GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2014-12-14 12:32:01 Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 WDC_WD10JPVT-24A1YT0 rev.01.01A01 931,51GB Running: lcur4btd.exe; Driver: C:\Users\Hubert\AppData\Local\Temp\uxndrpog.sys ---- User code sections - GMER 2.1 ---- .text C:\WINDOWS\System32\smss.exe[448] C:\WINDOWS\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00007ffd21d91720 5 bytes JMP 00007ffda1ec0460 .text C:\WINDOWS\System32\smss.exe[448] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueryObject 00007ffd21d91770 5 bytes JMP 00007ffda1ec0450 .text C:\WINDOWS\System32\smss.exe[448] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenProcess 00007ffd21d918d0 5 bytes JMP 00007ffda1ec0370 .text C:\WINDOWS\System32\smss.exe[448] C:\WINDOWS\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00007ffd21d91920 5 bytes JMP 00007ffda1ec0470 .text C:\WINDOWS\System32\smss.exe[448] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ffd21d91930 5 bytes JMP 00007ffda1ec03e0 .text C:\WINDOWS\System32\smss.exe[448] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenSection 00007ffd21d919e0 5 bytes JMP 00007ffda1ec0320 .text C:\WINDOWS\System32\smss.exe[448] C:\WINDOWS\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffd21d91a10 5 bytes JMP 00007ffda1ec03b0 .text C:\WINDOWS\System32\smss.exe[448] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDuplicateObject 00007ffd21d91a30 5 bytes JMP 00007ffda1ec0390 .text C:\WINDOWS\System32\smss.exe[448] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenEvent 00007ffd21d91a70 5 bytes JMP 00007ffda1ec02e0 .text C:\WINDOWS\System32\smss.exe[448] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateEvent 00007ffd21d91af0 5 bytes JMP 00007ffda1ec02d0 .text C:\WINDOWS\System32\smss.exe[448] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSection 00007ffd21d91b10 5 bytes JMP 00007ffda1ec0310 .text C:\WINDOWS\System32\smss.exe[448] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThread 00007ffd21d91b50 5 bytes JMP 00007ffda1ec03c0 .text C:\WINDOWS\System32\smss.exe[448] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateThread 00007ffd21d91ba0 5 bytes JMP 00007ffda1ec03f0 .text C:\WINDOWS\System32\smss.exe[448] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAddBootEntry 00007ffd21d91d00 5 bytes JMP 00007ffda1ec0230 .text C:\WINDOWS\System32\smss.exe[448] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ffd21d91ef0 1 byte JMP 00007ffda1ec0480 .text C:\WINDOWS\System32\smss.exe[448] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort + 2 00007ffd21d91ef2 3 bytes {JMP 0xffffffff8012e590} .text C:\WINDOWS\System32\smss.exe[448] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00007ffd21d91f20 5 bytes JMP 00007ffda1ec03a0 .text C:\WINDOWS\System32\smss.exe[448] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ffd21d92040 5 bytes JMP 00007ffda1ec02f0 .text C:\WINDOWS\System32\smss.exe[448] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00007ffd21d92060 5 bytes JMP 00007ffda1ec0350 .text C:\WINDOWS\System32\smss.exe[448] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateMutant 00007ffd21d920d0 5 bytes JMP 00007ffda1ec0290 .text C:\WINDOWS\System32\smss.exe[448] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ffd21d92160 5 bytes JMP 00007ffda1ec02b0 .text C:\WINDOWS\System32\smss.exe[448] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffd21d92180 5 bytes JMP 00007ffda1ec03d0 .text C:\WINDOWS\System32\smss.exe[448] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateTimer 00007ffd21d92190 5 bytes JMP 00007ffda1ec0330 .text C:\WINDOWS\System32\smss.exe[448] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00007ffd21d92240 5 bytes JMP 00007ffda1ec0410 .text C:\WINDOWS\System32\smss.exe[448] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00007ffd21d92270 5 bytes JMP 00007ffda1ec0240 .text C:\WINDOWS\System32\smss.exe[448] C:\WINDOWS\SYSTEM32\ntdll.dll!NtLoadDriver 00007ffd21d92590 5 bytes JMP 00007ffda1ec01e0 .text C:\WINDOWS\System32\smss.exe[448] C:\WINDOWS\SYSTEM32\ntdll.dll!NtModifyBootEntry 00007ffd21d92650 5 bytes JMP 00007ffda1ec0250 .text C:\WINDOWS\System32\smss.exe[448] C:\WINDOWS\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00007ffd21d92680 5 bytes JMP 00007ffda1ec0490 .text C:\WINDOWS\System32\smss.exe[448] C:\WINDOWS\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00007ffd21d92690 5 bytes JMP 00007ffda1ec04a0 .text C:\WINDOWS\System32\smss.exe[448] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenEventPair 00007ffd21d926c0 5 bytes JMP 00007ffda1ec0300 .text C:\WINDOWS\System32\smss.exe[448] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00007ffd21d926d0 1 byte JMP 00007ffda1ec0360 .text C:\WINDOWS\System32\smss.exe[448] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenIoCompletion + 2 00007ffd21d926d2 3 bytes {JMP 0xffffffff8012dc90} .text C:\WINDOWS\System32\smss.exe[448] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenMutant 00007ffd21d92730 5 bytes JMP 00007ffda1ec02a0 .text C:\WINDOWS\System32\smss.exe[448] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenSemaphore 00007ffd21d92780 5 bytes JMP 00007ffda1ec02c0 .text C:\WINDOWS\System32\smss.exe[448] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenThread 00007ffd21d927b0 5 bytes JMP 00007ffda1ec0380 .text C:\WINDOWS\System32\smss.exe[448] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenTimer 00007ffd21d927c0 5 bytes JMP 00007ffda1ec0340 .text C:\WINDOWS\System32\smss.exe[448] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00007ffd21d92ad0 5 bytes JMP 00007ffda1ec0440 .text C:\WINDOWS\System32\smss.exe[448] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00007ffd21d92cd0 1 byte JMP 00007ffda1ec0260 .text C:\WINDOWS\System32\smss.exe[448] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 00007ffd21d92cd2 3 bytes {JMP 0xffffffff8012d590} .text C:\WINDOWS\System32\smss.exe[448] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootOptions 00007ffd21d92ce0 1 byte JMP 00007ffda1ec0270 .text C:\WINDOWS\System32\smss.exe[448] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 00007ffd21d92ce2 3 bytes {JMP 0xffffffff8012d590} .text C:\WINDOWS\System32\smss.exe[448] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetContextThread 00007ffd21d92d00 5 bytes JMP 00007ffda1ec0400 .text C:\WINDOWS\System32\smss.exe[448] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ffd21d92ee0 5 bytes JMP 00007ffda1ec01f0 .text C:\WINDOWS\System32\smss.exe[448] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00007ffd21d92ef0 5 bytes JMP 00007ffda1ec0210 .text C:\WINDOWS\System32\smss.exe[448] C:\WINDOWS\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ffd21d92f80 5 bytes JMP 00007ffda1ec0200 .text C:\WINDOWS\System32\smss.exe[448] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSuspendProcess 00007ffd21d92ff0 5 bytes JMP 00007ffda1ec0420 .text C:\WINDOWS\System32\smss.exe[448] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSuspendThread 00007ffd21d93000 5 bytes JMP 00007ffda1ec0430 .text C:\WINDOWS\System32\smss.exe[448] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ffd21d93010 5 bytes JMP 00007ffda1ec0220 .text C:\WINDOWS\System32\smss.exe[448] C:\WINDOWS\SYSTEM32\ntdll.dll!NtVdmControl 00007ffd21d93120 2 bytes JMP 00007ffda1ec0280 .text C:\WINDOWS\System32\smss.exe[448] C:\WINDOWS\SYSTEM32\ntdll.dll!NtVdmControl + 3 00007ffd21d93123 2 bytes [12, 80] .text C:\WINDOWS\system32\csrss.exe[608] C:\WINDOWS\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00007ffd21d91720 5 bytes JMP 00007ffda1ec0460 .text C:\WINDOWS\system32\csrss.exe[608] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueryObject 00007ffd21d91770 5 bytes JMP 00007ffda1ec0450 .text C:\WINDOWS\system32\csrss.exe[608] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenProcess 00007ffd21d918d0 5 bytes JMP 00007ffda1ec0370 .text C:\WINDOWS\system32\csrss.exe[608] C:\WINDOWS\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00007ffd21d91920 5 bytes JMP 00007ffda1ec0470 .text C:\WINDOWS\system32\csrss.exe[608] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ffd21d91930 5 bytes JMP 00007ffda1ec03e0 .text C:\WINDOWS\system32\csrss.exe[608] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenSection 00007ffd21d919e0 5 bytes JMP 00007ffda1ec0320 .text C:\WINDOWS\system32\csrss.exe[608] C:\WINDOWS\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffd21d91a10 5 bytes JMP 00007ffda1ec03b0 .text C:\WINDOWS\system32\csrss.exe[608] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDuplicateObject 00007ffd21d91a30 5 bytes JMP 00007ffda1ec0390 .text C:\WINDOWS\system32\csrss.exe[608] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenEvent 00007ffd21d91a70 5 bytes JMP 00007ffda1ec02e0 .text C:\WINDOWS\system32\csrss.exe[608] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateEvent 00007ffd21d91af0 5 bytes JMP 00007ffda1ec02d0 .text C:\WINDOWS\system32\csrss.exe[608] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSection 00007ffd21d91b10 5 bytes JMP 00007ffda1ec0310 .text C:\WINDOWS\system32\csrss.exe[608] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThread 00007ffd21d91b50 5 bytes JMP 00007ffda1ec03c0 .text C:\WINDOWS\system32\csrss.exe[608] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateThread 00007ffd21d91ba0 5 bytes JMP 00007ffda1ec03f0 .text C:\WINDOWS\system32\csrss.exe[608] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAddBootEntry 00007ffd21d91d00 5 bytes JMP 00007ffda1ec0230 .text C:\WINDOWS\system32\csrss.exe[608] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ffd21d91ef0 1 byte JMP 00007ffda1ec0480 .text C:\WINDOWS\system32\csrss.exe[608] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort + 2 00007ffd21d91ef2 3 bytes {JMP 0xffffffff8012e590} .text C:\WINDOWS\system32\csrss.exe[608] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00007ffd21d91f20 5 bytes JMP 00007ffda1ec03a0 .text C:\WINDOWS\system32\csrss.exe[608] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ffd21d92040 5 bytes JMP 00007ffda1ec02f0 .text C:\WINDOWS\system32\csrss.exe[608] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00007ffd21d92060 5 bytes JMP 00007ffda1ec0350 .text C:\WINDOWS\system32\csrss.exe[608] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateMutant 00007ffd21d920d0 5 bytes JMP 00007ffda1ec0290 .text C:\WINDOWS\system32\csrss.exe[608] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ffd21d92160 5 bytes JMP 00007ffda1ec02b0 .text C:\WINDOWS\system32\csrss.exe[608] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffd21d92180 5 bytes JMP 00007ffda1ec03d0 .text C:\WINDOWS\system32\csrss.exe[608] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateTimer 00007ffd21d92190 5 bytes JMP 00007ffda1ec0330 .text C:\WINDOWS\system32\csrss.exe[608] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00007ffd21d92240 5 bytes JMP 00007ffda1ec0410 .text C:\WINDOWS\system32\csrss.exe[608] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00007ffd21d92270 5 bytes JMP 00007ffda1ec0240 .text C:\WINDOWS\system32\csrss.exe[608] C:\WINDOWS\SYSTEM32\ntdll.dll!NtLoadDriver 00007ffd21d92590 5 bytes JMP 00007ffda1ec01e0 .text C:\WINDOWS\system32\csrss.exe[608] C:\WINDOWS\SYSTEM32\ntdll.dll!NtModifyBootEntry 00007ffd21d92650 5 bytes JMP 00007ffda1ec0250 .text C:\WINDOWS\system32\csrss.exe[608] C:\WINDOWS\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00007ffd21d92680 5 bytes JMP 00007ffda1ec0490 .text C:\WINDOWS\system32\csrss.exe[608] C:\WINDOWS\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00007ffd21d92690 5 bytes JMP 00007ffda1ec04a0 .text C:\WINDOWS\system32\csrss.exe[608] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenEventPair 00007ffd21d926c0 5 bytes JMP 00007ffda1ec0300 .text C:\WINDOWS\system32\csrss.exe[608] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00007ffd21d926d0 1 byte JMP 00007ffda1ec0360 .text C:\WINDOWS\system32\csrss.exe[608] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenIoCompletion + 2 00007ffd21d926d2 3 bytes {JMP 0xffffffff8012dc90} .text C:\WINDOWS\system32\csrss.exe[608] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenMutant 00007ffd21d92730 5 bytes JMP 00007ffda1ec02a0 .text C:\WINDOWS\system32\csrss.exe[608] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenSemaphore 00007ffd21d92780 5 bytes JMP 00007ffda1ec02c0 .text C:\WINDOWS\system32\csrss.exe[608] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenThread 00007ffd21d927b0 5 bytes JMP 00007ffda1ec0380 .text C:\WINDOWS\system32\csrss.exe[608] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenTimer 00007ffd21d927c0 5 bytes JMP 00007ffda1ec0340 .text C:\WINDOWS\system32\csrss.exe[608] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00007ffd21d92ad0 5 bytes JMP 00007ffda1ec0440 .text C:\WINDOWS\system32\csrss.exe[608] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00007ffd21d92cd0 1 byte JMP 00007ffda1ec0260 .text C:\WINDOWS\system32\csrss.exe[608] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 00007ffd21d92cd2 3 bytes {JMP 0xffffffff8012d590} .text C:\WINDOWS\system32\csrss.exe[608] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootOptions 00007ffd21d92ce0 1 byte JMP 00007ffda1ec0270 .text C:\WINDOWS\system32\csrss.exe[608] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 00007ffd21d92ce2 3 bytes {JMP 0xffffffff8012d590} .text C:\WINDOWS\system32\csrss.exe[608] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetContextThread 00007ffd21d92d00 5 bytes JMP 00007ffda1ec0400 .text C:\WINDOWS\system32\csrss.exe[608] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ffd21d92ee0 5 bytes JMP 00007ffda1ec01f0 .text C:\WINDOWS\system32\csrss.exe[608] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00007ffd21d92ef0 5 bytes JMP 00007ffda1ec0210 .text C:\WINDOWS\system32\csrss.exe[608] C:\WINDOWS\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ffd21d92f80 5 bytes JMP 00007ffda1ec0200 .text C:\WINDOWS\system32\csrss.exe[608] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSuspendProcess 00007ffd21d92ff0 5 bytes JMP 00007ffda1ec0420 .text C:\WINDOWS\system32\csrss.exe[608] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSuspendThread 00007ffd21d93000 5 bytes JMP 00007ffda1ec0430 .text C:\WINDOWS\system32\csrss.exe[608] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ffd21d93010 5 bytes JMP 00007ffda1ec0220 .text C:\WINDOWS\system32\csrss.exe[608] C:\WINDOWS\SYSTEM32\ntdll.dll!NtVdmControl 00007ffd21d93120 2 bytes JMP 00007ffda1ec0280 .text C:\WINDOWS\system32\csrss.exe[608] C:\WINDOWS\SYSTEM32\ntdll.dll!NtVdmControl + 3 00007ffd21d93123 2 bytes [12, 80] .text C:\WINDOWS\system32\wininit.exe[728] C:\WINDOWS\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00007ffd21d91720 5 bytes JMP 00007ffda1ec0460 .text C:\WINDOWS\system32\wininit.exe[728] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueryObject 00007ffd21d91770 5 bytes JMP 00007ffda1ec0450 .text C:\WINDOWS\system32\wininit.exe[728] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenProcess 00007ffd21d918d0 5 bytes JMP 00007ffda1ec0370 .text C:\WINDOWS\system32\wininit.exe[728] C:\WINDOWS\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00007ffd21d91920 5 bytes JMP 00007ffda1ec0470 .text C:\WINDOWS\system32\wininit.exe[728] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ffd21d91930 5 bytes JMP 00007ffda1ec03e0 .text C:\WINDOWS\system32\wininit.exe[728] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenSection 00007ffd21d919e0 5 bytes JMP 00007ffda1ec0320 .text C:\WINDOWS\system32\wininit.exe[728] C:\WINDOWS\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffd21d91a10 5 bytes JMP 00007ffda1ec03b0 .text C:\WINDOWS\system32\wininit.exe[728] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDuplicateObject 00007ffd21d91a30 5 bytes JMP 00007ffda1ec0390 .text C:\WINDOWS\system32\wininit.exe[728] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenEvent 00007ffd21d91a70 5 bytes JMP 00007ffda1ec02e0 .text C:\WINDOWS\system32\wininit.exe[728] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateEvent 00007ffd21d91af0 5 bytes JMP 00007ffda1ec02d0 .text C:\WINDOWS\system32\wininit.exe[728] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSection 00007ffd21d91b10 5 bytes JMP 00007ffda1ec0310 .text C:\WINDOWS\system32\wininit.exe[728] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThread 00007ffd21d91b50 5 bytes JMP 00007ffda1ec03c0 .text C:\WINDOWS\system32\wininit.exe[728] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateThread 00007ffd21d91ba0 5 bytes JMP 00007ffda1ec03f0 .text C:\WINDOWS\system32\wininit.exe[728] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAddBootEntry 00007ffd21d91d00 5 bytes JMP 00007ffda1ec0230 .text C:\WINDOWS\system32\wininit.exe[728] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ffd21d91ef0 1 byte JMP 00007ffda1ec0480 .text C:\WINDOWS\system32\wininit.exe[728] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort + 2 00007ffd21d91ef2 3 bytes {JMP 0xffffffff8012e590} .text C:\WINDOWS\system32\wininit.exe[728] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00007ffd21d91f20 5 bytes JMP 00007ffda1ec03a0 .text C:\WINDOWS\system32\wininit.exe[728] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ffd21d92040 5 bytes JMP 00007ffda1ec02f0 .text C:\WINDOWS\system32\wininit.exe[728] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00007ffd21d92060 5 bytes JMP 00007ffda1ec0350 .text C:\WINDOWS\system32\wininit.exe[728] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateMutant 00007ffd21d920d0 5 bytes JMP 00007ffda1ec0290 .text C:\WINDOWS\system32\wininit.exe[728] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ffd21d92160 5 bytes JMP 00007ffda1ec02b0 .text C:\WINDOWS\system32\wininit.exe[728] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffd21d92180 5 bytes JMP 00007ffda1ec03d0 .text C:\WINDOWS\system32\wininit.exe[728] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateTimer 