d0 5 bytes JMP 00007ffc3f860290 .text C:\WINDOWS\system32\svchost.exe[768] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ffbbf732160 5 bytes JMP 00007ffc3f8602b0 .text C:\WINDOWS\system32\svchost.exe[768] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffbbf732180 5 bytes JMP 00007ffc3f8603d0 .text C:\WINDOWS\system32\svchost.exe[768] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateTimer 00007ffbbf732190 5 bytes JMP 00007ffc3f860330 .text C:\WINDOWS\system32\svchost.exe[768] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00007ffbbf732240 5 bytes JMP 00007ffc3f860410 .text C:\WINDOWS\system32\svchost.exe[768] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00007ffbbf732270 5 bytes JMP 00007ffc3f860240 .text C:\WINDOWS\system32\svchost.exe[768] C:\WINDOWS\SYSTEM32\ntdll.dll!NtLoadDriver 00007ffbbf732590 5 bytes JMP 00007ffc3f8601e0 .text C:\WINDOWS\system32\svchost.exe[768] C:\WINDOWS\SYSTEM32\ntdll.dll!NtModifyBootEntry 00007ffbbf732650 5 bytes JMP 00007ffc3f860250 .text C:\WINDOWS\system32\svchost.exe[768] C:\WINDOWS\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00007ffbbf732680 5 bytes JMP 00007ffc3f860490 .text C:\WINDOWS\system32\svchost.exe[768] C:\WINDOWS\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00007ffbbf732690 5 bytes JMP 00007ffc3f8604a0 .text C:\WINDOWS\system32\svchost.exe[768] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenEventPair 00007ffbbf7326c0 5 bytes JMP 00007ffc3f860300 .text C:\WINDOWS\system32\svchost.exe[768] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00007ffbbf7326d0 1 byte JMP 00007ffc3f860360 .text C:\WINDOWS\system32\svchost.exe[768] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenIoCompletion + 2 00007ffbbf7326d2 3 bytes {JMP 0xffffffff8012dc90} .text C:\WINDOWS\system32\svchost.exe[768] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenMutant 00007ffbbf732730 5 bytes JMP 00007ffc3f8602a0 .text C:\WINDOWS\system32\svchost.exe[768] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenSemaphore 00007ffbbf732780 5 bytes JMP 00007ffc3f8602c0 .text C:\WINDOWS\system32\svchost.exe[768] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenThread 00007ffbbf7327b0 5 bytes JMP 00007ffc3f860380 .text C:\WINDOWS\system32\svchost.exe[768] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenTimer 00007ffbbf7327c0 5 bytes JMP 00007ffc3f860340 .text C:\WINDOWS\system32\svchost.exe[768] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00007ffbbf732ad0 5 bytes JMP 00007ffc3f860440 .text C:\WINDOWS\system32\svchost.exe[768] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00007ffbbf732cd0 1 byte JMP 00007ffc3f860260 .text C:\WINDOWS\system32\svchost.exe[768] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 00007ffbbf732cd2 3 bytes {JMP 0xffffffff8012d590} .text C:\WINDOWS\system32\svchost.exe[768] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootOptions 00007ffbbf732ce0 1 byte JMP 00007ffc3f860270 .text C:\WINDOWS\system32\svchost.exe[768] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 00007ffbbf732ce2 3 bytes {JMP 0xffffffff8012d590} .text C:\WINDOWS\system32\svchost.exe[768] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetContextThread 00007ffbbf732d00 5 bytes JMP 00007ffc3f860400 .text C:\WINDOWS\system32\svchost.exe[768] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ffbbf732ee0 5 bytes JMP 00007ffc3f8601f0 .text C:\WINDOWS\system32\svchost.exe[768] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00007ffbbf732ef0 5 bytes JMP 00007ffc3f860210 .text C:\WINDOWS\system32\svchost.exe[768] C:\WINDOWS\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ffbbf732f80 5 bytes JMP 00007ffc3f860200 .text C:\WINDOWS\system32\svchost.exe[768] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSuspendProcess 00007ffbbf732ff0 5 bytes JMP 00007ffc3f860420 .text C:\WINDOWS\system32\svchost.exe[768] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSuspendThread 00007ffbbf733000 5 bytes JMP 00007ffc3f860430 .text C:\WINDOWS\system32\svchost.exe[768] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ffbbf733010 5 bytes JMP 00007ffc3f860220 .text C:\WINDOWS\system32\svchost.exe[768] C:\WINDOWS\SYSTEM32\ntdll.dll!NtVdmControl 00007ffbbf733120 2 bytes JMP 00007ffc3f860280 .text C:\WINDOWS\system32\svchost.exe[768] C:\WINDOWS\SYSTEM32\ntdll.dll!NtVdmControl + 3 00007ffbbf733123 2 bytes [12, 80] .text C:\WINDOWS\system32\svchost.exe[816] C:\WINDOWS\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00007ffbbf731720 5 bytes JMP 00007ffc3f860460 .text C:\WINDOWS\system32\svchost.exe[816] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueryObject 00007ffbbf731770 5 bytes JMP 00007ffc3f860450 .text C:\WINDOWS\system32\svchost.exe[816] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenProcess 00007ffbbf7318d0 5 bytes JMP 00007ffc3f860370 .text C:\WINDOWS\system32\svchost.exe[816] C:\WINDOWS\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00007ffbbf731920 5 bytes JMP 00007ffc3f860470 .text C:\WINDOWS\system32\svchost.exe[816] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ffbbf731930 5 bytes JMP 00007ffc3f8603e0 .text C:\WINDOWS\system32\svchost.exe[816] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenSection 00007ffbbf7319e0 5 bytes JMP 00007ffc3f860320 .text C:\WINDOWS\system32\svchost.exe[816] C:\WINDOWS\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffbbf731a10 5 bytes JMP 00007ffc3f8603b0 .text C:\WINDOWS\system32\svchost.exe[816] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDuplicateObject 00007ffbbf731a30 5 bytes JMP 00007ffc3f860390 .text C:\WINDOWS\system32\svchost.exe[816] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenEvent 00007ffbbf731a70 5 bytes JMP 00007ffc3f8602e0 .text C:\WINDOWS\system32\svchost.exe[816] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateEvent 00007ffbbf731af0 5 bytes JMP 00007ffc3f8602d0 .text C:\WINDOWS\system32\svchost.exe[816] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSection 00007ffbbf731b10 5 bytes JMP 00007ffc3f860310 .text C:\WINDOWS\system32\svchost.exe[816] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThread 00007ffbbf731b50 5 bytes JMP 00007ffc3f8603c0 .text C:\WINDOWS\system32\svchost.exe[816] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateThread 00007ffbbf731ba0 5 bytes JMP 00007ffc3f8603f0 .text C:\WINDOWS\system32\svchost.exe[816] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAddBootEntry 00007ffbbf731d00 5 bytes JMP 00007ffc3f860230 .text C:\WINDOWS\system32\svchost.exe[816] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ffbbf731ef0 1 byte JMP 00007ffc3f860480 .text C:\WINDOWS\system32\svchost.exe[816] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort + 2 00007ffbbf731ef2 3 bytes {JMP 0xffffffff8012e590} .text C:\WINDOWS\system32\svchost.exe[816] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00007ffbbf731f20 5 bytes JMP 00007ffc3f8603a0 .text C:\WINDOWS\system32\svchost.exe[816] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ffbbf732040 5 bytes JMP 00007ffc3f8602f0 .text C:\WINDOWS\system32\svchost.exe[816] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00007ffbbf732060 5 bytes JMP 00007ffc3f860350 .text C:\WINDOWS\system32\svchost.exe[816] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateMutant 00007ffbbf7320d0 5 bytes JMP 00007ffc3f860290 .text C:\WINDOWS\system32\svchost.exe[816] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ffbbf732160 5 bytes JMP 00007ffc3f8602b0 .text C:\WINDOWS\system32\svchost.exe[816] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffbbf732180 5 bytes JMP 00007ffc3f8603d0 .text C:\WINDOWS\system32\svchost.exe[816] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateTimer 00007ffbbf732190 5 bytes JMP 00007ffc3f860330 .text C:\WINDOWS\system32\svchost.exe[816] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00007ffbbf732240 5 bytes JMP 00007ffc3f860410 .text C:\WINDOWS\system32\svchost.exe[816] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00007ffbbf732270 5 bytes JMP 00007ffc3f860240 .text C:\WINDOWS\system32\svchost.exe[816] C:\WINDOWS\SYSTEM32\ntdll.dll!NtLoadDriver 00007ffbbf732590 5 bytes JMP 00007ffc3f8601e0 .text C:\WINDOWS\system32\svchost.exe[816] C:\WINDOWS\SYSTEM32\ntdll.dll!NtModifyBootEntry 00007ffbbf732650 5 bytes JMP 00007ffc3f860250 .text C:\WINDOWS\system32\svchost.exe[816] C:\WINDOWS\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00007ffbbf732680 5 bytes JMP 00007ffc3f860490 .text C:\WINDOWS\system32\svchost.exe[816] C:\WINDOWS\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00007ffbbf732690 5 bytes JMP 00007ffc3f8604a0 .text C:\WINDOWS\system32\svchost.exe[816] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenEventPair 00007ffbbf7326c0 5 bytes JMP 00007ffc3f860300 .text C:\WINDOWS\system32\svchost.exe[816] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00007ffbbf7326d0 1 byte JMP 00007ffc3f860360 .text C:\WINDOWS\system32\svchost.exe[816] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenIoCompletion + 2 00007ffbbf7326d2 3 bytes {JMP 0xffffffff8012dc90} .text C:\WINDOWS\system32\svchost.exe[816] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenMutant 00007ffbbf732730 5 bytes JMP 00007ffc3f8602a0 .text C:\WINDOWS\system32\svchost.exe[816] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenSemaphore 00007ffbbf732780 5 bytes JMP 00007ffc3f8602c0 .text C:\WINDOWS\system32\svchost.exe[816] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenThread 00007ffbbf7327b0 5 bytes JMP 00007ffc3f860380 .text C:\WINDOWS\system32\svchost.exe[816] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenTimer 00007ffbbf7327c0 5 bytes JMP 00007ffc3f860340 .text C:\WINDOWS\system32\svchost.exe[816] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00007ffbbf732ad0 5 bytes JMP 00007ffc3f860440 .text C:\WINDOWS\system32\svchost.exe[816] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00007ffbbf732cd0 1 byte JMP 00007ffc3f860260 .text C:\WINDOWS\system32\svchost.exe[816] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 00007ffbbf732cd2 3 bytes {JMP 0xffffffff8012d590} .text C:\WINDOWS\system32\svchost.exe[816] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootOptions 00007ffbbf732ce0 1 byte JMP 00007ffc3f860270 .text C:\WINDOWS\system32\svchost.exe[816] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 00007ffbbf732ce2 3 bytes {JMP 0xffffffff8012d590} .text C:\WINDOWS\system32\svchost.exe[816] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetContextThread 00007ffbbf732d00 5 bytes JMP 00007ffc3f860400 .text C:\WINDOWS\system32\svchost.exe[816] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ffbbf732ee0 5 bytes JMP 00007ffc3f8601f0 .text C:\WINDOWS\system32\svchost.exe[816] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00007ffbbf732ef0 5 bytes JMP 00007ffc3f860210 .text C:\WINDOWS\system32\svchost.exe[816] C:\WINDOWS\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ffbbf732f80 5 bytes JMP 00007ffc3f860200 .text C:\WINDOWS\system32\svchost.exe[816] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSuspendProcess 00007ffbbf732ff0 5 bytes JMP 00007ffc3f860420 .text C:\WINDOWS\system32\svchost.exe[816] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSuspendThread 00007ffbbf733000 5 bytes JMP 00007ffc3f860430 .text C:\WINDOWS\system32\svchost.exe[816] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ffbbf733010 5 bytes JMP 00007ffc3f860220 .text C:\WINDOWS\system32\svchost.exe[816] C:\WINDOWS\SYSTEM32\ntdll.dll!NtVdmControl 00007ffbbf733120 2 bytes JMP 00007ffc3f860280 .text C:\WINDOWS\system32\svchost.exe[816] C:\WINDOWS\SYSTEM32\ntdll.dll!NtVdmControl + 3 00007ffbbf733123 2 bytes [12, 80] .text C:\WINDOWS\system32\dwm.exe[904] C:\WINDOWS\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00007ffbbf731720 5 bytes JMP 00007ffc3f860460 .text C:\WINDOWS\system32\dwm.exe[904] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueryObject 00007ffbbf731770 5 bytes JMP 00007ffc3f860450 .text C:\WINDOWS\system32\dwm.exe[904] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenProcess 00007ffbbf7318d0 5 bytes JMP 00007ffc3f860370 .text C:\WINDOWS\system32\dwm.exe[904] C:\WINDOWS\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00007ffbbf731920 5 bytes JMP 00007ffc3f860470 .text C:\WINDOWS\system32\dwm.exe[904] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ffbbf731930 5 bytes JMP 00007ffc3f8603e0 .text C:\WINDOWS\system32\dwm.exe[904] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenSection 00007ffbbf7319e0 5 bytes JMP 00007ffc3f860320 .text C:\WINDOWS\system32\dwm.exe[904] C:\WINDOWS\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffbbf731a10 5 bytes JMP 00007ffc3f8603b0 .text C:\WINDOWS\system32\dwm.exe[904] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDuplicateObject 00007ffbbf731a30 5 bytes JMP 00007ffc3f860390 .text C:\WINDOWS\system32\dwm.exe[904] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenEvent 00007ffbbf731a70 5 bytes JMP 00007ffc3f8602e0 .text C:\WINDOWS\system32\dwm.exe[904] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateEvent 00007ffbbf731af0 5 bytes JMP 00007ffc3f8602d0 .text C:\WINDOWS\system32\dwm.exe[904] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSection 00007ffbbf731b10 5 bytes JMP 00007ffc3f860310 .text C:\WINDOWS\system32\dwm.exe[904] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThread 00007ffbbf731b50 5 bytes JMP 00007ffc3f8603c0 .text C:\WINDOWS\system32\dwm.exe[904] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateThread 00007ffbbf731ba0 5 bytes JMP 00007ffc3f8603f0 .text C:\WINDOWS\system32\dwm.exe[904] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAddBootEntry 00007ffbbf731d00 5 bytes JMP 00007ffc3f860230 .text C:\WINDOWS\system32\dwm.exe[904] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ffbbf731ef0 1 byte JMP 00007ffc3f860480 .text C:\WINDOWS\system32\dwm.exe[904] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort + 2 00007ffbbf731ef2 3 bytes {JMP 0xffffffff8012e590} .text C:\WINDOWS\system32\dwm.exe[904] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00007ffbbf731f20 5 bytes JMP 00007ffc3f8603a0 .text C:\WINDOWS\system32\dwm.exe[904] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ffbbf732040 5 bytes JMP 00007ffc3f8602f0 .text C:\WINDOWS\system32\dwm.exe[904] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00007ffbbf732060 5 bytes JMP 00007ffc3f860350 .text C:\WINDOWS\system32\dwm.exe[904] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateMutant 00007ffbbf7320d0 5 bytes JMP 00007ffc3f860290 .text C:\WINDOWS\system32\dwm.exe[904] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ffbbf732160 5 bytes JMP 00007ffc3f8602b0 .text C:\WINDOWS\system32\dwm.exe[904] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffbbf732180 5 bytes JMP 00007ffc3f8603d0 .text C:\WINDOWS\system32\dwm.exe[904] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateTimer 00007ffbbf732190 5 bytes JMP 00007ffc3f860330 .text C:\WINDOWS\system32\dwm.exe[904] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00007ffbbf732240 5 bytes JMP 00007ffc3f860410 .text C:\WINDOWS\system32\dwm.exe[904] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00007ffbbf732270 5 bytes JMP 00007ffc3f860240 .text C:\WINDOWS\system32\dwm.exe[904] C:\WINDOWS\SYSTEM32\ntdll.dll!NtLoadDriver 00007ffbbf732590 5 bytes JMP 00007ffc3f8601e0 .text C:\WINDOWS\system32\dwm.exe[904] C:\WINDOWS\SYSTEM32\ntdll.dll!NtModifyBootEntry 00007ffbbf732650 5 bytes JMP 00007ffc3f860250 .text C:\WINDOWS\system32\dwm.exe[904] C:\WINDOWS\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00007ffbbf732680 5 bytes JMP 00007ffc3f860490 .text C:\WINDOWS\system32\dwm.exe[904] C:\WINDOWS\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00007ffbbf732690 5 bytes JMP 00007ffc3f8604a0 .text C:\WINDOWS\system32\dwm.exe[904] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenEventPair 00007ffbbf7326c0 5 bytes JMP 00007ffc3f860300 .text C:\WINDOWS\system32\dwm.exe[904] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00007ffbbf7326d0 1 byte JMP 00007ffc3f860360 .text C:\WINDOWS\system32\dwm.exe[904] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenIoCompletion + 2 00007ffbbf7326d2 3 bytes {JMP 0xffffffff8012dc90} .text C:\WINDOWS\system32\dwm.exe[904] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenMutant 00007ffbbf732730 5 bytes JMP 00007ffc3f8602a0 .text C:\WINDOWS\system32\dwm.exe[904] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenSemaphore 00007ffbbf732780 5 bytes JMP 00007ffc3f8602c0 .text C:\WINDOWS\system32\dwm.exe[904] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenThread 00007ffbbf7327b0 5 bytes JMP 00007ffc3f860380 .text C:\WINDOWS\system32\dwm.exe[904] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenTimer 00007ffbbf7327c0 5 bytes JMP 00007ffc3f860340 .text C:\WINDOWS\system32\dwm.exe[904] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00007ffbbf732ad0 5 bytes JMP 00007ffc3f860440 .text C:\WINDOWS\system32\dwm.exe[904] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00007ffbbf732cd0 1 byte JMP 00007ffc3f860260 .text C:\WINDOWS\system32\dwm.exe[904] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 00007ffbbf732cd2 3 bytes {JMP 0xffffffff8012d590} .text C:\WINDOWS\system32\dwm.exe[904] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootOptions 00007ffbbf732ce0 1 byte JMP 00007ffc3f860270 .text C:\WINDOWS\system32\dwm.exe[904] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 00007ffbbf732ce2 3 bytes {JMP 0xffffffff8012d590} .text C:\WINDOWS\system32\dwm.exe[904] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetContextThread 00007ffbbf732d00 5 bytes JMP 00007ffc3f860400 .text C:\WINDOWS\system32\dwm.exe[904] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ffbbf732ee0 5 bytes JMP 00007ffc3f8601f0 .text C:\WINDOWS\system32\dwm.exe[904] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00007ffbbf732ef0 5 bytes JMP 00007ffc3f860210 .text C:\WINDOWS\system32\dwm.exe[904] C:\WINDOWS\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ffbbf732f80 5 bytes JMP 00007ffc3f860200 .text C:\WINDOWS\system32\dwm.exe[904] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSuspendProcess 00007ffbbf732ff0 5 bytes JMP 00007ffc3f860420 .text C:\WINDOWS\system32\dwm.exe[904] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSuspendThread 00007ffbbf733000 5 bytes JMP 00007ffc3f860430 .text C:\WINDOWS\system32\dwm.exe[904] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ffbbf733010 5 bytes JMP 00007ffc3f860220 .text C:\WINDOWS\system32\dwm.exe[904] C:\WINDOWS\SYSTEM32\ntdll.dll!NtVdmControl 00007ffbbf733120 2 bytes JMP 00007ffc3f860280 .text C:\WINDOWS\system32\dwm.exe[904] C:\WINDOWS\SYSTEM32\ntdll.dll!NtVdmControl + 3 00007ffbbf733123 2 bytes [12, 80] .text C:\WINDOWS\system32\atiesrxx.exe[940] C:\WINDOWS\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00007ffbbf731720 5 bytes JMP 00007ffc3f860460 .text C:\WINDOWS\system32\atiesrxx.exe[940] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueryObject 00007ffbbf731770 5 bytes JMP 00007ffc3f860450 .text C:\WINDOWS\system32\atiesrxx.exe[940] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenProcess 00007ffbbf7318d0 5 bytes JMP 00007ffc3f860370 .text C:\WINDOWS\system32\atiesrxx.exe[940] C:\WINDOWS\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00007ffbbf731920 5 bytes JMP 00007ffc3f860470 .text C:\WINDOWS\system32\atiesrxx.exe[940] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ffbbf731930 5 bytes JMP 00007ffc3f8603e0 .text C:\WINDOWS\system32\atiesrxx.exe[940] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenSection 00007ffbbf7319e0 5 bytes JMP 00007ffc3f860320 .text C:\WINDOWS\system32\atiesrxx.exe[940] C:\WINDOWS\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffbbf731a10 5 bytes JMP 00007ffc3f8603b0 .text C:\WINDOWS\system32\atiesrxx.exe[940] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDuplicateObject 00007ffbbf731a30 5 bytes JMP 00007ffc3f860390 .text C:\WINDOWS\system32\atiesrxx.exe[940] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenEvent 00007ffbbf731a70 5 bytes JMP 00007ffc3f8602e0 .text C:\WINDOWS\system32\atiesrxx.exe[940] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateEvent 00007ffbbf731af0 5 bytes JMP 00007ffc3f8602d0 .text C:\WINDOWS\system32\atiesrxx.exe[940] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSection 00007ffbbf731b10 5 bytes JMP 00007ffc3f860310 .text C:\WINDOWS\system32\atiesrxx.exe[940] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThread 00007ffbbf731b50 5 bytes JMP 00007ffc3f8603c0 .text C:\WINDOWS\system32\atiesrxx.exe[940] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateThread 00007ffbbf731ba0 5 bytes JMP 00007ffc3f8603f0 .text C:\WINDOWS\system32\atiesrxx.exe[940] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAddBootEntry 00007ffbbf731d00 5 bytes JMP 00007ffc3f860230 .text C:\WINDOWS\system32\atiesrxx.exe[940] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ffbbf731ef0 1 byte JMP 00007ffc3f860480 .text C:\WINDOWS\system32\atiesrxx.exe[940] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort + 2 00007ffbbf731ef2 3 bytes {JMP 0xffffffff8012e590} .text C:\WINDOWS\system32\atiesrxx.exe[940] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00007ffbbf731f20 5 bytes JMP 00007ffc3f8603a0 .text C:\WINDOWS\system32\atiesrxx.exe[940] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ffbbf732040 5 bytes JMP 00007ffc3f8602f0 .text C:\WINDOWS\system32\atiesrxx.exe[940] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00007ffbbf732060 5 bytes JMP 00007ffc3f860350 .text C:\WINDOWS\system32\atiesrxx.exe[940] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateMutant 00007ffbbf7320d0 5 bytes JMP 00007ffc3f860290 .text C:\WINDOWS\system32\atiesrxx.exe[940] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ffbbf732160 5 bytes JMP 00007ffc3f8602b0 .text C:\WINDOWS\system32\atiesrxx.exe[940] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffbbf732180 5 bytes JMP 00007ffc3f8603d0 .text C:\WINDOWS\system32\atiesrxx.exe[940] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateTimer 00007ffbbf732190 5 bytes JMP 00007ffc3f860330 .text C:\WINDOWS\system32\atiesrxx.exe[940] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00007ffbbf732240 5 bytes JMP 00007ffc3f860410 .text C:\WINDOWS\system32\atiesrxx.exe[940] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00007ffbbf732270 5 bytes JMP 00007ffc3f860240 .text C:\WINDOWS\system32\atiesrxx.exe[940] C:\WINDOWS\SYSTEM32\ntdll.dll!NtLoadDriver 00007ffbbf732590 5 bytes JMP 00007ffc3f8601e0 .text C:\WINDOWS\system32\atiesrxx.exe[940] C:\WINDOWS\SYSTEM32\ntdll.dll!NtModifyBootEntry 00007ffbbf732650 5 bytes JMP 00007ffc3f860250 .text C:\WINDOWS\system32\atiesrxx.exe[940] C:\WINDOWS\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00007ffbbf732680 5 bytes JMP 00007ffc3f860490 .text C:\WINDOWS\system32\atiesrxx.exe[940] C:\WINDOWS\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00007ffbbf732690 5 bytes JMP 00007ffc3f8604a0 .text C:\WINDOWS\system32\atiesrxx.exe[940] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenEventPair 00007ffbbf7326c0 5 bytes JMP 00007ffc3f860300 .text C:\WINDOWS\system32\atiesrxx.exe[940] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00007ffbbf7326d0 1 byte JMP 00007ffc3f860360 .text C:\WINDOWS\system32\atiesrxx.exe[940] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenIoCompletion + 2 00007ffbbf7326d2 3 bytes {JMP 0xffffffff8012dc90} .text C:\WINDOWS\system32\atiesrxx.exe[940] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenMutant 00007ffbbf732730 5 bytes JMP 00007ffc3f8602a0 .text C:\WINDOWS\system32\atiesrxx.exe[940] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenSemaphore 00007ffbbf732780 5 bytes JMP 00007ffc3f8602c0 .text C:\WINDOWS\system32\atiesrxx.exe[940] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenThread 00007ffbbf7327b0 5 bytes JMP 00007ffc3f860380 .text C:\WINDOWS\system32\atiesrxx.exe[940] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenTimer 00007ffbbf7327c0 5 bytes JMP 00007ffc3f860340 .text C:\WINDOWS\system32\atiesrxx.exe[940] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00007ffbbf732ad0 5 bytes JMP 00007ffc3f860440 .text C:\WINDOWS\system32\atiesrxx.exe[940] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00007ffbbf732cd0 1 byte JMP 00007ffc3f860260 .text C:\WINDOWS\system32\atiesrxx.exe[940] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 00007ffbbf732cd2 3 bytes {JMP 0xffffffff8012d590} .text C:\WINDOWS\system32\atiesrxx.exe[940] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootOptions 00007ffbbf732ce0 1 byte JMP 00007ffc3f860270 .text C:\WINDOWS\system32\atiesrxx.exe[940] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 00007ffbbf732ce2 3 bytes {JMP 0xffffffff8012d590} .text C:\WINDOWS\system32\atiesrxx.exe[940] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetContextThread 00007ffbbf732d00 5 bytes JMP 00007ffc3f860400 .text C:\WINDOWS\system32\atiesrxx.exe[940] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ffbbf732ee0 5 bytes JMP 00007ffc3f8601f0 .text C:\WINDOWS\system32\atiesrxx.exe[940] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00007ffbbf732ef0 5 bytes JMP 00007ffc3f860210 .text C:\WINDOWS\system32\atiesrxx.exe[940] C:\WINDOWS\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ffbbf732f80 5 bytes JMP 00007ffc3f860200 .text C:\WINDOWS\system32\atiesrxx.exe[940] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSuspendProcess 00007ffbbf732ff0 5 bytes JMP 00007ffc3f860420 .text C:\WINDOWS\system32\atiesrxx.exe[940] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSuspendThread 00007ffbbf733000 5 bytes JMP 00007ffc3f860430 .text C:\WINDOWS\system32\atiesrxx.exe[940] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ffbbf733010 5 bytes JMP 00007ffc3f860220 .text C:\WINDOWS\system32\atiesrxx.exe[940] C:\WINDOWS\SYSTEM32\ntdll.dll!NtVdmControl 00007ffbbf733120 2 bytes JMP 00007ffc3f860280 .text C:\WINDOWS\system32\atiesrxx.exe[940] C:\WINDOWS\SYSTEM32\ntdll.dll!NtVdmControl + 3 00007ffbbf733123 2 bytes [12, 80] .text C:\WINDOWS\system32\atiesrxx.exe[940] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 506 00007ffbbeef169a 4 bytes [EF, BE, FB, 7F] .text C:\WINDOWS\system32\atiesrxx.exe[940] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 514 00007ffbbeef16a2 4 bytes [EF, BE, FB, 7F] .text C:\WINDOWS\system32\atiesrxx.exe[940] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 118 00007ffbbeef181a 4 bytes [EF, BE, FB, 7F] .text C:\WINDOWS\system32\atiesrxx.exe[940] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 142 00007ffbbeef1832 4 bytes [EF, BE, FB, 7F] .text C:\WINDOWS\System32\svchost.exe[996] C:\WINDOWS\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00007ffbbf731720 5 bytes JMP 00007ffc3f860460 .text C:\WINDOWS\System32\svchost.exe[996] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueryObject 00007ffbbf731770 5 bytes JMP 00007ffc3f860450 .text C:\WINDOWS\System32\svchost.exe[996] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenProcess 00007ffbbf7318d0 5 bytes JMP 00007ffc3f860370 .text C:\WINDOWS\System32\svchost.exe[996] C:\WINDOWS\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00007ffbbf731920 5 bytes JMP 00007ffc3f860470 .text C:\WINDOWS\System32\svchost.exe[996] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ffbbf731930 5 bytes JMP 00007ffc3f8603e0 .text C:\WINDOWS\System32\svchost.exe[996] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenSection 00007ffbbf7319e0 5 bytes JMP 00007ffc3f860320 .text C:\WINDOWS\System32\svchost.exe[996] C:\WINDOWS\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffbbf731a10 5 bytes JMP 00007ffc3f8603b0 .text C:\WINDOWS\System32\svchost.exe[996] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDuplicateObject 00007ffbbf731a30 5 bytes JMP 00007ffc3f860390 .text C:\WINDOWS\System32\svchost.exe[996] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenEvent 00007ffbbf731a70 5 bytes JMP 00007ffc3f8602e0 .text C:\WINDOWS\System32\svchost.exe[996] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateEvent 00007ffbbf731af0 5 bytes JMP 00007ffc3f8602d0 .text C:\WINDOWS\System32\svchost.exe[996] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSection 00007ffbbf731b10 5 bytes JMP 00007ffc3f860310 .text C:\WINDOWS\System32\svchost.exe[996] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThread 00007ffbbf731b50 5 bytes JMP 00007ffc3f8603c0 .text C:\WINDOWS\System32\svchost.exe[996] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateThread 00007ffbbf731ba0 5 bytes JMP 00007ffc3f8603f0 .text C:\WINDOWS\System32\svchost.exe[996] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAddBootEntry 00007ffbbf731d00 5 bytes JMP 00007ffc3f860230 .text C:\WINDOWS\System32\svchost.exe[996] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ffbbf731ef0 1 byte JMP 00007ffc3f860480 .text C:\WINDOWS\System32\svchost.exe[996] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort + 2 00007ffbbf731ef2 3 bytes {JMP 0xffffffff8012e590} .text C:\WINDOWS\System32\svchost.exe[996] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00007ffbbf731f20 5 bytes JMP 00007ffc3f8603a0 .text C:\WINDOWS\System32\svchost.exe[996] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ffbbf732040 5 bytes JMP 00007ffc3f8602f0 .text C:\WINDOWS\System32\svchost.exe[996] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00007ffbbf732060 5 bytes JMP 00007ffc3f860350 .text C:\WINDOWS\System32\svchost.exe[996] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateMutant 00007ffbbf7320d0 5 bytes JMP 00007ffc3f860290 .text C:\WINDOWS\System32\svchost.exe[996] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ffbbf732160 5 bytes JMP 00007ffc3f8602b0 .text C:\WINDOWS\System32\svchost.exe[996] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffbbf732180 5 bytes JMP 00007ffc3f8603d0 .text C:\WINDOWS\System32\svchost.exe[996] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateTimer 00007ffbbf732190 5 bytes JMP 00007ffc3f860330 .text C:\WINDOWS\System32\svchost.exe[996] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00007ffbbf732240 5 bytes JMP 00007ffc3f860410 .text C:\WINDOWS\System32\svchost.exe[996] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00007ffbbf732270 5 bytes JMP 00007ffc3f860240 .text C:\WINDOWS\System32\svchost.exe[996] C:\WINDOWS\SYSTEM32\ntdll.dll!NtLoadDriver 00007ffbbf732590 5 bytes JMP 00007ffc3f8601e0 .text C:\WINDOWS\System32\svchost.exe[996] C:\WINDOWS\SYSTEM32\ntdll.dll!NtModifyBootEntry 00007ffbbf732650 5 bytes JMP 00007ffc3f860250 .text C:\WINDOWS\System32\svchost.exe[996] C:\WINDOWS\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00007ffbbf732680 5 bytes JMP 00007ffc3f860490 .text C:\WINDOWS\System32\svchost.exe[996] C:\WINDOWS\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00007ffbbf732690 5 bytes JMP 00007ffc3f8604a0 .text C:\WINDOWS\System32\svchost.exe[996] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenEventPair 00007ffbbf7326c0 5 bytes JMP 00007ffc3f860300 .text C:\WINDOWS\System32\svchost.exe[996] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00007ffbbf7326d0 1 byte JMP 00007ffc3f860360 .text C:\WINDOWS\System32\svchost.exe[996] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenIoCompletion + 2 00007ffbbf7326d2 3 bytes {JMP 0xffffffff8012dc90} .text C:\WINDOWS\System32\svchost.exe[996] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenMutant 00007ffbbf732730 5 bytes JMP 00007ffc3f8602a0 .text C:\WINDOWS\System32\svchost.exe[996] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenSemaphore 00007ffbbf732780 5 bytes JMP 00007ffc3f8602c0 .text C:\WINDOWS\System32\svchost.exe[996] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenThread 00007ffbbf7327b0 5 bytes JMP 00007ffc3f860380 .text C:\WINDOWS\System32\svchost.exe[996] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenTimer 00007ffbbf7327c0 5 bytes JMP 00007ffc3f860340 .text C:\WINDOWS\System32\svchost.exe[996] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00007ffbbf732ad0 5 bytes JMP 00007ffc3f860440 .text C:\WINDOWS\System32\svchost.exe[996] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00007ffbbf732cd0 1 byte JMP 00007ffc3f860260 .text C:\WINDOWS\System32\svchost.exe[996] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 00007ffbbf732cd2 3 bytes {JMP 0xffffffff8012d590} .text C:\WINDOWS\System32\svchost.exe[996] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootOptions 00007ffbbf732ce0 1 byte JMP 00007ffc3f860270 .text C:\WINDOWS\System32\svchost.exe[996] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 00007ffbbf732ce2 3 bytes {JMP 0xffffffff8012d590} .text C:\WINDOWS\System32\svchost.exe[996] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetContextThread 00007ffbbf732d00 5 bytes JMP 00007ffc3f860400 .text C:\WINDOWS\System32\svchost.exe[996] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ffbbf732ee0 5 bytes JMP 00007ffc3f8601f0 .text C:\WINDOWS\System32\svchost.exe[996] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00007ffbbf732ef0 5 bytes JMP 00007ffc3f860210 .text C:\WINDOWS\System32\svchost.exe[996] C:\WINDOWS\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ffbbf732f80 5 bytes JMP 00007ffc3f860200 .text C:\WINDOWS\System32\svchost.exe[996] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSuspendProcess 00007ffbbf732ff0 5 bytes JMP 00007ffc3f860420 .text C:\WINDOWS\System32\svchost.exe[996] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSuspendThread 00007ffbbf733000 5 bytes JMP 00007ffc3f860430 .text C:\WINDOWS\System32\svchost.exe[996] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ffbbf733010 5 bytes JMP 00007ffc3f860220 .text C:\WINDOWS\System32\svchost.exe[996] C:\WINDOWS\SYSTEM32\ntdll.dll!NtVdmControl 00007ffbbf733120 2 bytes JMP 00007ffc3f860280 .text C:\WINDOWS\System32\svchost.exe[996] C:\WINDOWS\SYSTEM32\ntdll.dll!NtVdmControl + 3 00007ffbbf733123 2 bytes [12, 80] .text C:\WINDOWS\system32\svchost.exe[600] C:\WINDOWS\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00007ffbbf731720 5 bytes JMP 00007ffc3f860460 .text C:\WINDOWS\system32\svchost.exe[600] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueryObject 00007ffbbf731770 5 bytes JMP 00007ffc3f860450 .text C:\WINDOWS\system32\svchost.exe[600] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenProcess 00007ffbbf7318d0 5 bytes JMP 00007ffc3f860370 .text C:\WINDOWS\system32\svchost.exe[600] C:\WINDOWS\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00007ffbbf731920 5 bytes JMP 00007ffc3f860470 .text C:\WINDOWS\system32\svchost.exe[600] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ffbbf731930 5 bytes JMP 00007ffc3f8603e0 .text C:\WINDOWS\system32\svchost.exe[600] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenSection 00007ffbbf7319e0 5 bytes JMP 00007ffc3f860320 .text C:\WINDOWS\system32\svchost.exe[600] C:\WINDOWS\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffbbf731a10 5 bytes JMP 00007ffc3f8603b0 .text C:\WINDOWS\system32\svchost.exe[600] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDuplicateObject 00007ffbbf731a30 5 bytes JMP 00007ffc3f860390 .text C:\WINDOWS\system32\svchost.exe[600] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenEvent 00007ffbbf731a70 5 bytes JMP 00007ffc3f8602e0 .text C:\WINDOWS\system32\svchost.exe[600] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateEvent 00007ffbbf731af0 5 bytes JMP 00007ffc3f8602d0 .text C:\WINDOWS\system32\svchost.exe[600] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSection 00007ffbbf731b10 5 bytes JMP 00007ffc3f860310 .text C:\WINDOWS\system32\svchost.exe[600] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThread 00007ffbbf731b50 5 bytes JMP 00007ffc3f8603c0 .text C:\WINDOWS\system32\svchost.exe[600] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateThread 00007ffbbf731ba0 5 bytes JMP 00007ffc3f8603f0 .text C:\WINDOWS\system32\svchost.exe[600] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAddBootEntry 00007ffbbf731d00 5 bytes JMP 00007ffc3f860230 .text C:\WINDOWS\system32\svchost.exe[600] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ffbbf731ef0 1 byte JMP 00007ffc3f860480 .text C:\WINDOWS\system32\svchost.exe[600] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort + 2 00007ffbbf731ef2 3 bytes {JMP 0xffffffff8012e590} .text C:\WINDOWS\system32\svchost.exe[600] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00007ffbbf731f20 5 bytes JMP 00007ffc3f8603a0 .text C:\WINDOWS\system32\svchost.exe[600] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ffbbf732040 5 bytes JMP 00007ffc3f8602f0 .text C:\WINDOWS\system32\svchost.exe[600] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00007ffbbf732060 5 bytes JMP 00007ffc3f860350 .text C:\WINDOWS\system32\svchost.exe[600] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateMutant 00007ffbbf7320d0 5 bytes JMP 00007ffc3f860290 .text C:\WINDOWS\system32\svchost.exe[600] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ffbbf732160 5 bytes JMP 00007ffc3f8602b0 .text C:\WINDOWS\system32\svchost.exe[600] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffbbf732180 5 bytes JMP 00007ffc3f8603d0 .text C:\WINDOWS\system32\svchost.exe[600] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateTimer 00007ffbbf732190 5 bytes JMP 00007ffc3f860330 .text C:\WINDOWS\system32\svchost.exe[600] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00007ffbbf732240 5 bytes JMP 00007ffc3f860410 .text C:\WINDOWS\system32\svchost.exe[600] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00007ffbbf732270 5 bytes JMP 00007ffc3f860240 .text C:\WINDOWS\system32\svchost.exe[600] C:\WINDOWS\SYSTEM32\ntdll.dll!NtLoadDriver 00007ffbbf732590 5 bytes JMP 00007ffc3f8601e0 .text C:\WINDOWS\system32\svchost.exe[600] C:\WINDOWS\SYSTEM32\ntdll.dll!NtModifyBootEntry 00007ffbbf732650 5 bytes JMP 00007ffc3f860250 .text C:\WINDOWS\system32\svchost.exe[600] C:\WINDOWS\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00007ffbbf732680 5 bytes JMP 00007ffc3f860490 .text C:\WINDOWS\system32\svchost.exe[600] C:\WINDOWS\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00007ffbbf732690 5 bytes JMP 00007ffc3f8604a0 .text C:\WINDOWS\system32\svchost.exe[600] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenEventPair 00007ffbbf7326c0 5 bytes JMP 00007ffc3f860300 .text C:\WINDOWS\system32\svchost.exe[600] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00007ffbbf7326d0 1 byte JMP 00007ffc3f860360 .text C:\WINDOWS\system32\svchost.exe[600] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenIoCompletion + 2 00007ffbbf7326d2 3 bytes {JMP 0xffffffff8012dc90} .text C:\WINDOWS\system32\svchost.exe[600] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenMutant 00007ffbbf732730 5 bytes JMP 00007ffc3f8602a0 .text C:\WINDOWS\system32\svchost.exe[600] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenSemaphore 00007ffbbf732780 5 bytes JMP 00007ffc3f8602c0 .text C:\WINDOWS\system32\svchost.exe[600] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenThread 00007ffbbf7327b0 5 bytes JMP 00007ffc3f860380 .text C:\WINDOWS\system32\svchost.exe[600] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenTimer 00007ffbbf7327c0 5 bytes JMP 00007ffc3f860340 .text C:\WINDOWS\system32\svchost.exe[600] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00007ffbbf732ad0 5 bytes JMP 00007ffc3f860440 .text C:\WINDOWS\system32\svchost.exe[600] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00007ffbbf732cd0 1 byte JMP 00007ffc3f860260 .text C:\WINDOWS\system32\svchost.exe[600] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 00007ffbbf732cd2 3 bytes {JMP 0xffffffff8012d590} .text C:\WINDOWS\system32\svchost.exe[600] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootOptions 00007ffbbf732ce0 1 byte JMP 00007ffc3f860270 .text C:\WINDOWS\system32\svchost.exe[600] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 00007ffbbf732ce2 3 bytes {JMP 0xffffffff8012d590} .text C:\WINDOWS\system32\svchost.exe[600] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetContextThread 00007ffbbf732d00 5 bytes JMP 00007ffc3f860400 .text C:\WINDOWS\system32\svchost.exe[600] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ffbbf732ee0 5 bytes JMP 00007ffc3f8601f0 .text C:\WINDOWS\system32\svchost.exe[600] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00007ffbbf732ef0 5 bytes JMP 00007ffc3f860210 .text C:\WINDOWS\system32\svchost.exe[600] C:\WINDOWS\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ffbbf732f80 5 bytes JMP 00007ffc3f860200 .text C:\WINDOWS\system32\svchost.exe[600] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSuspendProcess 00007ffbbf732ff0 5 bytes JMP 00007ffc3f860420 .text C:\WINDOWS\system32\svchost.exe[600] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSuspendThread 00007ffbbf733000 5 bytes JMP 00007ffc3f860430 .text C:\WINDOWS\system32\svchost.exe[600] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ffbbf733010 5 bytes JMP 00007ffc3f860220 .text C:\WINDOWS\system32\svchost.exe[600] C:\WINDOWS\SYSTEM32\ntdll.dll!NtVdmControl 00007ffbbf733120 2 bytes JMP 00007ffc3f860280 .text C:\WINDOWS\system32\svchost.exe[600] C:\WINDOWS\SYSTEM32\ntdll.dll!NtVdmControl + 3 00007ffbbf733123 2 bytes [12, 80] .text C:\WINDOWS\system32\svchost.exe[736] C:\WINDOWS\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00007ffbbf731720 5 bytes JMP 00007ffc3f860460 .text C:\WINDOWS\system32\svchost.exe[736] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueryObject 00007ffbbf731770 5 bytes JMP 00007ffc3f860450 .text C:\WINDOWS\system32\svchost.exe[736] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenProcess 00007ffbbf7318d0 5 bytes JMP 00007ffc3f860370 .text C:\WINDOWS\system32\svchost.exe[736] C:\WINDOWS\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00007ffbbf731920 5 bytes JMP 00007ffc3f860470 .text C:\WINDOWS\system32\svchost.exe[736] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ffbbf731930 5 bytes JMP 00007ffc3f8603e0 .text C:\WINDOWS\system32\svchost.exe[736] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenSection 00007ffbbf7319e0 5 bytes JMP 00007ffc3f860320 .text C:\WINDOWS\system32\svchost.exe[736] C:\WINDOWS\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffbbf731a10 5 bytes JMP 00007ffc3f8603b0 .text C:\WINDOWS\system32\svchost.exe[736] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDuplicateObject 00007ffbbf731a30 5 bytes JMP 00007ffc3f860390 .text C:\WINDOWS\system32\svchost.exe[736] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenEvent 00007ffbbf731a70 5 bytes JMP 00007ffc3f8602e0 .text C:\WINDOWS\system32\svchost.exe[736] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateEvent 00007ffbbf731af0 5 bytes JMP 00007ffc3f8602d0 .text C:\WINDOWS\system32\svchost.exe[736] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSection 00007ffbbf731b10 5 bytes JMP 00007ffc3f860310 .text C:\WINDOWS\system32\svchost.exe[736] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThread 00007ffbbf731b50 5 bytes JMP 00007ffc3f8603c0 .text C:\WINDOWS\system32\svchost.exe[736] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateThread 00007ffbbf731ba0 5 bytes JMP 00007ffc3f8603f0 .text C:\WINDOWS\system32\svchost.exe[736] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAddBootEntry 00007ffbbf731d00 5 bytes JMP 00007ffc3f860230 .text C:\WINDOWS\system32\svchost.exe[736] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ffbbf731ef0 1 byte JMP 00007ffc3f860480 .text C:\WINDOWS\system32\svchost.exe[736] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort + 2 00007ffbbf731ef2 3 bytes {JMP 0xffffffff8012e590} .text C:\WINDOWS\system32\svchost.exe[736] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00007ffbbf731f20 5 bytes JMP 00007ffc3f8603a0 .text C:\WINDOWS\system32\svchost.exe[736] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ffbbf732040 5 bytes JMP 00007ffc3f8602f0 .text C:\WINDOWS\system32\svchost.exe[736] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00007ffbbf732060 5 bytes JMP 00007ffc3f860350 .text C:\WINDOWS\system32\svchost.exe[736] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateMutant 00007ffbbf7320d0 5 bytes JMP 00007ffc3f860290 .text C:\WINDOWS\system32\svchost.exe[736] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ffbbf732160 5 bytes JMP 00007ffc3f8602b0 .text C:\WINDOWS\system32\svchost.exe[736] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffbbf732180 5 bytes JMP 00007ffc3f8603d0 .text C:\WINDOWS\system32\svchost.exe[736] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateTimer 00007ffbbf732190 5 bytes JMP 00007ffc3f860330 .text C:\WINDOWS\system32\svchost.exe[736] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00007ffbbf732240 5 bytes JMP 00007ffc3f860410 .text C:\WINDOWS\system32\svchost.exe[736] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00007ffbbf732270 5 bytes JMP 00007ffc3f860240 .text C:\WINDOWS\system32\svchost.exe[736] C:\WINDOWS\SYSTEM32\ntdll.dll!NtLoadDriver 00007ffbbf732590 5 bytes JMP 00007ffc3f8601e0 .text C:\WINDOWS\system32\svchost.exe[736] C:\WINDOWS\SYSTEM32\ntdll.dll!NtModifyBootEntry 00007ffbbf732650 5 bytes JMP 00007ffc3f860250 .text C:\WINDOWS\system32\svchost.exe[736] C:\WINDOWS\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00007ffbbf732680 5 bytes JMP 00007ffc3f860490 .text C:\WINDOWS\system32\svchost.exe[736] C:\WINDOWS\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00007ffbbf732690 5 bytes JMP 00007ffc3f8604a0 .text C:\WINDOWS\system32\svchost.exe[736] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenEventPair 00007ffbbf7326c0 5 bytes JMP 00007ffc3f860300 .text C:\WINDOWS\system32\svchost.exe[736] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00007ffbbf7326d0 1 byte JMP 00007ffc3f860360 .text C:\WINDOWS\system32\svchost.exe[736] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenIoCompletion + 2 00007ffbbf7326d2 3 bytes {JMP 0xffffffff8012dc90} .text C:\WINDOWS\system32\svchost.exe[736] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenMutant 00007ffbbf732730 5 bytes JMP 00007ffc3f8602a0 .text C:\WINDOWS\system32\svchost.exe[736] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenSemaphore 00007ffbbf732780 5 bytes JMP 00007ffc3f8602c0 .text C:\WINDOWS\system32\svchost.exe[736] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenThread 00007ffbbf7327b0 5 bytes JMP 00007ffc3f860380 .text C:\WINDOWS\system32\svchost.exe[736] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenTimer 00007ffbbf7327c0 5 bytes JMP 00007ffc3f860340 .text C:\WINDOWS\system32\svchost.exe[736] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00007ffbbf732ad0 5 bytes JMP 00007ffc3f860440 .text C:\WINDOWS\system32\svchost.exe[736] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00007ffbbf732cd0 1 byte JMP 00007ffc3f860260 .text C:\WINDOWS\system32\svchost.exe[736] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 00007ffbbf732cd2 3 bytes {JMP 0xffffffff8012d590} .text C:\WINDOWS\system32\svchost.exe[736] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootOptions 00007ffbbf732ce0 1 byte JMP 00007ffc3f860270 .text C:\WINDOWS\system32\svchost.exe[736] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 00007ffbbf732ce2 3 bytes {JMP 0xffffffff8012d590} .text C:\WINDOWS\system32\svchost.exe[736] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetContextThread 00007ffbbf732d00 5 bytes JMP 00007ffc3f860400 .text C:\WINDOWS\system32\svchost.exe[736] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ffbbf732ee0 5 bytes JMP 00007ffc3f8601f0 .text C:\WINDOWS\system32\svchost.exe[736] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00007ffbbf732ef0 5 bytes JMP 00007ffc3f860210 .text C:\WINDOWS\system32\svchost.exe[736] C:\WINDOWS\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ffbbf732f80 5 bytes JMP 00007ffc3f860200 .text C:\WINDOWS\system32\svchost.exe[736] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSuspendProcess 00007ffbbf732ff0 5 bytes JMP 00007ffc3f860420 .text C:\WINDOWS\system32\svchost.exe[736] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSuspendThread 00007ffbbf733000 5 bytes JMP 00007ffc3f860430 .text C:\WINDOWS\system32\svchost.exe[736] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ffbbf733010 5 bytes JMP 00007ffc3f860220 .text C:\WINDOWS\system32\svchost.exe[736] C:\WINDOWS\SYSTEM32\ntdll.dll!NtVdmControl 00007ffbbf733120 2 bytes JMP 00007ffc3f860280 .text C:\WINDOWS\system32\svchost.exe[736] C:\WINDOWS\SYSTEM32\ntdll.dll!NtVdmControl + 3 00007ffbbf733123 2 bytes [12, 80] .text C:\WINDOWS\system32\atieclxx.exe[792] C:\WINDOWS\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00007ffbbf731720 5 bytes JMP 00007ffc3f860460 .text C:\WINDOWS\system32\atieclxx.exe[792] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueryObject 00007ffbbf731770 5 bytes JMP 00007ffc3f860450 .text C:\WINDOWS\system32\atieclxx.exe[792] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenProcess 00007ffbbf7318d0 5 bytes JMP 00007ffc3f860370 .text C:\WINDOWS\system32\atieclxx.exe[792] C:\WINDOWS\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00007ffbbf731920 5 bytes JMP 00007ffc3f860470 .text C:\WINDOWS\system32\atieclxx.exe[792] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ffbbf731930 5 bytes JMP 00007ffc3f8603e0 .text C:\WINDOWS\system32\atieclxx.exe[792] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenSection 00007ffbbf7319e0 5 bytes JMP 00007ffc3f860320 .text C:\WINDOWS\system32\atieclxx.exe[792] C:\WINDOWS\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffbbf731a10 5 bytes JMP 00007ffc3f8603b0 .text C:\WINDOWS\system32\atieclxx.exe[792] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDuplicateObject 00007ffbbf731a30 5 bytes JMP 00007ffc3f860390 .text C:\WINDOWS\system32\atieclxx.exe[792] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenEvent 00007ffbbf731a70 5 bytes JMP 00007ffc3f8602e0 .text C:\WINDOWS\system32\atieclxx.exe[792] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateEvent 00007ffbbf731af0 5 bytes JMP 00007ffc3f8602d0 .text C:\WINDOWS\system32\atieclxx.exe[792] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSection 00007ffbbf731b10 5 bytes JMP 00007ffc3f860310 .text C:\WINDOWS\system32\atieclxx.exe[792] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThread 00007ffbbf731b50 5 bytes JMP 00007ffc3f8603c0 .text C:\WINDOWS\system32\atieclxx.exe[792] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateThread 00007ffbbf731ba0 5 bytes JMP 00007ffc3f8603f0 .text C:\WINDOWS\system32\atieclxx.exe[792] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAddBootEntry 00007ffbbf731d00 5 bytes JMP 00007ffc3f860230 .text C:\WINDOWS\system32\atieclxx.exe[792] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ffbbf731ef0 1 byte JMP 00007ffc3f860480 .text C:\WINDOWS\system32\atieclxx.exe[792] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort + 2 00007ffbbf731ef2 3 bytes {JMP 0xffffffff8012e590} .text C:\WINDOWS\system32\atieclxx.exe[792] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00007ffbbf731f20 5 bytes JMP 00007ffc3f8603a0 .text C:\WINDOWS\system32\atieclxx.exe[792] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ffbbf732040 5 bytes JMP 00007ffc3f8602f0 .text C:\WINDOWS\system32\atieclxx.exe[792] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00007ffbbf732060 5 bytes JMP 00007ffc3f860350 .text C:\WINDOWS\system32\atieclxx.exe[792] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateMutant 00007ffbbf7320d0 5 bytes JMP 00007ffc3f860290 .text C:\WINDOWS\system32\atieclxx.exe[792] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ffbbf732160 5 bytes JMP 00007ffc3f8602b0 .text C:\WINDOWS\system32\atieclxx.exe[792] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffbbf732180 5 bytes JMP 00007ffc3f8603d0 .text C:\WINDOWS\system32\atieclxx.exe[792] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateTimer 00007ffbbf732190 5 bytes JMP 00007ffc3f860330 .text C:\WINDOWS\system32\atieclxx.exe[792] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00007ffbbf732240 5 bytes JMP 00007ffc3f860410 .text C:\WINDOWS\system32\atieclxx.exe[792] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00007ffbbf732270 5 bytes JMP 00007ffc3f860240 .text C:\WINDOWS\system32\atieclxx.exe[792] C:\WINDOWS\SYSTEM32\ntdll.dll!NtLoadDriver 00007ffbbf732590 5 bytes JMP 00007ffc3f8601e0 .text C:\WINDOWS\system32\atieclxx.exe[792] C:\WINDOWS\SYSTEM32\ntdll.dll!NtModifyBootEntry 00007ffbbf732650 5 bytes JMP 00007ffc3f860250 .text C:\WINDOWS\system32\atieclxx.exe[792] C:\WINDOWS\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00007ffbbf732680 5 bytes JMP 00007ffc3f860490 .text C:\WINDOWS\system32\atieclxx.exe[792] C:\WINDOWS\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00007ffbbf732690 5 bytes JMP 00007ffc3f8604a0 .text C:\WINDOWS\system32\atieclxx.exe[792] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenEventPair 00007ffbbf7326c0 5 bytes JMP 00007ffc3f860300 .text C:\WINDOWS\system32\atieclxx.exe[792] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00007ffbbf7326d0 1 byte JMP 00007ffc3f860360 .text C:\WINDOWS\system32\atieclxx.exe[792] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenIoCompletion + 2 00007ffbbf7326d2 3 bytes {JMP 0xffffffff8012dc90} .text C:\WINDOWS\system32\atieclxx.exe[792] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenMutant 00007ffbbf732730 5 bytes JMP 00007ffc3f8602a0 .text C:\WINDOWS\system32\atieclxx.exe[792] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenSemaphore 00007ffbbf732780 5 bytes JMP 00007ffc3f8602c0 .text C:\WINDOWS\system32\atieclxx.exe[792] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenThread 00007ffbbf7327b0 5 bytes JMP 00007ffc3f860380 .text C:\WINDOWS\system32\atieclxx.exe[792] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenTimer 00007ffbbf7327c0 5 bytes JMP 00007ffc3f860340 .text C:\WINDOWS\system32\atieclxx.exe[792] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00007ffbbf732ad0 5 bytes JMP 00007ffc3f860440 .text C:\WINDOWS\system32\atieclxx.exe[792] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00007ffbbf732cd0 1 byte JMP 00007ffc3f860260 .text C:\WINDOWS\system32\atieclxx.exe[792] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 00007ffbbf732cd2 3 bytes {JMP 0xffffffff8012d590} .text C:\WINDOWS\system32\atieclxx.exe[792] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootOptions 00007ffbbf732ce0 1 byte JMP 00007ffc3f860270 .text C:\WINDOWS\system32\atieclxx.exe[792] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 00007ffbbf732ce2 3 bytes {JMP 0xffffffff8012d590} .text C:\WINDOWS\system32\atieclxx.exe[792] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetContextThread 00007ffbbf732d00 5 bytes JMP 00007ffc3f860400 .text C:\WINDOWS\system32\atieclxx.exe[792] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ffbbf732ee0 5 bytes JMP 00007ffc3f8601f0 .text C:\WINDOWS\system32\atieclxx.exe[792] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00007ffbbf732ef0 5 bytes JMP 00007ffc3f860210 .text C:\WINDOWS\system32\atieclxx.exe[792] C:\WINDOWS\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ffbbf732f80 5 bytes JMP 00007ffc3f860200 .text C:\WINDOWS\system32\atieclxx.exe[792] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSuspendProcess 00007ffbbf732ff0 5 bytes JMP 00007ffc3f860420 .text C:\WINDOWS\system32\atieclxx.exe[792] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSuspendThread 00007ffbbf733000 5 bytes JMP 00007ffc3f860430 .text C:\WINDOWS\system32\atieclxx.exe[792] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ffbbf733010 5 bytes JMP 00007ffc3f860220 .text C:\WINDOWS\system32\atieclxx.exe[792] C:\WINDOWS\SYSTEM32\ntdll.dll!NtVdmControl 00007ffbbf733120 2 bytes JMP 00007ffc3f860280 .text C:\WINDOWS\system32\atieclxx.exe[792] C:\WINDOWS\SYSTEM32\ntdll.dll!NtVdmControl + 3 00007ffbbf733123 2 bytes [12, 80] .text C:\WINDOWS\system32\atieclxx.exe[792] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 506 00007ffbbeef169a 4 bytes [EF, BE, FB, 7F] .text C:\WINDOWS\system32\atieclxx.exe[792] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 514 00007ffbbeef16a2 4 bytes [EF, BE, FB, 7F] .text C:\WINDOWS\system32\atieclxx.exe[792] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 118 00007ffbbeef181a 4 bytes [EF, BE, FB, 7F] .text C:\WINDOWS\system32\atieclxx.exe[792] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 142 00007ffbbeef1832 4 bytes [EF, BE, FB, 7F] .text C:\WINDOWS\System32\svchost.exe[868] C:\WINDOWS\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00007ffbbf731720 5 bytes JMP 00007ffc3f860460 .text C:\WINDOWS\System32\svchost.exe[868] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueryObject 00007ffbbf731770 5 bytes JMP 00007ffc3f860450 .text C:\WINDOWS\System32\svchost.exe[868] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenProcess 00007ffbbf7318d0 5 bytes JMP 00007ffc3f860370 .text C:\WINDOWS\System32\svchost.exe[868] C:\WINDOWS\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00007ffbbf731920 5 bytes JMP 00007ffc3f860470 .text C:\WINDOWS\System32\svchost.exe[868] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ffbbf731930 5 bytes JMP 00007ffc3f8603e0 .text C:\WINDOWS\System32\svchost.exe[868] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenSection 00007ffbbf7319e0 5 bytes JMP 00007ffc3f860320 .text C:\WINDOWS\System32\svchost.exe[868] C:\WINDOWS\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffbbf731a10 5 bytes JMP 00007ffc3f8603b0 .text C:\WINDOWS\System32\svchost.exe[868] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDuplicateObject 00007ffbbf731a30 5 bytes JMP 00007ffc3f860390 .text C:\WINDOWS\System32\svchost.exe[868] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenEvent 00007ffbbf731a70 5 bytes JMP 00007ffc3f8602e0 .text C:\WINDOWS\System32\svchost.exe[868] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateEvent 00007ffbbf731af0 5 bytes JMP 00007ffc3f8602d0 .text C:\WINDOWS\System32\svchost.exe[868] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSection 00007ffbbf731b10 5 bytes JMP 00007ffc3f860310 .text C:\WINDOWS\System32\svchost.exe[868] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThread 00007ffbbf731b50 5 bytes JMP 00007ffc3f8603c0 .text C:\WINDOWS\System32\svchost.exe[868] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateThread 00007ffbbf731ba0 5 bytes JMP 00007ffc3f8603f0 .text C:\WINDOWS\System32\svchost.exe[868] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAddBootEntry 00007ffbbf731d00 5 bytes JMP 00007ffc3f860230 .text C:\WINDOWS\System32\svchost.exe[868] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ffbbf731ef0 1 byte JMP 00007ffc3f860480 .text C:\WINDOWS\System32\svchost.exe[868] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort + 2 00007ffbbf731ef2 3 bytes {JMP 0xffffffff8012e590} .text C:\WINDOWS\System32\svchost.exe[868] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00007ffbbf731f20 5 bytes JMP 00007ffc3f8603a0 .text C:\WINDOWS\System32\svchost.exe[868] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ffbbf732040 5 bytes JMP 00007ffc3f8602f0 .text C:\WINDOWS\System32\svchost.exe[868] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00007ffbbf732060 5 bytes JMP 00007ffc3f860350 .text C:\WINDOWS\System32\svchost.exe[868] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateMutant 00007ffbbf7320d0 5 bytes JMP 00007ffc3f860290 .text C:\WINDOWS\System32\svchost.exe[868] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ffbbf732160 5 bytes JMP 00007ffc3f8602b0 .text C:\WINDOWS\System32\svchost.exe[868] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffbbf732180 5 bytes JMP 00007ffc3f8603d0 .text C:\WINDOWS\System32\svchost.exe[868] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateTimer 00007ffbbf732190 5 bytes JMP 00007ffc3f860330 .text C:\WINDOWS\System32\svchost.exe[868] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00007ffbbf732240 5 bytes JMP 00007ffc3f860410 .text C:\WINDOWS\System32\svchost.exe[868] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00007ffbbf732270 5 bytes JMP 00007ffc3f860240 .text C:\WINDOWS\System32\svchost.exe[868] C:\WINDOWS\SYSTEM32\ntdll.dll!NtLoadDriver 00007ffbbf732590 5 bytes JMP 00007ffc3f8601e0 .text C:\WINDOWS\System32\svchost.exe[868] C:\WINDOWS\SYSTEM32\ntdll.dll!NtModifyBootEntry 00007ffbbf732650 5 bytes JMP 00007ffc3f860250 .text C:\WINDOWS\System32\svchost.exe[868] C:\WINDOWS\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00007ffbbf732680 5 bytes JMP 00007ffc3f860490 .text C:\WINDOWS\System32\svchost.exe[868] C:\WINDOWS\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00007ffbbf732690 5 bytes JMP 00007ffc3f8604a0 .text C:\WINDOWS\System32\svchost.exe[868] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenEventPair 00007ffbbf7326c0 5 bytes JMP 00007ffc3f860300 .text C:\WINDOWS\System32\svchost.exe[868] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00007ffbbf7326d0 1 byte JMP 00007ffc3f860360 .text C:\WINDOWS\System32\svchost.exe[868] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenIoCompletion + 2 00007ffbbf7326d2 3 bytes {JMP 0xffffffff8012dc90} .text C:\WINDOWS\System32\svchost.exe[868] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenMutant 00007ffbbf732730 5 bytes JMP 00007ffc3f8602a0 .text C:\WINDOWS\System32\svchost.exe[868] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenSemaphore 00007ffbbf732780 5 bytes JMP 00007ffc3f8602c0 .text C:\WINDOWS\System32\svchost.exe[868] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenThread 00007ffbbf7327b0 5 bytes JMP 00007ffc3f860380 .text C:\WINDOWS\System32\svchost.exe[868] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenTimer 00007ffbbf7327c0 5 bytes JMP 00007ffc3f860340 .text C:\WINDOWS\System32\svchost.exe[868] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00007ffbbf732ad0 5 bytes JMP 00007ffc3f860440 .text C:\WINDOWS\System32\svchost.exe[868] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00007ffbbf732cd0 1 byte JMP 00007ffc3f860260 .text C:\WINDOWS\System32\svchost.exe[868] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 00007ffbbf732cd2 3 bytes {JMP 0xffffffff8012d590} .text C:\WINDOWS\System32\svchost.exe[868] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootOptions 00007ffbbf732ce0 1 byte JMP 00007ffc3f860270 .text C:\WINDOWS\System32\svchost.exe[868] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 00007ffbbf732ce2 3 bytes {JMP 0xffffffff8012d590} .text C:\WINDOWS\System32\svchost.exe[868] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetContextThread 00007ffbbf732d00 5 bytes JMP 00007ffc3f860400 .text C:\WINDOWS\System32\svchost.exe[868] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ffbbf732ee0 5 bytes JMP 00007ffc3f8601f0 .text C:\WINDOWS\System32\svchost.exe[868] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00007ffbbf732ef0 5 bytes JMP 00007ffc3f860210 .text C:\WINDOWS\System32\svchost.exe[868] C:\WINDOWS\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ffbbf732f80 5 bytes JMP 00007ffc3f860200 .text C:\WINDOWS\System32\svchost.exe[868] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSuspendProcess 00007ffbbf732ff0 5 bytes JMP 00007ffc3f860420 .text C:\WINDOWS\System32\svchost.exe[868] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSuspendThread 00007ffbbf733000 5 bytes JMP 00007ffc3f860430 .text C:\WINDOWS\System32\svchost.exe[868] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ffbbf733010 5 bytes JMP 00007ffc3f860220 .text C:\WINDOWS\System32\svchost.exe[868] C:\WINDOWS\SYSTEM32\ntdll.dll!NtVdmControl 00007ffbbf733120 2 bytes JMP 00007ffc3f860280 .text C:\WINDOWS\System32\svchost.exe[868] C:\WINDOWS\SYSTEM32\ntdll.dll!NtVdmControl + 3 00007ffbbf733123 2 bytes [12, 80] .text C:\WINDOWS\system32\svchost.exe[1176] C:\WINDOWS\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00007ffbbf731720 5 bytes JMP 00007ffc3f860460 .text C:\WINDOWS\system32\svchost.exe[1176] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueryObject 00007ffbbf731770 5 bytes JMP 00007ffc3f860450 .text C:\WINDOWS\system32\svchost.exe[1176] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenProcess 00007ffbbf7318d0 5 bytes JMP 00007ffc3f860370 .text C:\WINDOWS\system32\svchost.exe[1176] C:\WINDOWS\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00007ffbbf731920 5 bytes JMP 00007ffc3f860470 .text C:\WINDOWS\system32\svchost.exe[1176] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ffbbf731930 5 bytes JMP 00007ffc3f8603e0 .text C:\WINDOWS\system32\svchost.exe[1176] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenSection 00007ffbbf7319e0 5 bytes JMP 00007ffc3f860320 .text C:\WINDOWS\system32\svchost.exe[1176] C:\WINDOWS\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffbbf731a10 5 bytes JMP 00007ffc3f8603b0 .text C:\WINDOWS\system32\svchost.exe[1176] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDuplicateObject 00007ffbbf731a30 5 bytes JMP 00007ffc3f860390 .text C:\WINDOWS\system32\svchost.exe[1176] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenEvent 00007ffbbf731a70 5 bytes JMP 00007ffc3f8602e0 .text C:\WINDOWS\system32\svchost.exe[1176] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateEvent 00007ffbbf731af0 5 bytes JMP 00007ffc3f8602d0 .text C:\WINDOWS\system32\svchost.exe[1176] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSection 00007ffbbf731b10 5 bytes JMP 00007ffc3f860310 .text C:\WINDOWS\system32\svchost.exe[1176] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThread 00007ffbbf731b50 5 bytes JMP 00007ffc3f8603c0 .text C:\WINDOWS\system32\svchost.exe[1176] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateThread 00007ffbbf731ba0 5 bytes JMP 00007ffc3f8603f0 .text C:\WINDOWS\system32\svchost.exe[1176] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAddBootEntry 00007ffbbf731d00 5 bytes JMP 00007ffc3f860230 .text C:\WINDOWS\system32\svchost.exe[1176] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ffbbf731ef0 1 byte JMP 00007ffc3f860480 .text C:\WINDOWS\system32\svchost.exe[1176] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort + 2 00007ffbbf731ef2 3 bytes {JMP 0xffffffff8012e590} .text C:\WINDOWS\system32\svchost.exe[1176] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00007ffbbf731f20 5 bytes JMP 00007ffc3f8603a0 .text C:\WINDOWS\system32\svchost.exe[1176] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ffbbf732040 5 bytes JMP 00007ffc3f8602f0 .text C:\WINDOWS\system32\svchost.exe[1176] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00007ffbbf732060 5 bytes JMP 00007ffc3f860350 .text C:\WINDOWS\system32\svchost.exe[1176] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateMutant 00007ffbbf7320d0 5 bytes JMP 00007ffc3f860290 .text C:\WINDOWS\system32\svchost.exe[1176] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ffbbf732160 5 bytes JMP 00007ffc3f8602b0 .text C:\WINDOWS\system32\svchost.exe[1176] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffbbf732180 5 bytes JMP 00007ffc3f8603d0 .text C:\WINDOWS\system32\svchost.exe[1176] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateTimer 00007ffbbf732190 5 bytes JMP 00007ffc3f860330 .text C:\WINDOWS\system32\svchost.exe[1176] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00007ffbbf732240 5 bytes JMP 00007ffc3f860410 .text C:\WINDOWS\system32\svchost.exe[1176] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00007ffbbf732270 5 bytes JMP 00007ffc3f860240 .text C:\WINDOWS\system32\svchost.exe[1176] C:\WINDOWS\SYSTEM32\ntdll.dll!NtLoadDriver 00007ffbbf732590 5 bytes JMP 00007ffc3f8601e0 .text C:\WINDOWS\system32\svchost.exe[1176] C:\WINDOWS\SYSTEM32\ntdll.dll!NtModifyBootEntry 00007ffbbf732650 5 bytes JMP 00007ffc3f860250 .text C:\WINDOWS\system32\svchost.exe[1176] C:\WINDOWS\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00007ffbbf732680 5 bytes JMP 00007ffc3f860490 .text C:\WINDOWS\system32\svchost.exe[1176] C:\WINDOWS\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00007ffbbf732690 5 bytes JMP 00007ffc3f8604a0 .text C:\WINDOWS\system32\svchost.exe[1176] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenEventPair 00007ffbbf7326c0 5 bytes JMP 00007ffc3f860300 .text C:\WINDOWS\system32\svchost.exe[1176] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00007ffbbf7326d0 1 byte JMP 00007ffc3f860360 .text C:\WINDOWS\system32\svchost.exe[1176] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenIoCompletion + 2 00007ffbbf7326d2 3 bytes {JMP 0xffffffff8012dc90} .text C:\WINDOWS\system32\svchost.exe[1176] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenMutant 00007ffbbf732730 5 bytes JMP 00007ffc3f8602a0 .text C:\WINDOWS\system32\svchost.exe[1176] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenSemaphore 00007ffbbf732780 5 bytes JMP 00007ffc3f8602c0 .text C:\WINDOWS\system32\svchost.exe[1176] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenThread 00007ffbbf7327b0 5 bytes JMP 00007ffc3f860380 .text C:\WINDOWS\system32\svchost.exe[1176] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenTimer 00007ffbbf7327c0 5 bytes JMP 00007ffc3f860340 .text C:\WINDOWS\system32\svchost.exe[1176] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00007ffbbf732ad0 5 bytes JMP 00007ffc3f860440 .text C:\WINDOWS\system32\svchost.exe[1176] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00007ffbbf732cd0 1 byte JMP 00007ffc3f860260 .text C:\WINDOWS\system32\svchost.exe[1176] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 00007ffbbf732cd2 3 bytes {JMP 0xffffffff8012d590} .text C:\WINDOWS\system32\svchost.exe[1176] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootOptions 00007ffbbf732ce0 1 byte JMP 00007ffc3f860270 .text C:\WINDOWS\system32\svchost.exe[1176] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 00007ffbbf732ce2 3 bytes {JMP 0xffffffff8012d590} .text C:\WINDOWS\system32\svchost.exe[1176] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetContextThread 00007ffbbf732d00 5 bytes JMP 00007ffc3f860400 .text C:\WINDOWS\system32\svchost.exe[1176] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ffbbf732ee0 5 bytes JMP 00007ffc3f8601f0 .text C:\WINDOWS\system32\svchost.exe[1176] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00007ffbbf732ef0 5 bytes JMP 00007ffc3f860210 .text C:\WINDOWS\system32\svchost.exe[1176] C:\WINDOWS\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ffbbf732f80 5 bytes JMP 00007ffc3f860200 .text C:\WINDOWS\system32\svchost.exe[1176] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSuspendProcess 00007ffbbf732ff0 5 bytes JMP 00007ffc3f860420 .text C:\WINDOWS\system32\svchost.exe[1176] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSuspendThread 00007ffbbf733000 5 bytes JMP 00007ffc3f860430 .text C:\WINDOWS\system32\svchost.exe[1176] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ffbbf733010 5 bytes JMP 00007ffc3f860220 .text C:\WINDOWS\system32\svchost.exe[1176] C:\WINDOWS\SYSTEM32\ntdll.dll!NtVdmControl 00007ffbbf733120 2 bytes JMP 00007ffc3f860280 .text C:\WINDOWS\system32\svchost.exe[1176] C:\WINDOWS\SYSTEM32\ntdll.dll!NtVdmControl + 3 00007ffbbf733123 2 bytes [12, 80] .text C:\WINDOWS\system32\WLANExt.exe[1264] C:\WINDOWS\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00007ffbbf731720 5 bytes JMP 00007ffc3f860460 .text C:\WINDOWS\system32\WLANExt.exe[1264] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueryObject 00007ffbbf731770 5 bytes JMP 00007ffc3f860450 .text C:\WINDOWS\system32\WLANExt.exe[1264] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenProcess 00007ffbbf7318d0 5 bytes JMP 00007ffc3f860370 .text C:\WINDOWS\system32\WLANExt.exe[1264] C:\WINDOWS\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00007ffbbf731920 5 bytes JMP 00007ffc3f860470 .text C:\WINDOWS\system32\WLANExt.exe[1264] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ffbbf731930 5 bytes JMP 00007ffc3f8603e0 .text C:\WINDOWS\system32\WLANExt.exe[1264] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenSection 00007ffbbf7319e0 5 bytes JMP 00007ffc3f860320 .text C:\WINDOWS\system32\WLANExt.exe[1264] C:\WINDOWS\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffbbf731a10 5 bytes JMP 00007ffc3f8603b0 .text C:\WINDOWS\system32\WLANExt.exe[1264] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDuplicateObject 00007ffbbf731a30 5 bytes JMP 00007ffc3f860390 .text C:\WINDOWS\system32\WLANExt.exe[1264] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenEvent 00007ffbbf731a70 5 bytes JMP 00007ffc3f8602e0 .text C:\WINDOWS\system32\WLANExt.exe[1264] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateEvent 00007ffbbf731af0 5 bytes JMP 00007ffc3f8602d0 .text C:\WINDOWS\system32\WLANExt.exe[1264] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSection 00007ffbbf731b10 5 bytes JMP 00007ffc3f860310 .text C:\WINDOWS\system32\WLANExt.exe[1264] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThread 00007ffbbf731b50 5 bytes JMP 00007ffc3f8603c0 .text C:\WINDOWS\system32\WLANExt.exe[1264] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateThread 00007ffbbf731ba0 5 bytes JMP 00007ffc3f8603f0 .text C:\WINDOWS\system32\WLANExt.exe[1264] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAddBootEntry 00007ffbbf731d00 5 bytes JMP 00007ffc3f860230 .text C:\WINDOWS\system32\WLANExt.exe[1264] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ffbbf731ef0 1 byte JMP 00007ffc3f860480 .text C:\WINDOWS\system32\WLANExt.exe[1264] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort + 2 00007ffbbf731ef2 3 bytes {JMP 0xffffffff8012e590} .text C:\WINDOWS\system32\WLANExt.exe[1264] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00007ffbbf731f20 5 bytes JMP 00007ffc3f8603a0 .text C:\WINDOWS\system32\WLANExt.exe[1264] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ffbbf732040 5 bytes JMP 00007ffc3f8602f0 .text C:\WINDOWS\system32\WLANExt.exe[1264] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00007ffbbf732060 5 bytes JMP 00007ffc3f860350 .text C:\WINDOWS\system32\WLANExt.exe[1264] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateMutant 00007ffbbf7320d0 5 bytes JMP 00007ffc3f860290 .text C:\WINDOWS\system32\WLANExt.exe[1264] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ffbbf732160 5 bytes JMP 00007ffc3f8602b0 .text C:\WINDOWS\system32\WLANExt.exe[1264] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffbbf732180 5 bytes JMP 00007ffc3f8603d0 .text C:\WINDOWS\system32\WLANExt.exe[1264] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateTimer 00007ffbbf732190 5 bytes JMP 00007ffc3f860330 .text C:\WINDOWS\system32\WLANExt.exe[1264] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00007ffbbf732240 5 bytes JMP 00007ffc3f860410 .text C:\WINDOWS\system32\WLANExt.exe[1264] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00007ffbbf732270 5 bytes JMP 00007ffc3f860240 .text C:\WINDOWS\system32\WLANExt.exe[1264] C:\WINDOWS\SYSTEM32\ntdll.dll!NtLoadDriver 00007ffbbf732590 5 bytes JMP 00007ffc3f8601e0 .text C:\WINDOWS\system32\WLANExt.exe[1264] C:\WINDOWS\SYSTEM32\ntdll.dll!NtModifyBootEntry 00007ffbbf732650 5 bytes JMP 00007ffc3f860250 .text C:\WINDOWS\system32\WLANExt.exe[1264] C:\WINDOWS\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00007ffbbf732680 5 bytes JMP 00007ffc3f860490 .text C:\WINDOWS\system32\WLANExt.exe[1264] C:\WINDOWS\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00007ffbbf732690 5 bytes JMP 00007ffc3f8604a0 .text C:\WINDOWS\system32\WLANExt.exe[1264] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenEventPair 00007ffbbf7326c0 5 bytes JMP 00007ffc3f860300 .text C:\WINDOWS\system32\WLANExt.exe[1264] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00007ffbbf7326d0 1 byte JMP 00007ffc3f860360 .text C:\WINDOWS\system32\WLANExt.exe[1264] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenIoCompletion + 2 00007ffbbf7326d2 3 bytes {JMP 0xffffffff8012dc90} .text C:\WINDOWS\system32\WLANExt.exe[1264] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenMutant 00007ffbbf732730 5 bytes JMP 00007ffc3f8602a0 .text C:\WINDOWS\system32\WLANExt.exe[1264] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenSemaphore 00007ffbbf732780 5 bytes JMP 00007ffc3f8602c0 .text C:\WINDOWS\system32\WLANExt.exe[1264] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenThread 00007ffbbf7327b0 5 bytes JMP 00007ffc3f860380 .text C:\WINDOWS\system32\WLANExt.exe[1264] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenTimer 00007ffbbf7327c0 5 bytes JMP 00007ffc3f860340 .text C:\WINDOWS\system32\WLANExt.exe[1264] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00007ffbbf732ad0 5 bytes JMP 00007ffc3f860440 .text C:\WINDOWS\system32\WLANExt.exe[1264] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00007ffbbf732cd0 1 byte JMP 00007ffc3f860260 .text C:\WINDOWS\system32\WLANExt.exe[1264] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 00007ffbbf732cd2 3 bytes {JMP 0xffffffff8012d590} .text C:\WINDOWS\system32\WLANExt.exe[1264] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootOptions 00007ffbbf732ce0 1 byte JMP 00007ffc3f860270 .text C:\WINDOWS\system32\WLANExt.exe[1264] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 00007ffbbf732ce2 3 bytes {JMP 0xffffffff8012d590} .text C:\WINDOWS\system32\WLANExt.exe[1264] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetContextThread 00007ffbbf732d00 5 bytes JMP 00007ffc3f860400 .text C:\WINDOWS\system32\WLANExt.exe[1264] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ffbbf732ee0 5 bytes JMP 00007ffc3f8601f0 .text C:\WINDOWS\system32\WLANExt.exe[1264] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00007ffbbf732ef0 5 bytes JMP 00007ffc3f860210 .text C:\WINDOWS\system32\WLANExt.exe[1264] C:\WINDOWS\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ffbbf732f80 5 bytes JMP 00007ffc3f860200 .text C:\WINDOWS\system32\WLANExt.exe[1264] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSuspendProcess 00007ffbbf732ff0 5 bytes JMP 00007ffc3f860420 .text C:\WINDOWS\system32\WLANExt.exe[1264] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSuspendThread 00007ffbbf733000 5 bytes JMP 00007ffc3f860430 .text C:\WINDOWS\system32\WLANExt.exe[1264] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ffbbf733010 5 bytes JMP 00007ffc3f860220 .text C:\WINDOWS\system32\WLANExt.exe[1264] C:\WINDOWS\SYSTEM32\ntdll.dll!NtVdmControl 00007ffbbf733120 2 bytes JMP 00007ffc3f860280 .text C:\WINDOWS\system32\WLANExt.exe[1264] C:\WINDOWS\SYSTEM32\ntdll.dll!NtVdmControl + 3 00007ffbbf733123 2 bytes [12, 80] .text C:\WINDOWS\system32\conhost.exe[1300] C:\WINDOWS\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00007ffbbf731720 5 bytes JMP 00007ffc3f860460 .text C:\WINDOWS\system32\conhost.exe[1300] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueryObject 00007ffbbf731770 5 bytes JMP 00007ffc3f860450 .text C:\WINDOWS\system32\conhost.exe[1300] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenProcess 00007ffbbf7318d0 5 bytes JMP 00007ffc3f860370 .text C:\WINDOWS\system32\conhost.exe[1300] C:\WINDOWS\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00007ffbbf731920 5 bytes JMP 00007ffc3f860470 .text C:\WINDOWS\system32\conhost.exe[1300] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ffbbf731930 5 bytes JMP 00007ffc3f8603e0 .text C:\WINDOWS\system32\conhost.exe[1300] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenSection 00007ffbbf7319e0 5 bytes JMP 00007ffc3f860320 .text C:\WINDOWS\system32\conhost.exe[1300] C:\WINDOWS\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffbbf731a10 5 bytes JMP 00007ffc3f8603b0 .text