00007ffd21d92190 5 bytes JMP 00007ffda1ec0330 .text C:\WINDOWS\system32\wininit.exe[728] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00007ffd21d92240 5 bytes JMP 00007ffda1ec0410 .text C:\WINDOWS\system32\wininit.exe[728] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00007ffd21d92270 5 bytes JMP 00007ffda1ec0240 .text C:\WINDOWS\system32\wininit.exe[728] C:\WINDOWS\SYSTEM32\ntdll.dll!NtLoadDriver 00007ffd21d92590 5 bytes JMP 00007ffda1ec01e0 .text C:\WINDOWS\system32\wininit.exe[728] C:\WINDOWS\SYSTEM32\ntdll.dll!NtModifyBootEntry 00007ffd21d92650 5 bytes JMP 00007ffda1ec0250 .text C:\WINDOWS\system32\wininit.exe[728] C:\WINDOWS\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00007ffd21d92680 5 bytes JMP 00007ffda1ec0490 .text C:\WINDOWS\system32\wininit.exe[728] C:\WINDOWS\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00007ffd21d92690 5 bytes JMP 00007ffda1ec04a0 .text C:\WINDOWS\system32\wininit.exe[728] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenEventPair 00007ffd21d926c0 5 bytes JMP 00007ffda1ec0300 .text C:\WINDOWS\system32\wininit.exe[728] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00007ffd21d926d0 1 byte JMP 00007ffda1ec0360 .text C:\WINDOWS\system32\wininit.exe[728] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenIoCompletion + 2 00007ffd21d926d2 3 bytes {JMP 0xffffffff8012dc90} .text C:\WINDOWS\system32\wininit.exe[728] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenMutant 00007ffd21d92730 5 bytes JMP 00007ffda1ec02a0 .text C:\WINDOWS\system32\wininit.exe[728] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenSemaphore 00007ffd21d92780 5 bytes JMP 00007ffda1ec02c0 .text C:\WINDOWS\system32\wininit.exe[728] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenThread 00007ffd21d927b0 5 bytes JMP 00007ffda1ec0380 .text C:\WINDOWS\system32\wininit.exe[728] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenTimer 00007ffd21d927c0 5 bytes JMP 00007ffda1ec0340 .text C:\WINDOWS\system32\wininit.exe[728] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00007ffd21d92ad0 5 bytes JMP 00007ffda1ec0440 .text C:\WINDOWS\system32\wininit.exe[728] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00007ffd21d92cd0 1 byte JMP 00007ffda1ec0260 .text C:\WINDOWS\system32\wininit.exe[728] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 00007ffd21d92cd2 3 bytes {JMP 0xffffffff8012d590} .text C:\WINDOWS\system32\wininit.exe[728] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootOptions 00007ffd21d92ce0 1 byte JMP 00007ffda1ec0270 .text C:\WINDOWS\system32\wininit.exe[728] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 00007ffd21d92ce2 3 bytes {JMP 0xffffffff8012d590} .text C:\WINDOWS\system32\wininit.exe[728] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetContextThread 00007ffd21d92d00 5 bytes JMP 00007ffda1ec0400 .text C:\WINDOWS\system32\wininit.exe[728] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ffd21d92ee0 5 bytes JMP 00007ffda1ec01f0 .text C:\WINDOWS\system32\wininit.exe[728] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00007ffd21d92ef0 5 bytes JMP 00007ffda1ec0210 .text C:\WINDOWS\system32\wininit.exe[728] C:\WINDOWS\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ffd21d92f80 5 bytes JMP 00007ffda1ec0200 .text C:\WINDOWS\system32\wininit.exe[728] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSuspendProcess 00007ffd21d92ff0 5 bytes JMP 00007ffda1ec0420 .text C:\WINDOWS\system32\wininit.exe[728] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSuspendThread 00007ffd21d93000 5 bytes JMP 00007ffda1ec0430 .text C:\WINDOWS\system32\wininit.exe[728] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ffd21d93010 5 bytes JMP 00007ffda1ec0220 .text C:\WINDOWS\system32\wininit.exe[728] C:\WINDOWS\SYSTEM32\ntdll.dll!NtVdmControl 00007ffd21d93120 2 bytes JMP 00007ffda1ec0280 .text C:\WINDOWS\system32\wininit.exe[728] C:\WINDOWS\SYSTEM32\ntdll.dll!NtVdmControl + 3 00007ffd21d93123 2 bytes [12, 80] .text C:\WINDOWS\system32\services.exe[836] C:\WINDOWS\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00007ffd21d91720 5 bytes JMP 00007ffda1ec0460 .text C:\WINDOWS\system32\services.exe[836] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueryObject 00007ffd21d91770 5 bytes JMP 00007ffda1ec0450 .text C:\WINDOWS\system32\services.exe[836] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenProcess 00007ffd21d918d0 5 bytes JMP 00007ffda1ec0370 .text C:\WINDOWS\system32\services.exe[836] C:\WINDOWS\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00007ffd21d91920 5 bytes JMP 00007ffda1ec0470 .text C:\WINDOWS\system32\services.exe[836] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ffd21d91930 5 bytes JMP 00007ffda1ec03e0 .text C:\WINDOWS\system32\services.exe[836] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenSection 00007ffd21d919e0 5 bytes JMP 00007ffda1ec0320 .text C:\WINDOWS\system32\services.exe[836] C:\WINDOWS\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffd21d91a10 5 bytes JMP 00007ffda1ec03b0 .text C:\WINDOWS\system32\services.exe[836] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDuplicateObject 00007ffd21d91a30 5 bytes JMP 00007ffda1ec0390 .text C:\WINDOWS\system32\services.exe[836] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenEvent 00007ffd21d91a70 5 bytes JMP 00007ffda1ec02e0 .text C:\WINDOWS\system32\services.exe[836] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateEvent 00007ffd21d91af0 5 bytes JMP 00007ffda1ec02d0 .text C:\WINDOWS\system32\services.exe[836] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSection 00007ffd21d91b10 5 bytes JMP 00007ffda1ec0310 .text C:\WINDOWS\system32\services.exe[836] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThread 00007ffd21d91b50 5 bytes JMP 00007ffda1ec03c0 .text C:\WINDOWS\system32\services.exe[836] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateThread 00007ffd21d91ba0 5 bytes JMP 00007ffda1ec03f0 .text C:\WINDOWS\system32\services.exe[836] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAddBootEntry 00007ffd21d91d00 5 bytes JMP 00007ffda1ec0230 .text C:\WINDOWS\system32\services.exe[836] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ffd21d91ef0 1 byte JMP 00007ffda1ec0480 .text C:\WINDOWS\system32\services.exe[836] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort + 2 00007ffd21d91ef2 3 bytes {JMP 0xffffffff8012e590} .text C:\WINDOWS\system32\services.exe[836] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00007ffd21d91f20 5 bytes JMP 00007ffda1ec03a0 .text C:\WINDOWS\system32\services.exe[836] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ffd21d92040 5 bytes JMP 00007ffda1ec02f0 .text C:\WINDOWS\system32\services.exe[836] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00007ffd21d92060 5 bytes JMP 00007ffda1ec0350 .text C:\WINDOWS\system32\services.exe[836] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateMutant 00007ffd21d920d0 5 bytes JMP 00007ffda1ec0290 .text C:\WINDOWS\system32\services.exe[836] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ffd21d92160 5 bytes JMP 00007ffda1ec02b0 .text C:\WINDOWS\system32\services.exe[836] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffd21d92180 5 bytes JMP 00007ffda1ec03d0 .text C:\WINDOWS\system32\services.exe[836] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateTimer 00007ffd21d92190 5 bytes JMP 00007ffda1ec0330 .text C:\WINDOWS\system32\services.exe[836] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00007ffd21d92240 5 bytes JMP 00007ffda1ec0410 .text C:\WINDOWS\system32\services.exe[836] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00007ffd21d92270 5 bytes JMP 00007ffda1ec0240 .text C:\WINDOWS\system32\services.exe[836] C:\WINDOWS\SYSTEM32\ntdll.dll!NtLoadDriver 00007ffd21d92590 5 bytes JMP 00007ffda1ec01e0 .text C:\WINDOWS\system32\services.exe[836] C:\WINDOWS\SYSTEM32\ntdll.dll!NtModifyBootEntry 00007ffd21d92650 5 bytes JMP 00007ffda1ec0250 .text C:\WINDOWS\system32\services.exe[836] C:\WINDOWS\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00007ffd21d92680 5 bytes JMP 00007ffda1ec0490 .text C:\WINDOWS\system32\services.exe[836] C:\WINDOWS\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00007ffd21d92690 5 bytes JMP 00007ffda1ec04a0 .text C:\WINDOWS\system32\services.exe[836] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenEventPair 00007ffd21d926c0 5 bytes JMP 00007ffda1ec0300 .text C:\WINDOWS\system32\services.exe[836] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00007ffd21d926d0 1 byte JMP 00007ffda1ec0360 .text C:\WINDOWS\system32\services.exe[836] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenIoCompletion + 2 00007ffd21d926d2 3 bytes {JMP 0xffffffff8012dc90} .text C:\WINDOWS\system32\services.exe[836] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenMutant 00007ffd21d92730 5 bytes JMP 00007ffda1ec02a0 .text C:\WINDOWS\system32\services.exe[836] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenSemaphore 00007ffd21d92780 5 bytes JMP 00007ffda1ec02c0 .text C:\WINDOWS\system32\services.exe[836] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenThread 00007ffd21d927b0 5 bytes JMP 00007ffda1ec0380 .text C:\WINDOWS\system32\services.exe[836] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenTimer 00007ffd21d927c0 5 bytes JMP 00007ffda1ec0340 .text C:\WINDOWS\system32\services.exe[836] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00007ffd21d92ad0 5 bytes JMP 00007ffda1ec0440 .text C:\WINDOWS\system32\services.exe[836] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00007ffd21d92cd0 1 byte JMP 00007ffda1ec0260 .text C:\WINDOWS\system32\services.exe[836] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 00007ffd21d92cd2 3 bytes {JMP 0xffffffff8012d590} .text C:\WINDOWS\system32\services.exe[836] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootOptions 00007ffd21d92ce0 1 byte JMP 00007ffda1ec0270 .text C:\WINDOWS\system32\services.exe[836] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 00007ffd21d92ce2 3 bytes {JMP 0xffffffff8012d590} .text C:\WINDOWS\system32\services.exe[836] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetContextThread 00007ffd21d92d00 5 bytes JMP 00007ffda1ec0400 .text C:\WINDOWS\system32\services.exe[836] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ffd21d92ee0 5 bytes JMP 00007ffda1ec01f0 .text C:\WINDOWS\system32\services.exe[836] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00007ffd21d92ef0 5 bytes JMP 00007ffda1ec0210 .text C:\WINDOWS\system32\services.exe[836] C:\WINDOWS\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ffd21d92f80 5 bytes JMP 00007ffda1ec0200 .text C:\WINDOWS\system32\services.exe[836] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSuspendProcess 00007ffd21d92ff0 5 bytes JMP 00007ffda1ec0420 .text C:\WINDOWS\system32\services.exe[836] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSuspendThread 00007ffd21d93000 5 bytes JMP 00007ffda1ec0430 .text C:\WINDOWS\system32\services.exe[836] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ffd21d93010 5 bytes JMP 00007ffda1ec0220 .text C:\WINDOWS\system32\services.exe[836] C:\WINDOWS\SYSTEM32\ntdll.dll!NtVdmControl 00007ffd21d93120 2 bytes JMP 00007ffda1ec0280 .text C:\WINDOWS\system32\services.exe[836] C:\WINDOWS\SYSTEM32\ntdll.dll!NtVdmControl + 3 00007ffd21d93123 2 bytes [12, 80] .text C:\WINDOWS\system32\lsass.exe[844] C:\WINDOWS\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00007ffd21d91720 5 bytes JMP 00007ffda1ec0460 .text C:\WINDOWS\system32\lsass.exe[844] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueryObject 00007ffd21d91770 5 bytes JMP 00007ffda1ec0450 .text C:\WINDOWS\system32\lsass.exe[844] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenProcess 00007ffd21d918d0 5 bytes JMP 00007ffda1ec0370 .text C:\WINDOWS\system32\lsass.exe[844] C:\WINDOWS\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00007ffd21d91920 5 bytes JMP 00007ffda1ec0470 .text C:\WINDOWS\system32\lsass.exe[844] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ffd21d91930 5 bytes JMP 00007ffda1ec03e0 .text C:\WINDOWS\system32\lsass.exe[844] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenSection 00007ffd21d919e0 5 bytes JMP 00007ffda1ec0320 .text C:\WINDOWS\system32\lsass.exe[844] C:\WINDOWS\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffd21d91a10 5 bytes JMP 00007ffda1ec03b0 .text C:\WINDOWS\system32\lsass.exe[844] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDuplicateObject 00007ffd21d91a30 5 bytes JMP 00007ffda1ec0390 .text C:\WINDOWS\system32\lsass.exe[844] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenEvent 00007ffd21d91a70 5 bytes JMP 00007ffda1ec02e0 .text C:\WINDOWS\system32\lsass.exe[844] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateEvent 00007ffd21d91af0 5 bytes JMP 00007ffda1ec02d0 .text C:\WINDOWS\system32\lsass.exe[844] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSection 00007ffd21d91b10 5 bytes JMP 00007ffda1ec0310 .text C:\WINDOWS\system32\lsass.exe[844] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThread 00007ffd21d91b50 5 bytes JMP 00007ffda1ec03c0 .text C:\WINDOWS\system32\lsass.exe[844] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateThread 00007ffd21d91ba0 5 bytes JMP 00007ffda1ec03f0 .text C:\WINDOWS\system32\lsass.exe[844] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAddBootEntry 00007ffd21d91d00 5 bytes JMP 00007ffda1ec0230 .text C:\WINDOWS\system32\lsass.exe[844] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ffd21d91ef0 1 byte JMP 00007ffda1ec0480 .text C:\WINDOWS\system32\lsass.exe[844] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort + 2 00007ffd21d91ef2 3 bytes {JMP 0xffffffff8012e590} .text C:\WINDOWS\system32\lsass.exe[844] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00007ffd21d91f20 5 bytes JMP 00007ffda1ec03a0 .text C:\WINDOWS\system32\lsass.exe[844] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ffd21d92040 5 bytes JMP 00007ffda1ec02f0 .text C:\WINDOWS\system32\lsass.exe[844] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00007ffd21d92060 5 bytes JMP 00007ffda1ec0350 .text C:\WINDOWS\system32\lsass.exe[844] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateMutant 00007ffd21d920d0 5 bytes JMP 00007ffda1ec0290 .text C:\WINDOWS\system32\lsass.exe[844] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ffd21d92160 5 bytes JMP 00007ffda1ec02b0 .text C:\WINDOWS\system32\lsass.exe[844] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffd21d92180 5 bytes JMP 00007ffda1ec03d0 .text C:\WINDOWS\system32\lsass.exe[844] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateTimer 00007ffd21d92190 5 bytes JMP 00007ffda1ec0330 .text C:\WINDOWS\system32\lsass.exe[844] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00007ffd21d92240 5 bytes JMP 00007ffda1ec0410 .text C:\WINDOWS\system32\lsass.exe[844] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00007ffd21d92270 5 bytes JMP 00007ffda1ec0240 .text C:\WINDOWS\system32\lsass.exe[844] C:\WINDOWS\SYSTEM32\ntdll.dll!NtLoadDriver 00007ffd21d92590 5 bytes JMP 00007ffda1ec01e0 .text C:\WINDOWS\system32\lsass.exe[844] C:\WINDOWS\SYSTEM32\ntdll.dll!NtModifyBootEntry 00007ffd21d92650 5 bytes JMP 00007ffda1ec0250 .text C:\WINDOWS\system32\lsass.exe[844] C:\WINDOWS\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00007ffd21d92680 5 bytes JMP 00007ffda1ec0490 .text C:\WINDOWS\system32\lsass.exe[844] C:\WINDOWS\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00007ffd21d92690 5 bytes JMP 00007ffda1ec04a0 .text C:\WINDOWS\system32\lsass.exe[844] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenEventPair 00007ffd21d926c0 5 bytes JMP 00007ffda1ec0300 .text C:\WINDOWS\system32\lsass.exe[844] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00007ffd21d926d0 1 byte JMP 00007ffda1ec0360 .text C:\WINDOWS\system32\lsass.exe[844] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenIoCompletion + 2 00007ffd21d926d2 3 bytes {JMP 0xffffffff8012dc90} .text C:\WINDOWS\system32\lsass.exe[844] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenMutant 00007ffd21d92730 5 bytes JMP 00007ffda1ec02a0 .text C:\WINDOWS\system32\lsass.exe[844] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenSemaphore 00007ffd21d92780 5 bytes JMP 00007ffda1ec02c0 .text C:\WINDOWS\system32\lsass.exe[844] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenThread 00007ffd21d927b0 5 bytes JMP 00007ffda1ec0380 .text C:\WINDOWS\system32\lsass.exe[844] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenTimer 00007ffd21d927c0 5 bytes JMP 00007ffda1ec0340 .text C:\WINDOWS\system32\lsass.exe[844] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00007ffd21d92ad0 5 bytes JMP 00007ffda1ec0440 .text C:\WINDOWS\system32\lsass.exe[844] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00007ffd21d92cd0 1 byte JMP 00007ffda1ec0260 .text C:\WINDOWS\system32\lsass.exe[844] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 00007ffd21d92cd2 3 bytes {JMP 0xffffffff8012d590} .text C:\WINDOWS\system32\lsass.exe[844] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootOptions 00007ffd21d92ce0 1 byte JMP 00007ffda1ec0270 .text C:\WINDOWS\system32\lsass.exe[844] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 00007ffd21d92ce2 3 bytes {JMP 0xffffffff8012d590} .text C:\WINDOWS\system32\lsass.exe[844] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetContextThread 00007ffd21d92d00 5 bytes JMP 00007ffda1ec0400 .text C:\WINDOWS\system32\lsass.exe[844] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ffd21d92ee0 5 bytes JMP 00007ffda1ec01f0 .text C:\WINDOWS\system32\lsass.exe[844] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00007ffd21d92ef0 5 bytes JMP 00007ffda1ec0210 .text C:\WINDOWS\system32\lsass.exe[844] C:\WINDOWS\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ffd21d92f80 5 bytes JMP 00007ffda1ec0200 .text C:\WINDOWS\system32\lsass.exe[844] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSuspendProcess 00007ffd21d92ff0 5 bytes JMP 00007ffda1ec0420 .text C:\WINDOWS\system32\lsass.exe[844] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSuspendThread 00007ffd21d93000 5 bytes JMP 00007ffda1ec0430 .text C:\WINDOWS\system32\lsass.exe[844] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ffd21d93010 5 bytes JMP 00007ffda1ec0220 .text C:\WINDOWS\system32\lsass.exe[844] C:\WINDOWS\SYSTEM32\ntdll.dll!NtVdmControl 00007ffd21d93120 2 bytes JMP 00007ffda1ec0280 .text C:\WINDOWS\system32\lsass.exe[844] C:\WINDOWS\SYSTEM32\ntdll.dll!NtVdmControl + 3 00007ffd21d93123 2 bytes [12, 80] .text C:\WINDOWS\system32\lsass.exe[844] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 506 00007ffd1f94169a 4 bytes [94, 1F, FD, 7F] .text C:\WINDOWS\system32\lsass.exe[844] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 514 00007ffd1f9416a2 4 bytes [94, 1F, FD, 7F] .text C:\WINDOWS\system32\lsass.exe[844] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 118 00007ffd1f94181a 4 bytes [94, 1F, FD, 7F] .text C:\WINDOWS\system32\lsass.exe[844] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 142 00007ffd1f941832 4 bytes [94, 1F, FD, 7F] .text C:\WINDOWS\system32\svchost.exe[928] C:\WINDOWS\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00007ffd21d91720 5 bytes JMP 00007ffda1ec0460 .text C:\WINDOWS\system32\svchost.exe[928] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueryObject 00007ffd21d91770 5 bytes JMP 00007ffda1ec0450 .text C:\WINDOWS\system32\svchost.exe[928] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenProcess 00007ffd21d918d0 5 bytes JMP 00007ffda1ec0370 .text C:\WINDOWS\system32\svchost.exe[928] C:\WINDOWS\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00007ffd21d91920 5 bytes JMP 00007ffda1ec0470 .text C:\WINDOWS\system32\svchost.exe[928] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ffd21d91930 5 bytes JMP 00007ffda1ec03e0 .text C:\WINDOWS\system32\svchost.exe[928] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenSection 00007ffd21d919e0 5 bytes JMP 00007ffda1ec0320 .text C:\WINDOWS\system32\svchost.exe[928] C:\WINDOWS\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffd21d91a10 5 bytes JMP 00007ffda1ec03b0 .text C:\WINDOWS\system32\svchost.exe[928] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDuplicateObject 00007ffd21d91a30 5 bytes JMP 00007ffda1ec0390 .text C:\WINDOWS\system32\svchost.exe[928] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenEvent 00007ffd21d91a70 5 bytes JMP 00007ffda1ec02e0 .text C:\WINDOWS\system32\svchost.exe[928] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateEvent 00007ffd21d91af0 5 bytes JMP 00007ffda1ec02d0 .text C:\WINDOWS\system32\svchost.exe[928] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSection 00007ffd21d91b10 5 bytes JMP 00007ffda1ec0310 .text C:\WINDOWS\system32\svchost.exe[928] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThread 00007ffd21d91b50 5 bytes JMP 00007ffda1ec03c0 .text C:\WINDOWS\system32\svchost.exe[928] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateThread 00007ffd21d91ba0 5 bytes JMP 00007ffda1ec03f0 .text C:\WINDOWS\system32\svchost.exe[928] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAddBootEntry 00007ffd21d91d00 5 bytes JMP 00007ffda1ec0230 .text C:\WINDOWS\system32\svchost.exe[928] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ffd21d91ef0 1 byte JMP 00007ffda1ec0480 .text C:\WINDOWS\system32\svchost.exe[928] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort + 2 00007ffd21d91ef2 3 bytes {JMP 0xffffffff8012e590} .text C:\WINDOWS\system32\svchost.exe[928] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00007ffd21d91f20 5 bytes JMP 00007ffda1ec03a0 .text C:\WINDOWS\system32\svchost.exe[928] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ffd21d92040 5 bytes JMP 00007ffda1ec02f0 .text C:\WINDOWS\system32\svchost.exe[928] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00007ffd21d92060 5 bytes JMP 00007ffda1ec0350 .text C:\WINDOWS\system32\svchost.exe[928] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateMutant 00007ffd21d920d0 5 bytes JMP 00007ffda1ec0290 .text C:\WINDOWS\system32\svchost.exe[928] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ffd21d92160 5 bytes JMP 00007ffda1ec02b0 .text C:\WINDOWS\system32\svchost.exe[928] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffd21d92180 5 bytes JMP 00007ffda1ec03d0 .text C:\WINDOWS\system32\svchost.exe[928] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateTimer 00007ffd21d92190 5 bytes JMP 00007ffda1ec0330 .text C:\WINDOWS\system32\svchost.exe[928] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00007ffd21d92240 5 bytes JMP 00007ffda1ec0410 .text C:\WINDOWS\system32\svchost.exe[928] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00007ffd21d92270 5 bytes JMP 00007ffda1ec0240 .text C:\WINDOWS\system32\svchost.exe[928] C:\WINDOWS\SYSTEM32\ntdll.dll!NtLoadDriver 00007ffd21d92590 5 bytes JMP 00007ffda1ec01e0 .text C:\WINDOWS\system32\svchost.exe[928] C:\WINDOWS\SYSTEM32\ntdll.dll!NtModifyBootEntry 00007ffd21d92650 5 bytes JMP 00007ffda1ec0250 .text C:\WINDOWS\system32\svchost.exe[928] C:\WINDOWS\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00007ffd21d92680 5 bytes JMP 00007ffda1ec0490 .text C:\WINDOWS\system32\svchost.exe[928] C:\WINDOWS\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00007ffd21d92690 5 bytes JMP 00007ffda1ec04a0 .text C:\WINDOWS\system32\svchost.exe[928] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenEventPair 00007ffd21d926c0 5 bytes JMP 00007ffda1ec0300 .text C:\WINDOWS\system32\svchost.exe[928] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00007ffd21d926d0 1 byte JMP 00007ffda1ec0360 .text C:\WINDOWS\system32\svchost.exe[928] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenIoCompletion + 2 00007ffd21d926d2 3 bytes {JMP 0xffffffff8012dc90} .text C:\WINDOWS\system32\svchost.exe[928] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenMutant 00007ffd21d92730 5 bytes JMP 00007ffda1ec02a0 .text C:\WINDOWS\system32\svchost.exe[928] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenSemaphore 00007ffd21d92780 5 bytes JMP 00007ffda1ec02c0 .text C:\WINDOWS\system32\svchost.exe[928] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenThread 00007ffd21d927b0 5 bytes JMP 00007ffda1ec0380 .text C:\WINDOWS\system32\svchost.exe[928] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenTimer 00007ffd21d927c0 5 bytes JMP 00007ffda1ec0340 .text C:\WINDOWS\system32\svchost.exe[928] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00007ffd21d92ad0 5 bytes JMP 00007ffda1ec0440 .text C:\WINDOWS\system32\svchost.exe[928] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00007ffd21d92cd0 1 byte JMP 00007ffda1ec0260 .text C:\WINDOWS\system32\svchost.exe[928] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 00007ffd21d92cd2 3 bytes {JMP 0xffffffff8012d590} .text C:\WINDOWS\system32\svchost.exe[928] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootOptions 00007ffd21d92ce0 1 byte JMP 00007ffda1ec0270 .text C:\WINDOWS\system32\svchost.exe[928] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 00007ffd21d92ce2 3 bytes {JMP 0xffffffff8012d590} .text C:\WINDOWS\system32\svchost.exe[928] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetContextThread 00007ffd21d92d00 5 bytes JMP 00007ffda1ec0400 .text C:\WINDOWS\system32\svchost.exe[928] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ffd21d92ee0 5 bytes JMP 00007ffda1ec01f0 .text C:\WINDOWS\system32\svchost.exe[928] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00007ffd21d92ef0 5 bytes JMP 00007ffda1ec0210 .text C:\WINDOWS\system32\svchost.exe[928] C:\WINDOWS\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ffd21d92f80 5 bytes JMP 00007ffda1ec0200 .text C:\WINDOWS\system32\svchost.exe[928] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSuspendProcess 00007ffd21d92ff0 5 bytes JMP 00007ffda1ec0420 .text C:\WINDOWS\system32\svchost.exe[928] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSuspendThread 00007ffd21d93000 5 bytes JMP 00007ffda1ec0430 .text C:\WINDOWS\system32\svchost.exe[928] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ffd21d93010 5 bytes JMP 00007ffda1ec0220 .text C:\WINDOWS\system32\svchost.exe[928] C:\WINDOWS\SYSTEM32\ntdll.dll!NtVdmControl 00007ffd21d93120 2 bytes JMP 00007ffda1ec0280 .text C:\WINDOWS\system32\svchost.exe[928] C:\WINDOWS\SYSTEM32\ntdll.dll!NtVdmControl + 3 00007ffd21d93123 2 bytes [12, 80] .text C:\WINDOWS\system32\svchost.exe[980] C:\WINDOWS\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00007ffd21d91720 5 bytes JMP 00007ffda1ec0460 .text C:\WINDOWS\system32\svchost.exe[980] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueryObject 00007ffd21d91770 5 bytes JMP 00007ffda1ec0450 .text C:\WINDOWS\system32\svchost.exe[980] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenProcess 00007ffd21d918d0 5 bytes JMP 00007ffda1ec0370 .text C:\WINDOWS\system32\svchost.exe[980] C:\WINDOWS\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00007ffd21d91920 5 bytes JMP 00007ffda1ec0470 .text C:\WINDOWS\system32\svchost.exe[980] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ffd21d91930 5 bytes JMP 00007ffda1ec03e0 .text C:\WINDOWS\system32\svchost.exe[980] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenSection 00007ffd21d919e0 5 bytes JMP 00007ffda1ec0320 .text C:\WINDOWS\system32\svchost.exe[980] C:\WINDOWS\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffd21d91a10 5 bytes JMP 00007ffda1ec03b0 .text C:\WINDOWS\system32\svchost.exe[980] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDuplicateObject 00007ffd21d91a30 5 bytes JMP 00007ffda1ec0390 .text C:\WINDOWS\system32\svchost.exe[980] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenEvent 00007ffd21d91a70 5 bytes JMP 00007ffda1ec02e0 .text C:\WINDOWS\system32\svchost.exe[980] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateEvent 00007ffd21d91af0 5 bytes JMP 00007ffda1ec02d0 .text C:\WINDOWS\system32\svchost.exe[980] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSection 00007ffd21d91b10 5 bytes JMP 00007ffda1ec0310 .text C:\WINDOWS\system32\svchost.exe[980] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThread 00007ffd21d91b50 5 bytes JMP 00007ffda1ec03c0 .text C:\WINDOWS\system32\svchost.exe[980] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateThread 00007ffd21d91ba0 5 bytes JMP 00007ffda1ec03f0 .text C:\WINDOWS\system32\svchost.exe[980] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAddBootEntry 00007ffd21d91d00 5 bytes JMP 00007ffda1ec0230 .text C:\WINDOWS\system32\svchost.exe[980] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ffd21d91ef0 1 byte JMP 00007ffda1ec0480 .text C:\WINDOWS\system32\svchost.exe[980] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort + 2 00007ffd21d91ef2 3 bytes {JMP 0xffffffff8012e590} .text C:\WINDOWS\system32\svchost.exe[980] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00007ffd21d91f20 5 bytes JMP 00007ffda1ec03a0 .text C:\WINDOWS\system32\svchost.exe[980] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ffd21d92040 5 bytes JMP 00007ffda1ec02f0 .text C:\WINDOWS\system32\svchost.exe[980] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00007ffd21d92060 5 bytes JMP 00007ffda1ec0350 .text C:\WINDOWS\system32\svchost.exe[980] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateMutant 00007ffd21d920d0 5 bytes JMP 00007ffda1ec0290 .text C:\WINDOWS\system32\svchost.exe[980] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ffd21d92160 5 bytes JMP 00007ffda1ec02b0 .text C:\WINDOWS\system32\svchost.exe[980] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffd21d92180 5 bytes JMP 00007ffda1ec03d0 .text C:\WINDOWS\system32\svchost.exe[980] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateTimer 00007ffd21d92190 5 bytes JMP 00007ffda1ec0330 .text C:\WINDOWS\system32\svchost.exe[980] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00007ffd21d92240 5 bytes JMP 00007ffda1ec0410 .text C:\WINDOWS\system32\svchost.exe[980] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00007ffd21d92270 5 bytes JMP 00007ffda1ec0240 .text C:\WINDOWS\system32\svchost.exe[980] C:\WINDOWS\SYSTEM32\ntdll.dll!NtLoadDriver 00007ffd21d92590 5 bytes JMP 00007ffda1ec01e0 .text C:\WINDOWS\system32\svchost.exe[980] C:\WINDOWS\SYSTEM32\ntdll.dll!NtModifyBootEntry 00007ffd21d92650 5 bytes JMP 00007ffda1ec0250 .text C:\WINDOWS\system32\svchost.exe[980] C:\WINDOWS\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00007ffd21d92680 5 bytes JMP 00007ffda1ec0490 .text C:\WINDOWS\system32\svchost.exe[980] C:\WINDOWS\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00007ffd21d92690 5 bytes JMP 00007ffda1ec04a0 .text C:\WINDOWS\system32\svchost.exe[980] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenEventPair 00007ffd21d926c0 5 bytes JMP 00007ffda1ec0300 .text C:\WINDOWS\system32\svchost.exe[980] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00007ffd21d926d0 1 byte JMP 00007ffda1ec0360 .text C:\WINDOWS\system32\svchost.exe[980] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenIoCompletion + 2 00007ffd21d926d2 3 bytes {JMP 0xffffffff8012dc90} .text C:\WINDOWS\system32\svchost.exe[980] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenMutant 00007ffd21d92730 5 bytes JMP 00007ffda1ec02a0 .text C:\WINDOWS\system32\svchost.exe[980] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenSemaphore 00007ffd21d92780 5 bytes JMP 00007ffda1ec02c0 .text C:\WINDOWS\system32\svchost.exe[980] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenThread 00007ffd21d927b0 5 bytes JMP 00007ffda1ec0380 .text C:\WINDOWS\system32\svchost.exe[980] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenTimer 00007ffd21d927c0 5 bytes JMP 00007ffda1ec0340 .text C:\WINDOWS\system32\svchost.exe[980] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00007ffd21d92ad0 5 bytes JMP 00007ffda1ec0440 .text C:\WINDOWS\system32\svchost.exe[980] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00007ffd21d92cd0 1 byte JMP 00007ffda1ec0260 .text C:\WINDOWS\system32\svchost.exe[980] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 00007ffd21d92cd2 3 bytes {JMP 0xffffffff8012d590} .text C:\WINDOWS\system32\svchost.exe[980] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootOptions 00007ffd21d92ce0 1 byte JMP 00007ffda1ec0270 .text C:\WINDOWS\system32\svchost.exe[980] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 00007ffd21d92ce2 3 bytes {JMP 0xffffffff8012d590} .text C:\WINDOWS\system32\svchost.exe[980] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetContextThread 00007ffd21d92d00 5 bytes JMP 00007ffda1ec0400 .text C:\WINDOWS\system32\svchost.exe[980] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ffd21d92ee0 5 bytes JMP 00007ffda1ec01f0 .text C:\WINDOWS\system32\svchost.exe[980] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00007ffd21d92ef0 5 bytes JMP 00007ffda1ec0210 .text C:\WINDOWS\system32\svchost.exe[980] C:\WINDOWS\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ffd21d92f80 5 bytes JMP 00007ffda1ec0200 .text C:\WINDOWS\system32\svchost.exe[980] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSuspendProcess 00007ffd21d92ff0 5 bytes JMP 00007ffda1ec0420 .text C:\WINDOWS\system32\svchost.exe[980] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSuspendThread 00007ffd21d93000 5 bytes JMP 00007ffda1ec0430 .text C:\WINDOWS\system32\svchost.exe[980] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ffd21d93010 5 bytes JMP 00007ffda1ec0220 .text C:\WINDOWS\system32\svchost.exe[980] C:\WINDOWS\SYSTEM32\ntdll.dll!NtVdmControl 00007ffd21d93120 2 bytes JMP 00007ffda1ec0280 .text C:\WINDOWS\system32\svchost.exe[980] C:\WINDOWS\SYSTEM32\ntdll.dll!NtVdmControl + 3 00007ffd21d93123 2 bytes [12, 80] .text C:\WINDOWS\system32\atiesrxx.exe[484] C:\WINDOWS\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00007ffd21d91720 5 bytes JMP 00007ffda1ec0460 .text C:\WINDOWS\system32\atiesrxx.exe[484] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueryObject 00007ffd21d91770 5 bytes JMP 00007ffda1ec0450 .text C:\WINDOWS\system32\atiesrxx.exe[484] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenProcess 00007ffd21d918d0 5 bytes JMP 00007ffda1ec0370 .text C:\WINDOWS\system32\atiesrxx.exe[484] C:\WINDOWS\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00007ffd21d91920 5 bytes JMP 00007ffda1ec0470 .text C:\WINDOWS\system32\atiesrxx.exe[484] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ffd21d91930 5 bytes JMP 00007ffda1ec03e0 .text C:\WINDOWS\system32\atiesrxx.exe[484] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenSection 00007ffd21d919e0 5 bytes JMP 00007ffda1ec0320 .text C:\WINDOWS\system32\atiesrxx.exe[484] C:\WINDOWS\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffd21d91a10 5 bytes JMP 00007ffda1ec03b0 .text C:\WINDOWS\system32\atiesrxx.exe[484] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDuplicateObject 00007ffd21d91a30 5 bytes JMP 00007ffda1ec0390 .text C:\WINDOWS\system32\atiesrxx.exe[484] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenEvent 00007ffd21d91a70 5 bytes JMP 00007ffda1ec02e0 .text C:\WINDOWS\system32\atiesrxx.exe[484] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateEvent 00007ffd21d91af0 5 bytes JMP 00007ffda1ec02d0 .text C:\WINDOWS\system32\atiesrxx.exe[484] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSection 00007ffd21d91b10 5 bytes JMP 00007ffda1ec0310 .text C:\WINDOWS\system32\atiesrxx.exe[484] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThread 00007ffd21d91b50 5 bytes JMP 00007ffda1ec03c0 .text C:\WINDOWS\system32\atiesrxx.exe[484] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateThread 00007ffd21d91ba0 5 bytes JMP 00007ffda1ec03f0 .text C:\WINDOWS\system32\atiesrxx.exe[484] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAddBootEntry 00007ffd21d91d00 5 bytes JMP 00007ffda1ec0230 .text