C:\WINDOWS\system32\conhost.exe[1300] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDuplicateObject 00007ffbbf731a30 5 bytes JMP 00007ffc3f860390 .text C:\WINDOWS\system32\conhost.exe[1300] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenEvent 00007ffbbf731a70 5 bytes JMP 00007ffc3f8602e0 .text C:\WINDOWS\system32\conhost.exe[1300] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateEvent 00007ffbbf731af0 5 bytes JMP 00007ffc3f8602d0 .text C:\WINDOWS\system32\conhost.exe[1300] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSection 00007ffbbf731b10 5 bytes JMP 00007ffc3f860310 .text C:\WINDOWS\system32\conhost.exe[1300] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThread 00007ffbbf731b50 5 bytes JMP 00007ffc3f8603c0 .text C:\WINDOWS\system32\conhost.exe[1300] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateThread 00007ffbbf731ba0 5 bytes JMP 00007ffc3f8603f0 .text C:\WINDOWS\system32\conhost.exe[1300] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAddBootEntry 00007ffbbf731d00 5 bytes JMP 00007ffc3f860230 .text C:\WINDOWS\system32\conhost.exe[1300] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ffbbf731ef0 1 byte JMP 00007ffc3f860480 .text C:\WINDOWS\system32\conhost.exe[1300] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort + 2 00007ffbbf731ef2 3 bytes {JMP 0xffffffff8012e590} .text C:\WINDOWS\system32\conhost.exe[1300] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00007ffbbf731f20 5 bytes JMP 00007ffc3f8603a0 .text C:\WINDOWS\system32\conhost.exe[1300] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ffbbf732040 5 bytes JMP 00007ffc3f8602f0 .text C:\WINDOWS\system32\conhost.exe[1300] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00007ffbbf732060 5 bytes JMP 00007ffc3f860350 .text C:\WINDOWS\system32\conhost.exe[1300] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateMutant 00007ffbbf7320d0 5 bytes JMP 00007ffc3f860290 .text C:\WINDOWS\system32\conhost.exe[1300] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ffbbf732160 5 bytes JMP 00007ffc3f8602b0 .text C:\WINDOWS\system32\conhost.exe[1300] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffbbf732180 5 bytes JMP 00007ffc3f8603d0 .text C:\WINDOWS\system32\conhost.exe[1300] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateTimer 00007ffbbf732190 5 bytes JMP 00007ffc3f860330 .text C:\WINDOWS\system32\conhost.exe[1300] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00007ffbbf732240 5 bytes JMP 00007ffc3f860410 .text C:\WINDOWS\system32\conhost.exe[1300] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00007ffbbf732270 5 bytes JMP 00007ffc3f860240 .text C:\WINDOWS\system32\conhost.exe[1300] C:\WINDOWS\SYSTEM32\ntdll.dll!NtLoadDriver 00007ffbbf732590 5 bytes JMP 00007ffc3f8601e0 .text C:\WINDOWS\system32\conhost.exe[1300] C:\WINDOWS\SYSTEM32\ntdll.dll!NtModifyBootEntry 00007ffbbf732650 5 bytes JMP 00007ffc3f860250 .text C:\WINDOWS\system32\conhost.exe[1300] C:\WINDOWS\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00007ffbbf732680 5 bytes JMP 00007ffc3f860490 .text C:\WINDOWS\system32\conhost.exe[1300] C:\WINDOWS\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00007ffbbf732690 5 bytes JMP 00007ffc3f8604a0 .text C:\WINDOWS\system32\conhost.exe[1300] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenEventPair 00007ffbbf7326c0 5 bytes JMP 00007ffc3f860300 .text C:\WINDOWS\system32\conhost.exe[1300] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00007ffbbf7326d0 1 byte JMP 00007ffc3f860360 .text C:\WINDOWS\system32\conhost.exe[1300] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenIoCompletion + 2 00007ffbbf7326d2 3 bytes {JMP 0xffffffff8012dc90} .text C:\WINDOWS\system32\conhost.exe[1300] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenMutant 00007ffbbf732730 5 bytes JMP 00007ffc3f8602a0 .text C:\WINDOWS\system32\conhost.exe[1300] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenSemaphore 00007ffbbf732780 5 bytes JMP 00007ffc3f8602c0 .text C:\WINDOWS\system32\conhost.exe[1300] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenThread 00007ffbbf7327b0 5 bytes JMP 00007ffc3f860380 .text C:\WINDOWS\system32\conhost.exe[1300] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenTimer 00007ffbbf7327c0 5 bytes JMP 00007ffc3f860340 .text C:\WINDOWS\system32\conhost.exe[1300] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00007ffbbf732ad0 5 bytes JMP 00007ffc3f860440 .text C:\WINDOWS\system32\conhost.exe[1300] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00007ffbbf732cd0 1 byte JMP 00007ffc3f860260 .text C:\WINDOWS\system32\conhost.exe[1300] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 00007ffbbf732cd2 3 bytes {JMP 0xffffffff8012d590} .text C:\WINDOWS\system32\conhost.exe[1300] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootOptions 00007ffbbf732ce0 1 byte JMP 00007ffc3f860270 .text C:\WINDOWS\system32\conhost.exe[1300] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 00007ffbbf732ce2 3 bytes {JMP 0xffffffff8012d590} .text C:\WINDOWS\system32\conhost.exe[1300] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetContextThread 00007ffbbf732d00 5 bytes JMP 00007ffc3f860400 .text C:\WINDOWS\system32\conhost.exe[1300] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ffbbf732ee0 5 bytes JMP 00007ffc3f8601f0 .text C:\WINDOWS\system32\conhost.exe[1300] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00007ffbbf732ef0 5 bytes JMP 00007ffc3f860210 .text C:\WINDOWS\system32\conhost.exe[1300] C:\WINDOWS\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ffbbf732f80 5 bytes JMP 00007ffc3f860200 .text C:\WINDOWS\system32\conhost.exe[1300] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSuspendProcess 00007ffbbf732ff0 5 bytes JMP 00007ffc3f860420 .text C:\WINDOWS\system32\conhost.exe[1300] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSuspendThread 00007ffbbf733000 5 bytes JMP 00007ffc3f860430 .text C:\WINDOWS\system32\conhost.exe[1300] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ffbbf733010 5 bytes JMP 00007ffc3f860220 .text C:\WINDOWS\system32\conhost.exe[1300] C:\WINDOWS\SYSTEM32\ntdll.dll!NtVdmControl 00007ffbbf733120 2 bytes JMP 00007ffc3f860280 .text C:\WINDOWS\system32\conhost.exe[1300] C:\WINDOWS\SYSTEM32\ntdll.dll!NtVdmControl + 3 00007ffbbf733123 2 bytes [12, 80] .text C:\WINDOWS\Explorer.EXE[1472] C:\WINDOWS\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00007ffbbf731720 5 bytes JMP 00007ffc3f860460 .text C:\WINDOWS\Explorer.EXE[1472] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueryObject 00007ffbbf731770 5 bytes JMP 00007ffc3f860450 .text C:\WINDOWS\Explorer.EXE[1472] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenProcess 00007ffbbf7318d0 5 bytes JMP 00007ffc3f860370 .text C:\WINDOWS\Explorer.EXE[1472] C:\WINDOWS\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00007ffbbf731920 5 bytes JMP 00007ffc3f860470 .text C:\WINDOWS\Explorer.EXE[1472] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ffbbf731930 5 bytes JMP 00007ffc3f8603e0 .text C:\WINDOWS\Explorer.EXE[1472] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenSection 00007ffbbf7319e0 5 bytes JMP 00007ffc3f860320 .text C:\WINDOWS\Explorer.EXE[1472] C:\WINDOWS\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffbbf731a10 5 bytes JMP 00007ffc3f8603b0 .text C:\WINDOWS\Explorer.EXE[1472] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDuplicateObject 00007ffbbf731a30 5 bytes JMP 00007ffc3f860390 .text C:\WINDOWS\Explorer.EXE[1472] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenEvent 00007ffbbf731a70 5 bytes JMP 00007ffc3f8602e0 .text C:\WINDOWS\Explorer.EXE[1472] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateEvent 00007ffbbf731af0 5 bytes JMP 00007ffc3f8602d0 .text C:\WINDOWS\Explorer.EXE[1472] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSection 00007ffbbf731b10 5 bytes JMP 00007ffc3f860310 .text C:\WINDOWS\Explorer.EXE[1472] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThread 00007ffbbf731b50 5 bytes JMP 00007ffc3f8603c0 .text C:\WINDOWS\Explorer.EXE[1472] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateThread 00007ffbbf731ba0 5 bytes JMP 00007ffc3f8603f0 .text C:\WINDOWS\Explorer.EXE[1472] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAddBootEntry 00007ffbbf731d00 5 bytes JMP 00007ffc3f860230 .text C:\WINDOWS\Explorer.EXE[1472] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ffbbf731ef0 1 byte JMP 00007ffc3f860480 .text C:\WINDOWS\Explorer.EXE[1472] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort + 2 00007ffbbf731ef2 3 bytes {JMP 0xffffffff8012e590} .text C:\WINDOWS\Explorer.EXE[1472] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00007ffbbf731f20 5 bytes JMP 00007ffc3f8603a0 .text C:\WINDOWS\Explorer.EXE[1472] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ffbbf732040 5 bytes JMP 00007ffc3f8602f0 .text C:\WINDOWS\Explorer.EXE[1472] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00007ffbbf732060 5 bytes JMP 00007ffc3f860350 .text C:\WINDOWS\Explorer.EXE[1472] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateMutant 00007ffbbf7320d0 5 bytes JMP 00007ffc3f860290 .text C:\WINDOWS\Explorer.EXE[1472] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ffbbf732160 5 bytes JMP 00007ffc3f8602b0 .text C:\WINDOWS\Explorer.EXE[1472] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffbbf732180 5 bytes JMP 00007ffc3f8603d0 .text C:\WINDOWS\Explorer.EXE[1472] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateTimer 00007ffbbf732190 5 bytes JMP 00007ffc3f860330 .text C:\WINDOWS\Explorer.EXE[1472] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00007ffbbf732240 5 bytes JMP 00007ffc3f860410 .text C:\WINDOWS\Explorer.EXE[1472] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00007ffbbf732270 5 bytes JMP 00007ffc3f860240 .text C:\WINDOWS\Explorer.EXE[1472] C:\WINDOWS\SYSTEM32\ntdll.dll!NtLoadDriver 00007ffbbf732590 5 bytes JMP 00007ffc3f8601e0 .text C:\WINDOWS\Explorer.EXE[1472] C:\WINDOWS\SYSTEM32\ntdll.dll!NtModifyBootEntry 00007ffbbf732650 5 bytes JMP 00007ffc3f860250 .text C:\WINDOWS\Explorer.EXE[1472] C:\WINDOWS\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00007ffbbf732680 5 bytes JMP 00007ffc3f860490 .text C:\WINDOWS\Explorer.EXE[1472] C:\WINDOWS\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00007ffbbf732690 5 bytes JMP 00007ffc3f8604a0 .text C:\WINDOWS\Explorer.EXE[1472] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenEventPair 00007ffbbf7326c0 5 bytes JMP 00007ffc3f860300 .text C:\WINDOWS\Explorer.EXE[1472] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00007ffbbf7326d0 1 byte JMP 00007ffc3f860360 .text C:\WINDOWS\Explorer.EXE[1472] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenIoCompletion + 2 00007ffbbf7326d2 3 bytes {JMP 0xffffffff8012dc90} .text C:\WINDOWS\Explorer.EXE[1472] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenMutant 00007ffbbf732730 5 bytes JMP 00007ffc3f8602a0 .text C:\WINDOWS\Explorer.EXE[1472] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenSemaphore 00007ffbbf732780 5 bytes JMP 00007ffc3f8602c0 .text C:\WINDOWS\Explorer.EXE[1472] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenThread 00007ffbbf7327b0 5 bytes JMP 00007ffc3f860380 .text C:\WINDOWS\Explorer.EXE[1472] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenTimer 00007ffbbf7327c0 5 bytes JMP 00007ffc3f860340 .text C:\WINDOWS\Explorer.EXE[1472] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00007ffbbf732ad0 5 bytes JMP 00007ffc3f860440 .text C:\WINDOWS\Explorer.EXE[1472] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00007ffbbf732cd0 1 byte JMP 00007ffc3f860260 .text C:\WINDOWS\Explorer.EXE[1472] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 00007ffbbf732cd2 3 bytes {JMP 0xffffffff8012d590} .text C:\WINDOWS\Explorer.EXE[1472] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootOptions 00007ffbbf732ce0 1 byte JMP 00007ffc3f860270 .text C:\WINDOWS\Explorer.EXE[1472] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 00007ffbbf732ce2 3 bytes {JMP 0xffffffff8012d590} .text C:\WINDOWS\Explorer.EXE[1472] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetContextThread 00007ffbbf732d00 5 bytes JMP 00007ffc3f860400 .text C:\WINDOWS\Explorer.EXE[1472] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ffbbf732ee0 5 bytes JMP 00007ffc3f8601f0 .text C:\WINDOWS\Explorer.EXE[1472] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00007ffbbf732ef0 5 bytes JMP 00007ffc3f860210 .text C:\WINDOWS\Explorer.EXE[1472] C:\WINDOWS\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ffbbf732f80 5 bytes JMP 00007ffc3f860200 .text C:\WINDOWS\Explorer.EXE[1472] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSuspendProcess 00007ffbbf732ff0 5 bytes JMP 00007ffc3f860420 .text C:\WINDOWS\Explorer.EXE[1472] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSuspendThread 00007ffbbf733000 5 bytes JMP 00007ffc3f860430 .text C:\WINDOWS\Explorer.EXE[1472] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ffbbf733010 5 bytes JMP 00007ffc3f860220 .text C:\WINDOWS\Explorer.EXE[1472] C:\WINDOWS\SYSTEM32\ntdll.dll!NtVdmControl 00007ffbbf733120 2 bytes JMP 00007ffc3f860280 .text C:\WINDOWS\Explorer.EXE[1472] C:\WINDOWS\SYSTEM32\ntdll.dll!NtVdmControl + 3 00007ffbbf733123 2 bytes [12, 80] .text C:\WINDOWS\Explorer.EXE[1472] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 506 00007ffbbeef169a 4 bytes [EF, BE, FB, 7F] .text C:\WINDOWS\Explorer.EXE[1472] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 514 00007ffbbeef16a2 4 bytes [EF, BE, FB, 7F] .text C:\WINDOWS\Explorer.EXE[1472] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 118 00007ffbbeef181a 4 bytes [EF, BE, FB, 7F] .text C:\WINDOWS\Explorer.EXE[1472] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 142 00007ffbbeef1832 4 bytes [EF, BE, FB, 7F] .text C:\WINDOWS\System32\spoolsv.exe[1636] C:\WINDOWS\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00007ffbbf731720 5 bytes JMP 00007ffc3f860460 .text C:\WINDOWS\System32\spoolsv.exe[1636] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueryObject 00007ffbbf731770 5 bytes JMP 00007ffc3f860450 .text C:\WINDOWS\System32\spoolsv.exe[1636] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenProcess 00007ffbbf7318d0 5 bytes JMP 00007ffc3f860370 .text C:\WINDOWS\System32\spoolsv.exe[1636] C:\WINDOWS\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00007ffbbf731920 5 bytes JMP 00007ffc3f860470 .text C:\WINDOWS\System32\spoolsv.exe[1636] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ffbbf731930 5 bytes JMP 00007ffc3f8603e0 .text C:\WINDOWS\System32\spoolsv.exe[1636] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenSection 00007ffbbf7319e0 5 bytes JMP 00007ffc3f860320 .text C:\WINDOWS\System32\spoolsv.exe[1636] C:\WINDOWS\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffbbf731a10 5 bytes JMP 00007ffc3f8603b0 .text C:\WINDOWS\System32\spoolsv.exe[1636] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDuplicateObject 00007ffbbf731a30 5 bytes JMP 00007ffc3f860390 .text C:\WINDOWS\System32\spoolsv.exe[1636] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenEvent 00007ffbbf731a70 5 bytes JMP 00007ffc3f8602e0 .text C:\WINDOWS\System32\spoolsv.exe[1636] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateEvent 00007ffbbf731af0 5 bytes JMP 00007ffc3f8602d0 .text C:\WINDOWS\System32\spoolsv.exe[1636] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSection 00007ffbbf731b10 5 bytes JMP 00007ffc3f860310 .text C:\WINDOWS\System32\spoolsv.exe[1636] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThread 00007ffbbf731b50 5 bytes JMP 00007ffc3f8603c0 .text C:\WINDOWS\System32\spoolsv.exe[1636] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateThread 00007ffbbf731ba0 5 bytes JMP 00007ffc3f8603f0 .text C:\WINDOWS\System32\spoolsv.exe[1636] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAddBootEntry 00007ffbbf731d00 5 bytes JMP 00007ffc3f860230 .text C:\WINDOWS\System32\spoolsv.exe[1636] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ffbbf731ef0 1 byte JMP 00007ffc3f860480 .text C:\WINDOWS\System32\spoolsv.exe[1636] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort + 2 00007ffbbf731ef2 3 bytes {JMP 0xffffffff8012e590} .text C:\WINDOWS\System32\spoolsv.exe[1636] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00007ffbbf731f20 5 bytes JMP 00007ffc3f8603a0 .text C:\WINDOWS\System32\spoolsv.exe[1636] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ffbbf732040 5 bytes JMP 00007ffc3f8602f0 .text C:\WINDOWS\System32\spoolsv.exe[1636] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00007ffbbf732060 5 bytes JMP 00007ffc3f860350 .text C:\WINDOWS\System32\spoolsv.exe[1636] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateMutant 00007ffbbf7320d0 5 bytes JMP 00007ffc3f860290 .text C:\WINDOWS\System32\spoolsv.exe[1636] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ffbbf732160 5 bytes JMP 00007ffc3f8602b0 .text C:\WINDOWS\System32\spoolsv.exe[1636] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffbbf732180 5 bytes JMP 00007ffc3f8603d0 .text C:\WINDOWS\System32\spoolsv.exe[1636] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateTimer 00007ffbbf732190 5 bytes JMP 00007ffc3f860330 .text C:\WINDOWS\System32\spoolsv.exe[1636] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00007ffbbf732240 5 bytes JMP 00007ffc3f860410 .text C:\WINDOWS\System32\spoolsv.exe[1636] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00007ffbbf732270 5 bytes JMP 00007ffc3f860240 .text C:\WINDOWS\System32\spoolsv.exe[1636] C:\WINDOWS\SYSTEM32\ntdll.dll!NtLoadDriver 00007ffbbf732590 5 bytes JMP 00007ffc3f8601e0 .text C:\WINDOWS\System32\spoolsv.exe[1636] C:\WINDOWS\SYSTEM32\ntdll.dll!NtModifyBootEntry 00007ffbbf732650 5 bytes JMP 00007ffc3f860250 .text C:\WINDOWS\System32\spoolsv.exe[1636] C:\WINDOWS\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00007ffbbf732680 5 bytes JMP 00007ffc3f860490 .text C:\WINDOWS\System32\spoolsv.exe[1636] C:\WINDOWS\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00007ffbbf732690 5 bytes JMP 00007ffc3f8604a0 .text C:\WINDOWS\System32\spoolsv.exe[1636] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenEventPair 00007ffbbf7326c0 5 bytes JMP 00007ffc3f860300 .text C:\WINDOWS\System32\spoolsv.exe[1636] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00007ffbbf7326d0 1 byte JMP 00007ffc3f860360 .text C:\WINDOWS\System32\spoolsv.exe[1636] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenIoCompletion + 2 00007ffbbf7326d2 3 bytes {JMP 0xffffffff8012dc90} .text C:\WINDOWS\System32\spoolsv.exe[1636] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenMutant 00007ffbbf732730 5 bytes JMP 00007ffc3f8602a0 .text C:\WINDOWS\System32\spoolsv.exe[1636] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenSemaphore 00007ffbbf732780 5 bytes JMP 00007ffc3f8602c0 .text C:\WINDOWS\System32\spoolsv.exe[1636] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenThread 00007ffbbf7327b0 5 bytes JMP 00007ffc3f860380 .text C:\WINDOWS\System32\spoolsv.exe[1636] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenTimer 00007ffbbf7327c0 5 bytes JMP 00007ffc3f860340 .text C:\WINDOWS\System32\spoolsv.exe[1636] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00007ffbbf732ad0 5 bytes JMP 00007ffc3f860440 .text C:\WINDOWS\System32\spoolsv.exe[1636] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00007ffbbf732cd0 1 byte JMP 00007ffc3f860260 .text C:\WINDOWS\System32\spoolsv.exe[1636] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 00007ffbbf732cd2 3 bytes {JMP 0xffffffff8012d590} .text C:\WINDOWS\System32\spoolsv.exe[1636] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootOptions 00007ffbbf732ce0 1 byte JMP 00007ffc3f860270 .text C:\WINDOWS\System32\spoolsv.exe[1636] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 00007ffbbf732ce2 3 bytes {JMP 0xffffffff8012d590} .text C:\WINDOWS\System32\spoolsv.exe[1636] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetContextThread 00007ffbbf732d00 5 bytes JMP 00007ffc3f860400 .text C:\WINDOWS\System32\spoolsv.exe[1636] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ffbbf732ee0 5 bytes JMP 00007ffc3f8601f0 .text C:\WINDOWS\System32\spoolsv.exe[1636] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00007ffbbf732ef0 5 bytes JMP 00007ffc3f860210 .text C:\WINDOWS\System32\spoolsv.exe[1636] C:\WINDOWS\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ffbbf732f80 5 bytes JMP 00007ffc3f860200 .text C:\WINDOWS\System32\spoolsv.exe[1636] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSuspendProcess 00007ffbbf732ff0 5 bytes JMP 00007ffc3f860420 .text C:\WINDOWS\System32\spoolsv.exe[1636] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSuspendThread 00007ffbbf733000 5 bytes JMP 00007ffc3f860430 .text C:\WINDOWS\System32\spoolsv.exe[1636] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ffbbf733010 5 bytes JMP 00007ffc3f860220 .text C:\WINDOWS\System32\spoolsv.exe[1636] C:\WINDOWS\SYSTEM32\ntdll.dll!NtVdmControl 00007ffbbf733120 2 bytes JMP 00007ffc3f860280 .text C:\WINDOWS\System32\spoolsv.exe[1636] C:\WINDOWS\SYSTEM32\ntdll.dll!NtVdmControl + 3 00007ffbbf733123 2 bytes [12, 80] .text C:\WINDOWS\System32\spoolsv.exe[1636] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 506 00007ffbbeef169a 4 bytes [EF, BE, FB, 7F] .text C:\WINDOWS\System32\spoolsv.exe[1636] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 514 00007ffbbeef16a2 4 bytes [EF, BE, FB, 7F] .text C:\WINDOWS\System32\spoolsv.exe[1636] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 118 00007ffbbeef181a 4 bytes [EF, BE, FB, 7F] .text C:\WINDOWS\System32\spoolsv.exe[1636] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 142 00007ffbbeef1832 4 bytes [EF, BE, FB, 7F] .text C:\WINDOWS\system32\svchost.exe[1688] C:\WINDOWS\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00007ffbbf731720 5 bytes JMP 00007ffc3f860460 .text C:\WINDOWS\system32\svchost.exe[1688] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueryObject 00007ffbbf731770 5 bytes JMP 00007ffc3f860450 .text C:\WINDOWS\system32\svchost.exe[1688] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenProcess 00007ffbbf7318d0 5 bytes JMP 00007ffc3f860370 .text C:\WINDOWS\system32\svchost.exe[1688] C:\WINDOWS\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00007ffbbf731920 5 bytes JMP 00007ffc3f860470 .text C:\WINDOWS\system32\svchost.exe[1688] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ffbbf731930 5 bytes JMP 00007ffc3f8603e0 .text C:\WINDOWS\system32\svchost.exe[1688] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenSection 00007ffbbf7319e0 5 bytes JMP 00007ffc3f860320 .text C:\WINDOWS\system32\svchost.exe[1688] C:\WINDOWS\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffbbf731a10 5 bytes JMP 00007ffc3f8603b0 .text C:\WINDOWS\system32\svchost.exe[1688] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDuplicateObject 00007ffbbf731a30 5 bytes JMP 00007ffc3f860390 .text C:\WINDOWS\system32\svchost.exe[1688] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenEvent 00007ffbbf731a70 5 bytes JMP 00007ffc3f8602e0 .text C:\WINDOWS\system32\svchost.exe[1688] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateEvent 00007ffbbf731af0 5 bytes JMP 00007ffc3f8602d0 .text C:\WINDOWS\system32\svchost.exe[1688] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSection 00007ffbbf731b10 5 bytes JMP 00007ffc3f860310 .text C:\WINDOWS\system32\svchost.exe[1688] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThread 00007ffbbf731b50 5 bytes JMP 00007ffc3f8603c0 .text C:\WINDOWS\system32\svchost.exe[1688] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateThread 00007ffbbf731ba0 5 bytes JMP 00007ffc3f8603f0 .text C:\WINDOWS\system32\svchost.exe[1688] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAddBootEntry 00007ffbbf731d00 5 bytes JMP 00007ffc3f860230 .text C:\WINDOWS\system32\svchost.exe[1688] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ffbbf731ef0 1 byte JMP 00007ffc3f860480 .text C:\WINDOWS\system32\svchost.exe[1688] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort + 2 00007ffbbf731ef2 3 bytes {JMP 0xffffffff8012e590} .text C:\WINDOWS\system32\svchost.exe[1688] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00007ffbbf731f20 5 bytes JMP 00007ffc3f8603a0 .text C:\WINDOWS\system32\svchost.exe[1688] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ffbbf732040 5 bytes JMP 00007ffc3f8602f0 .text C:\WINDOWS\system32\svchost.exe[1688] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00007ffbbf732060 5 bytes JMP 00007ffc3f860350 .text C:\WINDOWS\system32\svchost.exe[1688] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateMutant 00007ffbbf7320d0 5 bytes JMP 00007ffc3f860290 .text C:\WINDOWS\system32\svchost.exe[1688] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ffbbf732160 5 bytes JMP 00007ffc3f8602b0 .text C:\WINDOWS\system32\svchost.exe[1688] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffbbf732180 5 bytes JMP 00007ffc3f8603d0 .text C:\WINDOWS\system32\svchost.exe[1688] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateTimer 00007ffbbf732190 5 bytes JMP 00007ffc3f860330 .text C:\WINDOWS\system32\svchost.exe[1688] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00007ffbbf732240 5 bytes JMP 00007ffc3f860410 .text C:\WINDOWS\system32\svchost.exe[1688] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00007ffbbf732270 5 bytes JMP 00007ffc3f860240 .text C:\WINDOWS\system32\svchost.exe[1688] C:\WINDOWS\SYSTEM32\ntdll.dll!NtLoadDriver 00007ffbbf732590 5 bytes JMP 00007ffc3f8601e0 .text C:\WINDOWS\system32\svchost.exe[1688] C:\WINDOWS\SYSTEM32\ntdll.dll!NtModifyBootEntry 00007ffbbf732650 5 bytes JMP 00007ffc3f860250 .text C:\WINDOWS\system32\svchost.exe[1688] C:\WINDOWS\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00007ffbbf732680 5 bytes JMP 00007ffc3f860490 .text C:\WINDOWS\system32\svchost.exe[1688] C:\WINDOWS\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00007ffbbf732690 5 bytes JMP 00007ffc3f8604a0 .text C:\WINDOWS\system32\svchost.exe[1688] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenEventPair 00007ffbbf7326c0 5 bytes JMP 00007ffc3f860300 .text C:\WINDOWS\system32\svchost.exe[1688] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00007ffbbf7326d0 1 byte JMP 00007ffc3f860360 .text C:\WINDOWS\system32\svchost.exe[1688] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenIoCompletion + 2 00007ffbbf7326d2 3 bytes {JMP 0xffffffff8012dc90} .text C:\WINDOWS\system32\svchost.exe[1688] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenMutant 00007ffbbf732730 5 bytes JMP 00007ffc3f8602a0 .text C:\WINDOWS\system32\svchost.exe[1688] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenSemaphore 00007ffbbf732780 5 bytes JMP 00007ffc3f8602c0 .text C:\WINDOWS\system32\svchost.exe[1688] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenThread 00007ffbbf7327b0 5 bytes JMP 00007ffc3f860380 .text C:\WINDOWS\system32\svchost.exe[1688] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenTimer 00007ffbbf7327c0 5 bytes JMP 00007ffc3f860340 .text C:\WINDOWS\system32\svchost.exe[1688] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00007ffbbf732ad0 5 bytes JMP 00007ffc3f860440 .text C:\WINDOWS\system32\svchost.exe[1688] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00007ffbbf732cd0 1 byte JMP 00007ffc3f860260 .text C:\WINDOWS\system32\svchost.exe[1688] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 00007ffbbf732cd2 3 bytes {JMP 0xffffffff8012d590} .text C:\WINDOWS\system32\svchost.exe[1688] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootOptions 00007ffbbf732ce0 1 byte JMP 00007ffc3f860270 .text C:\WINDOWS\system32\svchost.exe[1688] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 00007ffbbf732ce2 3 bytes {JMP 0xffffffff8012d590} .text C:\WINDOWS\system32\svchost.exe[1688] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetContextThread 00007ffbbf732d00 5 bytes JMP 00007ffc3f860400 .text C:\WINDOWS\system32\svchost.exe[1688] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ffbbf732ee0 5 bytes JMP 00007ffc3f8601f0 .text C:\WINDOWS\system32\svchost.exe[1688] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00007ffbbf732ef0 5 bytes JMP 00007ffc3f860210 .text C:\WINDOWS\system32\svchost.exe[1688] C:\WINDOWS\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ffbbf732f80 5 bytes JMP 00007ffc3f860200 .text C:\WINDOWS\system32\svchost.exe[1688] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSuspendProcess 00007ffbbf732ff0 5 bytes JMP 00007ffc3f860420 .text C:\WINDOWS\system32\svchost.exe[1688] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSuspendThread 00007ffbbf733000 5 bytes JMP 00007ffc3f860430 .text C:\WINDOWS\system32\svchost.exe[1688] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ffbbf733010 5 bytes JMP 00007ffc3f860220 .text C:\WINDOWS\system32\svchost.exe[1688] C:\WINDOWS\SYSTEM32\ntdll.dll!NtVdmControl 00007ffbbf733120 2 bytes JMP 00007ffc3f860280 .text C:\WINDOWS\system32\svchost.exe[1688] C:\WINDOWS\SYSTEM32\ntdll.dll!NtVdmControl + 3 00007ffbbf733123 2 bytes [12, 80] .text C:\WINDOWS\system32\taskhostex.exe[1716] C:\WINDOWS\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00007ffbbf731720 5 bytes JMP 00007ffc3f860460 .text C:\WINDOWS\system32\taskhostex.exe[1716] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueryObject 00007ffbbf731770 5 bytes JMP 00007ffc3f860450 .text C:\WINDOWS\system32\taskhostex.exe[1716] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenProcess 00007ffbbf7318d0 5 bytes JMP 00007ffc3f860370 .text C:\WINDOWS\system32\taskhostex.exe[1716] C:\WINDOWS\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00007ffbbf731920 5 bytes JMP 00007ffc3f860470 .text C:\WINDOWS\system32\taskhostex.exe[1716] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ffbbf731930 5 bytes JMP 00007ffc3f8603e0 .text C:\WINDOWS\system32\taskhostex.exe[1716] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenSection 00007ffbbf7319e0 5 bytes JMP 00007ffc3f860320 .text C:\WINDOWS\system32\taskhostex.exe[1716] C:\WINDOWS\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffbbf731a10 5 bytes JMP 00007ffc3f8603b0 .text C:\WINDOWS\system32\taskhostex.exe[1716] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDuplicateObject 00007ffbbf731a30 5 bytes JMP 00007ffc3f860390 .text C:\WINDOWS\system32\taskhostex.exe[1716] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenEvent 00007ffbbf731a70 5 bytes JMP 00007ffc3f8602e0 .text C:\WINDOWS\system32\taskhostex.exe[1716] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateEvent 00007ffbbf731af0 5 bytes JMP 00007ffc3f8602d0 .text C:\WINDOWS\system32\taskhostex.exe[1716] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSection 00007ffbbf731b10 5 bytes JMP 00007ffc3f860310 .text C:\WINDOWS\system32\taskhostex.exe[1716] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThread 00007ffbbf731b50 5 bytes JMP 00007ffc3f8603c0 .text C:\WINDOWS\system32\taskhostex.exe[1716] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateThread 00007ffbbf731ba0 5 bytes JMP 00007ffc3f8603f0 .text C:\WINDOWS\system32\taskhostex.exe[1716] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAddBootEntry 00007ffbbf731d00 5 bytes JMP 00007ffc3f860230 .text C:\WINDOWS\system32\taskhostex.exe[1716] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ffbbf731ef0 1 byte JMP 00007ffc3f860480 .text C:\WINDOWS\system32\taskhostex.exe[1716] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort + 2 00007ffbbf731ef2 3 bytes {JMP 0xffffffff8012e590} .text C:\WINDOWS\system32\taskhostex.exe[1716] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00007ffbbf731f20 5 bytes JMP 00007ffc3f8603a0 .text C:\WINDOWS\system32\taskhostex.exe[1716] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ffbbf732040 5 bytes JMP 00007ffc3f8602f0 .text C:\WINDOWS\system32\taskhostex.exe[1716] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00007ffbbf732060 5 bytes JMP 00007ffc3f860350 .text C:\WINDOWS\system32\taskhostex.exe[1716] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateMutant 00007ffbbf7320d0 5 bytes JMP 00007ffc3f860290 .text C:\WINDOWS\system32\taskhostex.exe[1716] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ffbbf732160 5 bytes JMP 00007ffc3f8602b0 .text C:\WINDOWS\system32\taskhostex.exe[1716] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffbbf732180 5 bytes JMP 00007ffc3f8603d0 .text C:\WINDOWS\system32\taskhostex.exe[1716] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateTimer 00007ffbbf732190 5 bytes JMP 00007ffc3f860330 .text C:\WINDOWS\system32\taskhostex.exe[1716] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00007ffbbf732240 5 bytes JMP 00007ffc3f860410 .text C:\WINDOWS\system32\taskhostex.exe[1716] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00007ffbbf732270 5 bytes JMP 00007ffc3f860240 .text C:\WINDOWS\system32\taskhostex.exe[1716] C:\WINDOWS\SYSTEM32\ntdll.dll!NtLoadDriver 00007ffbbf732590 5 bytes JMP 00007ffc3f8601e0 .text C:\WINDOWS\system32\taskhostex.exe[1716] C:\WINDOWS\SYSTEM32\ntdll.dll!NtModifyBootEntry 00007ffbbf732650 5 bytes JMP 00007ffc3f860250 .text C:\WINDOWS\system32\taskhostex.exe[1716] C:\WINDOWS\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00007ffbbf732680 5 bytes JMP 00007ffc3f860490 .text C:\WINDOWS\system32\taskhostex.exe[1716] C:\WINDOWS\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00007ffbbf732690 5 bytes JMP 00007ffc3f8604a0 .text C:\WINDOWS\system32\taskhostex.exe[1716] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenEventPair 00007ffbbf7326c0 5 bytes JMP 00007ffc3f860300 .text C:\WINDOWS\system32\taskhostex.exe[1716] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00007ffbbf7326d0 1 byte JMP 00007ffc3f860360 .text C:\WINDOWS\system32\taskhostex.exe[1716] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenIoCompletion + 2 00007ffbbf7326d2 3 bytes {JMP 0xffffffff8012dc90} .text C:\WINDOWS\system32\taskhostex.exe[1716] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenMutant 00007ffbbf732730 5 bytes JMP 00007ffc3f8602a0 .text C:\WINDOWS\system32\taskhostex.exe[1716] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenSemaphore 00007ffbbf732780 5 bytes JMP 00007ffc3f8602c0 .text C:\WINDOWS\system32\taskhostex.exe[1716] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenThread 00007ffbbf7327b0 5 bytes JMP 00007ffc3f860380 .text C:\WINDOWS\system32\taskhostex.exe[1716] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenTimer 00007ffbbf7327c0 5 bytes JMP 00007ffc3f860340 .text C:\WINDOWS\system32\taskhostex.exe[1716] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00007ffbbf732ad0 5 bytes JMP 00007ffc3f860440 .text C:\WINDOWS\system32\taskhostex.exe[1716] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00007ffbbf732cd0 1 byte JMP 00007ffc3f860260 .text C:\WINDOWS\system32\taskhostex.exe[1716] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 00007ffbbf732cd2 3 bytes {JMP 0xffffffff8012d590} .text C:\WINDOWS\system32\taskhostex.exe[1716] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootOptions 00007ffbbf732ce0 1 byte JMP 00007ffc3f860270 .text C:\WINDOWS\system32\taskhostex.exe[1716] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 00007ffbbf732ce2 3 bytes {JMP 0xffffffff8012d590} .text C:\WINDOWS\system32\taskhostex.exe[1716] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetContextThread 00007ffbbf732d00 5 bytes JMP 00007ffc3f860400 .text C:\WINDOWS\system32\taskhostex.exe[1716] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ffbbf732ee0 5 bytes JMP 00007ffc3f8601f0 .text C:\WINDOWS\system32\taskhostex.exe[1716] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00007ffbbf732ef0 5 bytes JMP 00007ffc3f860210 .text C:\WINDOWS\system32\taskhostex.exe[1716] C:\WINDOWS\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ffbbf732f80 5 bytes JMP 00007ffc3f860200 .text C:\WINDOWS\system32\taskhostex.exe[1716] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSuspendProcess 00007ffbbf732ff0 5 bytes JMP 00007ffc3f860420 .text C:\WINDOWS\system32\taskhostex.exe[1716] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSuspendThread 00007ffbbf733000 5 bytes JMP 00007ffc3f860430 .text C:\WINDOWS\system32\taskhostex.exe[1716] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ffbbf733010 5 bytes JMP 00007ffc3f860220 .text C:\WINDOWS\system32\taskhostex.exe[1716] C:\WINDOWS\SYSTEM32\ntdll.dll!NtVdmControl 00007ffbbf733120 2 bytes JMP 00007ffc3f860280 .text C:\WINDOWS\system32\taskhostex.exe[1716] C:\WINDOWS\SYSTEM32\ntdll.dll!NtVdmControl + 3 00007ffbbf733123 2 bytes [12, 80] .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[2012] C:\WINDOWS\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00007ffbbf731720 5 bytes JMP 00007ffc3f860460 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[2012] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueryObject 00007ffbbf731770 5 bytes JMP 00007ffc3f860450 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[2012] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenProcess 00007ffbbf7318d0 5 bytes JMP 00007ffc3f860370 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[2012] C:\WINDOWS\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00007ffbbf731920 5 bytes JMP 00007ffc3f860470 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[2012] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ffbbf731930 5 bytes JMP 00007ffc3f8603e0 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[2012] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenSection 00007ffbbf7319e0 5 bytes JMP 00007ffc3f860320 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[2012] C:\WINDOWS\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffbbf731a10 5 bytes JMP 00007ffc3f8603b0 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[2012] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDuplicateObject 00007ffbbf731a30 5 bytes JMP 00007ffc3f860390 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[2012] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenEvent 00007ffbbf731a70 5 bytes JMP 00007ffc3f8602e0 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[2012] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateEvent 00007ffbbf731af0 5 bytes JMP 00007ffc3f8602d0 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[2012] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSection 00007ffbbf731b10 5 bytes JMP 00007ffc3f860310 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[2012] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThread 00007ffbbf731b50 5 bytes JMP 00007ffc3f8603c0 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[2012] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateThread 00007ffbbf731ba0 5 bytes JMP 00007ffc3f8603f0 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[2012] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAddBootEntry 00007ffbbf731d00 5 bytes JMP 00007ffc3f860230 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[2012] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ffbbf731ef0 1 byte JMP 00007ffc3f860480 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[2012] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort + 2 00007ffbbf731ef2 3 bytes {JMP 0xffffffff8012e590} .