C:\WINDOWS\system32\atiesrxx.exe[484] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ffd21d91ef0 1 byte JMP 00007ffda1ec0480 .text C:\WINDOWS\system32\atiesrxx.exe[484] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort + 2 00007ffd21d91ef2 3 bytes {JMP 0xffffffff8012e590} .text C:\WINDOWS\system32\atiesrxx.exe[484] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00007ffd21d91f20 5 bytes JMP 00007ffda1ec03a0 .text C:\WINDOWS\system32\atiesrxx.exe[484] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ffd21d92040 5 bytes JMP 00007ffda1ec02f0 .text C:\WINDOWS\system32\atiesrxx.exe[484] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00007ffd21d92060 5 bytes JMP 00007ffda1ec0350 .text C:\WINDOWS\system32\atiesrxx.exe[484] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateMutant 00007ffd21d920d0 5 bytes JMP 00007ffda1ec0290 .text C:\WINDOWS\system32\atiesrxx.exe[484] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ffd21d92160 5 bytes JMP 00007ffda1ec02b0 .text C:\WINDOWS\system32\atiesrxx.exe[484] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffd21d92180 5 bytes JMP 00007ffda1ec03d0 .text C:\WINDOWS\system32\atiesrxx.exe[484] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateTimer 00007ffd21d92190 5 bytes JMP 00007ffda1ec0330 .text C:\WINDOWS\system32\atiesrxx.exe[484] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00007ffd21d92240 5 bytes JMP 00007ffda1ec0410 .text C:\WINDOWS\system32\atiesrxx.exe[484] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00007ffd21d92270 5 bytes JMP 00007ffda1ec0240 .text C:\WINDOWS\system32\atiesrxx.exe[484] C:\WINDOWS\SYSTEM32\ntdll.dll!NtLoadDriver 00007ffd21d92590 5 bytes JMP 00007ffda1ec01e0 .text C:\WINDOWS\system32\atiesrxx.exe[484] C:\WINDOWS\SYSTEM32\ntdll.dll!NtModifyBootEntry 00007ffd21d92650 5 bytes JMP 00007ffda1ec0250 .text C:\WINDOWS\system32\atiesrxx.exe[484] C:\WINDOWS\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00007ffd21d92680 5 bytes JMP 00007ffda1ec0490 .text C:\WINDOWS\system32\atiesrxx.exe[484] C:\WINDOWS\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00007ffd21d92690 5 bytes JMP 00007ffda1ec04a0 .text C:\WINDOWS\system32\atiesrxx.exe[484] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenEventPair 00007ffd21d926c0 5 bytes JMP 00007ffda1ec0300 .text C:\WINDOWS\system32\atiesrxx.exe[484] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00007ffd21d926d0 1 byte JMP 00007ffda1ec0360 .text C:\WINDOWS\system32\atiesrxx.exe[484] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenIoCompletion + 2 00007ffd21d926d2 3 bytes {JMP 0xffffffff8012dc90} .text C:\WINDOWS\system32\atiesrxx.exe[484] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenMutant 00007ffd21d92730 5 bytes JMP 00007ffda1ec02a0 .text C:\WINDOWS\system32\atiesrxx.exe[484] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenSemaphore 00007ffd21d92780 5 bytes JMP 00007ffda1ec02c0 .text C:\WINDOWS\system32\atiesrxx.exe[484] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenThread 00007ffd21d927b0 5 bytes JMP 00007ffda1ec0380 .text C:\WINDOWS\system32\atiesrxx.exe[484] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenTimer 00007ffd21d927c0 5 bytes JMP 00007ffda1ec0340 .text C:\WINDOWS\system32\atiesrxx.exe[484] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00007ffd21d92ad0 5 bytes JMP 00007ffda1ec0440 .text C:\WINDOWS\system32\atiesrxx.exe[484] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00007ffd21d92cd0 1 byte JMP 00007ffda1ec0260 .text C:\WINDOWS\system32\atiesrxx.exe[484] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 00007ffd21d92cd2 3 bytes {JMP 0xffffffff8012d590} .text C:\WINDOWS\system32\atiesrxx.exe[484] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootOptions 00007ffd21d92ce0 1 byte JMP 00007ffda1ec0270 .text C:\WINDOWS\system32\atiesrxx.exe[484] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 00007ffd21d92ce2 3 bytes {JMP 0xffffffff8012d590} .text C:\WINDOWS\system32\atiesrxx.exe[484] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetContextThread 00007ffd21d92d00 5 bytes JMP 00007ffda1ec0400 .text C:\WINDOWS\system32\atiesrxx.exe[484] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ffd21d92ee0 5 bytes JMP 00007ffda1ec01f0 .text C:\WINDOWS\system32\atiesrxx.exe[484] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00007ffd21d92ef0 5 bytes JMP 00007ffda1ec0210 .text C:\WINDOWS\system32\atiesrxx.exe[484] C:\WINDOWS\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ffd21d92f80 5 bytes JMP 00007ffda1ec0200 .text C:\WINDOWS\system32\atiesrxx.exe[484] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSuspendProcess 00007ffd21d92ff0 5 bytes JMP 00007ffda1ec0420 .text C:\WINDOWS\system32\atiesrxx.exe[484] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSuspendThread 00007ffd21d93000 5 bytes JMP 00007ffda1ec0430 .text C:\WINDOWS\system32\atiesrxx.exe[484] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ffd21d93010 5 bytes JMP 00007ffda1ec0220 .text C:\WINDOWS\system32\atiesrxx.exe[484] C:\WINDOWS\SYSTEM32\ntdll.dll!NtVdmControl 00007ffd21d93120 2 bytes JMP 00007ffda1ec0280 .text C:\WINDOWS\system32\atiesrxx.exe[484] C:\WINDOWS\SYSTEM32\ntdll.dll!NtVdmControl + 3 00007ffd21d93123 2 bytes [12, 80] .text C:\WINDOWS\system32\atiesrxx.exe[484] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 506 00007ffd1f94169a 4 bytes [94, 1F, FD, 7F] .text C:\WINDOWS\system32\atiesrxx.exe[484] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 514 00007ffd1f9416a2 4 bytes [94, 1F, FD, 7F] .text C:\WINDOWS\system32\atiesrxx.exe[484] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 118 00007ffd1f94181a 4 bytes [94, 1F, FD, 7F] .text C:\WINDOWS\system32\atiesrxx.exe[484] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 142 00007ffd1f941832 4 bytes [94, 1F, FD, 7F] .text C:\WINDOWS\system32\svchost.exe[1008] C:\WINDOWS\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00007ffd21d91720 5 bytes JMP 00007ffda1ec0460 .text C:\WINDOWS\system32\svchost.exe[1008] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueryObject 00007ffd21d91770 5 bytes JMP 00007ffda1ec0450 .text C:\WINDOWS\system32\svchost.exe[1008] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenProcess 00007ffd21d918d0 5 bytes JMP 00007ffda1ec0370 .text C:\WINDOWS\system32\svchost.exe[1008] C:\WINDOWS\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00007ffd21d91920 5 bytes JMP 00007ffda1ec0470 .text C:\WINDOWS\system32\svchost.exe[1008] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ffd21d91930 5 bytes JMP 00007ffda1ec03e0 .text C:\WINDOWS\system32\svchost.exe[1008] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenSection 00007ffd21d919e0 5 bytes JMP 00007ffda1ec0320 .text C:\WINDOWS\system32\svchost.exe[1008] C:\WINDOWS\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffd21d91a10 5 bytes JMP 00007ffda1ec03b0 .text C:\WINDOWS\system32\svchost.exe[1008] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDuplicateObject 00007ffd21d91a30 5 bytes JMP 00007ffda1ec0390 .text C:\WINDOWS\system32\svchost.exe[1008] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenEvent 00007ffd21d91a70 5 bytes JMP 00007ffda1ec02e0 .text C:\WINDOWS\system32\svchost.exe[1008] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateEvent 00007ffd21d91af0 5 bytes JMP 00007ffda1ec02d0 .text C:\WINDOWS\system32\svchost.exe[1008] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSection 00007ffd21d91b10 5 bytes JMP 00007ffda1ec0310 .text C:\WINDOWS\system32\svchost.exe[1008] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThread 00007ffd21d91b50 5 bytes JMP 00007ffda1ec03c0 .text C:\WINDOWS\system32\svchost.exe[1008] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateThread 00007ffd21d91ba0 5 bytes JMP 00007ffda1ec03f0 .text C:\WINDOWS\system32\svchost.exe[1008] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAddBootEntry 00007ffd21d91d00 5 bytes JMP 00007ffda1ec0230 .text C:\WINDOWS\system32\svchost.exe[1008] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ffd21d91ef0 1 byte JMP 00007ffda1ec0480 .text C:\WINDOWS\system32\svchost.exe[1008] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort + 2 00007ffd21d91ef2 3 bytes {JMP 0xffffffff8012e590} .text C:\WINDOWS\system32\svchost.exe[1008] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00007ffd21d91f20 5 bytes JMP 00007ffda1ec03a0 .text C:\WINDOWS\system32\svchost.exe[1008] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ffd21d92040 5 bytes JMP 00007ffda1ec02f0 .text C:\WINDOWS\system32\svchost.exe[1008] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00007ffd21d92060 5 bytes JMP 00007ffda1ec0350 .text C:\WINDOWS\system32\svchost.exe[1008] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateMutant 00007ffd21d920d0 5 bytes JMP 00007ffda1ec0290 .text C:\WINDOWS\system32\svchost.exe[1008] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ffd21d92160 5 bytes JMP 00007ffda1ec02b0 .text C:\WINDOWS\system32\svchost.exe[1008] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffd21d92180 5 bytes JMP 00007ffda1ec03d0 .text C:\WINDOWS\system32\svchost.exe[1008] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateTimer 00007ffd21d92190 5 bytes JMP 00007ffda1ec0330 .text C:\WINDOWS\system32\svchost.exe[1008] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00007ffd21d92240 5 bytes JMP 00007ffda1ec0410 .text C:\WINDOWS\system32\svchost.exe[1008] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00007ffd21d92270 5 bytes JMP 00007ffda1ec0240 .text C:\WINDOWS\system32\svchost.exe[1008] C:\WINDOWS\SYSTEM32\ntdll.dll!NtLoadDriver 00007ffd21d92590 5 bytes JMP 00007ffda1ec01e0 .text C:\WINDOWS\system32\svchost.exe[1008] C:\WINDOWS\SYSTEM32\ntdll.dll!NtModifyBootEntry 00007ffd21d92650 5 bytes JMP 00007ffda1ec0250 .text C:\WINDOWS\system32\svchost.exe[1008] C:\WINDOWS\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00007ffd21d92680 5 bytes JMP 00007ffda1ec0490 .text C:\WINDOWS\system32\svchost.exe[1008] C:\WINDOWS\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00007ffd21d92690 5 bytes JMP 00007ffda1ec04a0 .text C:\WINDOWS\system32\svchost.exe[1008] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenEventPair 00007ffd21d926c0 5 bytes JMP 00007ffda1ec0300 .text C:\WINDOWS\system32\svchost.exe[1008] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00007ffd21d926d0 1 byte JMP 00007ffda1ec0360 .text C:\WINDOWS\system32\svchost.exe[1008] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenIoCompletion + 2 00007ffd21d926d2 3 bytes {JMP 0xffffffff8012dc90} .text C:\WINDOWS\system32\svchost.exe[1008] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenMutant 00007ffd21d92730 5 bytes JMP 00007ffda1ec02a0 .text C:\WINDOWS\system32\svchost.exe[1008] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenSemaphore 00007ffd21d92780 5 bytes JMP 00007ffda1ec02c0 .text C:\WINDOWS\system32\svchost.exe[1008] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenThread 00007ffd21d927b0 5 bytes JMP 00007ffda1ec0380 .text C:\WINDOWS\system32\svchost.exe[1008] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenTimer 00007ffd21d927c0 5 bytes JMP 00007ffda1ec0340 .text C:\WINDOWS\system32\svchost.exe[1008] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00007ffd21d92ad0 5 bytes JMP 00007ffda1ec0440 .text C:\WINDOWS\system32\svchost.exe[1008] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00007ffd21d92cd0 1 byte JMP 00007ffda1ec0260 .text C:\WINDOWS\system32\svchost.exe[1008] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 00007ffd21d92cd2 3 bytes {JMP 0xffffffff8012d590} .text C:\WINDOWS\system32\svchost.exe[1008] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootOptions 00007ffd21d92ce0 1 byte JMP 00007ffda1ec0270 .text C:\WINDOWS\system32\svchost.exe[1008] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 00007ffd21d92ce2 3 bytes {JMP 0xffffffff8012d590} .text C:\WINDOWS\system32\svchost.exe[1008] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetContextThread 00007ffd21d92d00 5 bytes JMP 00007ffda1ec0400 .text C:\WINDOWS\system32\svchost.exe[1008] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ffd21d92ee0 5 bytes JMP 00007ffda1ec01f0 .text C:\WINDOWS\system32\svchost.exe[1008] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00007ffd21d92ef0 5 bytes JMP 00007ffda1ec0210 .text C:\WINDOWS\system32\svchost.exe[1008] C:\WINDOWS\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ffd21d92f80 5 bytes JMP 00007ffda1ec0200 .text C:\WINDOWS\system32\svchost.exe[1008] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSuspendProcess 00007ffd21d92ff0 5 bytes JMP 00007ffda1ec0420 .text C:\WINDOWS\system32\svchost.exe[1008] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSuspendThread 00007ffd21d93000 5 bytes JMP 00007ffda1ec0430 .text C:\WINDOWS\system32\svchost.exe[1008] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ffd21d93010 5 bytes JMP 00007ffda1ec0220 .text C:\WINDOWS\system32\svchost.exe[1008] C:\WINDOWS\SYSTEM32\ntdll.dll!NtVdmControl 00007ffd21d93120 2 bytes JMP 00007ffda1ec0280 .text C:\WINDOWS\system32\svchost.exe[1008] C:\WINDOWS\SYSTEM32\ntdll.dll!NtVdmControl + 3 00007ffd21d93123 2 bytes [12, 80] .text C:\WINDOWS\system32\svchost.exe[1028] C:\WINDOWS\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00007ffd21d91720 5 bytes JMP 00007ffda1ec0460 .text C:\WINDOWS\system32\svchost.exe[1028] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueryObject 00007ffd21d91770 5 bytes JMP 00007ffda1ec0450 .text C:\WINDOWS\system32\svchost.exe[1028] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenProcess 00007ffd21d918d0 5 bytes JMP 00007ffda1ec0370 .text C:\WINDOWS\system32\svchost.exe[1028] C:\WINDOWS\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00007ffd21d91920 5 bytes JMP 00007ffda1ec0470 .text C:\WINDOWS\system32\svchost.exe[1028] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ffd21d91930 5 bytes JMP 00007ffda1ec03e0 .text C:\WINDOWS\system32\svchost.exe[1028] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenSection 00007ffd21d919e0 5 bytes JMP 00007ffda1ec0320 .text C:\WINDOWS\system32\svchost.exe[1028] C:\WINDOWS\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffd21d91a10 5 bytes JMP 00007ffda1ec03b0 .text C:\WINDOWS\system32\svchost.exe[1028] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDuplicateObject 00007ffd21d91a30 5 bytes JMP 00007ffda1ec0390 .text C:\WINDOWS\system32\svchost.exe[1028] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenEvent 00007ffd21d91a70 5 bytes JMP 00007ffda1ec02e0 .text C:\WINDOWS\system32\svchost.exe[1028] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateEvent 00007ffd21d91af0 5 bytes JMP 00007ffda1ec02d0 .text C:\WINDOWS\system32\svchost.exe[1028] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSection 00007ffd21d91b10 5 bytes JMP 00007ffda1ec0310 .text C:\WINDOWS\system32\svchost.exe[1028] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThread 00007ffd21d91b50 5 bytes JMP 00007ffda1ec03c0 .text C:\WINDOWS\system32\svchost.exe[1028] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateThread 00007ffd21d91ba0 5 bytes JMP 00007ffda1ec03f0 .text C:\WINDOWS\system32\svchost.exe[1028] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAddBootEntry 00007ffd21d91d00 5 bytes JMP 00007ffda1ec0230 .text C:\WINDOWS\system32\svchost.exe[1028] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ffd21d91ef0 1 byte JMP 00007ffda1ec0480 .text C:\WINDOWS\system32\svchost.exe[1028] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort + 2 00007ffd21d91ef2 3 bytes {JMP 0xffffffff8012e590} .text C:\WINDOWS\system32\svchost.exe[1028] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00007ffd21d91f20 5 bytes JMP 00007ffda1ec03a0 .text C:\WINDOWS\system32\svchost.exe[1028] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ffd21d92040 5 bytes JMP 00007ffda1ec02f0 .text C:\WINDOWS\system32\svchost.exe[1028] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00007ffd21d92060 5 bytes JMP 00007ffda1ec0350 .text C:\WINDOWS\system32\svchost.exe[1028] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateMutant 00007ffd21d920d0 5 bytes JMP 00007ffda1ec0290 .text C:\WINDOWS\system32\svchost.exe[1028] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ffd21d92160 5 bytes JMP 00007ffda1ec02b0 .text C:\WINDOWS\system32\svchost.exe[1028] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffd21d92180 5 bytes JMP 00007ffda1ec03d0 .text C:\WINDOWS\system32\svchost.exe[1028] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateTimer 00007ffd21d92190 5 bytes JMP 00007ffda1ec0330 .text C:\WINDOWS\system32\svchost.exe[1028] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00007ffd21d92240 5 bytes JMP 00007ffda1ec0410 .text C:\WINDOWS\system32\svchost.exe[1028] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00007ffd21d92270 5 bytes JMP 00007ffda1ec0240 .text C:\WINDOWS\system32\svchost.exe[1028] C:\WINDOWS\SYSTEM32\ntdll.dll!NtLoadDriver 00007ffd21d92590 5 bytes JMP 00007ffda1ec01e0 .text C:\WINDOWS\system32\svchost.exe[1028] C:\WINDOWS\SYSTEM32\ntdll.dll!NtModifyBootEntry 00007ffd21d92650 5 bytes JMP 00007ffda1ec0250 .text C:\WINDOWS\system32\svchost.exe[1028] C:\WINDOWS\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00007ffd21d92680 5 bytes JMP 00007ffda1ec0490 .text C:\WINDOWS\system32\svchost.exe[1028] C:\WINDOWS\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00007ffd21d92690 5 bytes JMP 00007ffda1ec04a0 .text C:\WINDOWS\system32\svchost.exe[1028] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenEventPair 00007ffd21d926c0 5 bytes JMP 00007ffda1ec0300 .text C:\WINDOWS\system32\svchost.exe[1028] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00007ffd21d926d0 1 byte JMP 00007ffda1ec0360 .text C:\WINDOWS\system32\svchost.exe[1028] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenIoCompletion + 2 00007ffd21d926d2 3 bytes {JMP 0xffffffff8012dc90} .text C:\WINDOWS\system32\svchost.exe[1028] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenMutant 00007ffd21d92730 5 bytes JMP 00007ffda1ec02a0 .text C:\WINDOWS\system32\svchost.exe[1028] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenSemaphore 00007ffd21d92780 5 bytes JMP 00007ffda1ec02c0 .text C:\WINDOWS\system32\svchost.exe[1028] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenThread 00007ffd21d927b0 5 bytes JMP 00007ffda1ec0380 .text C:\WINDOWS\system32\svchost.exe[1028] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenTimer 00007ffd21d927c0 5 bytes JMP 00007ffda1ec0340 .text C:\WINDOWS\system32\svchost.exe[1028] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00007ffd21d92ad0 5 bytes JMP 00007ffda1ec0440 .text C:\WINDOWS\system32\svchost.exe[1028] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00007ffd21d92cd0 1 byte JMP 00007ffda1ec0260 .text C:\WINDOWS\system32\svchost.exe[1028] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 00007ffd21d92cd2 3 bytes {JMP 0xffffffff8012d590} .text C:\WINDOWS\system32\svchost.exe[1028] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootOptions 00007ffd21d92ce0 1 byte JMP 00007ffda1ec0270 .text C:\WINDOWS\system32\svchost.exe[1028] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 00007ffd21d92ce2 3 bytes {JMP 0xffffffff8012d590} .text C:\WINDOWS\system32\svchost.exe[1028] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetContextThread 00007ffd21d92d00 5 bytes JMP 00007ffda1ec0400 .text C:\WINDOWS\system32\svchost.exe[1028] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ffd21d92ee0 5 bytes JMP 00007ffda1ec01f0 .text C:\WINDOWS\system32\svchost.exe[1028] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00007ffd21d92ef0 5 bytes JMP 00007ffda1ec0210 .text C:\WINDOWS\system32\svchost.exe[1028] C:\WINDOWS\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ffd21d92f80 5 bytes JMP 00007ffda1ec0200 .text C:\WINDOWS\system32\svchost.exe[1028] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSuspendProcess 00007ffd21d92ff0 5 bytes JMP 00007ffda1ec0420 .text C:\WINDOWS\system32\svchost.exe[1028] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSuspendThread 00007ffd21d93000 5 bytes JMP 00007ffda1ec0430 .text C:\WINDOWS\system32\svchost.exe[1028] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ffd21d93010 5 bytes JMP 00007ffda1ec0220 .text C:\WINDOWS\system32\svchost.exe[1028] C:\WINDOWS\SYSTEM32\ntdll.dll!NtVdmControl 00007ffd21d93120 2 bytes JMP 00007ffda1ec0280 .text C:\WINDOWS\system32\svchost.exe[1028] C:\WINDOWS\SYSTEM32\ntdll.dll!NtVdmControl + 3 00007ffd21d93123 2 bytes [12, 80] .text C:\WINDOWS\System32\svchost.exe[1088] C:\WINDOWS\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00007ffd21d91720 5 bytes JMP 00007ffda1ec0460 .text C:\WINDOWS\System32\svchost.exe[1088] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueryObject 00007ffd21d91770 5 bytes JMP 00007ffda1ec0450 .text C:\WINDOWS\System32\svchost.exe[1088] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenProcess 00007ffd21d918d0 5 bytes JMP 00007ffda1ec0370 .text C:\WINDOWS\System32\svchost.exe[1088] C:\WINDOWS\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00007ffd21d91920 5 bytes JMP 00007ffda1ec0470 .text C:\WINDOWS\System32\svchost.exe[1088] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ffd21d91930 5 bytes JMP 00007ffda1ec03e0 .text C:\WINDOWS\System32\svchost.exe[1088] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenSection 00007ffd21d919e0 5 bytes JMP 00007ffda1ec0320 .text C:\WINDOWS\System32\svchost.exe[1088] C:\WINDOWS\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffd21d91a10 5 bytes JMP 00007ffda1ec03b0 .text C:\WINDOWS\System32\svchost.exe[1088] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDuplicateObject 00007ffd21d91a30 5 bytes JMP 00007ffda1ec0390 .text C:\WINDOWS\System32\svchost.exe[1088] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenEvent 00007ffd21d91a70 5 bytes JMP 00007ffda1ec02e0 .text C:\WINDOWS\System32\svchost.exe[1088] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateEvent 00007ffd21d91af0 5 bytes JMP 00007ffda1ec02d0 .text C:\WINDOWS\System32\svchost.exe[1088] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSection 00007ffd21d91b10 5 bytes JMP 00007ffda1ec0310 .text C:\WINDOWS\System32\svchost.exe[1088] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThread 00007ffd21d91b50 5 bytes JMP 00007ffda1ec03c0 .text C:\WINDOWS\System32\svchost.exe[1088] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateThread 00007ffd21d91ba0 5 bytes JMP 00007ffda1ec03f0 .text C:\WINDOWS\System32\svchost.exe[1088] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAddBootEntry 00007ffd21d91d00 5 bytes JMP 00007ffda1ec0230 .text C:\WINDOWS\System32\svchost.exe[1088] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ffd21d91ef0 1 byte JMP 00007ffda1ec0480 .text C:\WINDOWS\System32\svchost.exe[1088] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort + 2 00007ffd21d91ef2 3 bytes {JMP 0xffffffff8012e590} .text C:\WINDOWS\System32\svchost.exe[1088] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00007ffd21d91f20 5 bytes JMP 00007ffda1ec03a0 .text C:\WINDOWS\System32\svchost.exe[1088] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ffd21d92040 5 bytes JMP 00007ffda1ec02f0 .text C:\WINDOWS\System32\svchost.exe[1088] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00007ffd21d92060 5 bytes JMP 00007ffda1ec0350 .text C:\WINDOWS\System32\svchost.exe[1088] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateMutant 00007ffd21d920d0 5 bytes JMP 00007ffda1ec0290 .text C:\WINDOWS\System32\svchost.exe[1088] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ffd21d92160 5 bytes JMP 00007ffda1ec02b0 .text C:\WINDOWS\System32\svchost.exe[1088] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffd21d92180 5 bytes JMP 00007ffda1ec03d0 .text C:\WINDOWS\System32\svchost.exe[1088] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateTimer 00007ffd21d92190 5 bytes JMP 00007ffda1ec0330 .text C:\WINDOWS\System32\svchost.exe[1088] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00007ffd21d92240 5 bytes JMP 00007ffda1ec0410 .text C:\WINDOWS\System32\svchost.exe[1088] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00007ffd21d92270 5 bytes JMP 00007ffda1ec0240 .text C:\WINDOWS\System32\svchost.exe[1088] C:\WINDOWS\SYSTEM32\ntdll.dll!NtLoadDriver 00007ffd21d92590 5 bytes JMP 00007ffda1ec01e0 .text C:\WINDOWS\System32\svchost.exe[1088] C:\WINDOWS\SYSTEM32\ntdll.dll!NtModifyBootEntry 00007ffd21d92650 5 bytes JMP 00007ffda1ec0250 .text C:\WINDOWS\System32\svchost.exe[1088] C:\WINDOWS\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00007ffd21d92680 5 bytes JMP 00007ffda1ec0490 .text C:\WINDOWS\System32\svchost.exe[1088] C:\WINDOWS\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00007ffd21d92690 5 bytes JMP 00007ffda1ec04a0 .text C:\WINDOWS\System32\svchost.exe[1088] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenEventPair 00007ffd21d926c0 5 bytes JMP 00007ffda1ec0300 .text C:\WINDOWS\System32\svchost.exe[1088] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00007ffd21d926d0 1 byte JMP 00007ffda1ec0360 .text C:\WINDOWS\System32\svchost.exe[1088] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenIoCompletion + 2 00007ffd21d926d2 3 bytes {JMP 0xffffffff8012dc90} .text C:\WINDOWS\System32\svchost.exe[1088] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenMutant 00007ffd21d92730 5 bytes JMP 00007ffda1ec02a0 .text C:\WINDOWS\System32\svchost.exe[1088] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenSemaphore 00007ffd21d92780 5 bytes JMP 00007ffda1ec02c0 .text C:\WINDOWS\System32\svchost.exe[1088] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenThread 00007ffd21d927b0 5 bytes JMP 00007ffda1ec0380 .text C:\WINDOWS\System32\svchost.exe[1088] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenTimer 00007ffd21d927c0 5 bytes JMP 00007ffda1ec0340 .text C:\WINDOWS\System32\svchost.exe[1088] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00007ffd21d92ad0 5 bytes JMP 00007ffda1ec0440 .text C:\WINDOWS\System32\svchost.exe[1088] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00007ffd21d92cd0 1 byte JMP 00007ffda1ec0260 .text C:\WINDOWS\System32\svchost.exe[1088] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 00007ffd21d92cd2 3 bytes {JMP 0xffffffff8012d590} .text C:\WINDOWS\System32\svchost.exe[1088] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootOptions 00007ffd21d92ce0 1 byte JMP 00007ffda1ec0270 .text C:\WINDOWS\System32\svchost.exe[1088] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 00007ffd21d92ce2 3 bytes {JMP 0xffffffff8012d590} .text C:\WINDOWS\System32\svchost.exe[1088] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetContextThread 00007ffd21d92d00 5 bytes JMP 00007ffda1ec0400 .text C:\WINDOWS\System32\svchost.exe[1088] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ffd21d92ee0 5 bytes JMP 00007ffda1ec01f0 .text C:\WINDOWS\System32\svchost.exe[1088] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00007ffd21d92ef0 5 bytes JMP 00007ffda1ec0210 .text C:\WINDOWS\System32\svchost.exe[1088] C:\WINDOWS\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ffd21d92f80 5 bytes JMP 00007ffda1ec0200 .text C:\WINDOWS\System32\svchost.exe[1088] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSuspendProcess 00007ffd21d92ff0 5 bytes JMP 00007ffda1ec0420 .text C:\WINDOWS\System32\svchost.exe[1088] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSuspendThread 00007ffd21d93000 5 bytes JMP 00007ffda1ec0430 .text C:\WINDOWS\System32\svchost.exe[1088] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ffd21d93010 5 bytes JMP 00007ffda1ec0220 .text C:\WINDOWS\System32\svchost.exe[1088] C:\WINDOWS\SYSTEM32\ntdll.dll!NtVdmControl 00007ffd21d93120 2 bytes JMP 00007ffda1ec0280 .text C:\WINDOWS\System32\svchost.exe[1088] C:\WINDOWS\SYSTEM32\ntdll.dll!NtVdmControl + 3 00007ffd21d93123 2 bytes [12, 80] .text C:\WINDOWS\system32\svchost.exe[1212] C:\WINDOWS\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00007ffd21d91720 5 bytes JMP 00007ffda1ec0460 .text C:\WINDOWS\system32\svchost.exe[1212] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueryObject 00007ffd21d91770 5 bytes JMP 00007ffda1ec0450 .text C:\WINDOWS\system32\svchost.exe[1212] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenProcess 00007ffd21d918d0 5 bytes JMP 00007ffda1ec0370 .text C:\WINDOWS\system32\svchost.exe[1212] C:\WINDOWS\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00007ffd21d91920 5 bytes JMP 00007ffda1ec0470 .text C:\WINDOWS\system32\svchost.exe[1212] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ffd21d91930 5 bytes JMP 00007ffda1ec03e0 .text C:\WINDOWS\system32\svchost.exe[1212] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenSection 00007ffd21d919e0 5 bytes JMP 00007ffda1ec0320 .text C:\WINDOWS\system32\svchost.exe[1212] C:\WINDOWS\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffd21d91a10 5 bytes JMP 00007ffda1ec03b0 .text C:\WINDOWS\system32\svchost.exe[1212] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDuplicateObject 00007ffd21d91a30 5 bytes JMP 00007ffda1ec0390 .text C:\WINDOWS\system32\svchost.exe[1212] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenEvent 00007ffd21d91a70 5 bytes JMP 00007ffda1ec02e0 .text C:\WINDOWS\system32\svchost.exe[1212] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateEvent 00007ffd21d91af0 5 bytes JMP 00007ffda1ec02d0 .text C:\WINDOWS\system32\svchost.exe[1212] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSection 00007ffd21d91b10 5 bytes JMP 00007ffda1ec0310 .text C:\WINDOWS\system32\svchost.exe[1212] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThread 00007ffd21d91b50 5 bytes JMP 00007ffda1ec03c0 .text C:\WINDOWS\system32\svchost.exe[1212] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateThread 00007ffd21d91ba0 5 bytes JMP 00007ffda1ec03f0 .text C:\WINDOWS\system32\svchost.exe[1212] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAddBootEntry 00007ffd21d91d00 5 bytes JMP 00007ffda1ec0230 .text C:\WINDOWS\system32\svchost.exe[1212] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ffd21d91ef0 1 byte JMP 00007ffda1ec0480 .text C:\WINDOWS\system32\svchost.exe[1212] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort + 2 00007ffd21d91ef2 3 bytes {JMP 0xffffffff8012e590} .text C:\WINDOWS\system32\svchost.exe[1212] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00007ffd21d91f20 5 bytes JMP 00007ffda1ec03a0 .text C:\WINDOWS\system32\svchost.exe[1212] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ffd21d92040 5 bytes JMP 00007ffda1ec02f0 .text C:\WINDOWS\system32\svchost.exe[1212] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00007ffd21d92060 5 bytes JMP 00007ffda1ec0350 .text C:\WINDOWS\system32\svchost.exe[1212] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateMutant 00007ffd21d920d0 5 bytes JMP 00007ffda1ec0290 .text C:\WINDOWS\system32\svchost.exe[1212] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ffd21d92160 5 bytes JMP 00007ffda1ec02b0 .text C:\WINDOWS\system32\svchost.exe[1212] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffd21d92180 5 bytes JMP 00007ffda1ec03d0 .text C:\WINDOWS\system32\svchost.exe[1212] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateTimer 00007ffd21d92190 5 bytes JMP 00007ffda1ec0330 .text C:\WINDOWS\system32\svchost.exe[1212] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00007ffd21d92240 5 bytes JMP 00007ffda1ec0410 .text C:\WINDOWS\system32\svchost.exe[1212] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00007ffd21d92270 5 bytes JMP 00007ffda1ec0240 .text C:\WINDOWS\system32\svchost.exe[1212] C:\WINDOWS\SYSTEM32\ntdll.dll!NtLoadDriver 00007ffd21d92590 5 bytes JMP 00007ffda1ec01e0 .text C:\WINDOWS\system32\svchost.exe[1212] C:\WINDOWS\SYSTEM32\ntdll.dll!NtModifyBootEntry 00007ffd21d92650 5 bytes JMP 00007ffda1ec0250 .text C:\WINDOWS\system32\svchost.exe[1212] C:\WINDOWS\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00007ffd21d92680 5 bytes JMP 00007ffda1ec0490 .text C:\WINDOWS\system32\svchost.exe[1212] C:\WINDOWS\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00007ffd21d92690 5 bytes JMP 00007ffda1ec04a0 .text C:\WINDOWS\system32\svchost.exe[1212] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenEventPair 00007ffd21d926c0 5 bytes JMP 00007ffda1ec0300 .text C:\WINDOWS\system32\svchost.exe[1212] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00007ffd21d926d0 1 byte JMP 00007ffda1ec0360 .text C:\WINDOWS\system32\svchost.exe[1212] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenIoCompletion + 2 00007ffd21d926d2 3 bytes {JMP 0xffffffff8012dc90} .text C:\WINDOWS\system32\svchost.exe[1212] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenMutant 00007ffd21d92730 5 bytes JMP 00007ffda1ec02a0 .text C:\WINDOWS\system32\svchost.exe[1212] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenSemaphore 00007ffd21d92780 5 bytes JMP 00007ffda1ec02c0 .text C:\WINDOWS\system32\svchost.exe[1212] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenThread 00007ffd21d927b0 5 bytes JMP 00007ffda1ec0380 .text C:\WINDOWS\system32\svchost.exe[1212] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenTimer 00007ffd21d927c0 5 bytes JMP 00007ffda1ec0340 .text C:\WINDOWS\system32\svchost.exe[1212] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00007ffd21d92ad0 5 bytes JMP 00007ffda1ec0440 .text C:\WINDOWS\system32\svchost.exe[1212] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00007ffd21d92cd0 1 byte JMP 00007ffda1ec0260 .text C:\WINDOWS\system32\svchost.exe[1212] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 00007ffd21d92cd2 3 bytes {JMP 0xffffffff8012d590} .text C:\WINDOWS\system32\svchost.exe[1212] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootOptions 00007ffd21d92ce0 1 byte JMP 00007ffda1ec0270 .text C:\WINDOWS\system32\svchost.exe[1212] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 00007ffd21d92ce2 3 bytes {JMP 0xffffffff8012d590} .text C:\WINDOWS\system32\svchost.exe[1212] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetContextThread 00007ffd21d92d00 5 bytes JMP 00007ffda1ec0400 .text C:\WINDOWS\system32\svchost.exe[1212] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ffd21d92ee0 5 bytes JMP 00007ffda1ec01f0 .text C:\WINDOWS\system32\svchost.exe[1212] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00007ffd21d92ef0 5 bytes JMP 00007ffda1ec0210 .text C:\WINDOWS\system32\svchost.exe[1212] C:\WINDOWS\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ffd21d92f80 5 bytes JMP 00007ffda1ec0200 .text C:\WINDOWS\system32\svchost.exe[1212] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSuspendProcess 00007ffd21d92ff0 5 bytes JMP 00007ffda1ec0420 .text C:\WINDOWS\system32\svchost.exe[1212] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSuspendThread 00007ffd21d93000 5 bytes JMP 00007ffda1ec0430 .text C:\WINDOWS\system32\svchost.exe[1212] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ffd21d93010 5 bytes JMP 00007ffda1ec0220 .text C:\WINDOWS\system32\svchost.exe[1212] C:\WINDOWS\SYSTEM32\ntdll.dll!NtVdmControl 00007ffd21d93120 2 bytes JMP 00007ffda1ec0280 .text C:\WINDOWS\system32\svchost.exe[1212] C:\WINDOWS\SYSTEM32\ntdll.dll!NtVdmControl + 3 00007ffd21d93123 2 bytes [12, 80] .text C:\WINDOWS\system32\svchost.exe[1248] C:\WINDOWS\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00007ffd21d91720 5 bytes JMP 00007ffda1ec0460 .text C:\WINDOWS\system32\svchost.exe[1248] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueryObject 00007ffd21d91770 5 bytes JMP 00007ffda1ec0450 .text C:\WINDOWS\system32\svchost.exe[1248] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenProcess 00007ffd21d918d0 5 bytes JMP 00007ffda1ec0370 .text C:\WINDOWS\system32\svchost.exe[1248] C:\WINDOWS\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00007ffd21d91920 5 bytes JMP 00007ffda1ec0470 .text C:\WINDOWS\system32\svchost.exe[1248] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ffd21d91930 