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[2012] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00007ffbbf731f20 5 bytes JMP 00007ffc3f8603a0 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[2012] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ffbbf732040 5 bytes JMP 00007ffc3f8602f0 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[2012] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00007ffbbf732060 5 bytes JMP 00007ffc3f860350 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[2012] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateMutant 00007ffbbf7320d0 5 bytes JMP 00007ffc3f860290 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[2012] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ffbbf732160 5 bytes JMP 00007ffc3f8602b0 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[2012] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffbbf732180 5 bytes JMP 00007ffc3f8603d0 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[2012] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateTimer 00007ffbbf732190 5 bytes JMP 00007ffc3f860330 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[2012] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00007ffbbf732240 5 bytes JMP 00007ffc3f860410 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[2012] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00007ffbbf732270 5 bytes JMP 00007ffc3f860240 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[2012] C:\WINDOWS\SYSTEM32\ntdll.dll!NtLoadDriver 00007ffbbf732590 5 bytes JMP 00007ffc3f8601e0 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[2012] C:\WINDOWS\SYSTEM32\ntdll.dll!NtModifyBootEntry 00007ffbbf732650 5 bytes JMP 00007ffc3f860250 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[2012] C:\WINDOWS\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00007ffbbf732680 5 bytes JMP 00007ffc3f860490 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[2012] C:\WINDOWS\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00007ffbbf732690 5 bytes JMP 00007ffc3f8604a0 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[2012] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenEventPair 00007ffbbf7326c0 5 bytes JMP 00007ffc3f860300 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[2012] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00007ffbbf7326d0 1 byte JMP 00007ffc3f860360 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[2012] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenIoCompletion + 2 00007ffbbf7326d2 3 bytes {JMP 0xffffffff8012dc90} .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[2012] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenMutant 00007ffbbf732730 5 bytes JMP 00007ffc3f8602a0 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[2012] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenSemaphore 00007ffbbf732780 5 bytes JMP 00007ffc3f8602c0 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[2012] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenThread 00007ffbbf7327b0 5 bytes JMP 00007ffc3f860380 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[2012] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenTimer 00007ffbbf7327c0 5 bytes JMP 00007ffc3f860340 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[2012] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00007ffbbf732ad0 5 bytes JMP 00007ffc3f860440 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[2012] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00007ffbbf732cd0 1 byte JMP 00007ffc3f860260 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[2012] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 00007ffbbf732cd2 3 bytes {JMP 0xffffffff8012d590} .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[2012] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootOptions 00007ffbbf732ce0 1 byte JMP 00007ffc3f860270 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[2012] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 00007ffbbf732ce2 3 bytes {JMP 0xffffffff8012d590} .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[2012] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetContextThread 00007ffbbf732d00 5 bytes JMP 00007ffc3f860400 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[2012] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ffbbf732ee0 5 bytes JMP 00007ffc3f8601f0 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[2012] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00007ffbbf732ef0 5 bytes JMP 00007ffc3f860210 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[2012] C:\WINDOWS\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ffbbf732f80 5 bytes JMP 00007ffc3f860200 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[2012] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSuspendProcess 00007ffbbf732ff0 5 bytes JMP 00007ffc3f860420 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[2012] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSuspendThread 00007ffbbf733000 5 bytes JMP 00007ffc3f860430 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[2012] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ffbbf733010 5 bytes JMP 00007ffc3f860220 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[2012] C:\WINDOWS\SYSTEM32\ntdll.dll!NtVdmControl 00007ffbbf733120 2 bytes JMP 00007ffc3f860280 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[2012] C:\WINDOWS\SYSTEM32\ntdll.dll!NtVdmControl + 3 00007ffbbf733123 2 bytes [12, 80] .text C:\Program Files (x86)\REALTEK\Realtek Bluetooth\BTDevMgr.exe[1144] C:\WINDOWS\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00007ffbbf731720 5 bytes JMP 00007ffc3f860460 .text C:\Program Files (x86)\REALTEK\Realtek Bluetooth\BTDevMgr.exe[1144] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueryObject 00007ffbbf731770 5 bytes JMP 00007ffc3f860450 .text C:\Program Files (x86)\REALTEK\Realtek Bluetooth\BTDevMgr.exe[1144] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenProcess 00007ffbbf7318d0 5 bytes JMP 00007ffc3f860370 .text C:\Program Files (x86)\REALTEK\Realtek Bluetooth\BTDevMgr.exe[1144] C:\WINDOWS\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00007ffbbf731920 5 bytes JMP 00007ffc3f860470 .text C:\Program Files (x86)\REALTEK\Realtek Bluetooth\BTDevMgr.exe[1144] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ffbbf731930 5 bytes JMP 00007ffc3f8603e0 .text C:\Program Files (x86)\REALTEK\Realtek Bluetooth\BTDevMgr.exe[1144] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenSection 00007ffbbf7319e0 5 bytes JMP 00007ffc3f860320 .text C:\Program Files (x86)\REALTEK\Realtek Bluetooth\BTDevMgr.exe[1144] C:\WINDOWS\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffbbf731a10 5 bytes JMP 00007ffc3f8603b0 .text C:\Program Files (x86)\REALTEK\Realtek Bluetooth\BTDevMgr.exe[1144] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDuplicateObject 00007ffbbf731a30 5 bytes JMP 00007ffc3f860390 .text C:\Program Files (x86)\REALTEK\Realtek Bluetooth\BTDevMgr.exe[1144] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenEvent 00007ffbbf731a70 5 bytes JMP 00007ffc3f8602e0 .text C:\Program Files (x86)\REALTEK\Realtek Bluetooth\BTDevMgr.exe[1144] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateEvent 00007ffbbf731af0 5 bytes JMP 00007ffc3f8602d0 .text C:\Program Files (x86)\REALTEK\Realtek Bluetooth\BTDevMgr.exe[1144] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSection 00007ffbbf731b10 5 bytes JMP 00007ffc3f860310 .text C:\Program Files (x86)\REALTEK\Realtek Bluetooth\BTDevMgr.exe[1144] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThread 00007ffbbf731b50 5 bytes JMP 00007ffc3f8603c0 .text C:\Program Files (x86)\REALTEK\Realtek Bluetooth\BTDevMgr.exe[1144] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateThread 00007ffbbf731ba0 5 bytes JMP 00007ffc3f8603f0 .text C:\Program Files (x86)\REALTEK\Realtek Bluetooth\BTDevMgr.exe[1144] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAddBootEntry 00007ffbbf731d00 5 bytes JMP 00007ffc3f860230 .text C:\Program Files (x86)\REALTEK\Realtek Bluetooth\BTDevMgr.exe[1144] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ffbbf731ef0 1 byte JMP 00007ffc3f860480 .text C:\Program Files (x86)\REALTEK\Realtek Bluetooth\BTDevMgr.exe[1144] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort + 2 00007ffbbf731ef2 3 bytes {JMP 0xffffffff8012e590} .text C:\Program Files (x86)\REALTEK\Realtek Bluetooth\BTDevMgr.exe[1144] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00007ffbbf731f20 5 bytes JMP 00007ffc3f8603a0 .text C:\Program Files (x86)\REALTEK\Realtek Bluetooth\BTDevMgr.exe[1144] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ffbbf732040 5 bytes JMP 00007ffc3f8602f0 .text C:\Program Files (x86)\REALTEK\Realtek Bluetooth\BTDevMgr.exe[1144] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00007ffbbf732060 5 bytes JMP 00007ffc3f860350 .text C:\Program Files (x86)\REALTEK\Realtek Bluetooth\BTDevMgr.exe[1144] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateMutant 00007ffbbf7320d0 5 bytes JMP 00007ffc3f860290 .text C:\Program Files (x86)\REALTEK\Realtek Bluetooth\BTDevMgr.exe[1144] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ffbbf732160 5 bytes JMP 00007ffc3f8602b0 .text C:\Program Files (x86)\REALTEK\Realtek Bluetooth\BTDevMgr.exe[1144] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffbbf732180 5 bytes JMP 00007ffc3f8603d0 .text C:\Program Files (x86)\REALTEK\Realtek Bluetooth\BTDevMgr.exe[1144] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateTimer 00007ffbbf732190 5 bytes JMP 00007ffc3f860330 .text C:\Program Files (x86)\REALTEK\Realtek Bluetooth\BTDevMgr.exe[1144] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00007ffbbf732240 5 bytes JMP 00007ffc3f860410 .text C:\Program Files (x86)\REALTEK\Realtek Bluetooth\BTDevMgr.exe[1144] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00007ffbbf732270 5 bytes JMP 00007ffc3f860240 .text C:\Program Files (x86)\REALTEK\Realtek Bluetooth\BTDevMgr.exe[1144] C:\WINDOWS\SYSTEM32\ntdll.dll!NtLoadDriver 00007ffbbf732590 5 bytes JMP 00007ffc3f8601e0 .text C:\Program Files (x86)\REALTEK\Realtek Bluetooth\BTDevMgr.exe[1144] C:\WINDOWS\SYSTEM32\ntdll.dll!NtModifyBootEntry 00007ffbbf732650 5 bytes JMP 00007ffc3f860250 .text C:\Program Files (x86)\REALTEK\Realtek Bluetooth\BTDevMgr.exe[1144] C:\WINDOWS\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00007ffbbf732680 5 bytes JMP 00007ffc3f860490 .text C:\Program Files (x86)\REALTEK\Realtek Bluetooth\BTDevMgr.exe[1144] C:\WINDOWS\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00007ffbbf732690 5 bytes JMP 00007ffc3f8604a0 .text C:\Program Files (x86)\REALTEK\Realtek Bluetooth\BTDevMgr.exe[1144] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenEventPair 00007ffbbf7326c0 5 bytes JMP 00007ffc3f860300 .text C:\Program Files (x86)\REALTEK\Realtek Bluetooth\BTDevMgr.exe[1144] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00007ffbbf7326d0 1 byte JMP 00007ffc3f860360 .text C:\Program Files (x86)\REALTEK\Realtek Bluetooth\BTDevMgr.exe[1144] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenIoCompletion + 2 00007ffbbf7326d2 3 bytes {JMP 0xffffffff8012dc90} .text C:\Program Files (x86)\REALTEK\Realtek Bluetooth\BTDevMgr.exe[1144] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenMutant 00007ffbbf732730 5 bytes JMP 00007ffc3f8602a0 .text C:\Program Files (x86)\REALTEK\Realtek Bluetooth\BTDevMgr.exe[1144] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenSemaphore 00007ffbbf732780 5 bytes JMP 00007ffc3f8602c0 .text C:\Program Files (x86)\REALTEK\Realtek Bluetooth\BTDevMgr.exe[1144] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenThread 00007ffbbf7327b0 5 bytes JMP 00007ffc3f860380 .text C:\Program Files (x86)\REALTEK\Realtek Bluetooth\BTDevMgr.exe[1144] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenTimer 00007ffbbf7327c0 5 bytes JMP 00007ffc3f860340 .text C:\Program Files (x86)\REALTEK\Realtek Bluetooth\BTDevMgr.exe[1144] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00007ffbbf732ad0 5 bytes JMP 00007ffc3f860440 .text C:\Program Files (x86)\REALTEK\Realtek Bluetooth\BTDevMgr.exe[1144] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00007ffbbf732cd0 1 byte JMP 00007ffc3f860260 .text C:\Program Files (x86)\REALTEK\Realtek Bluetooth\BTDevMgr.exe[1144] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 00007ffbbf732cd2 3 bytes {JMP 0xffffffff8012d590} .text C:\Program Files (x86)\REALTEK\Realtek Bluetooth\BTDevMgr.exe[1144] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootOptions 00007ffbbf732ce0 1 byte JMP 00007ffc3f860270 .text C:\Program Files (x86)\REALTEK\Realtek Bluetooth\BTDevMgr.exe[1144] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 00007ffbbf732ce2 3 bytes {JMP 0xffffffff8012d590} .text C:\Program Files (x86)\REALTEK\Realtek Bluetooth\BTDevMgr.exe[1144] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetContextThread 00007ffbbf732d00 5 bytes JMP 00007ffc3f860400 .text C:\Program Files (x86)\REALTEK\Realtek Bluetooth\BTDevMgr.exe[1144] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ffbbf732ee0 5 bytes JMP 00007ffc3f8601f0 .text C:\Program Files (x86)\REALTEK\Realtek Bluetooth\BTDevMgr.exe[1144] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00007ffbbf732ef0 5 bytes JMP 00007ffc3f860210 .text C:\Program Files (x86)\REALTEK\Realtek Bluetooth\BTDevMgr.exe[1144] C:\WINDOWS\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ffbbf732f80 5 bytes JMP 00007ffc3f860200 .text C:\Program Files (x86)\REALTEK\Realtek Bluetooth\BTDevMgr.exe[1144] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSuspendProcess 00007ffbbf732ff0 5 bytes JMP 00007ffc3f860420 .text C:\Program Files (x86)\REALTEK\Realtek Bluetooth\BTDevMgr.exe[1144] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSuspendThread 00007ffbbf733000 5 bytes JMP 00007ffc3f860430 .text C:\Program Files (x86)\REALTEK\Realtek Bluetooth\BTDevMgr.exe[1144] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ffbbf733010 5 bytes JMP 00007ffc3f860220 .text C:\Program Files (x86)\REALTEK\Realtek Bluetooth\BTDevMgr.exe[1144] C:\WINDOWS\SYSTEM32\ntdll.dll!NtVdmControl 00007ffbbf733120 2 bytes JMP 00007ffc3f860280 .text C:\Program Files (x86)\REALTEK\Realtek Bluetooth\BTDevMgr.exe[1144] C:\WINDOWS\SYSTEM32\ntdll.dll!NtVdmControl + 3 00007ffbbf733123 2 bytes [12, 80] .text C:\WINDOWS\system32\CxAudMsg64.exe[1324] C:\WINDOWS\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00007ffbbf731720 5 bytes JMP 00007ffc3f860460 .text C:\WINDOWS\system32\CxAudMsg64.exe[1324] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueryObject 00007ffbbf731770 5 bytes JMP 00007ffc3f860450 .text C:\WINDOWS\system32\CxAudMsg64.exe[1324] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenProcess 00007ffbbf7318d0 5 bytes JMP 00007ffc3f860370 .text C:\WINDOWS\system32\CxAudMsg64.exe[1324] C:\WINDOWS\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00007ffbbf731920 5 bytes JMP 00007ffc3f860470 .text C:\WINDOWS\system32\CxAudMsg64.exe[1324] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ffbbf731930 5 bytes JMP 00007ffc3f8603e0 .text C:\WINDOWS\system32\CxAudMsg64.exe[1324] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenSection 00007ffbbf7319e0 5 bytes JMP 00007ffc3f860320 .text C:\WINDOWS\system32\CxAudMsg64.exe[1324] C:\WINDOWS\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffbbf731a10 5 bytes JMP 00007ffc3f8603b0 .text C:\WINDOWS\system32\CxAudMsg64.exe[1324] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDuplicateObject 00007ffbbf731a30 5 bytes JMP 00007ffc3f860390 .text C:\WINDOWS\system32\CxAudMsg64.exe[1324] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenEvent 00007ffbbf731a70 5 bytes JMP 00007ffc3f8602e0 .text C:\WINDOWS\system32\CxAudMsg64.exe[1324] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateEvent 00007ffbbf731af0 5 bytes JMP 00007ffc3f8602d0 .text C:\WINDOWS\system32\CxAudMsg64.exe[1324] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSection 00007ffbbf731b10 5 bytes JMP 00007ffc3f860310 .text C:\WINDOWS\system32\CxAudMsg64.exe[1324] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThread 00007ffbbf731b50 5 bytes JMP 00007ffc3f8603c0 .text C:\WINDOWS\system32\CxAudMsg64.exe[1324] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateThread 00007ffbbf731ba0 5 bytes JMP 00007ffc3f8603f0 .text C:\WINDOWS\system32\CxAudMsg64.exe[1324] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAddBootEntry 00007ffbbf731d00 5 bytes JMP 00007ffc3f860230 .text C:\WINDOWS\system32\CxAudMsg64.exe[1324] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ffbbf731ef0 1 byte JMP 00007ffc3f860480 .text C:\WINDOWS\system32\CxAudMsg64.exe[1324] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort + 2 00007ffbbf731ef2 3 bytes {JMP 0xffffffff8012e590} .text C:\WINDOWS\system32\CxAudMsg64.exe[1324] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00007ffbbf731f20 5 bytes JMP 00007ffc3f8603a0 .text C:\WINDOWS\system32\CxAudMsg64.exe[1324] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ffbbf732040 5 bytes JMP 00007ffc3f8602f0 .text C:\WINDOWS\system32\CxAudMsg64.exe[1324] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00007ffbbf732060 5 bytes JMP 00007ffc3f860350 .text C:\WINDOWS\system32\CxAudMsg64.exe[1324] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateMutant 00007ffbbf7320d0 5 bytes JMP 00007ffc3f860290 .text C:\WINDOWS\system32\CxAudMsg64.exe[1324] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ffbbf732160 5 bytes JMP 00007ffc3f8602b0 .text C:\WINDOWS\system32\CxAudMsg64.exe[1324] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffbbf732180 5 bytes JMP 00007ffc3f8603d0 .text C:\WINDOWS\system32\CxAudMsg64.exe[1324] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateTimer 00007ffbbf732190 5 bytes JMP 00007ffc3f860330 .text C:\WINDOWS\system32\CxAudMsg64.exe[1324] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00007ffbbf732240 5 bytes JMP 00007ffc3f860410 .text C:\WINDOWS\system32\CxAudMsg64.exe[1324] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00007ffbbf732270 5 bytes JMP 00007ffc3f860240 .text C:\WINDOWS\system32\CxAudMsg64.exe[1324] C:\WINDOWS\SYSTEM32\ntdll.dll!NtLoadDriver 00007ffbbf732590 5 bytes JMP 00007ffc3f8601e0 .text C:\WINDOWS\system32\CxAudMsg64.exe[1324] C:\WINDOWS\SYSTEM32\ntdll.dll!NtModifyBootEntry 00007ffbbf732650 5 bytes JMP 00007ffc3f860250 .text C:\WINDOWS\system32\CxAudMsg64.exe[1324] C:\WINDOWS\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00007ffbbf732680 5 bytes JMP 00007ffc3f860490 .text C:\WINDOWS\system32\CxAudMsg64.exe[1324] C:\WINDOWS\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00007ffbbf732690 5 bytes JMP 00007ffc3f8604a0 .text C:\WINDOWS\system32\CxAudMsg64.exe[1324] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenEventPair 00007ffbbf7326c0 5 bytes JMP 00007ffc3f860300 .text C:\WINDOWS\system32\CxAudMsg64.exe[1324] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00007ffbbf7326d0 1 byte JMP 00007ffc3f860360 .text C:\WINDOWS\system32\CxAudMsg64.exe[1324] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenIoCompletion + 2 00007ffbbf7326d2 3 bytes {JMP 0xffffffff8012dc90} .text C:\WINDOWS\system32\CxAudMsg64.exe[1324] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenMutant 00007ffbbf732730 5 bytes JMP 00007ffc3f8602a0 .text C:\WINDOWS\system32\CxAudMsg64.exe[1324] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenSemaphore 00007ffbbf732780 5 bytes JMP 00007ffc3f8602c0 .text C:\WINDOWS\system32\CxAudMsg64.exe[1324] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenThread 00007ffbbf7327b0 5 bytes JMP 00007ffc3f860380 .text C:\WINDOWS\system32\CxAudMsg64.exe[1324] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenTimer 00007ffbbf7327c0 5 bytes JMP 00007ffc3f860340 .text C:\WINDOWS\system32\CxAudMsg64.exe[1324] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00007ffbbf732ad0 5 bytes JMP 00007ffc3f860440 .text C:\WINDOWS\system32\CxAudMsg64.exe[1324] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00007ffbbf732cd0 1 byte JMP 00007ffc3f860260 .text C:\WINDOWS\system32\CxAudMsg64.exe[1324] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 00007ffbbf732cd2 3 bytes {JMP 0xffffffff8012d590} .text C:\WINDOWS\system32\CxAudMsg64.exe[1324] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootOptions 00007ffbbf732ce0 1 byte JMP 00007ffc3f860270 .text C:\WINDOWS\system32\CxAudMsg64.exe[1324] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 00007ffbbf732ce2 3 bytes {JMP 0xffffffff8012d590} .text C:\WINDOWS\system32\CxAudMsg64.exe[1324] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetContextThread 00007ffbbf732d00 5 bytes JMP 00007ffc3f860400 .text C:\WINDOWS\system32\CxAudMsg64.exe[1324] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ffbbf732ee0 5 bytes JMP 00007ffc3f8601f0 .text C:\WINDOWS\system32\CxAudMsg64.exe[1324] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00007ffbbf732ef0 5 bytes JMP 00007ffc3f860210 .text C:\WINDOWS\system32\CxAudMsg64.exe[1324] C:\WINDOWS\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ffbbf732f80 5 bytes JMP 00007ffc3f860200 .text C:\WINDOWS\system32\CxAudMsg64.exe[1324] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSuspendProcess 00007ffbbf732ff0 5 bytes JMP 00007ffc3f860420 .text C:\WINDOWS\system32\CxAudMsg64.exe[1324] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSuspendThread 00007ffbbf733000 5 bytes JMP 00007ffc3f860430 .text C:\WINDOWS\system32\CxAudMsg64.exe[1324] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ffbbf733010 5 bytes JMP 00007ffc3f860220 .text C:\WINDOWS\system32\CxAudMsg64.exe[1324] C:\WINDOWS\SYSTEM32\ntdll.dll!NtVdmControl 00007ffbbf733120 2 bytes JMP 00007ffc3f860280 .text C:\WINDOWS\system32\CxAudMsg64.exe[1324] C:\WINDOWS\SYSTEM32\ntdll.dll!NtVdmControl + 3 00007ffbbf733123 2 bytes [12, 80] .text C:\WINDOWS\system32\dashost.exe[1648] C:\WINDOWS\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00007ffbbf731720 5 bytes JMP 00007ffc3f860460 .text C:\WINDOWS\system32\dashost.exe[1648] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueryObject 00007ffbbf731770 5 bytes JMP 00007ffc3f860450 .text C:\WINDOWS\system32\dashost.exe[1648] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenProcess 00007ffbbf7318d0 5 bytes JMP 00007ffc3f860370 .text C:\WINDOWS\system32\dashost.exe[1648] C:\WINDOWS\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00007ffbbf731920 5 bytes JMP 00007ffc3f860470 .text C:\WINDOWS\system32\dashost.exe[1648] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ffbbf731930 5 bytes JMP 00007ffc3f8603e0 .text C:\WINDOWS\system32\dashost.exe[1648] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenSection 00007ffbbf7319e0 5 bytes JMP 00007ffc3f860320 .text C:\WINDOWS\system32\dashost.exe[1648] C:\WINDOWS\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffbbf731a10 5 bytes JMP 00007ffc3f8603b0 .text C:\WINDOWS\system32\dashost.exe[1648] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDuplicateObject 00007ffbbf731a30 5 bytes JMP 00007ffc3f860390 .text C:\WINDOWS\system32\dashost.exe[1648] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenEvent 00007ffbbf731a70 5 bytes JMP 00007ffc3f8602e0 .text C:\WINDOWS\system32\dashost.exe[1648] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateEvent 00007ffbbf731af0 5 bytes JMP 00007ffc3f8602d0 .text C:\WINDOWS\system32\dashost.exe[1648] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSection 00007ffbbf731b10 5 bytes JMP 00007ffc3f860310 .text C:\WINDOWS\system32\dashost.exe[1648] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThread 00007ffbbf731b50 5 bytes JMP 00007ffc3f8603c0 .text C:\WINDOWS\system32\dashost.exe[1648] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateThread 00007ffbbf731ba0 5 bytes JMP 00007ffc3f8603f0 .text C:\WINDOWS\system32\dashost.exe[1648] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAddBootEntry 00007ffbbf731d00 5 bytes JMP 00007ffc3f860230 .text C:\WINDOWS\system32\dashost.exe[1648] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ffbbf731ef0 1 byte JMP 00007ffc3f860480 .text C:\WINDOWS\system32\dashost.exe[1648] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort + 2 00007ffbbf731ef2 3 bytes {JMP 0xffffffff8012e590} .text C:\WINDOWS\system32\dashost.exe[1648] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00007ffbbf731f20 5 bytes JMP 00007ffc3f8603a0 .text C:\WINDOWS\system32\dashost.exe[1648] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ffbbf732040 5 bytes JMP 00007ffc3f8602f0 .text C:\WINDOWS\system32\dashost.exe[1648] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00007ffbbf732060 5 bytes JMP 00007ffc3f860350 .text C:\WINDOWS\system32\dashost.exe[1648] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateMutant 00007ffbbf7320d0 5 bytes JMP 00007ffc3f860290 .text C:\WINDOWS\system32\dashost.exe[1648] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ffbbf732160 5 bytes JMP 00007ffc3f8602b0 .text C:\WINDOWS\system32\dashost.exe[1648] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffbbf732180 5 bytes JMP 00007ffc3f8603d0 .text C:\WINDOWS\system32\dashost.exe[1648] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateTimer 00007ffbbf732190 5 bytes JMP 00007ffc3f860330 .text C:\WINDOWS\system32\dashost.exe[1648] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00007ffbbf732240 5 bytes JMP 00007ffc3f860410 .text C:\WINDOWS\system32\dashost.exe[1648] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00007ffbbf732270 5 bytes JMP 00007ffc3f860240 .text C:\WINDOWS\system32\dashost.exe[1648] C:\WINDOWS\SYSTEM32\ntdll.dll!NtLoadDriver 00007ffbbf732590 5 bytes JMP 00007ffc3f8601e0 .text C:\WINDOWS\system32\dashost.exe[1648] C:\WINDOWS\SYSTEM32\ntdll.dll!NtModifyBootEntry 00007ffbbf732650 5 bytes JMP 00007ffc3f860250 .text C:\WINDOWS\system32\dashost.exe[1648] C:\WINDOWS\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00007ffbbf732680 5 bytes JMP 00007ffc3f860490 .text C:\WINDOWS\system32\dashost.exe[1648] C:\WINDOWS\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00007ffbbf732690 5 bytes JMP 00007ffc3f8604a0 .text C:\WINDOWS\system32\dashost.exe[1648] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenEventPair 00007ffbbf7326c0 5 bytes JMP 00007ffc3f860300 .text C:\WINDOWS\system32\dashost.exe[1648] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00007ffbbf7326d0 1 byte JMP 00007ffc3f860360 .text C:\WINDOWS\system32\dashost.exe[1648] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenIoCompletion + 2 00007ffbbf7326d2 3 bytes {JMP 0xffffffff8012dc90} .text C:\WINDOWS\system32\dashost.exe[1648] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenMutant 00007ffbbf732730 5 bytes JMP 00007ffc3f8602a0 .text C:\WINDOWS\system32\dashost.exe[1648] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenSemaphore 00007ffbbf732780 5 bytes JMP 00007ffc3f8602c0 .text C:\WINDOWS\system32\dashost.exe[1648] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenThread 00007ffbbf7327b0 5 bytes JMP 00007ffc3f860380 .text C:\WINDOWS\system32\dashost.exe[1648] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenTimer 00007ffbbf7327c0 5 bytes JMP 00007ffc3f860340 .text C:\WINDOWS\system32\dashost.exe[1648] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00007ffbbf732ad0 5 bytes JMP 00007ffc3f860440 .text C:\WINDOWS\system32\dashost.exe[1648] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00007ffbbf732cd0 1 byte JMP 00007ffc3f860260 .text C:\WINDOWS\system32\dashost.exe[1648] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 00007ffbbf732cd2 3 bytes {JMP 0xffffffff8012d590} .text C:\WINDOWS\system32\dashost.exe[1648] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootOptions 00007ffbbf732ce0 1 byte JMP 00007ffc3f860270 .text C:\WINDOWS\system32\dashost.exe[1648] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 00007ffbbf732ce2 3 bytes {JMP 0xffffffff8012d590} .text C:\WINDOWS\system32\dashost.exe[1648] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetContextThread 00007ffbbf732d00 5 bytes JMP 00007ffc3f860400 .text C:\WINDOWS\system32\dashost.exe[1648] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ffbbf732ee0 5 bytes JMP 00007ffc3f8601f0 .text C:\WINDOWS\system32\dashost.exe[1648] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00007ffbbf732ef0 5 bytes JMP 00007ffc3f860210 .text C:\WINDOWS\system32\dashost.exe[1648] C:\WINDOWS\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ffbbf732f80 5 bytes JMP 00007ffc3f860200 .text C:\WINDOWS\system32\dashost.exe[1648] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSuspendProcess 00007ffbbf732ff0 5 bytes JMP 00007ffc3f860420 .text C:\WINDOWS\system32\dashost.exe[1648] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSuspendThread 00007ffbbf733000 5 bytes JMP 00007ffc3f860430 .text C:\WINDOWS\system32\dashost.exe[1648] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ffbbf733010 5 bytes JMP 00007ffc3f860220 .text C:\WINDOWS\system32\dashost.exe[1648] C:\WINDOWS\SYSTEM32\ntdll.dll!NtVdmControl 00007ffbbf733120 2 bytes JMP 00007ffc3f860280 .text C:\WINDOWS\system32\dashost.exe[1648] C:\WINDOWS\SYSTEM32\ntdll.dll!NtVdmControl + 3 00007ffbbf733123 2 bytes [12, 80] .text C:\Windows\System32\LenovoWiFiHotspotSvr.exe[2076] C:\WINDOWS\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00007ffbbf731720 5 bytes JMP 00007ffc3f860460 .text C:\Windows\System32\LenovoWiFiHotspotSvr.exe[2076] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueryObject 00007ffbbf731770 5 bytes JMP 00007ffc3f860450 .text C:\Windows\System32\LenovoWiFiHotspotSvr.exe[2076] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenProcess 00007ffbbf7318d0 5 bytes JMP 00007ffc3f860370 .text C:\Windows\System32\LenovoWiFiHotspotSvr.exe[2076] C:\WINDOWS\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00007ffbbf731920 5 bytes JMP 00007ffc3f860470 .text C:\Windows\System32\LenovoWiFiHotspotSvr.exe[2076] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ffbbf731930 5 bytes JMP 00007ffc3f8603e0 .text C:\Windows\System32\LenovoWiFiHotspotSvr.exe[2076] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenSection 00007ffbbf7319e0 5 bytes JMP 00007ffc3f860320 .text C:\Windows\System32\LenovoWiFiHotspotSvr.exe[2076] C:\WINDOWS\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffbbf731a10 5 bytes JMP 00007ffc3f8603b0 .text C:\Windows\System32\LenovoWiFiHotspotSvr.exe[2076] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDuplicateObject 00007ffbbf731a30 5 bytes JMP 00007ffc3f860390 .text C:\Windows\System32\LenovoWiFiHotspotSvr.exe[2076] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenEvent 00007ffbbf731a70 5 bytes JMP 00007ffc3f8602e0 .text C:\Windows\System32\LenovoWiFiHotspotSvr.exe[2076] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateEvent 00007ffbbf731af0 5 bytes JMP 00007ffc3f8602d0 .text C:\Windows\System32\LenovoWiFiHotspotSvr.exe[2076] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSection 00007ffbbf731b10 5 bytes JMP 00007ffc3f860310 .text C:\Windows\System32\LenovoWiFiHotspotSvr.exe[2076] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThread 00007ffbbf731b50 5 bytes JMP 00007ffc3f8603c0 .text C:\Windows\System32\LenovoWiFiHotspotSvr.exe[2076] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateThread 00007ffbbf731ba0 5 bytes JMP 00007ffc3f8603f0 .text C:\Windows\System32\LenovoWiFiHotspotSvr.exe[2076] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAddBootEntry 00007ffbbf731d00 5 bytes JMP 00007ffc3f860230 .text C:\Windows\System32\LenovoWiFiHotspotSvr.exe[2076] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ffbbf731ef0 1 byte JMP 00007ffc3f860480 .text C:\Windows\System32\LenovoWiFiHotspotSvr.exe[2076] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort + 2 00007ffbbf731ef2 3 bytes {JMP 0xffffffff8012e590} .text C:\Windows\System32\LenovoWiFiHotspotSvr.exe[2076] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00007ffbbf731f20 5 bytes JMP 00007ffc3f8603a0 .text C:\Windows\System32\LenovoWiFiHotspotSvr.exe[2076] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ffbbf732040 5 bytes JMP 00007ffc3f8602f0 .text C:\Windows\System32\LenovoWiFiHotspotSvr.exe[2076] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00007ffbbf732060 5 bytes JMP 00007ffc3f860350 .text C:\Windows\System32\LenovoWiFiHotspotSvr.exe[2076] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateMutant 00007ffbbf7320d0 5 bytes JMP 00007ffc3f860290 .text C:\Windows\System32\LenovoWiFiHotspotSvr.exe[2076] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ffbbf732160 5 bytes JMP 00007ffc3f8602b0 .text C:\Windows\System32\LenovoWiFiHotspotSvr.exe[2076] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffbbf732180 5 bytes JMP 00007ffc3f8603d0 .text C:\Windows\System32\LenovoWiFiHotspotSvr.exe[2076] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateTimer 00007ffbbf732190 5 bytes JMP 00007ffc3f860330 .text C:\Windows\System32\LenovoWiFiHotspotSvr.exe[2076] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00007ffbbf732240 5 bytes JMP 00007ffc3f860410 .text C:\Windows\System32\LenovoWiFiHotspotSvr.exe[2076] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00007ffbbf732270 5 bytes JMP 00007ffc3f860240 .text C:\Windows\System32\LenovoWiFiHotspotSvr.exe[2076] C:\WINDOWS\SYSTEM32\ntdll.dll!NtLoadDriver 00007ffbbf732590 5 bytes JMP 00007ffc3f8601e0 .text C:\Windows\System32\LenovoWiFiHotspotSvr.exe[2076] C:\WINDOWS\SYSTEM32\ntdll.dll!NtModifyBootEntry 00007ffbbf732650 5 bytes JMP 00007ffc3f860250 .text C:\Windows\System32\LenovoWiFiHotspotSvr.exe[2076] C:\WINDOWS\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00007ffbbf732680 5 bytes JMP 00007ffc3f860490 .text C:\Windows\System32\LenovoWiFiHotspotSvr.exe[2076] C:\WINDOWS\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00007ffbbf732690 5 bytes JMP 00007ffc3f8604a0 .text C:\Windows\System32\LenovoWiFiHotspotSvr.exe[2076] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenEventPair 00007ffbbf7326c0 5 bytes JMP 00007ffc3f860300 .text C:\Windows\System32\LenovoWiFiHotspotSvr.exe[2076] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00007ffbbf7326d0 1 byte JMP 00007ffc3f860360 .text C:\Windows\System32\LenovoWiFiHotspotSvr.exe[2076] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenIoCompletion + 2 00007ffbbf7326d2 3 bytes {JMP 0xffffffff8012dc90} .text C:\Windows\System32\LenovoWiFiHotspotSvr.exe[2076] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenMutant 00007ffbbf732730 5 bytes JMP 00007ffc3f8602a0 .text C:\Windows\System32\LenovoWiFiHotspotSvr.exe[2076] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenSemaphore 00007ffbbf732780 5 bytes JMP 00007ffc3f8602c0 .text C:\Windows\System32\LenovoWiFiHotspotSvr.exe[2076] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenThread 00007ffbbf7327b0 5 bytes JMP 00007ffc3f860380 .text C:\Windows\System32\LenovoWiFiHotspotSvr.exe[2076] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenTimer 00007ffbbf7327c0 5 bytes JMP 00007ffc3f860340 .text C:\Windows\System32\LenovoWiFiHotspotSvr.exe[2076] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00007ffbbf732ad0 5 bytes JMP 00007ffc3f860440 .text C:\Windows\System32\LenovoWiFiHotspotSvr.exe[2076] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00007ffbbf732cd0 1 byte JMP 00007ffc3f860260 .text C:\Windows\System32\LenovoWiFiHotspotSvr.exe[2076] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 00007ffbbf732cd2 3 bytes {JMP 0xffffffff8012d590} .text C:\Windows\System32\LenovoWiFiHotspotSvr.exe[2076] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootOptions 00007ffbbf732ce0 1 byte JMP 00007ffc3f860270 .text C:\Windows\System32\LenovoWiFiHotspotSvr.exe[2076] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 00007ffbbf732ce2 3 bytes {JMP 0xffffffff8012d590} .text C:\Windows\System32\LenovoWiFiHotspotSvr.exe[2076] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetContextThread 00007ffbbf732d00 5 bytes JMP 00007ffc3f860400 .text C:\Windows\System32\LenovoWiFiHotspotSvr.exe[2076] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ffbbf732ee0 5 bytes JMP 00007ffc3f8601f0 .text C:\Windows\System32\LenovoWiFiHotspotSvr.exe[2076] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00007ffbbf732ef0 5 bytes JMP 00007ffc3f860210 .text C:\Windows\System32\LenovoWiFiHotspotSvr.exe[2076] C:\WINDOWS\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ffbbf732f80 5 bytes JMP 00007ffc3f860200 .text C:\Windows\System32\LenovoWiFiHotspotSvr.exe[2076] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSuspendProcess 00007ffbbf732ff0 5 bytes JMP 00007ffc3f860420 .text C:\Windows\System32\LenovoWiFiHotspotSvr.exe[2076] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSuspendThread 00007ffbbf733000 5 bytes JMP 00007ffc3f860430 .text C:\Windows\System32\LenovoWiFiHotspotSvr.exe[2076] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ffbbf733010 5 bytes JMP 00007ffc3f860220 .text C:\Windows\System32\LenovoWiFiHotspotSvr.exe[2076] C:\WINDOWS\SYSTEM32\ntdll.dll!NtVdmControl 00007ffbbf733120 2 bytes JMP 00007ffc3f860280 .text C:\Windows\System32\LenovoWiFiHotspotSvr.exe[2076] C:\WINDOWS\SYSTEM32\ntdll.dll!NtVdmControl + 3 00007ffbbf733123 2 bytes [12, 80] .text C:\Program Files\Lenovo PhoneCompanion\PhoneCompanionPusher.exe[2580] C:\WINDOWS\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00007ffbbf731720 5 bytes JMP 00007ffc3f860460 .text C:\Program Files\Lenovo PhoneCompanion\PhoneCompanionPusher.exe[2580] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueryObject 00007ffbbf731770 5 bytes JMP 00007ffc3f860450 .text C:\Program Files\Lenovo PhoneCompanion\PhoneCompanionPusher.exe[2580] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenProcess 00007ffbbf7318d0 5 bytes JMP 00007ffc3f860370 .text C:\Program Files\Lenovo PhoneCompanion\PhoneCompanionPusher.exe[2580] C:\WINDOWS\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00007ffbbf731920 5 bytes JMP 00007ffc3f860470 .text C:\Program Files\Lenovo PhoneCompanion\PhoneCompanionPusher.exe[2580] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ffbbf731930 5 bytes JMP 00007ffc3f8603e0 .text C:\Program Files\Lenovo PhoneCompanion\PhoneCompanionPusher.exe[2580] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenSection 00007ffbbf7319e0 5 bytes JMP 00007ffc3f860320 .text C:\Program Files\Lenovo PhoneCompanion\PhoneCompanionPusher.exe[2580] C:\WINDOWS\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffbbf731a10 5 bytes JMP 00007ffc3f8603b0 .text C:\Program Files\Lenovo PhoneCompanion\PhoneCompanionPusher.exe[2580] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDuplicateObject 00007ffbbf731a30 5 bytes JMP 00007ffc3f860390 .text C:\Program Files\Lenovo PhoneCompanion\PhoneCompanionPusher.exe[2580] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenEvent 00007ffbbf731a70 5 bytes JMP 00007ffc3f8602e0 .text C:\Program Files\Lenovo PhoneCompanion\PhoneCompanionPusher.exe[2580] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateEvent 00007ffbbf731af0 5 bytes JMP 00007ffc3f8602d0 .text C:\Program Files\Lenovo PhoneCompanion\PhoneCompanionPusher.exe[2580] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSection 00007ffbbf731b10 5 bytes JMP 00007ffc3f860310 .text C:\Program Files\Lenovo PhoneCompanion\PhoneCompanionPusher.exe[2580] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThread 00007ffbbf731b50 5 bytes JMP 00007ffc3f8603c0 .text C:\Program Files\Lenovo PhoneCompanion\PhoneCompanionPusher.exe[2580] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateThread 00007ffbbf731ba0 5 bytes JMP 00007ffc3f8603f0 .text C:\Program Files\Lenovo PhoneCompanion\PhoneCompanionPusher.exe[2580] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAddBootEntry 00007ffbbf731d00 5 bytes JMP 00007ffc3f860230 .text C:\Program Files\Lenovo PhoneCompanion\PhoneCompanionPusher.exe[2580] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ffbbf731ef0 1 byte JMP 00007ffc3f860480 .text C:\Program Files\Lenovo PhoneCompanion\PhoneCompanionPusher.exe[2580] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort + 2 00007ffbbf731ef2 3 bytes {JMP 0xffffffff8012e590} .text C:\Program Files\Lenovo PhoneCompanion\PhoneCompanionPusher.exe[2580] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00007ffbbf731f20 5 bytes JMP 00007ffc3f8603a0 .text C:\Program Files\Lenovo PhoneCompanion\PhoneCompanionPusher.exe[2580] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ffbbf732040 5 bytes JMP 00007ffc3f8602f0 .text C:\Program Files\Lenovo PhoneCompanion\PhoneCompanionPusher.exe[2580] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00007ffbbf732060 5 bytes JMP 00007ffc3f860350 .text C:\Program Files\Lenovo PhoneCompanion\PhoneCompanionPusher.exe[2580] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateMutant 00007ffbbf7320d0 5 bytes JMP 00007ffc3f860290 .text C:\Program Files\Lenovo PhoneCompanion\PhoneCompanionPusher.exe[2580] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ffbbf732160 5 bytes JMP 00007ffc3f8602b0 .text C:\Program Files\Lenovo PhoneCompanion\PhoneCompanionPusher.exe[2580] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffbbf732180 5 bytes JMP 00007ffc3f8603d0 .text C:\Program Files\Lenovo PhoneCompanion\PhoneCompanionPusher.exe[2580] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateTimer 00007ffbbf732190 5 bytes JMP 00007ffc3f860330 .text C:\Program Files\Lenovo PhoneCompanion\PhoneCompanionPusher.exe[2580] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00007ffbbf732240 5 bytes JMP 00007ffc3f860410 .text C:\Program Files\Lenovo PhoneCompanion\PhoneCompanionPusher.exe[2580] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00007ffbbf732270 5 bytes JMP 00007ffc3f860240 .text C:\Program Files\Lenovo PhoneCompanion\PhoneCompanionPusher.exe[2580] C:\WINDOWS\SYSTEM32\ntdll.dll!NtLoadDriver 00007ffbbf732590 5 bytes JMP 00007ffc3f8601e0 .text C:\Program Files\Lenovo PhoneCompanion\PhoneCompanionPusher.exe[2580] C:\WINDOWS\SYSTEM32\ntdll.dll!NtModifyBootEntry 00007ffbbf732650 5 bytes JMP 00007ffc3f860250 .text C:\Program Files\Lenovo PhoneCompanion\PhoneCompanionPusher.exe[2580] C:\WINDOWS\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00007ffbbf732680 5 bytes JMP 00007ffc3f860490 .text C:\Program Files\Lenovo PhoneCompanion\PhoneCompanionPusher.exe[2580] C:\WINDOWS\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00007ffbbf732690 5 bytes JMP 00007ffc3f8604a0 .text C:\Program Files\Lenovo PhoneCompanion\PhoneCompanionPusher.exe[2580] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenEventPair 00007ffbbf7326c0 5 bytes JMP 00007ffc3f860300 .text C:\Program Files\Lenovo PhoneCompanion\PhoneCompanionPusher.exe[2580] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00007ffbbf7326d0 1 byte JMP 00007ffc3f860360 .text C:\Program Files\Lenovo PhoneCompanion\PhoneCompanionPusher.exe[2580] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenIoCompletion + 2 00007ffbbf7326d2 3 bytes {JMP 0xffffffff8012dc90} .text C:\Program Files\Lenovo PhoneCompanion\PhoneCompanionPusher.exe[2580] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenMutant 00007ffbbf732730 5 bytes JMP 00007ffc3f8602a0 .text C:\Program Files\Lenovo PhoneCompanion\PhoneCompanionPusher.exe[2580] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenSemaphore 00007ffbbf732780 5 bytes JMP 00007ffc3f8602c0 .text C:\Program Files\Lenovo PhoneCompanion\PhoneCompanionPusher.exe[2580] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenThread 00007ffbbf7327b0 5 bytes JMP 00007ffc3f860380 .text C:\Program Files\Lenovo PhoneCompanion\PhoneCompanionPusher.exe[2580] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenTimer 00007ffbbf7327c0 5 bytes JMP 00007ffc3f860340 .text C:\Program Files\Lenovo PhoneCompanion\PhoneCompanionPusher.exe[2580] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00007ffbbf732ad0 5 bytes JMP 00007ffc3f860440 .text C:\Program Files\Lenovo PhoneCompanion\PhoneCompanionPusher.exe[2580] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00007ffbbf732cd0 1 byte JMP 00007ffc3f860260 .text C:\Program Files\Lenovo PhoneCompanion\PhoneCompanionPusher.exe[2580] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 00007ffbbf732cd2 3 bytes {JMP 0xffffffff8012d590} .text C:\Program Files\Lenovo PhoneCompanion\PhoneCompanionPusher.exe[2580] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootOptions 00007ffbbf732ce0 1 byte JMP 00007ffc3f860270 .text C:\Program Files\Lenovo PhoneCompanion\PhoneCompanionPusher.exe[2580] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 00007ffbbf732ce2 3 bytes {JMP 0xffffffff8012d590} .text C:\Program Files\Lenovo PhoneCompanion\PhoneCompanionPusher.exe[2580] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetContextThread 00007ffbbf732d00 5 bytes JMP 00007ffc3f860400 .text C:\Program Files\Lenovo PhoneCompanion\PhoneCompanionPusher.exe[2580] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ffbbf732ee0 5 bytes JMP 00007ffc3f8601f0 .text C:\Program Files\Lenovo PhoneCompanion\PhoneCompanionPusher.exe[2580] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00007ffbbf732ef0 5 bytes JMP 00007ffc3f860210 .text C:\Program Files\Lenovo PhoneCompanion\PhoneCompanionPusher.exe[2580] C:\WINDOWS\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ffbbf732f80 5 bytes JMP 00007ffc3f860200 .text C:\Program Files\Lenovo PhoneCompanion\PhoneCompanionPusher.exe[2580] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSuspendProcess 00007ffbbf732ff0 5 bytes JMP 00007ffc3f860420 .text C:\Program Files\Lenovo PhoneCompanion\PhoneCompanionPusher.exe[2580] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSuspendThread 00007ffbbf733000 5 bytes JMP 00007ffc3f860430 .text C:\Program Files\Lenovo PhoneCompanion\PhoneCompanionPusher.exe[2580] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ffbbf733010 5 bytes JMP 00007ffc3f860220 .text C:\Program Files\Lenovo PhoneCompanion\PhoneCompanionPusher.exe[2580] C:\WINDOWS\SYSTEM32\ntdll.dll!NtVdmControl 00007ffbbf733120 2 bytes JMP 00007ffc3f860280 .text C:\Program Files\Lenovo PhoneCompanion\PhoneCompanionPusher.exe[2580] C:\WINDOWS\SYSTEM32\ntdll.dll!NtVdmControl + 3 00007ffbbf733123 2 bytes [12, 80] .text C:\Program Files\CyberLink\Shared files\RichVideo64.exe[2616] C:\WINDOWS\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00007ffbbf731720 5 bytes JMP 00007ffc3f860460 .text C:\Program Files\CyberLink\Shared files\RichVideo64.exe[2616] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueryObject 00007ffbbf731770 5 bytes JMP 00007ffc3f860450 .text C:\Program Files\CyberLink\Shared files\RichVideo64.exe[2616] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenProcess 00007ffbbf7318d0 5 bytes JMP 00007ffc3f860370 .text C:\Program Files\CyberLink\Shared files\RichVideo64.exe[2616] C:\WINDOWS\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00007ffbbf731920 5 bytes JMP 00007ffc3f860470 .text C:\Program Files\CyberLink\Shared files\RichVideo64.exe[2616] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ffbbf731930 5 bytes JMP 00007ffc3f8603e0 .text C:\Program Files\CyberLink\Shared files\RichVideo64.exe[2616] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenSection 00007ffbbf7319e0 5 bytes JMP 00007ffc3f860320 .text C:\Program Files\CyberLink\Shared files\RichVideo64.exe[2616] C:\WINDOWS\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffbbf731a10 5 bytes JMP 00007ffc3f8603b0 .text C:\Program Files\CyberLink\Shared files\RichVideo64.exe[2616] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDuplicateObject 00007ffbbf731a30 5 bytes JMP 00007ffc3f860390 .text C:\Program Files\CyberLink\Shared files\RichVideo64.exe[2616] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenEvent 00007ffbbf731a70 5 bytes JMP 00007ffc3f8602e0 .text C:\Program Files\CyberLink\Shared files\RichVideo64.exe[2616] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateEvent 00007ffbbf731af0 5 bytes JMP 00007ffc3f8602d0 .text C:\Program Files\CyberLink\Shared files\RichVideo64.exe[2616] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSection 00007ffbbf731b10 5 bytes JMP 00007ffc3f860310 .text C:\Program Files\CyberLink\Shared files\RichVideo64.exe[2616] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThread 00007ffbbf731b50 5 bytes JMP 00007ffc3f8603c0 .text C:\Program Files\CyberLink\Shared files\RichVideo64.exe[2616] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateThread 00007ffbbf731ba0 5 bytes JMP 00007ffc3f8603f0 .text C:\Program Files\CyberLink\Shared files\RichVideo64.exe[2616] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAddBootEntry 00007ffbbf731d00 5 bytes JMP 00007ffc3f860230 .text C:\Program Files\CyberLink\Shared files\RichVideo64.exe[2616] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ffbbf731ef0 1 byte JMP 00007ffc3f860480 .text C:\Program Files\CyberLink\Shared files\RichVideo64.exe[2616] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort + 2 00007ffbbf731ef2 3 bytes {JMP 0xffffffff8012e590} .text C:\Program Files\CyberLink\Shared files\RichVideo64.exe[2616] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00007ffbbf731f20 5 bytes JMP 00007ffc3f8603a0 .text C:\Program Files\CyberLink\Shared files\RichVideo64.exe[2616] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ffbbf732040 5 bytes JMP 00007ffc3f8602f0 .text C:\Program Files\CyberLink\Shared files\RichVideo64.exe[2616] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00007ffbbf732060 5 bytes JMP 00007ffc3f860350 .text C:\Program Files\CyberLink\Shared files\RichVideo64.exe[2616] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateMutant 00007ffbbf7320d0 5 bytes JMP 00007ffc3f860290 .text C:\Program Files\CyberLink\Shared files\RichVideo64.exe[2616] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ffbbf732160 5 bytes JMP 00007ffc3f8602b0 .text C:\Program Files\CyberLink\Shared files\RichVideo64.exe[2616] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffbbf732180 5 bytes JMP 00007ffc3f8603d0 .text C:\Program Files\CyberLink\Shared files\RichVideo64.exe[2616] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateTimer 00007ffbbf732190 5 bytes JMP 00007ffc3f860330 .text C:\Program Files\CyberLink\Shared files\RichVideo64.exe[2616] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00007ffbbf732240 5 bytes JMP 00007ffc3f860410 .text C:\Program Files\CyberLink\Shared files\RichVideo64.exe[2616] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00007ffbbf732270 5 bytes JMP 00007ffc3f860240 .text C:\Program Files\CyberLink\Shared files\RichVideo64.exe[2616] C:\WINDOWS\SYSTEM32\ntdll.dll!NtLoadDriver 00007ffbbf732590 5 bytes JMP 00007ffc3f8601e0 .text C:\Program Files\CyberLink\Shared files\RichVideo64.exe[2616] C:\WINDOWS\SYSTEM32\ntdll.dll!NtModifyBootEntry 00007ffbbf732650 5 bytes JMP 00007ffc3f860250 .text C:\Program Files\CyberLink\Shared files\RichVideo64.exe[2616] C:\WINDOWS\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00007ffbbf732680 5 bytes JMP 00007ffc3f860490 .text C:\Program Files\CyberLink\Shared files\RichVideo64.exe[2616] C:\WINDOWS\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00007ffbbf732690 5 bytes JMP 00007ffc3f8604a0 .text C:\Program Files\CyberLink\Shared files\RichVideo64.exe[2616] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenEventPair 00007ffbbf7326c0 5 bytes JMP 00007ffc3f860300 .text C:\Program Files\CyberLink\Shared files\RichVideo64.exe[2616] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00007ffbbf7326d0 1 byte JMP 00007ffc3f860360 .text C:\Program Files\CyberLink\Shared files\RichVideo64.exe[2616] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenIoCompletion + 2 00007ffbbf7326d2 3 bytes {JMP 0xffffffff8012dc90} .text C:\Program Files\CyberLink\Shared files\RichVideo64.exe[2616] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenMutant 00007ffbbf732730 5 bytes JMP 00007ffc3f8602a0 .text C:\Program Files\CyberLink\Shared files\RichVideo64.exe[2616] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenSemaphore 00007ffbbf732780 5 bytes JMP 00007ffc3f8602c0 .text C:\Program Files\CyberLink\Shared files\RichVideo64.exe[2616] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenThread 00007ffbbf7327b0 5 bytes JMP 00007ffc3f860380 .text C:\Program Files\CyberLink\Shared files\RichVideo64.exe[2616] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenTimer 00007ffbbf7327c0 5 bytes JMP 00007ffc3f860340 .text C:\Program Files\CyberLink\Shared files\RichVideo64.exe[2616] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00007ffbbf732ad0 5 bytes JMP 00007ffc3f860440 .text C:\Program Files\CyberLink\Shared files\RichVideo64.exe[2616] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00007ffbbf732cd0 1 byte JMP 00007ffc3f860260 .text C:\Program Files\CyberLink\Shared files\RichVideo64.exe[2616] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 00007ffbbf732cd2 3 bytes {JMP 0xffffffff8012d590} .text C:\Program Files\CyberLink\Shared files\RichVideo64.exe[2616] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootOptions 00007ffbbf732ce0 1 byte JMP 00007ffc3f860270 .text C:\Program Files\CyberLink\Shared files\RichVideo64.exe[2616] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 00007ffbbf732ce2 3 bytes {JMP 0xffffffff8012d590} .text C:\Program Files\CyberLink\Shared files\RichVideo64.exe[2616] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetContextThread 00007ffbbf732d00 5 bytes JMP 00007ffc3f860400 .text C:\Program Files\CyberLink\Shared files\RichVideo64.exe[2616] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ffbbf732ee0 5 bytes JMP 00007ffc3f8601f0 .text C:\Program Files\CyberLink\Shared files\RichVideo64.exe[2616] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00007ffbbf732ef0 5 bytes JMP 00007ffc3f860210 .text C:\Program Files\CyberLink\Shared files\RichVideo64.exe[2616] C:\WINDOWS\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ffbbf732f80 5 bytes JMP 00007ffc3f860200 .text C:\Program Files\CyberLink\Shared files\RichVideo64.exe[2616] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSuspendProcess 00007ffbbf732ff0 5 bytes JMP 00007ffc3f860420 .text C:\Program Files\CyberLink\Shared files\RichVideo64.exe[2616] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSuspendThread 00007ffbbf733000 5 bytes JMP 00007ffc3f860430 .text C:\Program Files\CyberLink\Shared files\RichVideo64.exe[2616] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ffbbf733010 5 bytes JMP 00007ffc3f860220 .text C:\Program Files\CyberLink\Shared files\RichVideo64.exe[2616] C:\WINDOWS\SYSTEM32\ntdll.dll!NtVdmControl 00007ffbbf733120 2 bytes JMP 00007ffc3f860280 .text C:\Program Files\CyberLink\Shared files\RichVideo64.exe[2616] C:\WINDOWS\SYSTEM32\ntdll.dll!NtVdmControl + 3 00007ffbbf733123 2 bytes [12, 80] .text C:\Program Files (x86)\Lenovo\Lenovo VeriFace Pro\VfConnectorService.exe[2676] C:\WINDOWS\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00007ffbbf731720 5 bytes JMP 00007ffc3f860460 .text C:\Program Files (x86)\Lenovo\Lenovo VeriFace Pro\VfConnectorService.exe[2676] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueryObject 00007ffbbf731770 5 bytes JMP 00007ffc3f860450 .text C:\Program Files (x86)\Lenovo\Lenovo VeriFace Pro\VfConnectorService.exe[2676] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenProcess 00007ffbbf7318d0 5 bytes JMP 00007ffc3f860370 .text C:\Program Files (x86)\Lenovo\Lenovo VeriFace Pro\VfConnectorService.exe[2676] C:\WINDOWS\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00007ffbbf731920 5 bytes JMP 00007ffc3f860470 .text C:\Program Files (x86)\Lenovo\Lenovo VeriFace Pro\VfConnectorService.exe[2676] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ffbbf731930 5 bytes JMP 00007ffc3f8603e0 .text C:\Program Files (x86)\Lenovo\Lenovo VeriFace Pro\VfConnectorService.exe[2676] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenSection 00007ffbbf7319e0 5 bytes JMP 00007ffc3f860320 .text C:\Program Files (x86)\Lenovo\Lenovo VeriFace Pro\VfConnectorService.exe[2676] C:\WINDOWS\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffbbf731a10 5 bytes JMP 00007ffc3f8603b0 .text C:\Program Files (x86)\Lenovo\Lenovo VeriFace Pro\VfConnectorService.exe[2676] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDuplicateObject 00007ffbbf731a30 5 bytes JMP 00007ffc3f860390 .text C:\Program Files (x86)\Lenovo\Lenovo VeriFace Pro\VfConnectorService.exe[2676] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenEvent 00007ffbbf731a70 5 bytes JMP 00007ffc3f8602e0 .text C:\Program Files (x86)\Lenovo\Lenovo VeriFace Pro\VfConnectorService.exe[2676] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateEvent 00007ffbbf731af0 5 bytes JMP 00007ffc3f8602d0 .text C:\Program Files (x86)\Lenovo\Lenovo VeriFace Pro\VfConnectorService.exe[2676] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSection 00007ffbbf731b10 5 bytes JMP 00007ffc3f860310 .text C:\Program Files (x86)\Lenovo\Lenovo VeriFace Pro\VfConnectorService.exe[2676] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThread 00007ffbbf731b50 5 bytes JMP 00007ffc3f8603c0 .text C:\Program Files (x86)\Lenovo\Lenovo VeriFace Pro\VfConnectorService.exe[2676] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateThread 00007ffbbf731ba0 5 bytes JMP 00007ffc3f8603f0 .text C:\Program Files (x86)\Lenovo\Lenovo VeriFace Pro\VfConnectorService.exe[2676] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAddBootEntry 00007ffbbf731d00 5 bytes JMP 00007ffc3f860230 .text C:\Program Files (x86)\Lenovo\Lenovo VeriFace Pro\VfConnectorService.exe[2676] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ffbbf731ef0 1 byte JMP 00007ffc3f860480 .text C:\Program Files (x86)\Lenovo\Lenovo VeriFace Pro\VfConnectorService.exe[2676] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort + 2 00007ffbbf731ef2 3 bytes {JMP 0xffffffff8012e590} .text C:\Program Files (x86)\Lenovo\Lenovo VeriFace Pro\VfConnectorService.exe[2676] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00007ffbbf731f20 5 bytes JMP 00007ffc3f8603a0 .text C:\Program Files (x86)\Lenovo\Lenovo VeriFace Pro\VfConnectorService.exe[2676] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ffbbf732040 5 bytes JMP 00007ffc3f8602f0 .text C:\Program Files (x86)\Lenovo\Lenovo VeriFace Pro\VfConnectorService.exe[2676] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00007ffbbf732060 5 bytes JMP 00007ffc3f860350 .text C:\Program Files (x86)\Lenovo\Lenovo VeriFace Pro\VfConnectorService.exe[2676] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateMutant 00007ffbbf7320d0 5 bytes JMP 00007ffc3f860290 .text C:\Program Files (x86)\Lenovo\Lenovo VeriFace Pro\VfConnectorService.exe[2676] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ffbbf732160 5 bytes JMP 00007ffc3f8602b0 .text C:\Program Files (x86)\Lenovo\Lenovo VeriFace Pro\VfConnectorService.exe[2676] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffbbf732180 5 bytes JMP 00007ffc3f8603d0 .text C:\Program Files (x86)\Lenovo\Lenovo VeriFace Pro\VfConnectorService.exe[2676] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateTimer 00007ffbbf732190 5 bytes JMP 00007ffc3f860330 .text C:\Program Files (x86)\Lenovo\Lenovo VeriFace Pro\VfConnectorService.exe[2676] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00007ffbbf732240 5 bytes JMP 00007ffc3f860410 .text C:\Program Files (x86)\Lenovo\Lenovo VeriFace Pro\VfConnectorService.exe[2676] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00007ffbbf732270 5 bytes JMP 00007ffc3f860240 .text C:\Program Files (x86)\Lenovo\Lenovo VeriFace Pro\VfConnectorService.exe[2676] C:\WINDOWS\SYSTEM32\ntdll.dll!NtLoadDriver 00007ffbbf732590 5 bytes JMP 00007ffc3f8601e0 .text C:\Program Files (x86)\Lenovo\Lenovo VeriFace Pro\VfConnectorService.exe[2676] C:\WINDOWS\SYSTEM32\ntdll.dll!NtModifyBootEntry 00007ffbbf732650 5 bytes JMP 00007ffc3f860250 .text C:\Program Files (x86)\Lenovo\Lenovo VeriFace Pro\VfConnectorService.exe[2676] C:\WINDOWS\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00007ffbbf732680 5 bytes JMP 00007ffc3f860490 .text C:\Program Files (x86)\Lenovo\Lenovo VeriFace Pro\VfConnectorService.exe[2676] C:\WINDOWS\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00007ffbbf732690 5 bytes JMP 00007ffc3f8604a0 .text C:\Program Files (x86)\Lenovo\Lenovo VeriFace Pro\VfConnectorService.exe[2676] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenEventPair 00007ffbbf7326c0 5 bytes JMP 00007ffc3f860300 .text C:\Program Files (x86)\Lenovo\Lenovo VeriFace Pro\VfConnectorService.exe[2676] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00007ffbbf7326d0 1 byte JMP 00007ffc3f860360 .text C:\Program Files (x86)\Lenovo\Lenovo VeriFace Pro\VfConnectorService.exe[2676] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenIoCompletion + 2 00007ffbbf7326d2 3 bytes {JMP 0xffffffff8012dc90} .text C:\Program Files (x86)\Lenovo\Lenovo VeriFace Pro\VfConnectorService.exe[2676] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenMutant 00007ffbbf732730 5 bytes JMP 00007ffc3f8602a0 .text C:\Program Files (x86)\Lenovo\Lenovo VeriFace Pro\VfConnectorService.exe[2676] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenSemaphore 00007ffbbf732780 5 bytes JMP 00007ffc3f8602c0 .text C:\Program Files (x86)\Lenovo\Lenovo VeriFace Pro\VfConnectorService.exe[2676] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenThread 00007ffbbf7327b0 5 bytes JMP 00007ffc3f860380 .text C:\Program Files (x86)\Lenovo\Lenovo VeriFace Pro\VfConnectorService.exe[2676] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenTimer 00007ffbbf7327c0 5 bytes JMP 00007ffc3f860340 .text C:\Program Files (x86)\Lenovo\Lenovo VeriFace Pro\VfConnectorService.exe[2676] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00007ffbbf732ad0 5 bytes JMP 00007ffc3f860440 .text C:\Program Files (x86)\Lenovo\Lenovo VeriFace Pro\VfConnectorService.exe[2676] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00007ffbbf732cd0 1 byte JMP 00007ffc3f860260 .text C:\Program Files (x86)\Lenovo\Lenovo VeriFace Pro\VfConnectorService.exe[2676] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 00007ffbbf732cd2 3 bytes {JMP 0xffffffff8012d590} .text C:\Program Files (x86)\Lenovo\Lenovo VeriFace Pro\VfConnectorService.exe[2676] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootOptions 00007ffbbf732ce0 1 byte JMP 00007ffc3f860270 .text C:\Program Files (x86)\Lenovo\Lenovo VeriFace Pro\VfConnectorService.exe[2676] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 00007ffbbf732ce2 3 bytes {JMP 0xffffffff8012d590} .text C:\Program Files (x86)\Lenovo\Lenovo VeriFace Pro\VfConnectorService.exe[2676] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetContextThread 00007ffbbf732d00 5 bytes JMP 00007ffc3f860400 .text C:\Program Files (x86)\Lenovo\Lenovo VeriFace Pro\VfConnectorService.exe[2676] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ffbbf732ee0 5 bytes JMP 00007ffc3f8601f0 .text C:\Program Files (x86)\Lenovo\Lenovo VeriFace Pro\VfConnectorService.exe[2676] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00007ffbbf732ef0 5 bytes JMP 00007ffc3f860210 .text C:\Program Files (x86)\Lenovo\Lenovo VeriFace Pro\VfConnectorService.exe[2676] C:\WINDOWS\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ffbbf732f80 5 bytes JMP 00007ffc3f860200 .text C:\Program Files (x86)\Lenovo\Lenovo VeriFace Pro\VfConnectorService.exe[2676] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSuspendProcess 00007ffbbf732ff0 5 bytes JMP 00007ffc3f860420 .text C:\Program Files (x86)\Lenovo\Lenovo VeriFace Pro\VfConnectorService.exe[2676] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSuspendThread 00007ffbbf733000 5 bytes JMP 00007ffc3f860430 .text C:\Program Files (x86)\Lenovo\Lenovo VeriFace Pro\VfConnectorService.exe[2676] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ffbbf733010 5 bytes JMP 00007ffc3f860220 .text C:\Program Files (x86)\Lenovo\Lenovo VeriFace Pro\VfConnectorService.exe[2676] C:\WINDOWS\SYSTEM32\ntdll.dll!NtVdmControl 00007ffbbf733120 2 bytes JMP 00007ffc3f860280 .text C:\Program Files (x86)\Lenovo\Lenovo VeriFace Pro\VfConnectorService.exe[2676] C:\WINDOWS\SYSTEM32\ntdll.dll!NtVdmControl + 3 00007ffbbf733123 2 bytes [12, 80] .text C:\WINDOWS\system32\svchost.exe[3532] C:\WINDOWS\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00007ffbbf731720 5 bytes JMP 00007ffc3f860460 .text C:\WINDOWS\system32\svchost.exe[3532] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueryObject 00007ffbbf731770 5 bytes JMP 00007ffc3f860450 .text C:\WINDOWS\system32\svchost.exe[3532] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenProcess 00007ffbbf7318d0 5 bytes JMP 00007ffc3f860370 .text C:\WINDOWS\system32\svchost.exe[3532] C:\WINDOWS\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00007ffbbf731920 5 bytes JMP 00007ffc3f860470 .text C:\WINDOWS\system32\svchost.exe[3532] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ffbbf731930 5 bytes JMP 00007ffc3f8603e0 .text C:\WINDOWS\system32\svchost.exe[3532] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenSection 00007ffbbf7319e0 5 bytes JMP 00007ffc3f860320 .text C:\WINDOWS\system32\svchost.exe[3532] C:\WINDOWS\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffbbf731a10 5 bytes JMP 00007ffc3f8603b0 .text C:\WINDOWS\system32\svchost.exe[3532] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDuplicateObject 00007ffbbf731a30 5 bytes JMP 00007ffc3f860390 .text C:\WINDOWS\system32\svchost.exe[3532] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenEvent 00007ffbbf731a70 5 bytes JMP 00007ffc3f8602e0 .text C:\WINDOWS\system32\svchost.exe[3532] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateEvent 00007ffbbf731af0 5 bytes JMP 00007ffc3f8602d0 .text C:\WINDOWS\system32\svchost.exe[3532] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSection 00007ffbbf731b10 5 bytes JMP 00007ffc3f860310 .text C:\WINDOWS\system32\svchost.exe[3532] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThread 00007ffbbf731b50 5 bytes JMP 00007ffc3f8603c0 .text C:\WINDOWS\system32\svchost.exe[3532] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateThread 00007ffbbf731ba0 5 bytes JMP 00007ffc3f8603f0 .text C:\WINDOWS\system32\svchost.exe[3532] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAddBootEntry 00007ffbbf731d00 5 bytes JMP 00007ffc3f860230 .text C:\WINDOWS\system32\svchost.exe[3532] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ffbbf731ef0 1 byte JMP 00007ffc3f860480 .text C:\WINDOWS\system32\svchost.exe[3532] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort + 2 00007ffbbf731ef2 3 bytes {JMP 0xffffffff8012e590} .text C:\WINDOWS\system32\svchost.exe[3532] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00007ffbbf731f20 5 bytes JMP 00007ffc3f8603a0 .text C:\WINDOWS\system32\svchost.exe[3532] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ffbbf732040 5 bytes JMP 00007ffc3f8602f0 .text C:\WINDOWS\system32\svchost.exe[3532] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00007ffbbf732060 5 bytes JMP 00007ffc3f860350 .text C:\WINDOWS\system32\svchost.exe[3532] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateMutant 00007ffbbf7320d0 5 bytes JMP 00007ffc3f860290 .text C:\WINDOWS\system32\svchost.exe[3532] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ffbbf732160 5 bytes JMP 00007ffc3f8602b0 .text C:\WINDOWS\system32\svchost.exe[3532] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffbbf732180 5 bytes JMP 00007ffc3f8603d0 .text C:\WINDOWS\system32\svchost.exe[3532] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateTimer 00007ffbbf732190 5 bytes JMP 00007ffc3f860330 .text C:\WINDOWS\system32\svchost.exe[3532] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00007ffbbf732240 5 bytes JMP 00007ffc3f860410 .text C:\WINDOWS\system32\svchost.exe[3532] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00007ffbbf732270 5 bytes JMP 00007ffc3f860240 .text C:\WINDOWS\system32\svchost.exe[3532] C:\WINDOWS\SYSTEM32\ntdll.dll!NtLoadDriver 00007ffbbf732590 5 bytes JMP 00007ffc3f8601e0 .text C:\WINDOWS\system32\svchost.exe[3532] C:\WINDOWS\SYSTEM32\ntdll.dll!NtModifyBootEntry 00007ffbbf732650 5 bytes JMP 00007ffc3f860250 .text C:\WINDOWS\system32\svchost.exe[3532] C:\WINDOWS\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00007ffbbf732680 5 bytes JMP 00007ffc3f860490 .text C:\WINDOWS\system32\svchost.exe[3532] C:\WINDOWS\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00007ffbbf732690 5 bytes JMP 00007ffc3f8604a0 .text C:\WINDOWS\system32\svchost.exe[3532] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenEventPair 00007ffbbf7326c0 5 bytes JMP 00007ffc3f860300 .text C:\WINDOWS\system32\svchost.exe[3532] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00007ffbbf7326d0 1 byte JMP 00007ffc3f860360 .text C:\WINDOWS\system32\svchost.exe[3532] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenIoCompletion + 2 00007ffbbf7326d2 3 bytes {JMP 0xffffffff8012dc90} .text C:\WINDOWS\system32\svchost.exe[3532] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenMutant 00007ffbbf732730 5 bytes JMP 00007ffc3f8602a0 .text C:\WINDOWS\system32\svchost.exe[3532] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenSemaphore 00007ffbbf732780 5 bytes JMP 00007ffc3f8602c0 .text C:\WINDOWS\system32\svchost.exe[3532] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenThread 00007ffbbf7327b0 5 bytes JMP 00007ffc3f860380 .text C:\WINDOWS\system32\svchost.exe[3532] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenTimer 00007ffbbf7327c0 5 bytes JMP 00007ffc3f860340 .text C:\WINDOWS\system32\svchost.exe[3532] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00007ffbbf732ad0 5 bytes JMP 00007ffc3f860440 .text C:\WINDOWS\system32\svchost.exe[3532] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00007ffbbf732cd0 1 byte JMP 00007ffc3f860260 .text C:\WINDOWS\system32\svchost.exe[3532] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 00007ffbbf732cd2 3 bytes {JMP 0xffffffff8012d590} .text C:\WINDOWS\system32\svchost.exe[3532] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootOptions 00007ffbbf732ce0 1 byte JMP 00007ffc3f860270 .text C:\WINDOWS\system32\svchost.exe[3532] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 00007ffbbf732ce2 3 bytes {JMP 0xffffffff8012d590} .text C:\WINDOWS\system32\svchost.exe[3532] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetContextThread 00007ffbbf732d00 5 bytes JMP 00007ffc3f860400 .text C:\WINDOWS\system32\svchost.exe[3532] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ffbbf732ee0 5 bytes JMP 00007ffc3f8601f0 .text C:\WINDOWS\system32\svchost.exe[3532] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00007ffbbf732ef0 5 bytes JMP 00007ffc3f860210 .text C:\WINDOWS\system32\svchost.exe[3532] C:\WINDOWS\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ffbbf732f80 5 bytes JMP 00007ffc3f860200 .text C:\WINDOWS\system32\svchost.exe[3532] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSuspendProcess 00007ffbbf732ff0 5 bytes JMP 00007ffc3f860420 .text C:\WINDOWS\system32\svchost.exe[3532] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSuspendThread 00007ffbbf733000 5 bytes JMP 00007ffc3f860430 .text C:\WINDOWS\system32\svchost.exe[3532] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ffbbf733010 5 bytes JMP 00007ffc3f860220 .text C:\WINDOWS\system32\svchost.exe[3532] C:\WINDOWS\SYSTEM32\ntdll.dll!NtVdmControl 00007ffbbf733120 2 bytes JMP 00007ffc3f860280 .text C:\WINDOWS\system32\svchost.exe[3532] C:\WINDOWS\SYSTEM32\ntdll.dll!NtVdmControl + 3 00007ffbbf733123 2 bytes [12, 80] .text C:\WINDOWS\system32\svchost.exe[3560] C:\WINDOWS\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00007ffbbf731720 5 bytes JMP 00007ffc3f860460 .text C:\WINDOWS\system32\svchost.exe[3560] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueryObject 00007ffbbf731770 5 bytes JMP 00007ffc3f860450 .text C:\WINDOWS\system32\svchost.exe[3560] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenProcess 00007ffbbf7318d0 5 bytes JMP 00007ffc3f860370 .text C:\WINDOWS\system32\svchost.exe[3560] C:\WINDOWS\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00007ffbbf731920 5 bytes JMP 00007ffc3f860470 .text C:\WINDOWS\system32\svchost.exe[3560] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ffbbf731930 5 bytes JMP 00007ffc3f8603e0 .text C:\WINDOWS\system32\svchost.exe[3560] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenSection 00007ffbbf7319e0 5 bytes JMP 00007ffc3f860320 .text C:\WINDOWS\system32\svchost.exe[3560] C:\WINDOWS\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffbbf731a10 5 bytes JMP 00007ffc3f8603b0 .text C:\WINDOWS\system32\svchost.exe[3560] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDuplicateObject 00007ffbbf731a30 5 bytes JMP 00007ffc3f860390 .text C:\WINDOWS\system32\svchost.exe[3560] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenEvent 00007ffbbf731a70 5 bytes JMP 00007ffc3f8602e0 .text C:\WINDOWS\system32\svchost.exe[3560] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateEvent 00007ffbbf731af0 5 bytes JMP 00007ffc3f8602d0 .text C:\WINDOWS\system32\svchost.exe[3560] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSection 00007ffbbf731b10 5 bytes JMP 00007ffc3f860310 .text C:\WINDOWS\system32\svchost.exe[3560] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThread 00007ffbbf731b50 5 bytes JMP 00007ffc3f8603c0 .text C:\WINDOWS\system32\svchost.exe[3560] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateThread 00007ffbbf731ba0 5 bytes JMP 00007ffc3f8603f0 .text C:\WINDOWS\system32\svchost.exe[3560] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAddBootEntry 00007ffbbf731d00 5 bytes JMP 00007ffc3f860230 .text C:\WINDOWS\system32\svchost.exe[3560] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ffbbf731ef0 1 byte JMP 00007ffc3f860480 .text C:\WINDOWS\system32\svchost.exe[3560] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort + 2 00007ffbbf731ef2 3 bytes {JMP 0xffffffff8012e590} .text C:\WINDOWS\system32\svchost.exe[3560] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00007ffbbf731f20 5 bytes JMP 00007ffc3f8603a0 .text C:\WINDOWS\system32\svchost.exe[3560] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ffbbf732040 5 bytes JMP 00007ffc3f8602f0 .text C:\WINDOWS\system32\svchost.exe[3560] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00007ffbbf732060 5 bytes JMP 00007ffc3f860350 .text C:\WINDOWS\system32\svchost.exe[3560] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateMutant 00007ffbbf7320d0 5 bytes JMP 00007ffc3f860290 .text C:\WINDOWS\system32\svchost.exe[3560] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ffbbf732160 5 bytes JMP 00007ffc3f8602b0 .text C:\WINDOWS\system32\svchost.exe[3560] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffbbf732180 5 bytes JMP 00007ffc3f8603d0 .text C:\WINDOWS\system32\svchost.exe[3560] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateTimer 00007ffbbf732190 5 bytes JMP 00007ffc3f860330 .text C:\WINDOWS\system32\svchost.exe[3560] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00007ffbbf732240 5 bytes JMP 00007ffc3f860410 .text C:\WINDOWS\system32\svchost.exe[3560] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00007ffbbf732270 5 bytes JMP 00007ffc3f860240 .text C:\WINDOWS\system32\svchost.exe[3560] C:\WINDOWS\SYSTEM32\ntdll.dll!NtLoadDriver 00007ffbbf732590 5 bytes JMP 00007ffc3f8601e0 .text C:\WINDOWS\system32\svchost.exe[3560] C:\WINDOWS\SYSTEM32\ntdll.dll!NtModifyBootEntry 00007ffbbf732650 5 bytes JMP 00007ffc3f860250 .text C:\WINDOWS\system32\svchost.exe[3560] C:\WINDOWS\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00007ffbbf732680 5 bytes JMP 00007ffc3f860490 .text C:\WINDOWS\system32\svchost.exe[3560] C:\WINDOWS\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00007ffbbf732690 5 bytes JMP 00007ffc3f8604a0 .text C:\WINDOWS\system32\svchost.exe[3560] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenEventPair 00007ffbbf7326c0 5 bytes JMP 00007ffc3f860300 .text C:\WINDOWS\system32\svchost.exe[3560] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00007ffbbf7326d0 1 byte JMP 00007ffc3f860360 .text C:\WINDOWS\system32\svchost.exe[3560] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenIoCompletion + 2 00007ffbbf7326d2 3 bytes {JMP 0xffffffff8012dc90} .text C:\WINDOWS\system32\svchost.exe[3560] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenMutant 00007ffbbf732730 5 bytes JMP 00007ffc3f8602a0 .text C:\WINDOWS\system32\svchost.exe[3560] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenSemaphore 00007ffbbf732780 5 bytes JMP 00007ffc3f8602c0 .text C:\WINDOWS\system32\svchost.exe[3560] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenThread 00007ffbbf7327b0 5 bytes JMP 00007ffc3f860380 .text C:\WINDOWS\system32\svchost.exe[3560] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenTimer 00007ffbbf7327c0 5 bytes JMP 00007ffc3f860340 .text C:\WINDOWS\system32\svchost.exe[3560] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00007ffbbf732ad0 5 bytes JMP 00007ffc3f860440 .text C:\WINDOWS\system32\svchost.exe[3560] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00007ffbbf732cd0 1 byte JMP 00007ffc3f860260 .text C:\WINDOWS\system32\svchost.exe[3560] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 00007ffbbf732cd2 3 bytes {JMP 0xffffffff8012d590} .text C:\WINDOWS\system32\svchost.exe[3560] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootOptions 00007ffbbf732ce0 1 byte JMP 00007ffc3f860270 .text C:\WINDOWS\system32\svchost.exe[3560] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 00007ffbbf732ce2 3 bytes {JMP 0xffffffff8012d590} .text C:\WINDOWS\system32\svchost.exe[3560] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetContextThread 00007ffbbf732d00 5 bytes JMP 00007ffc3f860400 .text C:\WINDOWS\system32\svchost.exe[3560] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ffbbf732ee0 5 bytes JMP 00007ffc3f8601f0 .text C:\WINDOWS\system32\svchost.exe[3560] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00007ffbbf732ef0 5 bytes JMP 00007ffc3f860210 .text C:\WINDOWS\system32\svchost.exe[3560] C:\WINDOWS\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ffbbf732f80 5 bytes JMP 00007ffc3f860200 .text C:\WINDOWS\system32\svchost.exe[3560] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSuspendProcess 00007ffbbf732ff0 5 bytes JMP 00007ffc3f860420 .text C:\WINDOWS\system32\svchost.exe[3560] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSuspendThread 00007ffbbf733000 5 bytes JMP 00007ffc3f860430 .text C:\WINDOWS\system32\svchost.exe[3560] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ffbbf733010 5 bytes JMP 00007ffc3f860220 .text C:\WINDOWS\system32\svchost.exe[3560] C:\WINDOWS\SYSTEM32\ntdll.dll!NtVdmControl 00007ffbbf733120 2 bytes JMP 00007ffc3f860280 .text C:\WINDOWS\system32\svchost.exe[3560] C:\WINDOWS\SYSTEM32\ntdll.dll!NtVdmControl + 3 00007ffbbf733123 2 bytes [12, 80] .text C:\Windows\System32\WUDFHost.exe[3916] C:\WINDOWS\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00007ffbbf731720 5 bytes JMP 00007ffc3f860460 .text C:\Windows\System32\WUDFHost.exe[3916] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueryObject 00007ffbbf731770 5 bytes JMP 00007ffc3f860450 .text C:\Windows\System32\WUDFHost.exe[3916] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenProcess 00007ffbbf7318d0 5 bytes JMP 00007ffc3f860370 .text C:\Windows\System32\WUDFHost.exe[3916] C:\WINDOWS\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00007ffbbf731920 5 bytes JMP 00007ffc3f860470 .text C:\Windows\System32\WUDFHost.exe[3916] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ffbbf731930 5 bytes JMP 00007ffc3f8603e0 .text C:\Windows\System32\WUDFHost.exe[3916] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenSection 00007ffbbf7319e0 5 bytes JMP 00007ffc3f860320 .text C:\Windows\System32\WUDFHost.exe[3916] C:\WINDOWS\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffbbf731a10 5 bytes JMP 00007ffc3f8603b0 .text C:\Windows\System32\WUDFHost.exe[3916] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDuplicateObject 00007ffbbf731a30 5 bytes JMP 00007ffc3f860390 .text C:\Windows\System32\WUDFHost.exe[3916] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenEvent 00007ffbbf731a70 5 bytes JMP 00007ffc3f8602e0 .text C:\Windows\System32\WUDFHost.exe[3916] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateEvent 00007ffbbf731af0 5 bytes JMP 00007ffc3f8602d0 .text C:\Windows\System32\WUDFHost.exe[3916] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSection 00007ffbbf731b10 5 bytes JMP 00007ffc3f860310 .text C:\Windows\System32\WUDFHost.exe[3916] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThread 00007ffbbf731b50 5 bytes JMP 00007ffc3f8603c0 .text C:\Windows\System32\WUDFHost.exe[3916] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateThread 00007ffbbf731ba0 5 bytes JMP 00007ffc3f8603f0 .text C:\Windows\System32\WUDFHost.exe[3916] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAddBootEntry 00007ffbbf731d00 5 bytes JMP 00007ffc3f860230 .text C:\Windows\System32\WUDFHost.exe[3916] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ffbbf731ef0 1 byte JMP 00007ffc3f860480 .text C:\Windows\System32\WUDFHost.exe[3916] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort + 2 00007ffbbf731ef2 3 bytes {JMP 0xffffffff8012e590} .text C:\Windows\System32\WUDFHost.exe[3916] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00007ffbbf731f20 5 bytes JMP 00007ffc3f8603a0 .text C:\Windows\System32\WUDFHost.exe[3916] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ffbbf732040 5 bytes JMP 00007ffc3f8602f0 .text C:\Windows\System32\WUDFHost.exe[3916] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00007ffbbf732060 5 bytes JMP 00007ffc3f860350 .text C:\Windows\System32\WUDFHost.exe[3916] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateMutant 00007ffbbf7320d0 5 bytes JMP 00007ffc3f860290 .text C:\Windows\System32\WUDFHost.exe[3916] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ffbbf732160 5 bytes JMP 00007ffc3f8602b0 .text C:\Windows\System32\WUDFHost.exe[3916] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffbbf732180 5 bytes JMP 00007ffc3f8603d0 .text C:\Windows\System32\WUDFHost.exe[3916] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateTimer 00007ffbbf732190 5 bytes JMP 00007ffc3f860330 .text C:\Windows\System32\WUDFHost.exe[3916] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00007ffbbf732240 5 bytes JMP 00007ffc3f860410 .text C:\Windows\System32\WUDFHost.exe[3916] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00007ffbbf732270 5 bytes JMP 00007ffc3f860240 .text C:\Windows\System32\WUDFHost.exe[3916] C:\WINDOWS\SYSTEM32\ntdll.dll!NtLoadDriver 00007ffbbf732590 5 bytes JMP 00007ffc3f8601e0 .text C:\Windows\System32\WUDFHost.exe[3916] C:\WINDOWS\SYSTEM32\ntdll.dll!NtModifyBootEntry 00007ffbbf732650 5 bytes JMP 00007ffc3f860250 .text C:\Windows\System32\WUDFHost.exe[3916] C:\WINDOWS\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00007ffbbf732680 5 bytes JMP 00007ffc3f860490 .text C:\Windows\System32\WUDFHost.exe[3916] C:\WINDOWS\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00007ffbbf732690 5 bytes JMP 00007ffc3f8604a0 .text C:\Windows\System32\WUDFHost.exe[3916] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenEventPair 00007ffbbf7326c0 5 bytes JMP 00007ffc3f860300 .text C:\Windows\System32\WUDFHost.exe[3916] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00007ffbbf7326d0 1 byte JMP 00007ffc3f860360 .text C:\Windows\System32\WUDFHost.exe[3916] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenIoCompletion + 2 00007ffbbf7326d2 3 bytes {JMP 0xffffffff8012dc90} .text C:\Windows\System32\WUDFHost.exe[3916] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenMutant 00007ffbbf732730 5 bytes JMP 00007ffc3f8602a0 .text C:\Windows\System32\WUDFHost.exe[3916] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenSemaphore 00007ffbbf732780 5 bytes JMP 00007ffc3f8602c0 .text C:\Windows\System32\WUDFHost.exe[3916] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenThread 00007ffbbf7327b0 5 bytes JMP 00007ffc3f860380 .text C:\Windows\System32\WUDFHost.exe[3916] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenTimer 00007ffbbf7327c0 5 bytes JMP 00007ffc3f860340 .text C:\Windows\System32\WUDFHost.exe[3916] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00007ffbbf732ad0 5 bytes JMP 00007ffc3f860440 .text C:\Windows\System32\WUDFHost.exe[3916] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00007ffbbf732cd0 1 byte JMP 00007ffc3f860260 .text C:\Windows\System32\WUDFHost.exe[3916] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 00007ffbbf732cd2 3 bytes {JMP 0xffffffff8012d590} .text C:\Windows\System32\WUDFHost.exe[3916] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootOptions 00007ffbbf732ce0 1 byte JMP 00007ffc3f860270 .text C:\Windows\System32\WUDFHost.exe[3916] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 00007ffbbf732ce2 3 bytes {JMP 0xffffffff8012d590} .text C:\Windows\System32\WUDFHost.exe[3916] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetContextThread 00007ffbbf732d00 5 bytes JMP 00007ffc3f860400 .text C:\Windows\System32\WUDFHost.exe[3916] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ffbbf732ee0 5 bytes JMP 00007ffc3f8601f0 .text C:\Windows\System32\WUDFHost.exe[3916] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00007ffbbf732ef0 5 bytes JMP 00007ffc3f860210 .text C:\Windows\System32\WUDFHost.exe[3916] C:\WINDOWS\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ffbbf732f80 5 bytes JMP 00007ffc3f860200 .text C:\Windows\System32\WUDFHost.exe[3916] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSuspendProcess 00007ffbbf732ff0 5 bytes JMP 00007ffc3f860420 .text C:\Windows\System32\WUDFHost.exe[3916] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSuspendThread 00007ffbbf733000 5 bytes JMP 00007ffc3f860430 .text C:\Windows\System32\WUDFHost.exe[3916] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ffbbf733010 5 bytes JMP 00007ffc3f860220 .text C:\Windows\System32\WUDFHost.exe[3916] C:\WINDOWS\SYSTEM32\ntdll.dll!NtVdmControl 00007ffbbf733120 2 bytes JMP 00007ffc3f860280 .text C:\Windows\System32\WUDFHost.exe[3916] C:\WINDOWS\SYSTEM32\ntdll.dll!NtVdmControl + 3 00007ffbbf733123 2 bytes [12, 80] .text C:\WINDOWS\System32\svchost.exe[3928] C:\WINDOWS\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00007ffbbf731720 5 bytes JMP 00007ffc3f860460 .text C:\WINDOWS\System32\svchost.exe[3928] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueryObject 00007ffbbf731770 5 bytes JMP 00007ffc3f860450 .text C:\WINDOWS\System32\svchost.exe[3928] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenProcess 00007ffbbf7318d0 5 bytes JMP 00007ffc3f860370 .text C:\WINDOWS\System32\svchost.exe[3928] C:\WINDOWS\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00007ffbbf731920 5 bytes JMP 00007ffc3f860470 .text C:\WINDOWS\System32\svchost.exe[3928] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ffbbf731930 5 bytes JMP 00007ffc3f8603e0 .text C:\WINDOWS\System32\svchost.exe[3928] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenSection 00007ffbbf7319e0 5 bytes JMP 00007ffc3f860320 .text C:\WINDOWS\System32\svchost.exe[3928] C:\WINDOWS\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffbbf731a10 5 bytes JMP 00007ffc3f8603b0 .text C:\WINDOWS\System32\svchost.exe[3928] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDuplicateObject 00007ffbbf731a30 5 bytes JMP 00007ffc3f860390 .text C:\WINDOWS\System32\svchost.exe[3928] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenEvent 00007ffbbf731a70 5 bytes JMP 00007ffc3f8602e0 .text C:\WINDOWS\System32\svchost.exe[3928] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateEvent 00007ffbbf731af0 5 bytes JMP 00007ffc3f8602d0 .text C:\WINDOWS\System32\svchost.exe[3928] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSection 00007ffbbf731b10 5 bytes JMP 00007ffc3f860310 .text C:\WINDOWS\System32\svchost.exe[3928] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThread 00007ffbbf731b50 5 bytes JMP 00007ffc3f8603c0 .text C:\WINDOWS\System32\svchost.exe[3928] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateThread 00007ffbbf731ba0 5 bytes JMP 00007ffc3f8603f0 .text C:\WINDOWS\System32\svchost.exe[3928] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAddBootEntry 00007ffbbf731d00 5 bytes JMP 00007ffc3f860230 .text C:\WINDOWS\System32\svchost.exe[3928] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ffbbf731ef0 1 byte JMP 00007ffc3f860480 .text C:\WINDOWS\System32\svchost.exe[3928] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort + 2 00007ffbbf731ef2 3 bytes {JMP 0xffffffff8012e590} .text C:\WINDOWS\System32\svchost.exe[3928] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00007ffbbf731f20 5 bytes JMP 00007ffc3f8603a0 .text C:\WINDOWS\System32\svchost.exe[3928] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ffbbf732040 5 bytes JMP 00007ffc3f8602f0 .text C:\WINDOWS\System32\svchost.exe[3928] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00007ffbbf732060 5 bytes JMP 00007ffc3f860350 .text C:\WINDOWS\System32\svchost.exe[3928] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateMutant 00007ffbbf7320d0 5 bytes JMP 00007ffc3f860290 .text C:\WINDOWS\System32\svchost.exe[3928] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ffbbf732160 5 bytes JMP 00007ffc3f8602b0 .text C:\WINDOWS\System32\svchost.exe[3928] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffbbf732180 5 bytes JMP 00007ffc3f8603d0 .text C:\WINDOWS\System32\svchost.exe[3928] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateTimer 00007ffbbf732190 5 bytes JMP 00007ffc3f860330 .text C:\WINDOWS\System32\svchost.exe[3928] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00007ffbbf732240 5 bytes JMP 00007ffc3f860410 .text C:\WINDOWS\System32\svchost.exe[3928] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00007ffbbf732270 5 bytes JMP 00007ffc3f860240 .text C:\WINDOWS\System32\svchost.exe[3928] C:\WINDOWS\SYSTEM32\ntdll.dll!NtLoadDriver 00007ffbbf732590 5 bytes JMP 00007ffc3f8601e0 .text C:\WINDOWS\System32\svchost.exe[3928] C:\WINDOWS\SYSTEM32\ntdll.dll!NtModifyBootEntry 00007ffbbf732650 5 bytes JMP 00007ffc3f860250 .text C:\WINDOWS\System32\svchost.exe[3928] C:\WINDOWS\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00007ffbbf732680 5 bytes JMP 00007ffc3f860490 .text C:\WINDOWS\System32\svchost.exe[3928] C:\WINDOWS\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00007ffbbf732690 5 bytes JMP 00007ffc3f8604a0 .text C:\WINDOWS\System32\svchost.exe[3928] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenEventPair 00007ffbbf7326c0 5 bytes JMP 00007ffc3f860300 .text C:\WINDOWS\System32\svchost.exe[3928] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00007ffbbf7326d0 1 byte JMP 00007ffc3f860360 .text C:\WINDOWS\System32\svchost.exe[3928] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenIoCompletion + 2 00007ffbbf7326d2 3 bytes {JMP 0xffffffff8012dc90} .text C:\WINDOWS\System32\svchost.exe[3928] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenMutant 00007ffbbf732730 5 bytes JMP 00007ffc3f8602a0 .text C:\WINDOWS\System32\svchost.exe[3928] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenSemaphore 00007ffbbf732780 5 bytes JMP 00007ffc3f8602c0 .text C:\WINDOWS\System32\svchost.exe[3928] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenThread 00007ffbbf7327b0 5 bytes JMP 00007ffc3f860380 .text C:\WINDOWS\System32\svchost.exe[3928] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenTimer 00007ffbbf7327c0 5 bytes JMP 00007ffc3f860340 .text C:\WINDOWS\System32\svchost.exe[3928] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00007ffbbf732ad0 5 bytes JMP 00007ffc3f860440 .text C:\WINDOWS\System32\svchost.exe[3928] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00007ffbbf732cd0 1 byte JMP 00007ffc3f860260 .text C:\WINDOWS\System32\svchost.exe[3928] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 00007ffbbf732cd2 3 bytes {JMP 0xffffffff8012d590} .text C:\WINDOWS\System32\svchost.exe[3928] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootOptions 00007ffbbf732ce0 1 byte JMP 00007ffc3f860270 .text C:\WINDOWS\System32\svchost.exe[3928] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 00007ffbbf732ce2 3 bytes {JMP 0xffffffff8012d590} .text C:\WINDOWS\System32\svchost.exe[3928] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetContextThread 00007ffbbf732d00 5 bytes JMP 00007ffc3f860400 .text C:\WINDOWS\System32\svchost.exe[3928] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ffbbf732ee0 5 bytes JMP 00007ffc3f8601f0 .text C:\WINDOWS\System32\svchost.exe[3928] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00007ffbbf732ef0 5 bytes JMP 00007ffc3f860210 .text C:\WINDOWS\System32\svchost.exe[3928] C:\WINDOWS\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ffbbf732f80 5 bytes JMP 00007ffc3f860200 .text C:\WINDOWS\System32\svchost.exe[3928] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSuspendProcess 00007ffbbf732ff0 5 bytes JMP 00007ffc3f860420 .text C:\WINDOWS\System32\svchost.exe[3928] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSuspendThread 00007ffbbf733000 5 bytes JMP 00007ffc3f860430 .text C:\WINDOWS\System32\svchost.exe[3928] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ffbbf733010 5 bytes JMP 00007ffc3f860220 .text C:\WINDOWS\System32\svchost.exe[3928] C:\WINDOWS\SYSTEM32\ntdll.dll!NtVdmControl 00007ffbbf733120 2 bytes JMP 00007ffc3f860280 .text C:\WINDOWS\System32\svchost.exe[3928] C:\WINDOWS\SYSTEM32\ntdll.dll!NtVdmControl + 3 00007ffbbf733123 2 bytes [12, 80] .text C:\WINDOWS\system32\SearchIndexer.exe[4660] C:\WINDOWS\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00007ffbbf731720 5 bytes JMP 00007ffc3f860460 .text C:\WINDOWS\system32\SearchIndexer.exe[4660] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueryObject 00007ffbbf731770 5 bytes JMP 00007ffc3f860450 .text C:\WINDOWS\system32\SearchIndexer.exe[4660] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenProcess 00007ffbbf7318d0 5 bytes JMP 00007ffc3f860370 .text C:\WINDOWS\system32\SearchIndexer.exe[4660] C:\WINDOWS\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00007ffbbf731920 5 bytes JMP 00007ffc3f860470 .text C:\WINDOWS\system32\SearchIndexer.exe[4660] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ffbbf731930 5 bytes JMP 00007ffc3f8603e0 .text C:\WINDOWS\system32\SearchIndexer.exe[4660] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenSection 00007ffbbf7319e0 5 bytes JMP 00007ffc3f860320 .text C:\WINDOWS\system32\SearchIndexer.exe[4660] C:\WINDOWS\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffbbf731a10 5 bytes JMP 00007ffc3f8603b0 .text C:\WINDOWS\system32\SearchIndexer.exe[4660] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDuplicateObject 00007ffbbf731a30 5 bytes JMP 00007ffc3f860390 .text C:\WINDOWS\system32\SearchIndexer.exe[4660] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenEvent 00007ffbbf731a70 5 bytes JMP 00007ffc3f8602e0 .text C:\WINDOWS\system32\SearchIndexer.exe[4660] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateEvent 00007ffbbf731af0 5 bytes JMP 00007ffc3f8602d0 .text C:\WINDOWS\system32\SearchIndexer.exe[4660] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSection 00007ffbbf731b10 5 bytes JMP 00007ffc3f860310 .text C:\WINDOWS\system32\SearchIndexer.exe[4660] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThread 00007ffbbf731b50 5 bytes JMP 00007ffc3f8603c0 .text C:\WINDOWS\system32\SearchIndexer.exe[4660] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateThread 00007ffbbf731ba0 5 bytes JMP 00007ffc3f8603f0 .text C:\WINDOWS\system32\SearchIndexer.exe[4660] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAddBootEntry 00007ffbbf731d00 5 bytes JMP 00007ffc3f860230 .text C:\WINDOWS\system32\SearchIndexer.exe[4660] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ffbbf731ef0 1 byte JMP 00007ffc3f860480 .text C:\WINDOWS\system32\SearchIndexer.exe[4660] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort + 2 00007ffbbf731ef2 3 bytes {JMP 0xffffffff8012e590} .text C:\WINDOWS\system32\SearchIndexer.exe[4660] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00007ffbbf731f20 5 bytes JMP 00007ffc3f8603a0 .text C:\WINDOWS\system32\SearchIndexer.exe[4660] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ffbbf732040 5 bytes JMP 00007ffc3f8602f0 .text C:\WINDOWS\system32\SearchIndexer.exe[4660] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00007ffbbf732060 5 bytes JMP 00007ffc3f860350 .text C:\WINDOWS\system32\SearchIndexer.exe[4660] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateMutant 00007ffbbf7320d0 5 bytes JMP 00007ffc3f860290 .text C:\WINDOWS\system32\SearchIndexer.exe[4660] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ffbbf732160 5 bytes JMP 00007ffc3f8602b0 .text C:\WINDOWS\system32\SearchIndexer.exe[4660] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffbbf732180 5 bytes JMP 00007ffc3f8603d0 .text C:\WINDOWS\system32\SearchIndexer.exe[4660] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateTimer 00007ffbbf732190 5 bytes JMP 00007ffc3f860330 .text C:\WINDOWS\system32\SearchIndexer.exe[4660] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00007ffbbf732240 5 bytes JMP 00007ffc3f860410 .text C:\WINDOWS\system32\SearchIndexer.exe[4660] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00007ffbbf732270 5 bytes JMP 00007ffc3f860240 .text C:\WINDOWS\system32\SearchIndexer.exe[4660] C:\WINDOWS\SYSTEM32\ntdll.dll!NtLoadDriver 00007ffbbf732590 5 bytes JMP 00007ffc3f8601e0 .text C:\WINDOWS\system32\SearchIndexer.exe[4660] C:\WINDOWS\SYSTEM32\ntdll.dll!NtModifyBootEntry 00007ffbbf732650 5 bytes JMP 00007ffc3f860250 .text C:\WINDOWS\system32\SearchIndexer.exe[4660] C:\WINDOWS\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00007ffbbf732680 5 bytes JMP 00007ffc3f860490 .text C:\WINDOWS\system32\SearchIndexer.exe[4660] C:\WINDOWS\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00007ffbbf732690 5 bytes JMP 00007ffc3f8604a0 .text C:\WINDOWS\system32\SearchIndexer.exe[4660] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenEventPair 00007ffbbf7326c0 5 bytes JMP 00007ffc3f860300 .text C:\WINDOWS\system32\SearchIndexer.exe[4660] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00007ffbbf7326d0 1 byte JMP 00007ffc3f860360 .text C:\WINDOWS\system32\SearchIndexer.exe[4660] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenIoCompletion + 2 00007ffbbf7326d2 3 bytes {JMP 0xffffffff8012dc90} .text C:\WINDOWS\system32\SearchIndexer.exe[4660] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenMutant 00007ffbbf732730 5 bytes JMP 00007ffc3f8602a0 .text C:\WINDOWS\system32\SearchIndexer.exe[4660] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenSemaphore 00007ffbbf732780 5 bytes JMP 00007ffc3f8602c0 .text C:\WINDOWS\system32\SearchIndexer.exe[4660] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenThread 00007ffbbf7327b0 5 bytes JMP 00007ffc3f860380 .text C:\WINDOWS\system32\SearchIndexer.exe[4660] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenTimer 00007ffbbf7327c0 5 bytes JMP 00007ffc3f860340 .text C:\WINDOWS\system32\SearchIndexer.exe[4660] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00007ffbbf732ad0 5 bytes JMP 00007ffc3f860440 .text C:\WINDOWS\system32\SearchIndexer.exe[4660] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00007ffbbf732cd0 1 byte JMP 00007ffc3f860260 .text C:\WINDOWS\system32\SearchIndexer.exe[4660] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 00007ffbbf732cd2 3 bytes {JMP 0xffffffff8012d590} .text C:\WINDOWS\system32\SearchIndexer.exe[4660] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootOptions 00007ffbbf732ce0 1 byte JMP 00007ffc3f860270 .text C:\WINDOWS\system32\SearchIndexer.exe[4660] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 00007ffbbf732ce2 3 bytes {JMP 0xffffffff8012d590} .text C:\WINDOWS\system32\SearchIndexer.exe[4660] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetContextThread 00007ffbbf732d00 5 bytes JMP 00007ffc3f860400 .text C:\WINDOWS\system32\SearchIndexer.exe[4660] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ffbbf732ee0 5 bytes JMP 00007ffc3f8601f0 .text C:\WINDOWS\system32\SearchIndexer.exe[4660] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00007ffbbf732ef0 5 bytes JMP 00007ffc3f860210 .text C:\WINDOWS\system32\SearchIndexer.exe[4660] C:\WINDOWS\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ffbbf732f80 5 bytes JMP 00007ffc3f860200 .text C:\WINDOWS\system32\SearchIndexer.exe[4660] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSuspendProcess 00007ffbbf732ff0 5 bytes JMP 00007ffc3f860420 .text C:\WINDOWS\system32\SearchIndexer.exe[4660] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSuspendThread 00007ffbbf733000 5 bytes JMP 00007ffc3f860430 .text C:\WINDOWS\system32\SearchIndexer.exe[4660] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ffbbf733010 5 bytes JMP 00007ffc3f860220 .text C:\WINDOWS\system32\SearchIndexer.exe[4660] C:\WINDOWS\SYSTEM32\ntdll.dll!NtVdmControl 00007ffbbf733120 2 bytes JMP 00007ffc3f860280 .text C:\WINDOWS\system32\SearchIndexer.exe[4660] C:\WINDOWS\SYSTEM32\ntdll.dll!NtVdmControl + 3 00007ffbbf733123 2 bytes [12, 80] .text C:\Program Files\CONEXANT\ForteConfig\fmapp.exe[5016] C:\WINDOWS\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00007ffbbf731720 5 bytes JMP 00007ffc3f860460 .text C:\Program Files\CONEXANT\ForteConfig\fmapp.exe[5016] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueryObject 00007ffbbf731770 5 bytes JMP 00007ffc3f860450 .text C:\Program Files\CONEXANT\ForteConfig\fmapp.exe[5016] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenProcess 00007ffbbf7318d0 5 bytes JMP 00007ffc3f860370 .text C:\Program Files\CONEXANT\ForteConfig\fmapp.exe[5016] C:\WINDOWS\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00007ffbbf731920 5 bytes JMP 00007ffc3f860470 .text C:\Program Files\CONEXANT\ForteConfig\fmapp.exe[5016] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ffbbf731930 5 bytes JMP 00007ffc3f8603e0 .text C:\Program Files\CONEXANT\ForteConfig\fmapp.exe[5016] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenSection 00007ffbbf7319e0 5 bytes JMP 00007ffc3f860320 .text C:\Program Files\CONEXANT\ForteConfig\fmapp.exe[5016] C:\WINDOWS\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffbbf731a10 5 bytes JMP 00007ffc3f8603b0 .text C:\Program Files\CONEXANT\ForteConfig\fmapp.exe[5016] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDuplicateObject 00007ffbbf731a30 5 bytes JMP 00007ffc3f860390 .text C:\Program Files\CONEXANT\ForteConfig\fmapp.exe[5016] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenEvent 00007ffbbf731a70 5 bytes JMP 00007ffc3f8602e0 .text C:\Program Files\CONEXANT\ForteConfig\fmapp.exe[5016] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateEvent 00007ffbbf731af0 5 bytes JMP 00007ffc3f8602d0 .text C:\Program Files\CONEXANT\ForteConfig\fmapp.exe[5016] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSection 00007ffbbf731b10 5 bytes JMP 00007ffc3f860310 .text C:\Program Files\CONEXANT\ForteConfig\fmapp.exe[5016] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThread 00007ffbbf731b50 5 bytes JMP 00007ffc3f8603c0 .text C:\Program Files\CONEXANT\ForteConfig\fmapp.exe[5016] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateThread 00007ffbbf731ba0 5 bytes JMP 00007ffc3f8603f0 .text C:\Program Files\CONEXANT\ForteConfig\fmapp.exe[5016] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAddBootEntry 00007ffbbf731d00 5 bytes JMP 00007ffc3f860230 .text C:\Program Files\CONEXANT\ForteConfig\fmapp.exe[5016] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ffbbf731ef0 1 byte JMP 00007ffc3f860480 .text C:\Program Files\CONEXANT\ForteConfig\fmapp.exe[5016] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort + 2 00007ffbbf731ef2 3 bytes {JMP 0xffffffff8012e590} .text C:\Program Files\CONEXANT\ForteConfig\fmapp.exe[5016] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00007ffbbf731f20 5 bytes JMP 00007ffc3f8603a0 .text C:\Program Files\CONEXANT\ForteConfig\fmapp.exe[5016] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ffbbf732040 5 bytes JMP 00007ffc3f8602f0 .text C:\Program Files\CONEXANT\ForteConfig\fmapp.exe[5016] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00007ffbbf732060 5 bytes JMP 00007ffc3f860350 .text C:\Program Files\CONEXANT\ForteConfig\fmapp.exe[5016] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateMutant 00007ffbbf7320d0 5 bytes JMP 00007ffc3f860290 .text C:\Program Files\CONEXANT\ForteConfig\fmapp.exe[5016] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ffbbf732160 5 bytes JMP 00007ffc3f8602b0 .text C:\Program Files\CONEXANT\ForteConfig\fmapp.exe[5016] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffbbf732180 5 bytes JMP 00007ffc3f8603d0 .text C:\Program Files\CONEXANT\ForteConfig\fmapp.exe[5016] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateTimer 00007ffbbf732190 5 bytes JMP 00007ffc3f860330 .text C:\Program Files\CONEXANT\ForteConfig\fmapp.exe[5016] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00007ffbbf732240 5 bytes JMP 00007ffc3f860410 .text C:\Program Files\CONEXANT\ForteConfig\fmapp.exe[5016] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00007ffbbf732270 5 bytes JMP 00007ffc3f860240 .text C:\Program Files\CONEXANT\ForteConfig\fmapp.exe[5016] C:\WINDOWS\SYSTEM32\ntdll.dll!NtLoadDriver 00007ffbbf732590 5 bytes JMP 00007ffc3f8601e0 .text C:\Program Files\CONEXANT\ForteConfig\fmapp.exe[5016] C:\WINDOWS\SYSTEM32\ntdll.dll!NtModifyBootEntry 00007ffbbf732650 5 bytes JMP 00007ffc3f860250 .text C:\Program Files\CONEXANT\ForteConfig\fmapp.exe[5016] C:\WINDOWS\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00007ffbbf732680 5 bytes JMP 00007ffc3f860490 .text C:\Program Files\CONEXANT\ForteConfig\fmapp.exe[5016] C:\WINDOWS\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00007ffbbf732690 5 bytes JMP 00007ffc3f8604a0 .text C:\Program Files\CONEXANT\ForteConfig\fmapp.exe[5016] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenEventPair 00007ffbbf7326c0 5 bytes JMP 00007ffc3f860300 .text C:\Program Files\CONEXANT\ForteConfig\fmapp.exe[5016] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00007ffbbf7326d0 1 byte JMP 00007ffc3f860360 .text C:\Program Files\CONEXANT\ForteConfig\fmapp.exe[5016] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenIoCompletion + 2 00007ffbbf7326d2 3 bytes {JMP 0xffffffff8012dc90} .text C:\Program Files\CONEXANT\ForteConfig\fmapp.exe[5016] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenMutant 00007ffbbf732730 5 bytes JMP 00007ffc3f8602a0 .text C:\Program Files\CONEXANT\ForteConfig\fmapp.exe[5016] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenSemaphore 00007ffbbf732780 5 bytes JMP 00007ffc3f8602c0 .text C:\Program Files\CONEXANT\ForteConfig\fmapp.exe[5016] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenThread 00007ffbbf7327b0 5 bytes JMP 00007ffc3f860380 .text C:\Program Files\CONEXANT\ForteConfig\fmapp.exe[5016] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenTimer 00007ffbbf7327c0 5 bytes JMP 00007ffc3f860340 .text C:\Program Files\CONEXANT\ForteConfig\fmapp.exe[5016] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00007ffbbf732ad0 5 bytes JMP 00007ffc3f860440 .text C:\Program Files\CONEXANT\ForteConfig\fmapp.exe[5016] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00007ffbbf732cd0 1 byte JMP 00007ffc3f860260 .text C:\Program Files\CONEXANT\ForteConfig\fmapp.exe[5016] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 00007ffbbf732cd2 3 bytes {JMP 0xffffffff8012d590} .text C:\Program Files\CONEXANT\ForteConfig\fmapp.exe[5016] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootOptions 00007ffbbf732ce0 1 byte JMP 00007ffc3f860270 .text C:\Program Files\CONEXANT\ForteConfig\fmapp.exe[5016] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 00007ffbbf732ce2 3 bytes {JMP 0xffffffff8012d590} .text C:\Program Files\CONEXANT\ForteConfig\fmapp.exe[5016] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetContextThread 00007ffbbf732d00 5 bytes JMP 00007ffc3f860400 .text C:\Program Files\CONEXANT\ForteConfig\fmapp.exe[5016] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ffbbf732ee0 5 bytes JMP 00007ffc3f8601f0 .text C:\Program Files\CONEXANT\ForteConfig\fmapp.exe[5016] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00007ffbbf732ef0 5 bytes JMP 00007ffc3f860210 .text C:\Program Files\CONEXANT\ForteConfig\fmapp.exe[5016] C:\WINDOWS\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ffbbf732f80 5 bytes JMP 00007ffc3f860200 .text C:\Program Files\CONEXANT\ForteConfig\fmapp.exe[5016] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSuspendProcess 00007ffbbf732ff0 5 bytes JMP 00007ffc3f860420 .text C:\Program Files\CONEXANT\ForteConfig\fmapp.exe[5016] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSuspendThread 00007ffbbf733000 5 bytes JMP 00007ffc3f860430 .text C:\Program Files\CONEXANT\ForteConfig\fmapp.exe[5016] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ffbbf733010 5 bytes JMP 00007ffc3f860220 .text C:\Program Files\CONEXANT\ForteConfig\fmapp.exe[5016] C:\WINDOWS\SYSTEM32\ntdll.dll!NtVdmControl 00007ffbbf733120 2 bytes JMP 00007ffc3f860280 .text C:\Program Files\CONEXANT\ForteConfig\fmapp.exe[5016] C:\WINDOWS\SYSTEM32\ntdll.dll!NtVdmControl + 3 00007ffbbf733123 2 bytes [12, 80] .text C:\WINDOWS\system32\DllHost.exe[5108] C:\WINDOWS\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00007ffbbf731720 5 bytes JMP 00007ffc3f860460 .text C:\WINDOWS\system32\DllHost.exe[5108] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueryObject 00007ffbbf731770 5 bytes JMP 00007ffc3f860450 .text C:\WINDOWS\system32\DllHost.exe[5108] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenProcess 00007ffbbf7318d0 5 bytes JMP 00007ffc3f860370 .text C:\WINDOWS\system32\DllHost.exe[5108] C:\WINDOWS\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00007ffbbf731920 5 bytes JMP 00007ffc3f860470 .text C:\WINDOWS\system32\DllHost.exe[5108] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ffbbf731930 5 bytes JMP 00007ffc3f8603e0 .text C:\WINDOWS\system32\DllHost.exe[5108] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenSection 00007ffbbf7319e0 5 bytes JMP 00007ffc3f860320 .text C:\WINDOWS\system32\DllHost.exe[5108] C:\WINDOWS\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffbbf731a10 5 bytes JMP 00007ffc3f8603b0 .text C:\WINDOWS\system32\DllHost.exe[5108] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDuplicateObject 00007ffbbf731a30 5 bytes JMP 00007ffc3f860390 .text C:\WINDOWS\system32\DllHost.exe[5108] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenEvent 00007ffbbf731a70 5 bytes JMP 00007ffc3f8602e0 .text C:\WINDOWS\system32\DllHost.exe[5108] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateEvent 00007ffbbf731af0 5 bytes JMP 00007ffc3f8602d0 .text C:\WINDOWS\system32\DllHost.exe[5108] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSection 00007ffbbf731b10 5 bytes JMP 00007ffc3f860310 .text C:\WINDOWS\system32\DllHost.exe[5108] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThread 00007ffbbf731b50 5 bytes JMP 00007ffc3f8603c0 .text C:\WINDOWS\system32\DllHost.exe[5108] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateThread 00007ffbbf731ba0 5 bytes JMP 00007ffc3f8603f0 .text C:\WINDOWS\system32\DllHost.exe[5108] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAddBootEntry 00007ffbbf731d00 5 bytes JMP 00007ffc3f860230 .text C:\WINDOWS\system32\DllHost.exe[5108] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ffbbf731ef0 1 byte JMP 00007ffc3f860480 .text C:\WINDOWS\system32\DllHost.exe[5108] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort + 2 00007ffbbf731ef2 3 bytes {JMP 0xffffffff8012e590} .text C:\WINDOWS\system32\DllHost.exe[5108] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00007ffbbf731f20 5 bytes JMP 00007ffc3f8603a0 .text C:\WINDOWS\system32\DllHost.exe[5108] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ffbbf732040 5 bytes JMP 00007ffc3f8602f0 .text C:\WINDOWS\system32\DllHost.exe[5108] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00007ffbbf732060 5 bytes JMP 00007ffc3f860350 .text C:\WINDOWS\system32\DllHost.exe[5108] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateMutant 00007ffbbf7320d0 5 bytes JMP 00007ffc3f860290 .text C:\WINDOWS\system32\DllHost.exe[5108] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ffbbf732160 5 bytes JMP 00007ffc3f8602b0 .text C:\WINDOWS\system32\DllHost.exe[5108] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffbbf732180 5 bytes JMP 00007ffc3f8603d0 .text C:\WINDOWS\system32\DllHost.exe[5108] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateTimer 00007ffbbf732190 5 bytes JMP 00007ffc3f860330 .text C:\WINDOWS\system32\DllHost.exe[5108] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00007ffbbf732240 5 bytes JMP 00007ffc3f860410 .text C:\WINDOWS\system32\DllHost.exe[5108] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00007ffbbf732270 5 bytes JMP 00007ffc3f860240 .text C:\WINDOWS\system32\DllHost.exe[5108] C:\WINDOWS\SYSTEM32\ntdll.dll!NtLoadDriver 00007ffbbf732590 5 bytes JMP 00007ffc3f8601e0 .text C:\WINDOWS\system32\DllHost.exe[5108] C:\WINDOWS\SYSTEM32\ntdll.dll!NtModifyBootEntry 00007ffbbf732650 5 bytes JMP 00007ffc3f860250 .text C:\WINDOWS\system32\DllHost.exe[5108] C:\WINDOWS\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00007ffbbf732680 5 bytes JMP 00007ffc3f860490 .text C:\WINDOWS\system32\DllHost.exe[5108] C:\WINDOWS\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00007ffbbf732690 5 bytes JMP 00007ffc3f8604a0 .text C:\WINDOWS\system32\DllHost.exe[5108] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenEventPair 00007ffbbf7326c0 5 bytes JMP 00007ffc3f860300 .text C:\WINDOWS\system32\DllHost.exe[5108] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00007ffbbf7326d0 1 byte JMP 00007ffc3f860360 .text C:\WINDOWS\system32\DllHost.exe[5108] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenIoCompletion + 2 00007ffbbf7326d2 3 bytes {JMP 0xffffffff8012dc90} .text C:\WINDOWS\system32\DllHost.exe[5108] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenMutant 00007ffbbf732730 5 bytes JMP 00007ffc3f8602a0 .text C:\WINDOWS\system32\DllHost.exe[5108] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenSemaphore 00007ffbbf732780 5 bytes JMP 00007ffc3f8602c0 .text C:\WINDOWS\system32\DllHost.exe[5108] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenThread 00007ffbbf7327b0 5 bytes JMP 00007ffc3f860380 .text C:\WINDOWS\system32\DllHost.exe[5108] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenTimer 00007ffbbf7327c0 5 bytes JMP 00007ffc3f860340 .text C:\WINDOWS\system32\DllHost.exe[5108] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00007ffbbf732ad0 5 bytes JMP 00007ffc3f860440 .text C:\WINDOWS\system32\DllHost.exe[5108] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00007ffbbf732cd0 1 byte JMP 00007ffc3f860260 .text C:\WINDOWS\system32\DllHost.exe[5108] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 00007ffbbf732cd2 3 bytes {JMP 0xffffffff8012d590} .text C:\WINDOWS\system32\DllHost.exe[5108] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootOptions 00007ffbbf732ce0 1 byte JMP 00007ffc3f860270 .text C:\WINDOWS\system32\DllHost.exe[5108] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 00007ffbbf732ce2 3 bytes {JMP 0xffffffff8012d590} .text C:\WINDOWS\system32\DllHost.exe[5108] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetContextThread 00007ffbbf732d00 5 bytes JMP 00007ffc3f860400 .text C:\WINDOWS\system32\DllHost.exe[5108] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ffbbf732ee0 5 bytes JMP 00007ffc3f8601f0 .text C:\WINDOWS\system32\DllHost.exe[5108] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00007ffbbf732ef0 5 bytes JMP 00007ffc3f860210 .text C:\WINDOWS\system32\DllHost.exe[5108] C:\WINDOWS\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ffbbf732f80 5 bytes JMP 00007ffc3f860200 .text C:\WINDOWS\system32\DllHost.exe[5108] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSuspendProcess 00007ffbbf732ff0 5 bytes JMP 00007ffc3f860420 .text C:\WINDOWS\system32\DllHost.exe[5108] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSuspendThread 00007ffbbf733000 5 bytes JMP 00007ffc3f860430 .text C:\WINDOWS\system32\DllHost.exe[5108] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ffbbf733010 5 bytes JMP 00007ffc3f860220 .text C:\WINDOWS\system32\DllHost.exe[5108] C:\WINDOWS\SYSTEM32\ntdll.dll!NtVdmControl 00007ffbbf733120 2 bytes JMP 00007ffc3f860280 .text C:\WINDOWS\system32\DllHost.exe[5108] C:\WINDOWS\SYSTEM32\ntdll.dll!NtVdmControl + 3 00007ffbbf733123 2 bytes [12, 80] .text C:\Program Files\CONEXANT\cAudioFilterAgent\CAudioFilterAgent64.exe[4292] C:\WINDOWS\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00007ffbbf731720 5 bytes JMP 00007ffc3f860460 .text C:\Program Files\CONEXANT\cAudioFilterAgent\CAudioFilterAgent64.exe[4292] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueryObject 00007ffbbf731770 5 bytes JMP 00007ffc3f860450 .text C:\Program Files\CONEXANT\cAudioFilterAgent\CAudioFilterAgent64.exe[4292] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenProcess 00007ffbbf7318d0 5 bytes JMP 00007ffc3f860370 .text C:\Program Files\CONEXANT\cAudioFilterAgent\CAudioFilterAgent64.exe[4292] C:\WINDOWS\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00007ffbbf731920 5 bytes JMP 00007ffc3f860470 .text C:\Program Files\CONEXANT\cAudioFilterAgent\CAudioFilterAgent64.exe[4292] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ffbbf731930 5 bytes JMP 00007ffc3f8603e0 .text C:\Program Files\CONEXANT\cAudioFilterAgent\CAudioFilterAgent64.exe[4292] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenSection 00007ffbbf7319e0 5 bytes JMP 00007ffc3f860320 .text C:\Program Files\CONEXANT\cAudioFilterAgent\CAudioFilterAgent64.exe[4292] C:\WINDOWS\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffbbf731a10 5 bytes JMP 00007ffc3f8603b0 .text C:\Program Files\CONEXANT\cAudioFilterAgent\CAudioFilterAgent64.exe[4292] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDuplicateObject 00007ffbbf731a30 5 bytes JMP 00007ffc3f860390 .text C:\Program Files\CONEXANT\cAudioFilterAgent\CAudioFilterAgent64.exe[4292] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenEvent 00007ffbbf731a70 5 bytes JMP 00007ffc3f8602e0 .text C:\Program Files\CONEXANT\cAudioFilterAgent\CAudioFilterAgent64.exe[4292] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateEvent 00007ffbbf731af0 5 bytes JMP 00007ffc3f8602d0 .text C:\Program Files\CONEXANT\cAudioFilterAgent\CAudioFilterAgent64.exe[4292] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSection 00007ffbbf731b10 5 bytes JMP 00007ffc3f860310 .text C:\Program Files\CONEXANT\cAudioFilterAgent\CAudioFilterAgent64.exe[4292] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThread 00007ffbbf731b50 5 bytes JMP 00007ffc3f8603c0 .text C:\Program Files\CONEXANT\cAudioFilterAgent\CAudioFilterAgent64.exe[4292] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateThread 00007ffbbf731ba0 5 bytes JMP 00007ffc3f8603f0 .text C:\Program Files\CONEXANT\cAudioFilterAgent\CAudioFilterAgent64.exe[4292] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAddBootEntry 00007ffbbf731d00 5 bytes JMP 00007ffc3f860230 .text C:\Program Files\CONEXANT\cAudioFilterAgent\CAudioFilterAgent64.exe[4292] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ffbbf731ef0 1 byte JMP 00007ffc3f860480 .text C:\Program Files\CONEXANT\cAudioFilterAgent\CAudioFilterAgent64.exe[4292] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort + 2 00007ffbbf731ef2 3 bytes {JMP 0xffffffff8012e590} .text C:\Program Files\CONEXANT\cAudioFilterAgent\CAudioFilterAgent64.exe[4292] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00007ffbbf731f20 5 bytes JMP 00007ffc3f8603a0 .text C:\Program Files\CONEXANT\cAudioFilterAgent\CAudioFilterAgent64.exe[4292] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ffbbf732040 5 bytes JMP 00007ffc3f8602f0 .text C:\Program