5 bytes JMP 00007ffda1ec03e0 .text C:\WINDOWS\system32\svchost.exe[1248] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenSection 00007ffd21d919e0 5 bytes JMP 00007ffda1ec0320 .text C:\WINDOWS\system32\svchost.exe[1248] C:\WINDOWS\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffd21d91a10 5 bytes JMP 00007ffda1ec03b0 .text C:\WINDOWS\system32\svchost.exe[1248] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDuplicateObject 00007ffd21d91a30 5 bytes JMP 00007ffda1ec0390 .text C:\WINDOWS\system32\svchost.exe[1248] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenEvent 00007ffd21d91a70 5 bytes JMP 00007ffda1ec02e0 .text C:\WINDOWS\system32\svchost.exe[1248] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateEvent 00007ffd21d91af0 5 bytes JMP 00007ffda1ec02d0 .text C:\WINDOWS\system32\svchost.exe[1248] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSection 00007ffd21d91b10 5 bytes JMP 00007ffda1ec0310 .text C:\WINDOWS\system32\svchost.exe[1248] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThread 00007ffd21d91b50 5 bytes JMP 00007ffda1ec03c0 .text C:\WINDOWS\system32\svchost.exe[1248] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateThread 00007ffd21d91ba0 5 bytes JMP 00007ffda1ec03f0 .text C:\WINDOWS\system32\svchost.exe[1248] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAddBootEntry 00007ffd21d91d00 5 bytes JMP 00007ffda1ec0230 .text C:\WINDOWS\system32\svchost.exe[1248] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ffd21d91ef0 1 byte JMP 00007ffda1ec0480 .text C:\WINDOWS\system32\svchost.exe[1248] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort + 2 00007ffd21d91ef2 3 bytes {JMP 0xffffffff8012e590} .text C:\WINDOWS\system32\svchost.exe[1248] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00007ffd21d91f20 5 bytes JMP 00007ffda1ec03a0 .text C:\WINDOWS\system32\svchost.exe[1248] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ffd21d92040 5 bytes JMP 00007ffda1ec02f0 .text C:\WINDOWS\system32\svchost.exe[1248] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00007ffd21d92060 5 bytes JMP 00007ffda1ec0350 .text C:\WINDOWS\system32\svchost.exe[1248] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateMutant 00007ffd21d920d0 5 bytes JMP 00007ffda1ec0290 .text C:\WINDOWS\system32\svchost.exe[1248] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ffd21d92160 5 bytes JMP 00007ffda1ec02b0 .text C:\WINDOWS\system32\svchost.exe[1248] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffd21d92180 5 bytes JMP 00007ffda1ec03d0 .text C:\WINDOWS\system32\svchost.exe[1248] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateTimer 00007ffd21d92190 5 bytes JMP 00007ffda1ec0330 .text C:\WINDOWS\system32\svchost.exe[1248] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00007ffd21d92240 5 bytes JMP 00007ffda1ec0410 .text C:\WINDOWS\system32\svchost.exe[1248] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00007ffd21d92270 5 bytes JMP 00007ffda1ec0240 .text C:\WINDOWS\system32\svchost.exe[1248] C:\WINDOWS\SYSTEM32\ntdll.dll!NtLoadDriver 00007ffd21d92590 5 bytes JMP 00007ffda1ec01e0 .text C:\WINDOWS\system32\svchost.exe[1248] C:\WINDOWS\SYSTEM32\ntdll.dll!NtModifyBootEntry 00007ffd21d92650 5 bytes JMP 00007ffda1ec0250 .text C:\WINDOWS\system32\svchost.exe[1248] C:\WINDOWS\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00007ffd21d92680 5 bytes JMP 00007ffda1ec0490 .text C:\WINDOWS\system32\svchost.exe[1248] C:\WINDOWS\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00007ffd21d92690 5 bytes JMP 00007ffda1ec04a0 .text C:\WINDOWS\system32\svchost.exe[1248] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenEventPair 00007ffd21d926c0 5 bytes JMP 00007ffda1ec0300 .text C:\WINDOWS\system32\svchost.exe[1248] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00007ffd21d926d0 1 byte JMP 00007ffda1ec0360 .text C:\WINDOWS\system32\svchost.exe[1248] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenIoCompletion + 2 00007ffd21d926d2 3 bytes {JMP 0xffffffff8012dc90} .text C:\WINDOWS\system32\svchost.exe[1248] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenMutant 00007ffd21d92730 5 bytes JMP 00007ffda1ec02a0 .text C:\WINDOWS\system32\svchost.exe[1248] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenSemaphore 00007ffd21d92780 5 bytes JMP 00007ffda1ec02c0 .text C:\WINDOWS\system32\svchost.exe[1248] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenThread 00007ffd21d927b0 5 bytes JMP 00007ffda1ec0380 .text C:\WINDOWS\system32\svchost.exe[1248] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenTimer 00007ffd21d927c0 5 bytes JMP 00007ffda1ec0340 .text C:\WINDOWS\system32\svchost.exe[1248] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00007ffd21d92ad0 5 bytes JMP 00007ffda1ec0440 .text C:\WINDOWS\system32\svchost.exe[1248] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00007ffd21d92cd0 1 byte JMP 00007ffda1ec0260 .text C:\WINDOWS\system32\svchost.exe[1248] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 00007ffd21d92cd2 3 bytes {JMP 0xffffffff8012d590} .text C:\WINDOWS\system32\svchost.exe[1248] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootOptions 00007ffd21d92ce0 1 byte JMP 00007ffda1ec0270 .text C:\WINDOWS\system32\svchost.exe[1248] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 00007ffd21d92ce2 3 bytes {JMP 0xffffffff8012d590} .text C:\WINDOWS\system32\svchost.exe[1248] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetContextThread 00007ffd21d92d00 5 bytes JMP 00007ffda1ec0400 .text C:\WINDOWS\system32\svchost.exe[1248] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ffd21d92ee0 5 bytes JMP 00007ffda1ec01f0 .text C:\WINDOWS\system32\svchost.exe[1248] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00007ffd21d92ef0 5 bytes JMP 00007ffda1ec0210 .text C:\WINDOWS\system32\svchost.exe[1248] C:\WINDOWS\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ffd21d92f80 5 bytes JMP 00007ffda1ec0200 .text C:\WINDOWS\system32\svchost.exe[1248] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSuspendProcess 00007ffd21d92ff0 5 bytes JMP 00007ffda1ec0420 .text C:\WINDOWS\system32\svchost.exe[1248] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSuspendThread 00007ffd21d93000 5 bytes JMP 00007ffda1ec0430 .text C:\WINDOWS\system32\svchost.exe[1248] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ffd21d93010 5 bytes JMP 00007ffda1ec0220 .text C:\WINDOWS\system32\svchost.exe[1248] C:\WINDOWS\SYSTEM32\ntdll.dll!NtVdmControl 00007ffd21d93120 2 bytes JMP 00007ffda1ec0280 .text C:\WINDOWS\system32\svchost.exe[1248] C:\WINDOWS\SYSTEM32\ntdll.dll!NtVdmControl + 3 00007ffd21d93123 2 bytes [12, 80] .text C:\WINDOWS\system32\WLANExt.exe[1404] C:\WINDOWS\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00007ffd21d91720 5 bytes JMP 00007ffda1ec0460 .text C:\WINDOWS\system32\WLANExt.exe[1404] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueryObject 00007ffd21d91770 5 bytes JMP 00007ffda1ec0450 .text C:\WINDOWS\system32\WLANExt.exe[1404] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenProcess 00007ffd21d918d0 5 bytes JMP 00007ffda1ec0370 .text C:\WINDOWS\system32\WLANExt.exe[1404] C:\WINDOWS\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00007ffd21d91920 5 bytes JMP 00007ffda1ec0470 .text C:\WINDOWS\system32\WLANExt.exe[1404] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ffd21d91930 5 bytes JMP 00007ffda1ec03e0 .text C:\WINDOWS\system32\WLANExt.exe[1404] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenSection 00007ffd21d919e0 5 bytes JMP 00007ffda1ec0320 .text C:\WINDOWS\system32\WLANExt.exe[1404] C:\WINDOWS\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffd21d91a10 5 bytes JMP 00007ffda1ec03b0 .text C:\WINDOWS\system32\WLANExt.exe[1404] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDuplicateObject 00007ffd21d91a30 5 bytes JMP 00007ffda1ec0390 .text C:\WINDOWS\system32\WLANExt.exe[1404] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenEvent 00007ffd21d91a70 5 bytes JMP 00007ffda1ec02e0 .text C:\WINDOWS\system32\WLANExt.exe[1404] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateEvent 00007ffd21d91af0 5 bytes JMP 00007ffda1ec02d0 .text C:\WINDOWS\system32\WLANExt.exe[1404] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSection 00007ffd21d91b10 5 bytes JMP 00007ffda1ec0310 .text C:\WINDOWS\system32\WLANExt.exe[1404] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThread 00007ffd21d91b50 5 bytes JMP 00007ffda1ec03c0 .text C:\WINDOWS\system32\WLANExt.exe[1404] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateThread 00007ffd21d91ba0 5 bytes JMP 00007ffda1ec03f0 .text C:\WINDOWS\system32\WLANExt.exe[1404] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAddBootEntry 00007ffd21d91d00 5 bytes JMP 00007ffda1ec0230 .text C:\WINDOWS\system32\WLANExt.exe[1404] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ffd21d91ef0 1 byte JMP 00007ffda1ec0480 .text C:\WINDOWS\system32\WLANExt.exe[1404] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort + 2 00007ffd21d91ef2 3 bytes {JMP 0xffffffff8012e590} .text C:\WINDOWS\system32\WLANExt.exe[1404] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00007ffd21d91f20 5 bytes JMP 00007ffda1ec03a0 .text C:\WINDOWS\system32\WLANExt.exe[1404] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ffd21d92040 5 bytes JMP 00007ffda1ec02f0 .text C:\WINDOWS\system32\WLANExt.exe[1404] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00007ffd21d92060 5 bytes JMP 00007ffda1ec0350 .text C:\WINDOWS\system32\WLANExt.exe[1404] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateMutant 00007ffd21d920d0 5 bytes JMP 00007ffda1ec0290 .text C:\WINDOWS\system32\WLANExt.exe[1404] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ffd21d92160 5 bytes JMP 00007ffda1ec02b0 .text C:\WINDOWS\system32\WLANExt.exe[1404] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffd21d92180 5 bytes JMP 00007ffda1ec03d0 .text C:\WINDOWS\system32\WLANExt.exe[1404] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateTimer 00007ffd21d92190 5 bytes JMP 00007ffda1ec0330 .text C:\WINDOWS\system32\WLANExt.exe[1404] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00007ffd21d92240 5 bytes JMP 00007ffda1ec0410 .text C:\WINDOWS\system32\WLANExt.exe[1404] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00007ffd21d92270 5 bytes JMP 00007ffda1ec0240 .text C:\WINDOWS\system32\WLANExt.exe[1404] C:\WINDOWS\SYSTEM32\ntdll.dll!NtLoadDriver 00007ffd21d92590 5 bytes JMP 00007ffda1ec01e0 .text C:\WINDOWS\system32\WLANExt.exe[1404] C:\WINDOWS\SYSTEM32\ntdll.dll!NtModifyBootEntry 00007ffd21d92650 5 bytes JMP 00007ffda1ec0250 .text C:\WINDOWS\system32\WLANExt.exe[1404] C:\WINDOWS\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00007ffd21d92680 5 bytes JMP 00007ffda1ec0490 .text C:\WINDOWS\system32\WLANExt.exe[1404] C:\WINDOWS\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00007ffd21d92690 5 bytes JMP 00007ffda1ec04a0 .text C:\WINDOWS\system32\WLANExt.exe[1404] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenEventPair 00007ffd21d926c0 5 bytes JMP 00007ffda1ec0300 .text C:\WINDOWS\system32\WLANExt.exe[1404] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00007ffd21d926d0 1 byte JMP 00007ffda1ec0360 .text C:\WINDOWS\system32\WLANExt.exe[1404] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenIoCompletion + 2 00007ffd21d926d2 3 bytes {JMP 0xffffffff8012dc90} .text C:\WINDOWS\system32\WLANExt.exe[1404] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenMutant 00007ffd21d92730 5 bytes JMP 00007ffda1ec02a0 .text C:\WINDOWS\system32\WLANExt.exe[1404] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenSemaphore 00007ffd21d92780 5 bytes JMP 00007ffda1ec02c0 .text C:\WINDOWS\system32\WLANExt.exe[1404] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenThread 00007ffd21d927b0 5 bytes JMP 00007ffda1ec0380 .text C:\WINDOWS\system32\WLANExt.exe[1404] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenTimer 00007ffd21d927c0 5 bytes JMP 00007ffda1ec0340 .text C:\WINDOWS\system32\WLANExt.exe[1404] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00007ffd21d92ad0 5 bytes JMP 00007ffda1ec0440 .text C:\WINDOWS\system32\WLANExt.exe[1404] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00007ffd21d92cd0 1 byte JMP 00007ffda1ec0260 .text C:\WINDOWS\system32\WLANExt.exe[1404] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 00007ffd21d92cd2 3 bytes {JMP 0xffffffff8012d590} .text C:\WINDOWS\system32\WLANExt.exe[1404] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootOptions 00007ffd21d92ce0 1 byte JMP 00007ffda1ec0270 .text C:\WINDOWS\system32\WLANExt.exe[1404] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 00007ffd21d92ce2 3 bytes {JMP 0xffffffff8012d590} .text C:\WINDOWS\system32\WLANExt.exe[1404] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetContextThread 00007ffd21d92d00 5 bytes JMP 00007ffda1ec0400 .text C:\WINDOWS\system32\WLANExt.exe[1404] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ffd21d92ee0 5 bytes JMP 00007ffda1ec01f0 .text C:\WINDOWS\system32\WLANExt.exe[1404] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00007ffd21d92ef0 5 bytes JMP 00007ffda1ec0210 .text C:\WINDOWS\system32\WLANExt.exe[1404] C:\WINDOWS\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ffd21d92f80 5 bytes JMP 00007ffda1ec0200 .text C:\WINDOWS\system32\WLANExt.exe[1404] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSuspendProcess 00007ffd21d92ff0 5 bytes JMP 00007ffda1ec0420 .text C:\WINDOWS\system32\WLANExt.exe[1404] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSuspendThread 00007ffd21d93000 5 bytes JMP 00007ffda1ec0430 .text C:\WINDOWS\system32\WLANExt.exe[1404] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ffd21d93010 5 bytes JMP 00007ffda1ec0220 .text C:\WINDOWS\system32\WLANExt.exe[1404] C:\WINDOWS\SYSTEM32\ntdll.dll!NtVdmControl 00007ffd21d93120 2 bytes JMP 00007ffda1ec0280 .text C:\WINDOWS\system32\WLANExt.exe[1404] C:\WINDOWS\SYSTEM32\ntdll.dll!NtVdmControl + 3 00007ffd21d93123 2 bytes [12, 80] .text C:\WINDOWS\system32\conhost.exe[1428] C:\WINDOWS\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00007ffd21d91720 5 bytes JMP 00007ffda1ec0460 .text C:\WINDOWS\system32\conhost.exe[1428] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueryObject 00007ffd21d91770 5 bytes JMP 00007ffda1ec0450 .text C:\WINDOWS\system32\conhost.exe[1428] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenProcess 00007ffd21d918d0 5 bytes JMP 00007ffda1ec0370 .text C:\WINDOWS\system32\conhost.exe[1428] C:\WINDOWS\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00007ffd21d91920 5 bytes JMP 00007ffda1ec0470 .text C:\WINDOWS\system32\conhost.exe[1428] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ffd21d91930 5 bytes JMP 00007ffda1ec03e0 .text C:\WINDOWS\system32\conhost.exe[1428] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenSection 00007ffd21d919e0 5 bytes JMP 00007ffda1ec0320 .text C:\WINDOWS\system32\conhost.exe[1428] C:\WINDOWS\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffd21d91a10 5 bytes JMP 00007ffda1ec03b0 .text C:\WINDOWS\system32\conhost.exe[1428] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDuplicateObject 00007ffd21d91a30 5 bytes JMP 00007ffda1ec0390 .text C:\WINDOWS\system32\conhost.exe[1428] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenEvent 00007ffd21d91a70 5 bytes JMP 00007ffda1ec02e0 .text C:\WINDOWS\system32\conhost.exe[1428] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateEvent 00007ffd21d91af0 5 bytes JMP 00007ffda1ec02d0 .text C:\WINDOWS\system32\conhost.exe[1428] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSection 00007ffd21d91b10 5 bytes JMP 00007ffda1ec0310 .text C:\WINDOWS\system32\conhost.exe[1428] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThread 00007ffd21d91b50 5 bytes JMP 00007ffda1ec03c0 .text C:\WINDOWS\system32\conhost.exe[1428] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateThread 00007ffd21d91ba0 5 bytes JMP 00007ffda1ec03f0 .text C:\WINDOWS\system32\conhost.exe[1428] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAddBootEntry 00007ffd21d91d00 5 bytes JMP 00007ffda1ec0230 .text C:\WINDOWS\system32\conhost.exe[1428] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ffd21d91ef0 1 byte JMP 00007ffda1ec0480 .text C:\WINDOWS\system32\conhost.exe[1428] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort + 2 00007ffd21d91ef2 3 bytes {JMP 0xffffffff8012e590} .text C:\WINDOWS\system32\conhost.exe[1428] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00007ffd21d91f20 5 bytes JMP 00007ffda1ec03a0 .text C:\WINDOWS\system32\conhost.exe[1428] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ffd21d92040 5 bytes JMP 00007ffda1ec02f0 .text C:\WINDOWS\system32\conhost.exe[1428] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00007ffd21d92060 5 bytes JMP 00007ffda1ec0350 .text C:\WINDOWS\system32\conhost.exe[1428] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateMutant 00007ffd21d920d0 5 bytes JMP 00007ffda1ec0290 .text C:\WINDOWS\system32\conhost.exe[1428] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ffd21d92160 5 bytes JMP 00007ffda1ec02b0 .text C:\WINDOWS\system32\conhost.exe[1428] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffd21d92180 5 bytes JMP 00007ffda1ec03d0 .text C:\WINDOWS\system32\conhost.exe[1428] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateTimer 00007ffd21d92190 5 bytes JMP 00007ffda1ec0330 .text C:\WINDOWS\system32\conhost.exe[1428] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00007ffd21d92240 5 bytes JMP 00007ffda1ec0410 .text C:\WINDOWS\system32\conhost.exe[1428] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00007ffd21d92270 5 bytes JMP 00007ffda1ec0240 .text C:\WINDOWS\system32\conhost.exe[1428] C:\WINDOWS\SYSTEM32\ntdll.dll!NtLoadDriver 00007ffd21d92590 5 bytes JMP 00007ffda1ec01e0 .text C:\WINDOWS\system32\conhost.exe[1428] C:\WINDOWS\SYSTEM32\ntdll.dll!NtModifyBootEntry 00007ffd21d92650 5 bytes JMP 00007ffda1ec0250 .text C:\WINDOWS\system32\conhost.exe[1428] C:\WINDOWS\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00007ffd21d92680 5 bytes JMP 00007ffda1ec0490 .text C:\WINDOWS\system32\conhost.exe[1428] C:\WINDOWS\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00007ffd21d92690 5 bytes JMP 00007ffda1ec04a0 .text C:\WINDOWS\system32\conhost.exe[1428] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenEventPair 00007ffd21d926c0 5 bytes JMP 00007ffda1ec0300 .text C:\WINDOWS\system32\conhost.exe[1428] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00007ffd21d926d0 1 byte JMP 00007ffda1ec0360 .text C:\WINDOWS\system32\conhost.exe[1428] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenIoCompletion + 2 00007ffd21d926d2 3 bytes {JMP 0xffffffff8012dc90} .text C:\WINDOWS\system32\conhost.exe[1428] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenMutant 00007ffd21d92730 5 bytes JMP 00007ffda1ec02a0 .text C:\WINDOWS\system32\conhost.exe[1428] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenSemaphore 00007ffd21d92780 5 bytes JMP 00007ffda1ec02c0 .text C:\WINDOWS\system32\conhost.exe[1428] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenThread 00007ffd21d927b0 5 bytes JMP 00007ffda1ec0380 .text C:\WINDOWS\system32\conhost.exe[1428] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenTimer 00007ffd21d927c0 5 bytes JMP 00007ffda1ec0340 .text C:\WINDOWS\system32\conhost.exe[1428] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00007ffd21d92ad0 5 bytes JMP 00007ffda1ec0440 .text C:\WINDOWS\system32\conhost.exe[1428] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00007ffd21d92cd0 1 byte JMP 00007ffda1ec0260 .text C:\WINDOWS\system32\conhost.exe[1428] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 00007ffd21d92cd2 3 bytes {JMP 0xffffffff8012d590} .text C:\WINDOWS\system32\conhost.exe[1428] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootOptions 00007ffd21d92ce0 1 byte JMP 00007ffda1ec0270 .text C:\WINDOWS\system32\conhost.exe[1428] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 00007ffd21d92ce2 3 bytes {JMP 0xffffffff8012d590} .text C:\WINDOWS\system32\conhost.exe[1428] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetContextThread 00007ffd21d92d00 5 bytes JMP 00007ffda1ec0400 .text C:\WINDOWS\system32\conhost.exe[1428] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ffd21d92ee0 5 bytes JMP 00007ffda1ec01f0 .text C:\WINDOWS\system32\conhost.exe[1428] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00007ffd21d92ef0 5 bytes JMP 00007ffda1ec0210 .text C:\WINDOWS\system32\conhost.exe[1428] C:\WINDOWS\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ffd21d92f80 5 bytes JMP 00007ffda1ec0200 .text C:\WINDOWS\system32\conhost.exe[1428] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSuspendProcess 00007ffd21d92ff0 5 bytes JMP 00007ffda1ec0420 .text C:\WINDOWS\system32\conhost.exe[1428] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSuspendThread 00007ffd21d93000 5 bytes JMP 00007ffda1ec0430 .text C:\WINDOWS\system32\conhost.exe[1428] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ffd21d93010 5 bytes JMP 00007ffda1ec0220 .text C:\WINDOWS\system32\conhost.exe[1428] C:\WINDOWS\SYSTEM32\ntdll.dll!NtVdmControl 00007ffd21d93120 2 bytes JMP 00007ffda1ec0280 .text C:\WINDOWS\system32\conhost.exe[1428] C:\WINDOWS\SYSTEM32\ntdll.dll!NtVdmControl + 3 00007ffd21d93123 2 bytes [12, 80] .text C:\WINDOWS\System32\spoolsv.exe[1680] C:\WINDOWS\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00007ffd21d91720 5 bytes JMP 00007ffda1ec0460 .text C:\WINDOWS\System32\spoolsv.exe[1680] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueryObject 00007ffd21d91770 5 bytes JMP 00007ffda1ec0450 .text C:\WINDOWS\System32\spoolsv.exe[1680] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenProcess 00007ffd21d918d0 5 bytes JMP 00007ffda1ec0370 .text C:\WINDOWS\System32\spoolsv.exe[1680] C:\WINDOWS\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00007ffd21d91920 5 bytes JMP 00007ffda1ec0470 .text C:\WINDOWS\System32\spoolsv.exe[1680] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ffd21d91930 5 bytes JMP 00007ffda1ec03e0 .text C:\WINDOWS\System32\spoolsv.exe[1680] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenSection 00007ffd21d919e0 5 bytes JMP 00007ffda1ec0320 .text C:\WINDOWS\System32\spoolsv.exe[1680] C:\WINDOWS\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffd21d91a10 5 bytes JMP 00007ffda1ec03b0 .text C:\WINDOWS\System32\spoolsv.exe[1680] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDuplicateObject 00007ffd21d91a30 5 bytes JMP 00007ffda1ec0390 .text C:\WINDOWS\System32\spoolsv.exe[1680] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenEvent 00007ffd21d91a70 5 bytes JMP 00007ffda1ec02e0 .text C:\WINDOWS\System32\spoolsv.exe[1680] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateEvent 00007ffd21d91af0 5 bytes JMP 00007ffda1ec02d0 .text C:\WINDOWS\System32\spoolsv.exe[1680] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSection 00007ffd21d91b10 5 bytes JMP 00007ffda1ec0310 .text C:\WINDOWS\System32\spoolsv.exe[1680] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThread 00007ffd21d91b50 5 bytes JMP 00007ffda1ec03c0 .text C:\WINDOWS\System32\spoolsv.exe[1680] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateThread 00007ffd21d91ba0 5 bytes JMP 00007ffda1ec03f0 .text C:\WINDOWS\System32\spoolsv.exe[1680] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAddBootEntry 00007ffd21d91d00 5 bytes JMP 00007ffda1ec0230 .text C:\WINDOWS\System32\spoolsv.exe[1680] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ffd21d91ef0 1 byte JMP 00007ffda1ec0480 .text C:\WINDOWS\System32\spoolsv.exe[1680] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort + 2 00007ffd21d91ef2 3 bytes {JMP 0xffffffff8012e590} .text C:\WINDOWS\System32\spoolsv.exe[1680] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00007ffd21d91f20 5 bytes JMP 00007ffda1ec03a0 .text C:\WINDOWS\System32\spoolsv.exe[1680] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ffd21d92040 5 bytes JMP 00007ffda1ec02f0 .text C:\WINDOWS\System32\spoolsv.exe[1680] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00007ffd21d92060 5 bytes JMP 00007ffda1ec0350 .text C:\WINDOWS\System32\spoolsv.exe[1680] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateMutant 00007ffd21d920d0 5 bytes JMP 00007ffda1ec0290 .text C:\WINDOWS\System32\spoolsv.exe[1680] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ffd21d92160 5 bytes JMP 00007ffda1ec02b0 .text C:\WINDOWS\System32\spoolsv.exe[1680] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffd21d92180 5 bytes JMP 00007ffda1ec03d0 .text C:\WINDOWS\System32\spoolsv.exe[1680] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateTimer 00007ffd21d92190 5 bytes JMP 00007ffda1ec0330 .text C:\WINDOWS\System32\spoolsv.exe[1680] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00007ffd21d92240 5 bytes JMP 00007ffda1ec0410 .text C:\WINDOWS\System32\spoolsv.exe[1680] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00007ffd21d92270 5 bytes JMP 00007ffda1ec0240 .text C:\WINDOWS\System32\spoolsv.exe[1680] C:\WINDOWS\SYSTEM32\ntdll.dll!NtLoadDriver 00007ffd21d92590 5 bytes JMP 00007ffda1ec01e0 .text C:\WINDOWS\System32\spoolsv.exe[1680] C:\WINDOWS\SYSTEM32\ntdll.dll!NtModifyBootEntry 00007ffd21d92650 5 bytes JMP 00007ffda1ec0250 .text C:\WINDOWS\System32\spoolsv.exe[1680] C:\WINDOWS\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00007ffd21d92680 5 bytes JMP 00007ffda1ec0490 .text C:\WINDOWS\System32\spoolsv.exe[1680] C:\WINDOWS\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00007ffd21d92690 5 bytes JMP 00007ffda1ec04a0 .text C:\WINDOWS\System32\spoolsv.exe[1680] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenEventPair 00007ffd21d926c0 5 bytes JMP 00007ffda1ec0300 .text C:\WINDOWS\System32\spoolsv.exe[1680] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00007ffd21d926d0 1 byte JMP 00007ffda1ec0360 .text C:\WINDOWS\System32\spoolsv.exe[1680] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenIoCompletion + 2 00007ffd21d926d2 3 bytes {JMP 0xffffffff8012dc90} .text C:\WINDOWS\System32\spoolsv.exe[1680] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenMutant 00007ffd21d92730 5 bytes JMP 00007ffda1ec02a0 .text C:\WINDOWS\System32\spoolsv.exe[1680] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenSemaphore 00007ffd21d92780 5 bytes JMP 00007ffda1ec02c0 .text C:\WINDOWS\System32\spoolsv.exe[1680] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenThread 00007ffd21d927b0 5 bytes JMP 00007ffda1ec0380 .text C:\WINDOWS\System32\spoolsv.exe[1680] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenTimer 00007ffd21d927c0 5 bytes JMP 00007ffda1ec0340 .text C:\WINDOWS\System32\spoolsv.exe[1680] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00007ffd21d92ad0 5 bytes JMP 00007ffda1ec0440 .text C:\WINDOWS\System32\spoolsv.exe[1680] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00007ffd21d92cd0 1 byte JMP 00007ffda1ec0260 .text C:\WINDOWS\System32\spoolsv.exe[1680] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 00007ffd21d92cd2 3 bytes {JMP 0xffffffff8012d590} .text C:\WINDOWS\System32\spoolsv.exe[1680] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootOptions 00007ffd21d92ce0 1 byte JMP 00007ffda1ec0270 .text C:\WINDOWS\System32\spoolsv.exe[1680] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 00007ffd21d92ce2 3 bytes {JMP 0xffffffff8012d590} .text C:\WINDOWS\System32\spoolsv.exe[1680] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetContextThread 00007ffd21d92d00 5 bytes JMP 00007ffda1ec0400 .text C:\WINDOWS\System32\spoolsv.exe[1680] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ffd21d92ee0 5 bytes JMP 00007ffda1ec01f0 .text C:\WINDOWS\System32\spoolsv.exe[1680] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00007ffd21d92ef0 5 bytes JMP 00007ffda1ec0210 .text C:\WINDOWS\System32\spoolsv.exe[1680] C:\WINDOWS\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ffd21d92f80 5 bytes JMP 00007ffda1ec0200 .text C:\WINDOWS\System32\spoolsv.exe[1680] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSuspendProcess 00007ffd21d92ff0 5 bytes JMP 00007ffda1ec0420 .text C:\WINDOWS\System32\spoolsv.exe[1680] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSuspendThread 00007ffd21d93000 5 bytes JMP 00007ffda1ec0430 .text C:\WINDOWS\System32\spoolsv.exe[1680] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ffd21d93010 5 bytes JMP 00007ffda1ec0220 .text C:\WINDOWS\System32\spoolsv.exe[1680] C:\WINDOWS\SYSTEM32\ntdll.dll!NtVdmControl 00007ffd21d93120 2 bytes JMP 00007ffda1ec0280 .text C:\WINDOWS\System32\spoolsv.exe[1680] C:\WINDOWS\SYSTEM32\ntdll.dll!NtVdmControl + 3 00007ffd21d93123 2 bytes [12, 80] .text C:\Program Files\Lenovo\Bluetooth Software\btwdins.exe[1832] C:\WINDOWS\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00007ffd21d91720 5 bytes JMP 00007ffda1ec0460 .text C:\Program Files\Lenovo\Bluetooth Software\btwdins.exe[1832] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueryObject 00007ffd21d91770 5 bytes JMP 00007ffda1ec0450 .text C:\Program Files\Lenovo\Bluetooth Software\btwdins.exe[1832] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenProcess 00007ffd21d918d0 5 bytes JMP 00007ffda1ec0370 .text C:\Program Files\Lenovo\Bluetooth Software\btwdins.exe[1832] C:\WINDOWS\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00007ffd21d91920 5 bytes JMP 00007ffda1ec0470 .text C:\Program Files\Lenovo\Bluetooth Software\btwdins.exe[1832] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ffd21d91930 5 bytes JMP 00007ffda1ec03e0 .text C:\Program Files\Lenovo\Bluetooth Software\btwdins.exe[1832] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenSection 00007ffd21d919e0 5 bytes JMP 00007ffda1ec0320 .text C:\Program Files\Lenovo\Bluetooth Software\btwdins.exe[1832] C:\WINDOWS\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffd21d91a10 5 bytes JMP 00007ffda1ec03b0 .text C:\Program Files\Lenovo\Bluetooth Software\btwdins.exe[1832] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDuplicateObject 00007ffd21d91a30 5 bytes JMP 00007ffda1ec0390 .text C:\Program Files\Lenovo\Bluetooth Software\btwdins.exe[1832] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenEvent 00007ffd21d91a70 5 bytes JMP 00007ffda1ec02e0 .text C:\Program Files\Lenovo\Bluetooth Software\btwdins.exe[1832] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateEvent 00007ffd21d91af0 5 bytes JMP 00007ffda1ec02d0 .text C:\Program Files\Lenovo\Bluetooth Software\btwdins.exe[1832] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSection 00007ffd21d91b10 5 bytes JMP 00007ffda1ec0310 .text C:\Program Files\Lenovo\Bluetooth Software\btwdins.exe[1832] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThread 00007ffd21d91b50 5 bytes JMP 00007ffda1ec03c0 .text C:\Program Files\Lenovo\Bluetooth Software\btwdins.exe[1832] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateThread 00007ffd21d91ba0 5 bytes JMP 00007ffda1ec03f0 .text C:\Program Files\Lenovo\Bluetooth Software\btwdins.exe[1832] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAddBootEntry 00007ffd21d91d00 5 bytes JMP 00007ffda1ec0230 .text C:\Program Files\Lenovo\Bluetooth Software\btwdins.exe[1832] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ffd21d91ef0 1 byte JMP 00007ffda1ec0480 .text C:\Program Files\Lenovo\Bluetooth Software\btwdins.exe[1832] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort + 2 00007ffd21d91ef2 3 bytes {JMP 0xffffffff8012e590} .text C:\Program Files\Lenovo\Bluetooth Software\btwdins.exe[1832] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00007ffd21d91f20 5 bytes JMP 00007ffda1ec03a0 .text C:\Program Files\Lenovo\Bluetooth Software\btwdins.exe[1832] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ffd21d92040 5 bytes JMP 00007ffda1ec02f0 .text C:\Program Files\Lenovo\Bluetooth Software\btwdins.exe[1832] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00007ffd21d92060 5 bytes JMP 00007ffda1ec0350 .text C:\Program Files\Lenovo\Bluetooth Software\btwdins.exe[1832] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateMutant 00007ffd21d920d0 5 bytes JMP 00007ffda1ec0290 .text C:\Program Files\Lenovo\Bluetooth Software\btwdins.exe[1832] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ffd21d92160 5 bytes JMP 00007ffda1ec02b0 .text C:\Program Files\Lenovo\Bluetooth Software\btwdins.exe[1832] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffd21d92180 5 bytes JMP 00007ffda1ec03d0 .text C:\Program Files\Lenovo\Bluetooth Software\btwdins.exe[1832] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateTimer 00007ffd21d92190 5 bytes JMP 00007ffda1ec0330 .text C:\Program Files\Lenovo\Bluetooth Software\btwdins.exe[1832] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00007ffd21d92240 5 bytes JMP 00007ffda1ec0410 .text C:\Program Files\Lenovo\Bluetooth Software\btwdins.exe[1832] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00007ffd21d92270 5 bytes JMP 00007ffda1ec0240 .text C:\Program Files\Lenovo\Bluetooth Software\btwdins.exe[1832] C:\WINDOWS\SYSTEM32\ntdll.dll!NtLoadDriver 00007ffd21d92590 5 bytes JMP 00007ffda1ec01e0 .text C:\Program Files\Lenovo\Bluetooth Software\btwdins.exe[1832] C:\WINDOWS\SYSTEM32\ntdll.dll!NtModifyBootEntry 00007ffd21d92650 5 bytes JMP 00007ffda1ec0250 .text C:\Program Files\Lenovo\Bluetooth Software\btwdins.exe[1832] C:\WINDOWS\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00007ffd21d92680 5 bytes JMP 00007ffda1ec0490 .text C:\Program Files\Lenovo\Bluetooth Software\btwdins.exe[1832] C:\WINDOWS\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00007ffd21d92690 5 bytes JMP 00007ffda1ec04a0 .text C:\Program Files\Lenovo\Bluetooth Software\btwdins.exe[1832] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenEventPair 00007ffd21d926c0 5 bytes JMP 00007ffda1ec0300 .text C:\Program Files\Lenovo\Bluetooth Software\btwdins.exe[1832] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00007ffd21d926d0 1 byte JMP 00007ffda1ec0360 .text C:\Program Files\Lenovo\Bluetooth Software\btwdins.exe[1832] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenIoCompletion + 2 00007ffd21d926d2 3 bytes {JMP 0xffffffff8012dc90} .text C:\Program Files\Lenovo\Bluetooth Software\btwdins.exe[1832] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenMutant 00007ffd21d92730 5 bytes JMP 00007ffda1ec02a0 .text C:\Program Files\Lenovo\Bluetooth Software\btwdins.exe[1832] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenSemaphore 00007ffd21d92780 5 bytes JMP 00007ffda1ec02c0 .text C:\Program Files\Lenovo\Bluetooth Software\btwdins.exe[1832] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenThread 00007ffd21d927b0 5 bytes JMP 00007ffda1ec0380 .text C:\Program Files\Lenovo\Bluetooth Software\btwdins.exe[1832] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenTimer 00007ffd21d927c0 5 bytes JMP 00007ffda1ec0340 .text C:\Program Files\Lenovo\Bluetooth Software\btwdins.exe[1832] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00007ffd21d92ad0 5 bytes JMP 00007ffda1ec0440 .text C:\Program Files\Lenovo\Bluetooth Software\btwdins.exe[1832] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00007ffd21d92cd0 1 byte JMP 00007ffda1ec0260 .text C:\Program Files\Lenovo\Bluetooth Software\btwdins.exe[1832] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 00007ffd21d92cd2 3 bytes {JMP 0xffffffff8012d590} .text C:\Program Files\Lenovo\Bluetooth Software\btwdins.exe[1832] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootOptions 00007ffd21d92ce0 1 byte JMP 00007ffda1ec0270 .text C:\Program Files\Lenovo\Bluetooth Software\btwdins.exe[1832] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 00007ffd21d92ce2 3 bytes {JMP 0xffffffff8012d590} .text C:\Program Files\Lenovo\Bluetooth Software\btwdins.exe[1832] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetContextThread 00007ffd21d92d00 5 bytes JMP 00007ffda1ec0400 .text