Files\CONEXANT\cAudioFilterAgent\CAudioFilterAgent64.exe[4292] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00007ffbbf732060 5 bytes JMP 00007ffc3f860350 .text C:\Program Files\CONEXANT\cAudioFilterAgent\CAudioFilterAgent64.exe[4292] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateMutant 00007ffbbf7320d0 5 bytes JMP 00007ffc3f860290 .text C:\Program Files\CONEXANT\cAudioFilterAgent\CAudioFilterAgent64.exe[4292] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ffbbf732160 5 bytes JMP 00007ffc3f8602b0 .text C:\Program Files\CONEXANT\cAudioFilterAgent\CAudioFilterAgent64.exe[4292] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffbbf732180 5 bytes JMP 00007ffc3f8603d0 .text C:\Program Files\CONEXANT\cAudioFilterAgent\CAudioFilterAgent64.exe[4292] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateTimer 00007ffbbf732190 5 bytes JMP 00007ffc3f860330 .text C:\Program Files\CONEXANT\cAudioFilterAgent\CAudioFilterAgent64.exe[4292] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00007ffbbf732240 5 bytes JMP 00007ffc3f860410 .text C:\Program Files\CONEXANT\cAudioFilterAgent\CAudioFilterAgent64.exe[4292] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00007ffbbf732270 5 bytes JMP 00007ffc3f860240 .text C:\Program Files\CONEXANT\cAudioFilterAgent\CAudioFilterAgent64.exe[4292] C:\WINDOWS\SYSTEM32\ntdll.dll!NtLoadDriver 00007ffbbf732590 5 bytes JMP 00007ffc3f8601e0 .text C:\Program Files\CONEXANT\cAudioFilterAgent\CAudioFilterAgent64.exe[4292] C:\WINDOWS\SYSTEM32\ntdll.dll!NtModifyBootEntry 00007ffbbf732650 5 bytes JMP 00007ffc3f860250 .text C:\Program Files\CONEXANT\cAudioFilterAgent\CAudioFilterAgent64.exe[4292] C:\WINDOWS\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00007ffbbf732680 5 bytes JMP 00007ffc3f860490 .text C:\Program Files\CONEXANT\cAudioFilterAgent\CAudioFilterAgent64.exe[4292] C:\WINDOWS\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00007ffbbf732690 5 bytes JMP 00007ffc3f8604a0 .text C:\Program Files\CONEXANT\cAudioFilterAgent\CAudioFilterAgent64.exe[4292] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenEventPair 00007ffbbf7326c0 5 bytes JMP 00007ffc3f860300 .text C:\Program Files\CONEXANT\cAudioFilterAgent\CAudioFilterAgent64.exe[4292] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00007ffbbf7326d0 1 byte JMP 00007ffc3f860360 .text C:\Program Files\CONEXANT\cAudioFilterAgent\CAudioFilterAgent64.exe[4292] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenIoCompletion + 2 00007ffbbf7326d2 3 bytes {JMP 0xffffffff8012dc90} .text C:\Program Files\CONEXANT\cAudioFilterAgent\CAudioFilterAgent64.exe[4292] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenMutant 00007ffbbf732730 5 bytes JMP 00007ffc3f8602a0 .text C:\Program Files\CONEXANT\cAudioFilterAgent\CAudioFilterAgent64.exe[4292] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenSemaphore 00007ffbbf732780 5 bytes JMP 00007ffc3f8602c0 .text C:\Program Files\CONEXANT\cAudioFilterAgent\CAudioFilterAgent64.exe[4292] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenThread 00007ffbbf7327b0 5 bytes JMP 00007ffc3f860380 .text C:\Program Files\CONEXANT\cAudioFilterAgent\CAudioFilterAgent64.exe[4292] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenTimer 00007ffbbf7327c0 5 bytes JMP 00007ffc3f860340 .text C:\Program Files\CONEXANT\cAudioFilterAgent\CAudioFilterAgent64.exe[4292] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00007ffbbf732ad0 5 bytes JMP 00007ffc3f860440 .text C:\Program Files\CONEXANT\cAudioFilterAgent\CAudioFilterAgent64.exe[4292] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00007ffbbf732cd0 1 byte JMP 00007ffc3f860260 .text C:\Program Files\CONEXANT\cAudioFilterAgent\CAudioFilterAgent64.exe[4292] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 00007ffbbf732cd2 3 bytes {JMP 0xffffffff8012d590} .text C:\Program Files\CONEXANT\cAudioFilterAgent\CAudioFilterAgent64.exe[4292] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootOptions 00007ffbbf732ce0 1 byte JMP 00007ffc3f860270 .text C:\Program Files\CONEXANT\cAudioFilterAgent\CAudioFilterAgent64.exe[4292] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 00007ffbbf732ce2 3 bytes {JMP 0xffffffff8012d590} .text C:\Program Files\CONEXANT\cAudioFilterAgent\CAudioFilterAgent64.exe[4292] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetContextThread 00007ffbbf732d00 5 bytes JMP 00007ffc3f860400 .text C:\Program Files\CONEXANT\cAudioFilterAgent\CAudioFilterAgent64.exe[4292] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ffbbf732ee0 5 bytes JMP 00007ffc3f8601f0 .text C:\Program Files\CONEXANT\cAudioFilterAgent\CAudioFilterAgent64.exe[4292] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00007ffbbf732ef0 5 bytes JMP 00007ffc3f860210 .text C:\Program Files\CONEXANT\cAudioFilterAgent\CAudioFilterAgent64.exe[4292] C:\WINDOWS\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ffbbf732f80 5 bytes JMP 00007ffc3f860200 .text C:\Program Files\CONEXANT\cAudioFilterAgent\CAudioFilterAgent64.exe[4292] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSuspendProcess 00007ffbbf732ff0 5 bytes JMP 00007ffc3f860420 .text C:\Program Files\CONEXANT\cAudioFilterAgent\CAudioFilterAgent64.exe[4292] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSuspendThread 00007ffbbf733000 5 bytes JMP 00007ffc3f860430 .text C:\Program Files\CONEXANT\cAudioFilterAgent\CAudioFilterAgent64.exe[4292] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ffbbf733010 5 bytes JMP 00007ffc3f860220 .text C:\Program Files\CONEXANT\cAudioFilterAgent\CAudioFilterAgent64.exe[4292] C:\WINDOWS\SYSTEM32\ntdll.dll!NtVdmControl 00007ffbbf733120 2 bytes JMP 00007ffc3f860280 .text C:\Program Files\CONEXANT\cAudioFilterAgent\CAudioFilterAgent64.exe[4292] C:\WINDOWS\SYSTEM32\ntdll.dll!NtVdmControl + 3 00007ffbbf733123 2 bytes [12, 80] .text C:\WINDOWS\system32\wbem\wmiprvse.exe[4352] C:\WINDOWS\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00007ffbbf731720 5 bytes JMP 00007ffc3f860460 .text C:\WINDOWS\system32\wbem\wmiprvse.exe[4352] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueryObject 00007ffbbf731770 5 bytes JMP 00007ffc3f860450 .text C:\WINDOWS\system32\wbem\wmiprvse.exe[4352] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenProcess 00007ffbbf7318d0 5 bytes JMP 00007ffc3f860370 .text C:\WINDOWS\system32\wbem\wmiprvse.exe[4352] C:\WINDOWS\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00007ffbbf731920 5 bytes JMP 00007ffc3f860470 .text C:\WINDOWS\system32\wbem\wmiprvse.exe[4352] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ffbbf731930 5 bytes JMP 00007ffc3f8603e0 .text C:\WINDOWS\system32\wbem\wmiprvse.exe[4352] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenSection 00007ffbbf7319e0 5 bytes JMP 00007ffc3f860320 .text C:\WINDOWS\system32\wbem\wmiprvse.exe[4352] C:\WINDOWS\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffbbf731a10 5 bytes JMP 00007ffc3f8603b0 .text C:\WINDOWS\system32\wbem\wmiprvse.exe[4352] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDuplicateObject 00007ffbbf731a30 5 bytes JMP 00007ffc3f860390 .text C:\WINDOWS\system32\wbem\wmiprvse.exe[4352] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenEvent 00007ffbbf731a70 5 bytes JMP 00007ffc3f8602e0 .text C:\WINDOWS\system32\wbem\wmiprvse.exe[4352] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateEvent 00007ffbbf731af0 5 bytes JMP 00007ffc3f8602d0 .text C:\WINDOWS\system32\wbem\wmiprvse.exe[4352] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSection 00007ffbbf731b10 5 bytes JMP 00007ffc3f860310 .text C:\WINDOWS\system32\wbem\wmiprvse.exe[4352] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThread 00007ffbbf731b50 5 bytes JMP 00007ffc3f8603c0 .text C:\WINDOWS\system32\wbem\wmiprvse.exe[4352] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateThread 00007ffbbf731ba0 5 bytes JMP 00007ffc3f8603f0 .text C:\WINDOWS\system32\wbem\wmiprvse.exe[4352] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAddBootEntry 00007ffbbf731d00 5 bytes JMP 00007ffc3f860230 .text C:\WINDOWS\system32\wbem\wmiprvse.exe[4352] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ffbbf731ef0 1 byte JMP 00007ffc3f860480 .text C:\WINDOWS\system32\wbem\wmiprvse.exe[4352] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort + 2 00007ffbbf731ef2 3 bytes {JMP 0xffffffff8012e590} .text C:\WINDOWS\system32\wbem\wmiprvse.exe[4352] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00007ffbbf731f20 5 bytes JMP 00007ffc3f8603a0 .text C:\WINDOWS\system32\wbem\wmiprvse.exe[4352] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ffbbf732040 5 bytes JMP 00007ffc3f8602f0 .text C:\WINDOWS\system32\wbem\wmiprvse.exe[4352] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00007ffbbf732060 5 bytes JMP 00007ffc3f860350 .text C:\WINDOWS\system32\wbem\wmiprvse.exe[4352] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateMutant 00007ffbbf7320d0 5 bytes JMP 00007ffc3f860290 .text C:\WINDOWS\system32\wbem\wmiprvse.exe[4352] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ffbbf732160 5 bytes JMP 00007ffc3f8602b0 .text C:\WINDOWS\system32\wbem\wmiprvse.exe[4352] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffbbf732180 5 bytes JMP 00007ffc3f8603d0 .text C:\WINDOWS\system32\wbem\wmiprvse.exe[4352] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateTimer 00007ffbbf732190 5 bytes JMP 00007ffc3f860330 .text C:\WINDOWS\system32\wbem\wmiprvse.exe[4352] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00007ffbbf732240 5 bytes JMP 00007ffc3f860410 .text C:\WINDOWS\system32\wbem\wmiprvse.exe[4352] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00007ffbbf732270 5 bytes JMP 00007ffc3f860240 .text C:\WINDOWS\system32\wbem\wmiprvse.exe[4352] C:\WINDOWS\SYSTEM32\ntdll.dll!NtLoadDriver 00007ffbbf732590 5 bytes JMP 00007ffc3f8601e0 .text C:\WINDOWS\system32\wbem\wmiprvse.exe[4352] C:\WINDOWS\SYSTEM32\ntdll.dll!NtModifyBootEntry 00007ffbbf732650 5 bytes JMP 00007ffc3f860250 .text C:\WINDOWS\system32\wbem\wmiprvse.exe[4352] C:\WINDOWS\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00007ffbbf732680 5 bytes JMP 00007ffc3f860490 .text C:\WINDOWS\system32\wbem\wmiprvse.exe[4352] C:\WINDOWS\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00007ffbbf732690 5 bytes JMP 00007ffc3f8604a0 .text C:\WINDOWS\system32\wbem\wmiprvse.exe[4352] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenEventPair 00007ffbbf7326c0 5 bytes JMP 00007ffc3f860300 .text C:\WINDOWS\system32\wbem\wmiprvse.exe[4352] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00007ffbbf7326d0 1 byte JMP 00007ffc3f860360 .text C:\WINDOWS\system32\wbem\wmiprvse.exe[4352] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenIoCompletion + 2 00007ffbbf7326d2 3 bytes {JMP 0xffffffff8012dc90} .text C:\WINDOWS\system32\wbem\wmiprvse.exe[4352] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenMutant 00007ffbbf732730 5 bytes JMP 00007ffc3f8602a0 .text C:\WINDOWS\system32\wbem\wmiprvse.exe[4352] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenSemaphore 00007ffbbf732780 5 bytes JMP 00007ffc3f8602c0 .text C:\WINDOWS\system32\wbem\wmiprvse.exe[4352] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenThread 00007ffbbf7327b0 5 bytes JMP 00007ffc3f860380 .text C:\WINDOWS\system32\wbem\wmiprvse.exe[4352] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenTimer 00007ffbbf7327c0 5 bytes JMP 00007ffc3f860340 .text C:\WINDOWS\system32\wbem\wmiprvse.exe[4352] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00007ffbbf732ad0 5 bytes JMP 00007ffc3f860440 .text C:\WINDOWS\system32\wbem\wmiprvse.exe[4352] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00007ffbbf732cd0 1 byte JMP 00007ffc3f860260 .text C:\WINDOWS\system32\wbem\wmiprvse.exe[4352] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 00007ffbbf732cd2 3 bytes {JMP 0xffffffff8012d590} .text C:\WINDOWS\system32\wbem\wmiprvse.exe[4352] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootOptions 00007ffbbf732ce0 1 byte JMP 00007ffc3f860270 .text C:\WINDOWS\system32\wbem\wmiprvse.exe[4352] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 00007ffbbf732ce2 3 bytes {JMP 0xffffffff8012d590} .text C:\WINDOWS\system32\wbem\wmiprvse.exe[4352] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetContextThread 00007ffbbf732d00 5 bytes JMP 00007ffc3f860400 .text C:\WINDOWS\system32\wbem\wmiprvse.exe[4352] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ffbbf732ee0 5 bytes JMP 00007ffc3f8601f0 .text C:\WINDOWS\system32\wbem\wmiprvse.exe[4352] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00007ffbbf732ef0 5 bytes JMP 00007ffc3f860210 .text C:\WINDOWS\system32\wbem\wmiprvse.exe[4352] C:\WINDOWS\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ffbbf732f80 5 bytes JMP 00007ffc3f860200 .text C:\WINDOWS\system32\wbem\wmiprvse.exe[4352] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSuspendProcess 00007ffbbf732ff0 5 bytes JMP 00007ffc3f860420 .text C:\WINDOWS\system32\wbem\wmiprvse.exe[4352] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSuspendThread 00007ffbbf733000 5 bytes JMP 00007ffc3f860430 .text C:\WINDOWS\system32\wbem\wmiprvse.exe[4352] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ffbbf733010 5 bytes JMP 00007ffc3f860220 .text C:\WINDOWS\system32\wbem\wmiprvse.exe[4352] C:\WINDOWS\SYSTEM32\ntdll.dll!NtVdmControl 00007ffbbf733120 2 bytes JMP 00007ffc3f860280 .text C:\WINDOWS\system32\wbem\wmiprvse.exe[4352] C:\WINDOWS\SYSTEM32\ntdll.dll!NtVdmControl + 3 00007ffbbf733123 2 bytes [12, 80] .text C:\Program Files (x86)\Realtek\Realtek Bluetooth\BTServer.exe[4432] C:\WINDOWS\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00007ffbbf731720 5 bytes JMP 00007ffc3f860460 .text C:\Program Files (x86)\Realtek\Realtek Bluetooth\BTServer.exe[4432] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueryObject 00007ffbbf731770 5 bytes JMP 00007ffc3f860450 .text C:\Program Files (x86)\Realtek\Realtek Bluetooth\BTServer.exe[4432] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenProcess 00007ffbbf7318d0 5 bytes JMP 00007ffc3f860370 .text C:\Program Files (x86)\Realtek\Realtek Bluetooth\BTServer.exe[4432] C:\WINDOWS\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00007ffbbf731920 5 bytes JMP 00007ffc3f860470 .text C:\Program Files (x86)\Realtek\Realtek Bluetooth\BTServer.exe[4432] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ffbbf731930 5 bytes JMP 00007ffc3f8603e0 .text C:\Program Files (x86)\Realtek\Realtek Bluetooth\BTServer.exe[4432] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenSection 00007ffbbf7319e0 5 bytes JMP 00007ffc3f860320 .text C:\Program Files (x86)\Realtek\Realtek Bluetooth\BTServer.exe[4432] C:\WINDOWS\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffbbf731a10 5 bytes JMP 00007ffc3f8603b0 .text C:\Program Files (x86)\Realtek\Realtek Bluetooth\BTServer.exe[4432] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDuplicateObject 00007ffbbf731a30 5 bytes JMP 00007ffc3f860390 .text C:\Program Files (x86)\Realtek\Realtek Bluetooth\BTServer.exe[4432] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenEvent 00007ffbbf731a70 5 bytes JMP 00007ffc3f8602e0 .text C:\Program Files (x86)\Realtek\Realtek Bluetooth\BTServer.exe[4432] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateEvent 00007ffbbf731af0 5 bytes JMP 00007ffc3f8602d0 .text C:\Program Files (x86)\Realtek\Realtek Bluetooth\BTServer.exe[4432] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSection 00007ffbbf731b10 5 bytes JMP 00007ffc3f860310 .text C:\Program Files (x86)\Realtek\Realtek Bluetooth\BTServer.exe[4432] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThread 00007ffbbf731b50 5 bytes JMP 00007ffc3f8603c0 .text C:\Program Files (x86)\Realtek\Realtek Bluetooth\BTServer.exe[4432] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateThread 00007ffbbf731ba0 5 bytes JMP 00007ffc3f8603f0 .text C:\Program Files (x86)\Realtek\Realtek Bluetooth\BTServer.exe[4432] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAddBootEntry 00007ffbbf731d00 5 bytes JMP 00007ffc3f860230 .text C:\Program Files (x86)\Realtek\Realtek Bluetooth\BTServer.exe[4432] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ffbbf731ef0 1 byte JMP 00007ffc3f860480 .text C:\Program Files (x86)\Realtek\Realtek Bluetooth\BTServer.exe[4432] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort + 2 00007ffbbf731ef2 3 bytes {JMP 0xffffffff8012e590} .text C:\Program Files (x86)\Realtek\Realtek Bluetooth\BTServer.exe[4432] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00007ffbbf731f20 5 bytes JMP 00007ffc3f8603a0 .text C:\Program Files (x86)\Realtek\Realtek Bluetooth\BTServer.exe[4432] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ffbbf732040 5 bytes JMP 00007ffc3f8602f0 .text C:\Program Files (x86)\Realtek\Realtek Bluetooth\BTServer.exe[4432] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00007ffbbf732060 5 bytes JMP 00007ffc3f860350 .text C:\Program Files (x86)\Realtek\Realtek Bluetooth\BTServer.exe[4432] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateMutant 00007ffbbf7320d0 5 bytes JMP 00007ffc3f860290 .text C:\Program Files (x86)\Realtek\Realtek Bluetooth\BTServer.exe[4432] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ffbbf732160 5 bytes JMP 00007ffc3f8602b0 .text C:\Program Files (x86)\Realtek\Realtek Bluetooth\BTServer.exe[4432] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffbbf732180 5 bytes JMP 00007ffc3f8603d0 .text C:\Program Files (x86)\Realtek\Realtek Bluetooth\BTServer.exe[4432] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateTimer 00007ffbbf732190 5 bytes JMP 00007ffc3f860330 .text C:\Program Files (x86)\Realtek\Realtek Bluetooth\BTServer.exe[4432] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00007ffbbf732240 5 bytes JMP 00007ffc3f860410 .text C:\Program Files (x86)\Realtek\Realtek Bluetooth\BTServer.exe[4432] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00007ffbbf732270 5 bytes JMP 00007ffc3f860240 .text C:\Program Files (x86)\Realtek\Realtek Bluetooth\BTServer.exe[4432] C:\WINDOWS\SYSTEM32\ntdll.dll!NtLoadDriver 00007ffbbf732590 5 bytes JMP 00007ffc3f8601e0 .text C:\Program Files (x86)\Realtek\Realtek Bluetooth\BTServer.exe[4432] C:\WINDOWS\SYSTEM32\ntdll.dll!NtModifyBootEntry 00007ffbbf732650 5 bytes JMP 00007ffc3f860250 .text C:\Program Files (x86)\Realtek\Realtek Bluetooth\BTServer.exe[4432] C:\WINDOWS\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00007ffbbf732680 5 bytes JMP 00007ffc3f860490 .text C:\Program Files (x86)\Realtek\Realtek Bluetooth\BTServer.exe[4432] C:\WINDOWS\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00007ffbbf732690 5 bytes JMP 00007ffc3f8604a0 .text C:\Program Files (x86)\Realtek\Realtek Bluetooth\BTServer.exe[4432] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenEventPair 00007ffbbf7326c0 5 bytes JMP 00007ffc3f860300 .text C:\Program Files (x86)\Realtek\Realtek Bluetooth\BTServer.exe[4432] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00007ffbbf7326d0 1 byte JMP 00007ffc3f860360 .text C:\Program Files (x86)\Realtek\Realtek Bluetooth\BTServer.exe[4432] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenIoCompletion + 2 00007ffbbf7326d2 3 bytes {JMP 0xffffffff8012dc90} .text C:\Program Files (x86)\Realtek\Realtek Bluetooth\BTServer.exe[4432] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenMutant 00007ffbbf732730 5 bytes JMP 00007ffc3f8602a0 .text C:\Program Files (x86)\Realtek\Realtek Bluetooth\BTServer.exe[4432] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenSemaphore 00007ffbbf732780 5 bytes JMP 00007ffc3f8602c0 .text C:\Program Files (x86)\Realtek\Realtek Bluetooth\BTServer.exe[4432] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenThread 00007ffbbf7327b0 5 bytes JMP 00007ffc3f860380 .text C:\Program Files (x86)\Realtek\Realtek Bluetooth\BTServer.exe[4432] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenTimer 00007ffbbf7327c0 5 bytes JMP 00007ffc3f860340 .text C:\Program Files (x86)\Realtek\Realtek Bluetooth\BTServer.exe[4432] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00007ffbbf732ad0 5 bytes JMP 00007ffc3f860440 .text C:\Program Files (x86)\Realtek\Realtek Bluetooth\BTServer.exe[4432] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00007ffbbf732cd0 1 byte JMP 00007ffc3f860260 .text C:\Program Files (x86)\Realtek\Realtek Bluetooth\BTServer.exe[4432] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 00007ffbbf732cd2 3 bytes {JMP 0xffffffff8012d590} .text C:\Program Files (x86)\Realtek\Realtek Bluetooth\BTServer.exe[4432] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootOptions 00007ffbbf732ce0 1 byte JMP 00007ffc3f860270 .text C:\Program Files (x86)\Realtek\Realtek Bluetooth\BTServer.exe[4432] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 00007ffbbf732ce2 3 bytes {JMP 0xffffffff8012d590} .text C:\Program Files (x86)\Realtek\Realtek Bluetooth\BTServer.exe[4432] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetContextThread 00007ffbbf732d00 5 bytes JMP 00007ffc3f860400 .text C:\Program Files (x86)\Realtek\Realtek Bluetooth\BTServer.exe[4432] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ffbbf732ee0 5 bytes JMP 00007ffc3f8601f0 .text C:\Program Files (x86)\Realtek\Realtek Bluetooth\BTServer.exe[4432] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00007ffbbf732ef0 5 bytes JMP 00007ffc3f860210 .text C:\Program Files (x86)\Realtek\Realtek Bluetooth\BTServer.exe[4432] C:\WINDOWS\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ffbbf732f80 5 bytes JMP 00007ffc3f860200 .text C:\Program Files (x86)\Realtek\Realtek Bluetooth\BTServer.exe[4432] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSuspendProcess 00007ffbbf732ff0 5 bytes JMP 00007ffc3f860420 .text C:\Program Files (x86)\Realtek\Realtek Bluetooth\BTServer.exe[4432] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSuspendThread 00007ffbbf733000 5 bytes JMP 00007ffc3f860430 .text C:\Program Files (x86)\Realtek\Realtek Bluetooth\BTServer.exe[4432] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ffbbf733010 5 bytes JMP 00007ffc3f860220 .text C:\Program Files (x86)\Realtek\Realtek Bluetooth\BTServer.exe[4432] C:\WINDOWS\SYSTEM32\ntdll.dll!NtVdmControl 00007ffbbf733120 2 bytes JMP 00007ffc3f860280 .text C:\Program Files (x86)\Realtek\Realtek Bluetooth\BTServer.exe[4432] C:\WINDOWS\SYSTEM32\ntdll.dll!NtVdmControl + 3 00007ffbbf733123 2 bytes [12, 80] .text C:\Windows\RTFTrack.exe[4788] C:\WINDOWS\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00007ffbbf731720 5 bytes JMP 00007ffc3f860460 .text C:\Windows\RTFTrack.exe[4788] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueryObject 00007ffbbf731770 5 bytes JMP 00007ffc3f860450 .text C:\Windows\RTFTrack.exe[4788] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenProcess 00007ffbbf7318d0 5 bytes JMP 00007ffc3f860370 .text C:\Windows\RTFTrack.exe[4788] C:\WINDOWS\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00007ffbbf731920 5 bytes JMP 00007ffc3f860470 .text C:\Windows\RTFTrack.exe[4788] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ffbbf731930 5 bytes JMP 00007ffc3f8603e0 .text C:\Windows\RTFTrack.exe[4788] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenSection 00007ffbbf7319e0 5 bytes JMP 00007ffc3f860320 .text C:\Windows\RTFTrack.exe[4788] C:\WINDOWS\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffbbf731a10 5 bytes JMP 00007ffc3f8603b0 .text C:\Windows\RTFTrack.exe[4788] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDuplicateObject 00007ffbbf731a30 5 bytes JMP 00007ffc3f860390 .text C:\Windows\RTFTrack.exe[4788] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenEvent 00007ffbbf731a70 5 bytes JMP 00007ffc3f8602e0 .text C:\Windows\RTFTrack.exe[4788] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateEvent 00007ffbbf731af0 5 bytes JMP 00007ffc3f8602d0 .text C:\Windows\RTFTrack.exe[4788] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSection 00007ffbbf731b10 5 bytes JMP 00007ffc3f860310 .text C:\Windows\RTFTrack.exe[4788] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThread 00007ffbbf731b50 5 bytes JMP 00007ffc3f8603c0 .text C:\Windows\RTFTrack.exe[4788] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateThread 00007ffbbf731ba0 5 bytes JMP 00007ffc3f8603f0 .text C:\Windows\RTFTrack.exe[4788] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAddBootEntry 00007ffbbf731d00 5 bytes JMP 00007ffc3f860230 .text C:\Windows\RTFTrack.exe[4788] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ffbbf731ef0 1 byte JMP 00007ffc3f860480 .text C:\Windows\RTFTrack.exe[4788] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort + 2 00007ffbbf731ef2 3 bytes {JMP 0xffffffff8012e590} .text C:\Windows\RTFTrack.exe[4788] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00007ffbbf731f20 5 bytes JMP 00007ffc3f8603a0 .text C:\Windows\RTFTrack.exe[4788] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ffbbf732040 5 bytes JMP 00007ffc3f8602f0 .text C:\Windows\RTFTrack.exe[4788] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00007ffbbf732060 5 bytes JMP 00007ffc3f860350 .text C:\Windows\RTFTrack.exe[4788] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateMutant 00007ffbbf7320d0 5 bytes JMP 00007ffc3f860290 .text C:\Windows\RTFTrack.exe[4788] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ffbbf732160 5 bytes JMP 00007ffc3f8602b0 .text C:\Windows\RTFTrack.exe[4788] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffbbf732180 5 bytes JMP 00007ffc3f8603d0 .text C:\Windows\RTFTrack.exe[4788] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateTimer 00007ffbbf732190 5 bytes JMP 00007ffc3f860330 .text C:\Windows\RTFTrack.exe[4788] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00007ffbbf732240 5 bytes JMP 00007ffc3f860410 .text C:\Windows\RTFTrack.exe[4788] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00007ffbbf732270 5 bytes JMP 00007ffc3f860240 .text C:\Windows\RTFTrack.exe[4788] C:\WINDOWS\SYSTEM32\ntdll.dll!NtLoadDriver 00007ffbbf732590 5 bytes JMP 00007ffc3f8601e0 .text C:\Windows\RTFTrack.exe[4788] C:\WINDOWS\SYSTEM32\ntdll.dll!NtModifyBootEntry 00007ffbbf732650 5 bytes JMP 00007ffc3f860250 .text C:\Windows\RTFTrack.exe[4788] C:\WINDOWS\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00007ffbbf732680 5 bytes JMP 00007ffc3f860490 .text C:\Windows\RTFTrack.exe[4788] C:\WINDOWS\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00007ffbbf732690 5 bytes JMP 00007ffc3f8604a0 .text C:\Windows\RTFTrack.exe[4788] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenEventPair 00007ffbbf7326c0 5 bytes JMP 00007ffc3f860300 .text C:\Windows\RTFTrack.exe[4788] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00007ffbbf7326d0 1 byte JMP 00007ffc3f860360 .text C:\Windows\RTFTrack.exe[4788] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenIoCompletion + 2 00007ffbbf7326d2 3 bytes {JMP 0xffffffff8012dc90} .text C:\Windows\RTFTrack.exe[4788] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenMutant 00007ffbbf732730 5 bytes JMP 00007ffc3f8602a0 .text C:\Windows\RTFTrack.exe[4788] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenSemaphore 00007ffbbf732780 5 bytes JMP 00007ffc3f8602c0 .text C:\Windows\RTFTrack.exe[4788] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenThread 00007ffbbf7327b0 5 bytes JMP 00007ffc3f860380 .text C:\Windows\RTFTrack.exe[4788] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenTimer 00007ffbbf7327c0 5 bytes JMP 00007ffc3f860340 .text C:\Windows\RTFTrack.exe[4788] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00007ffbbf732ad0 5 bytes JMP 00007ffc3f860440 .text C:\Windows\RTFTrack.exe[4788] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00007ffbbf732cd0 1 byte JMP 00007ffc3f860260 .text C:\Windows\RTFTrack.exe[4788] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 00007ffbbf732cd2 3 bytes {JMP 0xffffffff8012d590} .text C:\Windows\RTFTrack.exe[4788] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootOptions 00007ffbbf732ce0 1 byte JMP 00007ffc3f860270 .text C:\Windows\RTFTrack.exe[4788] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 00007ffbbf732ce2 3 bytes {JMP 0xffffffff8012d590} .text C:\Windows\RTFTrack.exe[4788] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetContextThread 00007ffbbf732d00 5 bytes JMP 00007ffc3f860400 .text C:\Windows\RTFTrack.exe[4788] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ffbbf732ee0 5 bytes JMP 00007ffc3f8601f0 .text C:\Windows\RTFTrack.exe[4788] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00007ffbbf732ef0 5 bytes JMP 00007ffc3f860210 .text C:\Windows\RTFTrack.exe[4788] C:\WINDOWS\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ffbbf732f80 5 bytes JMP 00007ffc3f860200 .text C:\Windows\RTFTrack.exe[4788] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSuspendProcess 00007ffbbf732ff0 5 bytes JMP 00007ffc3f860420 .text C:\Windows\RTFTrack.exe[4788] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSuspendThread 00007ffbbf733000 5 bytes JMP 00007ffc3f860430 .text C:\Windows\RTFTrack.exe[4788] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ffbbf733010 5 bytes JMP 00007ffc3f860220 .text C:\Windows\RTFTrack.exe[4788] C:\WINDOWS\SYSTEM32\ntdll.dll!NtVdmControl 00007ffbbf733120 2 bytes JMP 00007ffc3f860280 .text C:\Windows\RTFTrack.exe[4788] C:\WINDOWS\SYSTEM32\ntdll.dll!NtVdmControl + 3 00007ffbbf733123 2 bytes [12, 80] .text C:\Program Files (x86)\Lenovo\Energy Manager\utility.exe[4964] C:\WINDOWS\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00007ffbbf731720 5 bytes JMP 00007ffc3f860460 .text C:\Program Files (x86)\Lenovo\Energy Manager\utility.exe[4964] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueryObject 00007ffbbf731770 5 bytes JMP 00007ffc3f860450 .text C:\Program Files (x86)\Lenovo\Energy Manager\utility.exe[4964] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenProcess 00007ffbbf7318d0 5 bytes JMP 00007ffc3f860370 .text C:\Program Files (x86)\Lenovo\Energy Manager\utility.exe[4964] C:\WINDOWS\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00007ffbbf731920 5 bytes JMP 00007ffc3f860470 .text C:\Program Files (x86)\Lenovo\Energy Manager\utility.exe[4964] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ffbbf731930 5 bytes JMP 00007ffc3f8603e0 .text C:\Program Files (x86)\Lenovo\Energy Manager\utility.exe[4964] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenSection 00007ffbbf7319e0 5 bytes JMP 00007ffc3f860320 .text C:\Program Files (x86)\Lenovo\Energy Manager\utility.exe[4964] C:\WINDOWS\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffbbf731a10 5 bytes JMP 00007ffc3f8603b0 .text C:\Program Files (x86)\Lenovo\Energy Manager\utility.exe[4964] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDuplicateObject 00007ffbbf731a30 5 bytes JMP 00007ffc3f860390 .text C:\Program Files (x86)\Lenovo\Energy Manager\utility.exe[4964] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenEvent 00007ffbbf731a70 5 bytes JMP 00007ffc3f8602e0 .text C:\Program Files (x86)\Lenovo\Energy Manager\utility.exe[4964] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateEvent 00007ffbbf731af0 5 bytes JMP 00007ffc3f8602d0 .text C:\Program Files (x86)\Lenovo\Energy Manager\utility.exe[4964] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSection 00007ffbbf731b10 5 bytes JMP 00007ffc3f860310 .text C:\Program Files (x86)\Lenovo\Energy Manager\utility.exe[4964] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThread 00007ffbbf731b50 5 bytes JMP 00007ffc3f8603c0 .text C:\Program Files (x86)\Lenovo\Energy Manager\utility.exe[4964] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateThread 00007ffbbf731ba0 5 bytes JMP 00007ffc3f8603f0 .text C:\Program Files (x86)\Lenovo\Energy Manager\utility.exe[4964] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAddBootEntry 00007ffbbf731d00 5 bytes JMP 00007ffc3f860230 .text C:\Program Files (x86)\Lenovo\Energy Manager\utility.exe[4964] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ffbbf731ef0 1 byte JMP 00007ffc3f860480 .text C:\Program Files (x86)\Lenovo\Energy Manager\utility.exe[4964] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort + 2 00007ffbbf731ef2 3 bytes {JMP 0xffffffff8012e590} .text C:\Program Files (x86)\Lenovo\Energy Manager\utility.exe[4964] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00007ffbbf731f20 5 bytes JMP 00007ffc3f8603a0 .text C:\Program Files (x86)\Lenovo\Energy Manager\utility.exe[4964] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ffbbf732040 5 bytes JMP 00007ffc3f8602f0 .text C:\Program Files (x86)\Lenovo\Energy Manager\utility.exe[4964] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00007ffbbf732060 5 bytes JMP 00007ffc3f860350 .text C:\Program Files (x86)\Lenovo\Energy Manager\utility.exe[4964] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateMutant 00007ffbbf7320d0 5 bytes JMP 00007ffc3f860290 .text C:\Program Files (x86)\Lenovo\Energy Manager\utility.exe[4964] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ffbbf732160 5 bytes JMP 00007ffc3f8602b0 .text C:\Program Files (x86)\Lenovo\Energy Manager\utility.exe[4964] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffbbf732180 5 bytes JMP 00007ffc3f8603d0 .text C:\Program Files (x86)\Lenovo\Energy Manager\utility.exe[4964] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateTimer 00007ffbbf732190 5 bytes JMP 00007ffc3f860330 .text C:\Program Files (x86)\Lenovo\Energy Manager\utility.exe[4964] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00007ffbbf732240 5 bytes JMP 00007ffc3f860410 .text C:\Program Files (x86)\Lenovo\Energy Manager\utility.exe[4964] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00007ffbbf732270 5 bytes JMP 00007ffc3f860240 .text C:\Program Files (x86)\Lenovo\Energy Manager\utility.exe[4964] C:\WINDOWS\SYSTEM32\ntdll.dll!NtLoadDriver 00007ffbbf732590 5 bytes JMP 00007ffc3f8601e0 .text C:\Program Files (x86)\Lenovo\Energy Manager\utility.exe[4964] C:\WINDOWS\SYSTEM32\ntdll.dll!NtModifyBootEntry 00007ffbbf732650 5 bytes JMP 00007ffc3f860250 .text C:\Program Files (x86)\Lenovo\Energy Manager\utility.exe[4964] C:\WINDOWS\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00007ffbbf732680 5 bytes JMP 00007ffc3f860490 .text C:\Program Files (x86)\Lenovo\Energy Manager\utility.exe[4964] C:\WINDOWS\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00007ffbbf732690 5 bytes JMP 00007ffc3f8604a0 .text C:\Program Files (x86)\Lenovo\Energy Manager\utility.exe[4964] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenEventPair 00007ffbbf7326c0 5 bytes JMP 00007ffc3f860300 .text C:\Program Files (x86)\Lenovo\Energy Manager\utility.exe[4964] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00007ffbbf7326d0 1 byte JMP 00007ffc3f860360 .text C:\Program Files (x86)\Lenovo\Energy Manager\utility.exe[4964] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenIoCompletion + 2 00007ffbbf7326d2 3 bytes {JMP 0xffffffff8012dc90} .text C:\Program Files (x86)\Lenovo\Energy Manager\utility.exe[4964] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenMutant 00007ffbbf732730 5 bytes JMP 00007ffc3f8602a0 .text C:\Program Files (x86)\Lenovo\Energy Manager\utility.exe[4964] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenSemaphore 00007ffbbf732780 5 bytes JMP 00007ffc3f8602c0 .text C:\Program Files (x86)\Lenovo\Energy Manager\utility.exe[4964] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenThread 00007ffbbf7327b0 5 bytes JMP 00007ffc3f860380 .text C:\Program Files (x86)\Lenovo\Energy Manager\utility.exe[4964] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenTimer 00007ffbbf7327c0 5 bytes JMP 00007ffc3f860340 .text C:\Program Files (x86)\Lenovo\Energy Manager\utility.exe[4964] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00007ffbbf732ad0 5 bytes JMP 00007ffc3f860440 .text C:\Program Files (x86)\Lenovo\Energy Manager\utility.exe[4964] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00007ffbbf732cd0 1 byte JMP 00007ffc3f860260 .text C:\Program Files (x86)\Lenovo\Energy Manager\utility.exe[4964] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 00007ffbbf732cd2 3 bytes {JMP 0xffffffff8012d590} .text C:\Program Files (x86)\Lenovo\Energy Manager\utility.exe[4964] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootOptions 00007ffbbf732ce0 1 byte JMP 00007ffc3f860270 .text C:\Program Files (x86)\Lenovo\Energy Manager\utility.exe[4964] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 00007ffbbf732ce2 3 bytes {JMP 0xffffffff8012d590} .text C:\Program Files (x86)\Lenovo\Energy Manager\utility.exe[4964] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetContextThread 00007ffbbf732d00 5 bytes JMP 00007ffc3f860400 .text C:\Program Files (x86)\Lenovo\Energy Manager\utility.exe[4964] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ffbbf732ee0 5 bytes JMP 00007ffc3f8601f0 .text C:\Program Files (x86)\Lenovo\Energy Manager\utility.exe[4964] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00007ffbbf732ef0 5 bytes JMP 00007ffc3f860210 .text C:\Program Files (x86)\Lenovo\Energy Manager\utility.exe[4964] C:\WINDOWS\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ffbbf732f80 5 bytes JMP 00007ffc3f860200 .text C:\Program Files (x86)\Lenovo\Energy Manager\utility.exe[4964] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSuspendProcess 00007ffbbf732ff0 5 bytes JMP 00007ffc3f860420 .text C:\Program Files (x86)\Lenovo\Energy Manager\utility.exe[4964] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSuspendThread 00007ffbbf733000 5 bytes JMP 00007ffc3f860430 .text C:\Program Files (x86)\Lenovo\Energy Manager\utility.exe[4964] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ffbbf733010 5 bytes JMP 00007ffc3f860220 .text C:\Program Files (x86)\Lenovo\Energy Manager\utility.exe[4964] C:\WINDOWS\SYSTEM32\ntdll.dll!NtVdmControl 00007ffbbf733120 2 bytes JMP 00007ffc3f860280 .text C:\Program Files (x86)\Lenovo\Energy Manager\utility.exe[4964] C:\WINDOWS\SYSTEM32\ntdll.dll!NtVdmControl + 3 00007ffbbf733123 2 bytes [12, 80] .text C:\Users\Przemek\AppData\Local\Pokki\Engine\HostAppServiceUpdater.exe[3748] C:\WINDOWS\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00007ffbbf731720 5 bytes JMP 00007ffc3f860460 .text C:\Users\Przemek\AppData\Local\Pokki\Engine\HostAppServiceUpdater.exe[3748] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueryObject 00007ffbbf731770 5 bytes JMP 00007ffc3f860450 .text C:\Users\Przemek\AppData\Local\Pokki\Engine\HostAppServiceUpdater.exe[3748] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenProcess 00007ffbbf7318d0 5 bytes JMP 00007ffc3f860370 .text C:\Users\Przemek\AppData\Local\Pokki\Engine\HostAppServiceUpdater.exe[3748] C:\WINDOWS\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00007ffbbf731920 5 bytes JMP 00007ffc3f860470 .text C:\Users\Przemek\AppData\Local\Pokki\Engine\HostAppServiceUpdater.exe[3748] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ffbbf731930 5 bytes JMP 00007ffc3f8603e0 .text C:\Users\Przemek\AppData\Local\Pokki\Engine\HostAppServiceUpdater.exe[3748] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenSection 00007ffbbf7319e0 5 bytes JMP 00007ffc3f860320 .text C:\Users\Przemek\AppData\Local\Pokki\Engine\HostAppServiceUpdater.exe[3748] C:\WINDOWS\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffbbf731a10 5 bytes JMP 00007ffc3f8603b0 .text C:\Users\Przemek\AppData\Local\Pokki\Engine\HostAppServiceUpdater.exe[3748] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDuplicateObject 00007ffbbf731a30 5 bytes JMP 00007ffc3f860390 .text C:\Users\Przemek\AppData\Local\Pokki\Engine\HostAppServiceUpdater.exe[3748] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenEvent 00007ffbbf731a70 5 bytes JMP 00007ffc3f8602e0 .text C:\Users\Przemek\AppData\Local\Pokki\Engine\HostAppServiceUpdater.exe[3748] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateEvent 00007ffbbf731af0 5 bytes JMP 00007ffc3f8602d0 .text C:\Users\Przemek\AppData\Local\Pokki\Engine\HostAppServiceUpdater.exe[3748] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSection 00007ffbbf731b10 5 bytes JMP 00007ffc3f860310 .text C:\Users\Przemek\AppData\Local\Pokki\Engine\HostAppServiceUpdater.exe[3748] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThread 00007ffbbf731b50 5 bytes JMP 00007ffc3f8603c0 .text C:\Users\Przemek\AppData\Local\Pokki\Engine\HostAppServiceUpdater.exe[3748] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateThread 00007ffbbf731ba0 5 bytes JMP 00007ffc3f8603f0 .text C:\Users\Przemek\AppData\Local\Pokki\Engine\HostAppServiceUpdater.exe[3748] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAddBootEntry 00007ffbbf731d00 5 bytes JMP 00007ffc3f860230 .text C:\Users\Przemek\AppData\Local\Pokki\Engine\HostAppServiceUpdater.exe[3748] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ffbbf731ef0 1 byte JMP 00007ffc3f860480 .text C:\Users\Przemek\AppData\Local\Pokki\Engine\HostAppServiceUpdater.exe[3748] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort + 2 00007ffbbf731ef2 3 bytes {JMP 0xffffffff8012e590} .text C:\Users\Przemek\AppData\Local\Pokki\Engine\HostAppServiceUpdater.exe[3748] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00007ffbbf731f20 5 bytes JMP 00007ffc3f8603a0 .text C:\Users\Przemek\AppData\Local\Pokki\Engine\HostAppServiceUpdater.exe[3748] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ffbbf732040 5 bytes JMP 00007ffc3f8602f0 .text C:\Users\Przemek\AppData\Local\Pokki\Engine\HostAppServiceUpdater.exe[3748] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00007ffbbf732060 5 bytes JMP 00007ffc3f860350 .text C:\Users\Przemek\AppData\Local\Pokki\Engine\HostAppServiceUpdater.exe[3748] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateMutant 00007ffbbf7320d0 5 bytes JMP 00007ffc3f860290 .text C:\Users\Przemek\AppData\Local\Pokki\Engine\HostAppServiceUpdater.exe[3748] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ffbbf732160 5 bytes JMP 00007ffc3f8602b0 .text C:\Users\Przemek\AppData\Local\Pokki\Engine\HostAppServiceUpdater.exe[3748] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffbbf732180 5 bytes JMP 00007ffc3f8603d0 .text C:\Users\Przemek\AppData\Local\Pokki\Engine\HostAppServiceUpdater.exe[3748] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateTimer 00007ffbbf732190 5 bytes JMP 00007ffc3f860330 .text C:\Users\Przemek\AppData\Local\Pokki\Engine\HostAppServiceUpdater.exe[3748] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00007ffbbf732240 5 bytes JMP 00007ffc3f860410 .text C:\Users\Przemek\AppData\Local\Pokki\Engine\HostAppServiceUpdater.exe[3748] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00007ffbbf732270 5 bytes JMP 00007ffc3f860240 .text C:\Users\Przemek\AppData\Local\Pokki\Engine\HostAppServiceUpdater.exe[3748] C:\WINDOWS\SYSTEM32\ntdll.dll!NtLoadDriver 00007ffbbf732590 5 bytes JMP 00007ffc3f8601e0 .text C:\Users\Przemek\AppData\Local\Pokki\Engine\HostAppServiceUpdater.exe[3748] C:\WINDOWS\SYSTEM32\ntdll.dll!NtModifyBootEntry 00007ffbbf732650 5 bytes JMP 00007ffc3f860250 .text C:\Users\Przemek\AppData\Local\Pokki\Engine\HostAppServiceUpdater.exe[3748] C:\WINDOWS\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00007ffbbf732680 5 bytes JMP 00007ffc3f860490 .text C:\Users\Przemek\AppData\Local\Pokki\Engine\HostAppServiceUpdater.exe[3748] C:\WINDOWS\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00007ffbbf732690 5 bytes JMP 00007ffc3f8604a0 .text C:\Users\Przemek\AppData\Local\Pokki\Engine\HostAppServiceUpdater.exe[3748] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenEventPair 00007ffbbf7326c0 5 bytes JMP 00007ffc3f860300 .text C:\Users\Przemek\AppData\Local\Pokki\Engine\HostAppServiceUpdater.exe[3748] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00007ffbbf7326d0 1 byte JMP 00007ffc3f860360 .text C:\Users\Przemek\AppData\Local\Pokki\Engine\HostAppServiceUpdater.exe[3748] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenIoCompletion + 2 00007ffbbf7326d2 3 bytes {JMP 0xffffffff8012dc90} .text C:\Users\Przemek\AppData\Local\Pokki\Engine\HostAppServiceUpdater.exe[3748] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenMutant 00007ffbbf732730 5 bytes JMP 00007ffc3f8602a0 .text C:\Users\Przemek\AppData\Local\Pokki\Engine\HostAppServiceUpdater.exe[3748] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenSemaphore 00007ffbbf732780 5 bytes JMP 00007ffc3f8602c0 .text C:\Users\Przemek\AppData\Local\Pokki\Engine\HostAppServiceUpdater.exe[3748] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenThread 00007ffbbf7327b0 5 bytes JMP 00007ffc3f860380 .text C:\Users\Przemek\AppData\Local\Pokki\Engine\HostAppServiceUpdater.exe[3748] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenTimer 00007ffbbf7327c0 5 bytes JMP 00007ffc3f860340 .text C:\Users\Przemek\AppData\Local\Pokki\Engine\HostAppServiceUpdater.exe[3748] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00007ffbbf732ad0 5 bytes JMP 00007ffc3f860440 .text C:\Users\Przemek\AppData\Local\Pokki\Engine\HostAppServiceUpdater.exe[3748] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00007ffbbf732cd0 1 byte JMP 00007ffc3f860260 .text C:\Users\Przemek\AppData\Local\Pokki\Engine\HostAppServiceUpdater.exe[3748] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 00007ffbbf732cd2 3 bytes {JMP 0xffffffff8012d590} .text C:\Users\Przemek\AppData\Local\Pokki\Engine\HostAppServiceUpdater.exe[3748] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootOptions 00007ffbbf732ce0 1 byte JMP 00007ffc3f860270 .text C:\Users\Przemek\AppData\Local\Pokki\Engine\HostAppServiceUpdater.exe[3748] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 00007ffbbf732ce2 3 bytes {JMP 0xffffffff8012d590} .text C:\Users\Przemek\AppData\Local\Pokki\Engine\HostAppServiceUpdater.exe[3748] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetContextThread 00007ffbbf732d00 5 bytes JMP 00007ffc3f860400 .text C:\Users\Przemek\AppData\Local\Pokki\Engine\HostAppServiceUpdater.exe[3748] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ffbbf732ee0 5 bytes JMP 00007ffc3f8601f0 .text C:\Users\Przemek\AppData\Local\Pokki\Engine\HostAppServiceUpdater.exe[3748] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00007ffbbf732ef0 5 bytes JMP 00007ffc3f860210 .text C:\Users\Przemek\AppData\Local\Pokki\Engine\HostAppServiceUpdater.exe[3748] C:\WINDOWS\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ffbbf732f80 5 bytes JMP 00007ffc3f860200 .text C:\Users\Przemek\AppData\Local\Pokki\Engine\HostAppServiceUpdater.exe[3748] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSuspendProcess 00007ffbbf732ff0 5 bytes JMP 00007ffc3f860420 .text C:\Users\Przemek\AppData\Local\Pokki\Engine\HostAppServiceUpdater.exe[3748] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSuspendThread 00007ffbbf733000 5 bytes JMP 00007ffc3f860430 .text C:\Users\Przemek\AppData\Local\Pokki\Engine\HostAppServiceUpdater.exe[3748] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ffbbf733010 5 bytes JMP 00007ffc3f860220 .text C:\Users\Przemek\AppData\Local\Pokki\Engine\HostAppServiceUpdater.exe[3748] C:\WINDOWS\SYSTEM32\ntdll.dll!NtVdmControl 00007ffbbf733120 2 bytes JMP 00007ffc3f860280 .text C:\Users\Przemek\AppData\Local\Pokki\Engine\HostAppServiceUpdater.exe[3748] C:\WINDOWS\SYSTEM32\ntdll.dll!NtVdmControl + 3 00007ffbbf733123 2 bytes [12, 80] .text C:\WINDOWS\system32\wbem\unsecapp.exe[4588] C:\WINDOWS\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00007ffbbf731720 5 bytes JMP 00007ffc3f860460 .text C:\WINDOWS\system32\wbem\unsecapp.exe[4588] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueryObject 00007ffbbf731770 5 bytes JMP 00007ffc3f860450 .text C:\WINDOWS\system32\wbem\unsecapp.exe[4588] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenProcess 00007ffbbf7318d0 5 bytes JMP 00007ffc3f860370 .text C:\WINDOWS\system32\wbem\unsecapp.exe[4588] C:\WINDOWS\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00007ffbbf731920 5 bytes JMP 00007ffc3f860470 .text C:\WINDOWS\system32\wbem\unsecapp.exe[4588] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ffbbf731930 5 bytes JMP 00007ffc3f8603e0 .text C:\WINDOWS\system32\wbem\unsecapp.exe[4588] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenSection 00007ffbbf7319e0 5 bytes JMP 00007ffc3f860320 .text C:\WINDOWS\system32\wbem\unsecapp.exe[4588] C:\WINDOWS\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffbbf731a10 5 bytes JMP 00007ffc3f8603b0 .text C:\WINDOWS\system32\wbem\unsecapp.exe[4588] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDuplicateObject 00007ffbbf731a30 5 bytes JMP 00007ffc3f860390 .text C:\WINDOWS\system32\wbem\unsecapp.exe[4588] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenEvent 00007ffbbf731a70 5 bytes JMP 00007ffc3f8602e0 .text C:\WINDOWS\system32\wbem\unsecapp.exe[4588] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateEvent 00007ffbbf731af0 5 bytes JMP 00007ffc3f8602d0 .text C:\WINDOWS\system32\wbem\unsecapp.exe[4588] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSection 00007ffbbf731b10 5 bytes JMP 00007ffc3f860310 .text C:\WINDOWS\system32\wbem\unsecapp.exe[4588] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThread 00007ffbbf731b50 5 bytes JMP 00007ffc3f8603c0 .text C:\WINDOWS\system32\wbem\unsecapp.exe[4588] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateThread 00007ffbbf731ba0 5 bytes JMP 00007ffc3f8603f0 .text C:\WINDOWS\system32\wbem\unsecapp.exe[4588] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAddBootEntry 00007ffbbf731d00 5 bytes JMP 00007ffc3f860230 .text C:\WINDOWS\system32\wbem\unsecapp.exe[4588] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ffbbf731ef0 1 byte JMP 00007ffc3f860480 .text C:\WINDOWS\system32\wbem\unsecapp.exe[4588] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort + 2 00007ffbbf731ef2 3 bytes {JMP 0xffffffff8012e590} .text C:\WINDOWS\system32\wbem\unsecapp.exe[4588] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00007ffbbf731f20 5 bytes JMP 00007ffc3f8603a0 .text C:\WINDOWS\system32\wbem\unsecapp.exe[4588] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ffbbf732040 5 bytes JMP 00007ffc3f8602f0 .text C:\WINDOWS\system32\wbem\unsecapp.exe[4588] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00007ffbbf732060 5 bytes JMP 00007ffc3f860350 .text C:\WINDOWS\system32\wbem\unsecapp.exe[4588] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateMutant 00007ffbbf7320d0 5 bytes JMP 00007ffc3f860290 .text C:\WINDOWS\system32\wbem\unsecapp.exe[4588] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ffbbf732160 5 bytes JMP 00007ffc3f8602b0 .text C:\WINDOWS\system32\wbem\unsecapp.exe[4588] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffbbf732180 5 bytes JMP 00007ffc3f8603d0 .text C:\WINDOWS\system32\wbem\unsecapp.exe[4588] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateTimer 00007ffbbf732190 5 bytes JMP 00007ffc3f860330 .text C:\WINDOWS\system32\wbem\unsecapp.exe[4588] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00007ffbbf732240 5 bytes JMP 00007ffc3f860410 .text C:\WINDOWS\system32\wbem\unsecapp.exe[4588] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00007ffbbf732270 5 bytes JMP 00007ffc3f860240 .text C:\WINDOWS\system32\wbem\unsecapp.exe[4588] C:\WINDOWS\SYSTEM32\ntdll.dll!NtLoadDriver 00007ffbbf732590 5 bytes JMP 00007ffc3f8601e0 .text C:\WINDOWS\system32\wbem\unsecapp.exe[4588] C:\WINDOWS\SYSTEM32\ntdll.dll!NtModifyBootEntry 00007ffbbf732650 5 bytes JMP 00007ffc3f860250 .text C:\WINDOWS\system32\wbem\unsecapp.exe[4588] C:\WINDOWS\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00007ffbbf732680 5 bytes JMP 00007ffc3f860490 .text C:\WINDOWS\system32\wbem\unsecapp.exe[4588] C:\WINDOWS\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00007ffbbf732690 5 bytes JMP 00007ffc3f8604a0 .text C:\WINDOWS\system32\wbem\unsecapp.exe[4588] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenEventPair 00007ffbbf7326c0 5 bytes JMP 00007ffc3f860300 .text C:\WINDOWS\system32\wbem\unsecapp.exe[4588] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00007ffbbf7326d0 1 byte JMP 00007ffc3f860360 .text C:\WINDOWS\system32\wbem\unsecapp.exe[4588] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenIoCompletion + 2 00007ffbbf7326d2 3 bytes {JMP 0xffffffff8012dc90} .text C:\WINDOWS\system32\wbem\unsecapp.exe[4588] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenMutant 00007ffbbf732730 5 bytes JMP 00007ffc3f8602a0 .text C:\WINDOWS\system32\wbem\unsecapp.exe[4588] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenSemaphore 00007ffbbf732780 5 bytes JMP 00007ffc3f8602c0 .text C:\WINDOWS\system32\wbem\unsecapp.exe[4588] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenThread 00007ffbbf7327b0 5 bytes JMP 00007ffc3f860380 .text C:\WINDOWS\system32\wbem\unsecapp.exe[4588] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenTimer 00007ffbbf7327c0 5 bytes JMP 00007ffc3f860340 .text C:\WINDOWS\system32\wbem\unsecapp.exe[4588] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00007ffbbf732ad0 5 bytes JMP 00007ffc3f860440 .text C:\WINDOWS\system32\wbem\unsecapp.exe[4588] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00007ffbbf732cd0 1 byte JMP 00007ffc3f860260 .text C:\WINDOWS\system32\wbem\unsecapp.exe[4588] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 00007ffbbf732cd2 3 bytes {JMP 0xffffffff8012d590} .text C:\WINDOWS\system32\wbem\unsecapp.exe[4588] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootOptions 00007ffbbf732ce0 1 byte JMP 00007ffc3f860270 .text C:\WINDOWS\system32\wbem\unsecapp.exe[4588] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 00007ffbbf732ce2 3 bytes {JMP 0xffffffff8012d590} .text C:\WINDOWS\system32\wbem\unsecapp.exe[4588] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetContextThread 00007ffbbf732d00 5 bytes JMP 00007ffc3f860400 .text C:\WINDOWS\system32\wbem\unsecapp.exe[4588] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ffbbf732ee0 5 bytes JMP 00007ffc3f8601f0 .text C:\WINDOWS\system32\wbem\unsecapp.exe[4588] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00007ffbbf732ef0 5 bytes JMP 00007ffc3f860210 .text C:\WINDOWS\system32\wbem\unsecapp.exe[4588] C:\WINDOWS\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ffbbf732f80 5 bytes JMP 00007ffc3f860200 .text C:\WINDOWS\system32\wbem\unsecapp.exe[4588] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSuspendProcess 00007ffbbf732ff0 5 bytes JMP 00007ffc3f860420 .text C:\WINDOWS\system32\wbem\unsecapp.exe[4588] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSuspendThread 00007ffbbf733000 5 bytes JMP 00007ffc3f860430 .text C:\WINDOWS\system32\wbem\unsecapp.exe[4588] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ffbbf733010 5 bytes JMP 00007ffc3f860220 .text C:\WINDOWS\system32\wbem\unsecapp.exe[4588] C:\WINDOWS\SYSTEM32\ntdll.dll!NtVdmControl 00007ffbbf733120 2 bytes JMP 00007ffc3f860280 .text C:\WINDOWS\system32\wbem\unsecapp.exe[4588] C:\WINDOWS\SYSTEM32\ntdll.dll!NtVdmControl + 3 00007ffbbf733123 2 bytes [12, 80] .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[5156] C:\WINDOWS\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00007ffbbf731720 5 bytes JMP 00007ffc3f860460 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[5156] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueryObject 00007ffbbf731770 5 bytes JMP 00007ffc3f860450 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[5156] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenProcess 00007ffbbf7318d0 5 bytes JMP 00007ffc3f860370 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[5156] C:\WINDOWS\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00007ffbbf731920 5 bytes JMP 00007ffc3f860470 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[5156] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ffbbf731930 5 bytes JMP 00007ffc3f8603e0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[5156] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenSection 00007ffbbf7319e0 5 bytes JMP 00007ffc3f860320 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[5156] C:\WINDOWS\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffbbf731a10 5 bytes JMP 00007ffc3f8603b0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[5156] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDuplicateObject 00007ffbbf731a30 5 bytes JMP 00007ffc3f860390 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[5156] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenEvent 00007ffbbf731a70 5 bytes JMP 00007ffc3f8602e0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[5156] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateEvent 00007ffbbf731af0 5 bytes JMP 00007ffc3f8602d0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[5156] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSection 00007ffbbf731b10 5 bytes JMP 00007ffc3f860310 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[5156] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThread 00007ffbbf731b50 5 bytes JMP 00007ffc3f8603c0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[5156] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateThread 00007ffbbf731ba0 5 bytes JMP 00007ffc3f8603f0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[5156] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAddBootEntry 00007ffbbf731d00 5 bytes JMP 00007ffc3f860230 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[5156] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ffbbf731ef0 1 byte JMP 00007ffc3f860480 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[5156] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort + 2 00007ffbbf731ef2 3 bytes {JMP 0xffffffff8012e590} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[5156] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00007ffbbf731f20 5 bytes JMP 00007ffc3f8603a0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[5156] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ffbbf732040 5 bytes JMP 00007ffc3f8602f0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[5156] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00007ffbbf732060 5 bytes JMP 00007ffc3f860350 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[5156] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateMutant 00007ffbbf7320d0 5 bytes JMP 00007ffc3f860290 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[5156] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ffbbf732160 5 bytes JMP 00007ffc3f8602b0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[5156] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffbbf732180 5 bytes JMP 00007ffc3f8603d0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[5156] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateTimer 00007ffbbf732190 5 bytes JMP 00007ffc3f860330 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[5156] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00007ffbbf732240 5 bytes JMP 00007ffc3f860410 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[5156] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00007ffbbf732270 5 bytes JMP 00007ffc3f860240 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[5156] C:\WINDOWS\SYSTEM32\ntdll.dll!NtLoadDriver 00007ffbbf732590 5 bytes JMP 00007ffc3f8601e0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[5156] C:\WINDOWS\SYSTEM32\ntdll.dll!NtModifyBootEntry 00007ffbbf732650 5 bytes JMP 00007ffc3f860250 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[5156] C:\WINDOWS\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00007ffbbf732680 5 bytes JMP 00007ffc3f860490 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[5156] C:\WINDOWS\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00007ffbbf732690 5 bytes JMP 00007ffc3f8604a0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[5156] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenEventPair 00007ffbbf7326c0 5 bytes JMP 00007ffc3f860300 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[5156] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00007ffbbf7326d0 1 byte JMP 00007ffc3f860360 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[5156] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenIoCompletion + 2 00007ffbbf7326d2 3 bytes {JMP 0xffffffff8012dc90} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[5156] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenMutant 00007ffbbf732730 5 bytes JMP 00007ffc3f8602a0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[5156] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenSemaphore 00007ffbbf732780 5 bytes JMP 00007ffc3f8602c0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[5156] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenThread 00007ffbbf7327b0 5 bytes JMP 00007ffc3f860380 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[5156] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenTimer 00007ffbbf7327c0 5 bytes JMP 00007ffc3f860340 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[5156] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00007ffbbf732ad0 5 bytes JMP 00007ffc3f860440 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[5156] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00007ffbbf732cd0 1 byte JMP 00007ffc3f860260 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[5156] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 00007ffbbf732cd2 3 bytes {JMP 0xffffffff8012d590} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[5156] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootOptions 00007ffbbf732ce0 1 byte JMP 00007ffc3f860270 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[5156] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 00007ffbbf732ce2 3 bytes {JMP 0xffffffff8012d590} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[5156] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetContextThread 00007ffbbf732d00 5 bytes JMP 00007ffc3f860400 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[5156] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ffbbf732ee0 5 bytes JMP 00007ffc3f8601f0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[5156] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00007ffbbf732ef0 5 bytes JMP 00007ffc3f860210 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[5156] C:\WINDOWS\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ffbbf732f80 5 bytes JMP 00007ffc3f860200 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[5156] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSuspendProcess 00007ffbbf732ff0 5 bytes JMP 00007ffc3f860420 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[5156] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSuspendThread 00007ffbbf733000 5 bytes JMP 00007ffc3f860430 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[5156] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ffbbf733010 5 bytes JMP 00007ffc3f860220 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[5156] C:\WINDOWS\SYSTEM32\ntdll.dll!NtVdmControl 00007ffbbf733120 2 bytes JMP 00007ffc3f860280 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[5156] C:\WINDOWS\SYSTEM32\ntdll.dll!NtVdmControl + 3 00007ffbbf733123 2 bytes [12, 80] .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[5360] C:\WINDOWS\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00007ffbbf731720 5 bytes JMP 00007ffc3f860460 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[5360] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueryObject 00007ffbbf731770 5 bytes JMP 00007ffc3f860450 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[5360] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenProcess 00007ffbbf7318d0 5 bytes JMP 00007ffc3f860370 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[5360] C:\WINDOWS\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00007ffbbf731920 5 bytes JMP 00007ffc3f860470 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[5360] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ffbbf731930 5 bytes JMP 00007ffc3f8603e0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[5360] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenSection 00007ffbbf7319e0 5 bytes JMP 00007ffc3f860320 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[5360] C:\WINDOWS\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffbbf731a10 5 bytes JMP 00007ffc3f8603b0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[5360] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDuplicateObject 00007ffbbf731a30 5 bytes JMP 00007ffc3f860390 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[5360] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenEvent 00007ffbbf731a70 5 bytes JMP 00007ffc3f8602e0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[5360] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateEvent 00007ffbbf731af0 5 bytes JMP 00007ffc3f8602d0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[5360] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSection 00007ffbbf731b10 5 bytes JMP 00007ffc3f860310 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[5360] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThread 00007ffbbf731b50 5 bytes JMP 00007ffc3f8603c0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[5360] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateThread 00007ffbbf731ba0 5 bytes JMP 00007ffc3f8603f0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[5360] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAddBootEntry 00007ffbbf731d00 5 bytes JMP 00007ffc3f860230 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[5360] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ffbbf731ef0 1 byte JMP 00007ffc3f860480 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[5360] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort + 2 00007ffbbf731ef2 3 bytes {JMP 0xffffffff8012e590} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[5360] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00007ffbbf731f20 5 bytes JMP 00007ffc3f8603a0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[5360] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ffbbf732040 5 bytes JMP 00007ffc3f8602f0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[5360] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00007ffbbf732060 5 bytes JMP 00007ffc3f860350 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[5360] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateMutant 00007ffbbf7320d0 5 bytes JMP 00007ffc3f860290 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[5360] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ffbbf732160 5 bytes JMP 00007ffc3f8602b0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[5360] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffbbf732180 5 bytes JMP 00007ffc3f8603d0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[5360] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateTimer 00007ffbbf732190 5 bytes JMP 00007ffc3f860330 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[5360] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00007ffbbf732240 5 bytes JMP 00007ffc3f860410 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[5360] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00007ffbbf732270 5 bytes JMP 00007ffc3f860240 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[5360] C:\WINDOWS\SYSTEM32\ntdll.dll!NtLoadDriver 00007ffbbf732590 5 bytes JMP 00007ffc3f8601e0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[5360] C:\WINDOWS\SYSTEM32\ntdll.dll!NtModifyBootEntry 00007ffbbf732650 5 bytes JMP 00007ffc3f860250 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[5360] C:\WINDOWS\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00007ffbbf732680 5 bytes JMP 00007ffc3f860490 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[5360] C:\WINDOWS\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00007ffbbf732690 5 bytes JMP 00007ffc3f8604a0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[5360] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenEventPair 00007ffbbf7326c0 5 bytes JMP 00007ffc3f860300 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[5360] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00007ffbbf7326d0 1 byte JMP 00007ffc3f860360 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[5360] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenIoCompletion + 2 00007ffbbf7326d2 3 bytes {JMP 0xffffffff8012dc90} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[5360] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenMutant 00007ffbbf732730 5 bytes JMP 00007ffc3f8602a0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[5360] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenSemaphore 00007ffbbf732780 5 bytes JMP 00007ffc3f8602c0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[5360] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenThread 00007ffbbf7327b0 5 bytes JMP 00007ffc3f860380 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[5360] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenTimer 00007ffbbf7327c0 5 bytes JMP 00007ffc3f860340 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[5360] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00007ffbbf732ad0 5 bytes JMP 00007ffc3f860440 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[5360] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00007ffbbf732cd0 1 byte JMP 00007ffc3f860260 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[5360] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 00007ffbbf732cd2 3 bytes {JMP 0xffffffff8012d590} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[5360] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootOptions 00007ffbbf732ce0 1 byte JMP 00007ffc3f860270 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[5360] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 00007ffbbf732ce2 3 bytes {JMP 0xffffffff8012d590} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[5360] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetContextThread 00007ffbbf732d00 5 bytes JMP 00007ffc3f860400 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[5360] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ffbbf732ee0 5 bytes JMP 00007ffc3f8601f0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[5360] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00007ffbbf732ef0 5 bytes JMP 00007ffc3f860210 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[5360] C:\WINDOWS\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ffbbf732f80 5 bytes JMP 00007ffc3f860200 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[5360] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSuspendProcess 00007ffbbf732ff0 5 bytes JMP 00007ffc3f860420 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[5360] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSuspendThread 00007ffbbf733000 5 bytes JMP 00007ffc3f860430 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[5360] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ffbbf733010 5 bytes JMP 00007ffc3f860220 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[5360] C:\WINDOWS\SYSTEM32\ntdll.dll!NtVdmControl 00007ffbbf733120 2 bytes JMP 00007ffc3f860280 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[5360] C:\WINDOWS\SYSTEM32\ntdll.dll!NtVdmControl + 3 00007ffbbf733123 2 bytes [12, 80] .text C:\WINDOWS\system32\rundll32.exe[3616] C:\WINDOWS\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00007ffbbf731720 5 bytes JMP 00007ffc3f860460 .text C:\WINDOWS\system32\rundll32.exe[3616] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueryObject 00007ffbbf731770 5 bytes JMP 00007ffc3f860450 .text C:\WINDOWS\system32\rundll32.exe[3616] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenProcess 00007ffbbf7318d0 5 bytes JMP 00007ffc3f860370 .text C:\WINDOWS\system32\rundll32.exe[3616] C:\WINDOWS\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00007ffbbf731920 5 bytes JMP 00007ffc3f860470 .text C:\WINDOWS\system32\rundll32.exe[3616] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ffbbf731930 5 bytes JMP 00007ffc3f8603e0 .text C:\WINDOWS\system32\rundll32.exe[3616] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenSection 00007ffbbf7319e0 5 bytes JMP 00007ffc3f860320 .text C:\WINDOWS\system32\rundll32.exe[3616] C:\WINDOWS\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffbbf731a10 5 bytes JMP 00007ffc3f8603b0 .text C:\WINDOWS\system32\rundll32.exe[3616] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDuplicateObject 00007ffbbf731a30 5 bytes JMP 00007ffc3f860390 .text C:\WINDOWS\system32\rundll32.exe[3616] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenEvent 00007ffbbf731a70 5 bytes JMP 00007ffc3f8602e0 .text C:\WINDOWS\system32\rundll32.exe[3616] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateEvent 00007ffbbf731af0 5 bytes JMP 00007ffc3f8602d0 .text C:\WINDOWS\system32\rundll32.exe[3616] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSection 00007ffbbf731b10 5 bytes JMP 00007ffc3f860310 .text C:\WINDOWS\system32\rundll32.exe[3616] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThread 00007ffbbf731b50 5 bytes JMP 00007ffc3f8603c0 .text C:\WINDOWS\system32\rundll32.exe[3616] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateThread 00007ffbbf731ba0 5 bytes JMP 00007ffc3f8603f0 .text C:\WINDOWS\system32\rundll32.exe[3616] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAddBootEntry 00007ffbbf731d00 5 bytes JMP 00007ffc3f860230 .text C:\WINDOWS\system32\rundll32.exe[3616] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ffbbf731ef0 1 byte JMP 00007ffc3f860480 .text C:\WINDOWS\system32\rundll32.exe[3616] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort + 2 00007ffbbf731ef2 3 bytes {JMP 0xffffffff8012e590} .text C:\WINDOWS\system32\rundll32.exe[3616] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00007ffbbf731f20 5 bytes JMP 00007ffc3f8603a0 .text C:\WINDOWS\system32\rundll32.exe[3616] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ffbbf732040 5 bytes JMP 00007ffc3f8602f0 .text C:\WINDOWS\system32\rundll32.exe[3616] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00007ffbbf732060 5 bytes JMP 00007ffc3f860350 .text C:\WINDOWS\system32\rundll32.exe[3616] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateMutant 00007ffbbf7320d0 5 bytes JMP 00007ffc3f860290 .text C:\WINDOWS\system32\rundll32.exe[3616] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ffbbf732160 5 bytes JMP 00007ffc3f8602b0 .text C:\WINDOWS\system32\rundll32.exe[3616] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffbbf732180 5 bytes JMP 00007ffc3f8603d0 .text C:\WINDOWS\system32\rundll32.exe[3616] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateTimer 00007ffbbf732190 5 bytes JMP 00007ffc3f860330 .text C:\WINDOWS\system32\rundll32.exe[3616] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00007ffbbf732240 5 bytes JMP 00007ffc3f860410 .text C:\WINDOWS\system32\rundll32.exe[3616] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00007ffbbf732270 5 bytes JMP 00007ffc3f860240 .text C:\WINDOWS\system32\rundll32.exe[3616] C:\WINDOWS\SYSTEM32\ntdll.dll!NtLoadDriver 00007ffbbf732590 5 bytes JMP 00007ffc3f8601e0 .text C:\WINDOWS\system32\rundll32.exe[3616] C:\WINDOWS\SYSTEM32\ntdll.dll!NtModifyBootEntry 00007ffbbf732650 5 bytes JMP 00007ffc3f860250 .text C:\WINDOWS\system32\rundll32.exe[3616] C:\WINDOWS\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00007ffbbf732680 5 bytes JMP 00007ffc3f860490 .text C:\WINDOWS\system32\rundll32.exe[3616] C:\WINDOWS\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00007ffbbf732690 5 bytes JMP 00007ffc3f8604a0 .text C:\WINDOWS\system32\rundll32.exe[3616] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenEventPair 00007ffbbf7326c0 5 bytes JMP 00007ffc3f860300 .text C:\WINDOWS\system32\rundll32.exe[3616] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00007ffbbf7326d0 1 byte JMP 00007ffc3f860360 .text C:\WINDOWS\system32\rundll32.exe[3616] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenIoCompletion + 2 00007ffbbf7326d2 3 bytes {JMP 0xffffffff8012dc90} .text C:\WINDOWS\system32\rundll32.exe[3616] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenMutant 00007ffbbf732730 5 bytes JMP 00007ffc3f8602a0 .text C:\WINDOWS\system32\rundll32.exe[3616] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenSemaphore 00007ffbbf732780 5 bytes JMP 00007ffc3f8602c0 .text C:\WINDOWS\system32\rundll32.exe[3616] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenThread 00007ffbbf7327b0 5 bytes JMP 00007ffc3f860380 .text C:\WINDOWS\system32\rundll32.exe[3616] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenTimer 00007ffbbf7327c0 5 bytes JMP 00007ffc3f860340 .text C:\WINDOWS\system32\rundll32.exe[3616] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00007ffbbf732ad0 5 bytes JMP 00007ffc3f860440 .text C:\WINDOWS\system32\rundll32.exe[3616] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00007ffbbf732cd0 1 byte JMP 00007ffc3f860260 .text C:\WINDOWS\system32\rundll32.exe[3616] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 00007ffbbf732cd2 3 bytes {JMP 0xffffffff8012d590} .text C:\WINDOWS\system32\rundll32.exe[3616] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootOptions 00007ffbbf732ce0 1 byte JMP 00007ffc3f860270 .text C:\WINDOWS\system32\rundll32.exe[3616] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 00007ffbbf732ce2 3 bytes {JMP 0xffffffff8012d590} .text C:\WINDOWS\system32\rundll32.exe[3616] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetContextThread 00007ffbbf732d00 5 bytes JMP 00007ffc3f860400 .text C:\WINDOWS\system32\rundll32.exe[3616] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ffbbf732ee0 5 bytes JMP 00007ffc3f8601f0 .text C:\WINDOWS\system32\rundll32.exe[3616] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00007ffbbf732ef0 5 bytes JMP 00007ffc3f860210 .text C:\WINDOWS\system32\rundll32.exe[3616] C:\WINDOWS\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ffbbf732f80 5 bytes JMP 00007ffc3f860200 .text C:\WINDOWS\system32\rundll32.exe[3616] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSuspendProcess 00007ffbbf732ff0 5 bytes JMP 00007ffc3f860420 .text C:\WINDOWS\system32\rundll32.exe[3616] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSuspendThread 00007ffbbf733000 5 bytes JMP 00007ffc3f860430 .text C:\WINDOWS\system32\rundll32.exe[3616] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ffbbf733010 5 bytes JMP 00007ffc3f860220 .text C:\WINDOWS\system32\rundll32.exe[3616] C:\WINDOWS\SYSTEM32\ntdll.dll!NtVdmControl 00007ffbbf733120 2 bytes JMP 00007ffc3f860280 .text C:\WINDOWS\system32\rundll32.exe[3616] C:\WINDOWS\SYSTEM32\ntdll.dll!NtVdmControl + 3 00007ffbbf733123 2 bytes [12, 80] ---- Devices - GMER 2.1 ---- Device \Driver\amd_sata \Device\RaidPort0 ffffe000ae8aa2c0 Device \Driver\cdrom \Device\CdRom0 ffffe000b06002c0 Device \Driver\amd_sata \Device\0000001d ffffe000ae8aa2c0 Device \Driver\amd_sata \Device\ScsiPort0 ffffe000ae8aa2c0 Device \Driver\amd_sata \Device\0000001e ffffe000ae8aa2c0 ---- Trace I/O - GMER 2.1 ---- Trace ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0xffffe000ae8ac2c0]<< sptd.sys amd_xata.sys storport.sys hal.dll amd_sata.sys ffffe000ae8ac2c0 Trace 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xffffe000afd3f350] ffffe000afd3f350 Trace 3 CLASSPNP.SYS[fffff8004199f27b] -> nt!IofCallDriver -> [0xffffe000afc689a0] ffffe000afc689a0 Trace \Driver\amd_xata[0xffffe000afac46f0] -> IRP_MJ_CREATE -> 0xffffe000ae8ac2c0 ffffe000ae8ac2c0 Trace 5 amd_xata.sys[fffff800415f35da] -> nt!IofCallDriver -> \Device\0000001d[0xffffe000afc6a060] ffffe000afc6a060 Trace \Driver\amd_sata[0xffffe000afac4060] -> IRP_MJ_CREATE -> 0xffffe000ae8aa2c0 ffffe000ae8aa2c0 ---- Threads - GMER 2.1 ---- Thread C:\WINDOWS\system32\csrss.exe [596:620] fffff96000873b90 ---- Disk sectors - GMER 2.1 ---- Disk \Device\Harddisk0\DR0 unknown MBR code ---- EOF - GMER 2.1 ----