C:\Program Files\Lenovo\Bluetooth Software\btwdins.exe[1832] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ffd21d92ee0 5 bytes JMP 00007ffda1ec01f0 .text C:\Program Files\Lenovo\Bluetooth Software\btwdins.exe[1832] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00007ffd21d92ef0 5 bytes JMP 00007ffda1ec0210 .text C:\Program Files\Lenovo\Bluetooth Software\btwdins.exe[1832] C:\WINDOWS\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ffd21d92f80 5 bytes JMP 00007ffda1ec0200 .text C:\Program Files\Lenovo\Bluetooth Software\btwdins.exe[1832] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSuspendProcess 00007ffd21d92ff0 5 bytes JMP 00007ffda1ec0420 .text C:\Program Files\Lenovo\Bluetooth Software\btwdins.exe[1832] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSuspendThread 00007ffd21d93000 5 bytes JMP 00007ffda1ec0430 .text C:\Program Files\Lenovo\Bluetooth Software\btwdins.exe[1832] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ffd21d93010 5 bytes JMP 00007ffda1ec0220 .text C:\Program Files\Lenovo\Bluetooth Software\btwdins.exe[1832] C:\WINDOWS\SYSTEM32\ntdll.dll!NtVdmControl 00007ffd21d93120 2 bytes JMP 00007ffda1ec0280 .text C:\Program Files\Lenovo\Bluetooth Software\btwdins.exe[1832] C:\WINDOWS\SYSTEM32\ntdll.dll!NtVdmControl + 3 00007ffd21d93123 2 bytes [12, 80] .text C:\WINDOWS\system32\dashost.exe[1884] C:\WINDOWS\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00007ffd21d91720 5 bytes JMP 00007ffda1ec0460 .text C:\WINDOWS\system32\dashost.exe[1884] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueryObject 00007ffd21d91770 5 bytes JMP 00007ffda1ec0450 .text C:\WINDOWS\system32\dashost.exe[1884] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenProcess 00007ffd21d918d0 5 bytes JMP 00007ffda1ec0370 .text C:\WINDOWS\system32\dashost.exe[1884] C:\WINDOWS\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00007ffd21d91920 5 bytes JMP 00007ffda1ec0470 .text C:\WINDOWS\system32\dashost.exe[1884] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ffd21d91930 5 bytes JMP 00007ffda1ec03e0 .text C:\WINDOWS\system32\dashost.exe[1884] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenSection 00007ffd21d919e0 5 bytes JMP 00007ffda1ec0320 .text C:\WINDOWS\system32\dashost.exe[1884] C:\WINDOWS\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffd21d91a10 5 bytes JMP 00007ffda1ec03b0 .text C:\WINDOWS\system32\dashost.exe[1884] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDuplicateObject 00007ffd21d91a30 5 bytes JMP 00007ffda1ec0390 .text C:\WINDOWS\system32\dashost.exe[1884] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenEvent 00007ffd21d91a70 5 bytes JMP 00007ffda1ec02e0 .text C:\WINDOWS\system32\dashost.exe[1884] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateEvent 00007ffd21d91af0 5 bytes JMP 00007ffda1ec02d0 .text C:\WINDOWS\system32\dashost.exe[1884] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSection 00007ffd21d91b10 5 bytes JMP 00007ffda1ec0310 .text C:\WINDOWS\system32\dashost.exe[1884] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThread 00007ffd21d91b50 5 bytes JMP 00007ffda1ec03c0 .text C:\WINDOWS\system32\dashost.exe[1884] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateThread 00007ffd21d91ba0 5 bytes JMP 00007ffda1ec03f0 .text C:\WINDOWS\system32\dashost.exe[1884] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAddBootEntry 00007ffd21d91d00 5 bytes JMP 00007ffda1ec0230 .text C:\WINDOWS\system32\dashost.exe[1884] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ffd21d91ef0 1 byte JMP 00007ffda1ec0480 .text C:\WINDOWS\system32\dashost.exe[1884] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort + 2 00007ffd21d91ef2 3 bytes {JMP 0xffffffff8012e590} .text C:\WINDOWS\system32\dashost.exe[1884] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00007ffd21d91f20 5 bytes JMP 00007ffda1ec03a0 .text C:\WINDOWS\system32\dashost.exe[1884] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ffd21d92040 5 bytes JMP 00007ffda1ec02f0 .text C:\WINDOWS\system32\dashost.exe[1884] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00007ffd21d92060 5 bytes JMP 00007ffda1ec0350 .text C:\WINDOWS\system32\dashost.exe[1884] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateMutant 00007ffd21d920d0 5 bytes JMP 00007ffda1ec0290 .text C:\WINDOWS\system32\dashost.exe[1884] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ffd21d92160 5 bytes JMP 00007ffda1ec02b0 .text C:\WINDOWS\system32\dashost.exe[1884] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffd21d92180 5 bytes JMP 00007ffda1ec03d0 .text C:\WINDOWS\system32\dashost.exe[1884] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateTimer 00007ffd21d92190 5 bytes JMP 00007ffda1ec0330 .text C:\WINDOWS\system32\dashost.exe[1884] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00007ffd21d92240 5 bytes JMP 00007ffda1ec0410 .text C:\WINDOWS\system32\dashost.exe[1884] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00007ffd21d92270 5 bytes JMP 00007ffda1ec0240 .text C:\WINDOWS\system32\dashost.exe[1884] C:\WINDOWS\SYSTEM32\ntdll.dll!NtLoadDriver 00007ffd21d92590 5 bytes JMP 00007ffda1ec01e0 .text C:\WINDOWS\system32\dashost.exe[1884] C:\WINDOWS\SYSTEM32\ntdll.dll!NtModifyBootEntry 00007ffd21d92650 5 bytes JMP 00007ffda1ec0250 .text C:\WINDOWS\system32\dashost.exe[1884] C:\WINDOWS\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00007ffd21d92680 5 bytes JMP 00007ffda1ec0490 .text C:\WINDOWS\system32\dashost.exe[1884] C:\WINDOWS\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00007ffd21d92690 5 bytes JMP 00007ffda1ec04a0 .text C:\WINDOWS\system32\dashost.exe[1884] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenEventPair 00007ffd21d926c0 5 bytes JMP 00007ffda1ec0300 .text C:\WINDOWS\system32\dashost.exe[1884] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00007ffd21d926d0 1 byte JMP 00007ffda1ec0360 .text C:\WINDOWS\system32\dashost.exe[1884] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenIoCompletion + 2 00007ffd21d926d2 3 bytes {JMP 0xffffffff8012dc90} .text C:\WINDOWS\system32\dashost.exe[1884] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenMutant 00007ffd21d92730 5 bytes JMP 00007ffda1ec02a0 .text C:\WINDOWS\system32\dashost.exe[1884] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenSemaphore 00007ffd21d92780 5 bytes JMP 00007ffda1ec02c0 .text C:\WINDOWS\system32\dashost.exe[1884] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenThread 00007ffd21d927b0 5 bytes JMP 00007ffda1ec0380 .text C:\WINDOWS\system32\dashost.exe[1884] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenTimer 00007ffd21d927c0 5 bytes JMP 00007ffda1ec0340 .text C:\WINDOWS\system32\dashost.exe[1884] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00007ffd21d92ad0 5 bytes JMP 00007ffda1ec0440 .text C:\WINDOWS\system32\dashost.exe[1884] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00007ffd21d92cd0 1 byte JMP 00007ffda1ec0260 .text C:\WINDOWS\system32\dashost.exe[1884] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 00007ffd21d92cd2 3 bytes {JMP 0xffffffff8012d590} .text C:\WINDOWS\system32\dashost.exe[1884] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootOptions 00007ffd21d92ce0 1 byte JMP 00007ffda1ec0270 .text C:\WINDOWS\system32\dashost.exe[1884] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 00007ffd21d92ce2 3 bytes {JMP 0xffffffff8012d590} .text C:\WINDOWS\system32\dashost.exe[1884] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetContextThread 00007ffd21d92d00 5 bytes JMP 00007ffda1ec0400 .text C:\WINDOWS\system32\dashost.exe[1884] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ffd21d92ee0 5 bytes JMP 00007ffda1ec01f0 .text C:\WINDOWS\system32\dashost.exe[1884] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00007ffd21d92ef0 5 bytes JMP 00007ffda1ec0210 .text C:\WINDOWS\system32\dashost.exe[1884] C:\WINDOWS\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ffd21d92f80 5 bytes JMP 00007ffda1ec0200 .text C:\WINDOWS\system32\dashost.exe[1884] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSuspendProcess 00007ffd21d92ff0 5 bytes JMP 00007ffda1ec0420 .text C:\WINDOWS\system32\dashost.exe[1884] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSuspendThread 00007ffd21d93000 5 bytes JMP 00007ffda1ec0430 .text C:\WINDOWS\system32\dashost.exe[1884] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ffd21d93010 5 bytes JMP 00007ffda1ec0220 .text C:\WINDOWS\system32\dashost.exe[1884] C:\WINDOWS\SYSTEM32\ntdll.dll!NtVdmControl 00007ffd21d93120 2 bytes JMP 00007ffda1ec0280 .text C:\WINDOWS\system32\dashost.exe[1884] C:\WINDOWS\SYSTEM32\ntdll.dll!NtVdmControl + 3 00007ffd21d93123 2 bytes [12, 80] .text C:\Program Files\Elantech\ETDService.exe[1936] C:\WINDOWS\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00007ffd21d91720 5 bytes JMP 00007ffda1ec0460 .text C:\Program Files\Elantech\ETDService.exe[1936] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueryObject 00007ffd21d91770 5 bytes JMP 00007ffda1ec0450 .text C:\Program Files\Elantech\ETDService.exe[1936] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenProcess 00007ffd21d918d0 5 bytes JMP 00007ffda1ec0370 .text C:\Program Files\Elantech\ETDService.exe[1936] C:\WINDOWS\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00007ffd21d91920 5 bytes JMP 00007ffda1ec0470 .text C:\Program Files\Elantech\ETDService.exe[1936] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ffd21d91930 5 bytes JMP 00007ffda1ec03e0 .text C:\Program Files\Elantech\ETDService.exe[1936] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenSection 00007ffd21d919e0 5 bytes JMP 00007ffda1ec0320 .text C:\Program Files\Elantech\ETDService.exe[1936] C:\WINDOWS\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffd21d91a10 5 bytes JMP 00007ffda1ec03b0 .text C:\Program Files\Elantech\ETDService.exe[1936] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDuplicateObject 00007ffd21d91a30 5 bytes JMP 00007ffda1ec0390 .text C:\Program Files\Elantech\ETDService.exe[1936] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenEvent 00007ffd21d91a70 5 bytes JMP 00007ffda1ec02e0 .text C:\Program Files\Elantech\ETDService.exe[1936] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateEvent 00007ffd21d91af0 5 bytes JMP 00007ffda1ec02d0 .text C:\Program Files\Elantech\ETDService.exe[1936] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSection 00007ffd21d91b10 5 bytes JMP 00007ffda1ec0310 .text C:\Program Files\Elantech\ETDService.exe[1936] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThread 00007ffd21d91b50 5 bytes JMP 00007ffda1ec03c0 .text C:\Program Files\Elantech\ETDService.exe[1936] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateThread 00007ffd21d91ba0 5 bytes JMP 00007ffda1ec03f0 .text C:\Program Files\Elantech\ETDService.exe[1936] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAddBootEntry 00007ffd21d91d00 5 bytes JMP 00007ffda1ec0230 .text C:\Program Files\Elantech\ETDService.exe[1936] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ffd21d91ef0 1 byte JMP 00007ffda1ec0480 .text C:\Program Files\Elantech\ETDService.exe[1936] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort + 2 00007ffd21d91ef2 3 bytes {JMP 0xffffffff8012e590} .text C:\Program Files\Elantech\ETDService.exe[1936] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00007ffd21d91f20 5 bytes JMP 00007ffda1ec03a0 .text C:\Program Files\Elantech\ETDService.exe[1936] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ffd21d92040 5 bytes JMP 00007ffda1ec02f0 .text C:\Program Files\Elantech\ETDService.exe[1936] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00007ffd21d92060 5 bytes JMP 00007ffda1ec0350 .text C:\Program Files\Elantech\ETDService.exe[1936] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateMutant 00007ffd21d920d0 5 bytes JMP 00007ffda1ec0290 .text C:\Program Files\Elantech\ETDService.exe[1936] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ffd21d92160 5 bytes JMP 00007ffda1ec02b0 .text C:\Program Files\Elantech\ETDService.exe[1936] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffd21d92180 5 bytes JMP 00007ffda1ec03d0 .text C:\Program Files\Elantech\ETDService.exe[1936] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateTimer 00007ffd21d92190 5 bytes JMP 00007ffda1ec0330 .text C:\Program Files\Elantech\ETDService.exe[1936] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00007ffd21d92240 5 bytes JMP 00007ffda1ec0410 .text C:\Program Files\Elantech\ETDService.exe[1936] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00007ffd21d92270 5 bytes JMP 00007ffda1ec0240 .text C:\Program Files\Elantech\ETDService.exe[1936] C:\WINDOWS\SYSTEM32\ntdll.dll!NtLoadDriver 00007ffd21d92590 5 bytes JMP 00007ffda1ec01e0 .text C:\Program Files\Elantech\ETDService.exe[1936] C:\WINDOWS\SYSTEM32\ntdll.dll!NtModifyBootEntry 00007ffd21d92650 5 bytes JMP 00007ffda1ec0250 .text C:\Program Files\Elantech\ETDService.exe[1936] C:\WINDOWS\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00007ffd21d92680 5 bytes JMP 00007ffda1ec0490 .text C:\Program Files\Elantech\ETDService.exe[1936] C:\WINDOWS\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00007ffd21d92690 5 bytes JMP 00007ffda1ec04a0 .text C:\Program Files\Elantech\ETDService.exe[1936] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenEventPair 00007ffd21d926c0 5 bytes JMP 00007ffda1ec0300 .text C:\Program Files\Elantech\ETDService.exe[1936] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00007ffd21d926d0 1 byte JMP 00007ffda1ec0360 .text C:\Program Files\Elantech\ETDService.exe[1936] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenIoCompletion + 2 00007ffd21d926d2 3 bytes {JMP 0xffffffff8012dc90} .text C:\Program Files\Elantech\ETDService.exe[1936] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenMutant 00007ffd21d92730 5 bytes JMP 00007ffda1ec02a0 .text C:\Program Files\Elantech\ETDService.exe[1936] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenSemaphore 00007ffd21d92780 5 bytes JMP 00007ffda1ec02c0 .text C:\Program Files\Elantech\ETDService.exe[1936] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenThread 00007ffd21d927b0 5 bytes JMP 00007ffda1ec0380 .text C:\Program Files\Elantech\ETDService.exe[1936] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenTimer 00007ffd21d927c0 5 bytes JMP 00007ffda1ec0340 .text C:\Program Files\Elantech\ETDService.exe[1936] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00007ffd21d92ad0 5 bytes JMP 00007ffda1ec0440 .text C:\Program Files\Elantech\ETDService.exe[1936] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00007ffd21d92cd0 1 byte JMP 00007ffda1ec0260 .text C:\Program Files\Elantech\ETDService.exe[1936] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 00007ffd21d92cd2 3 bytes {JMP 0xffffffff8012d590} .text C:\Program Files\Elantech\ETDService.exe[1936] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootOptions 00007ffd21d92ce0 1 byte JMP 00007ffda1ec0270 .text C:\Program Files\Elantech\ETDService.exe[1936] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 00007ffd21d92ce2 3 bytes {JMP 0xffffffff8012d590} .text C:\Program Files\Elantech\ETDService.exe[1936] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetContextThread 00007ffd21d92d00 5 bytes JMP 00007ffda1ec0400 .text C:\Program Files\Elantech\ETDService.exe[1936] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ffd21d92ee0 5 bytes JMP 00007ffda1ec01f0 .text C:\Program Files\Elantech\ETDService.exe[1936] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00007ffd21d92ef0 5 bytes JMP 00007ffda1ec0210 .text C:\Program Files\Elantech\ETDService.exe[1936] C:\WINDOWS\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ffd21d92f80 5 bytes JMP 00007ffda1ec0200 .text C:\Program Files\Elantech\ETDService.exe[1936] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSuspendProcess 00007ffd21d92ff0 5 bytes JMP 00007ffda1ec0420 .text C:\Program Files\Elantech\ETDService.exe[1936] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSuspendThread 00007ffd21d93000 5 bytes JMP 00007ffda1ec0430 .text C:\Program Files\Elantech\ETDService.exe[1936] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ffd21d93010 5 bytes JMP 00007ffda1ec0220 .text C:\Program Files\Elantech\ETDService.exe[1936] C:\WINDOWS\SYSTEM32\ntdll.dll!NtVdmControl 00007ffd21d93120 2 bytes JMP 00007ffda1ec0280 .text C:\Program Files\Elantech\ETDService.exe[1936] C:\WINDOWS\SYSTEM32\ntdll.dll!NtVdmControl + 3 00007ffd21d93123 2 bytes [12, 80] .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1968] C:\WINDOWS\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00007ffd21d91720 5 bytes JMP 00007ffda1ec0460 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1968] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueryObject 00007ffd21d91770 5 bytes JMP 00007ffda1ec0450 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1968] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenProcess 00007ffd21d918d0 5 bytes JMP 00007ffda1ec0370 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1968] C:\WINDOWS\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00007ffd21d91920 5 bytes JMP 00007ffda1ec0470 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1968] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ffd21d91930 5 bytes JMP 00007ffda1ec03e0 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1968] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenSection 00007ffd21d919e0 5 bytes JMP 00007ffda1ec0320 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1968] C:\WINDOWS\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffd21d91a10 5 bytes JMP 00007ffda1ec03b0 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1968] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDuplicateObject 00007ffd21d91a30 5 bytes JMP 00007ffda1ec0390 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1968] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenEvent 00007ffd21d91a70 5 bytes JMP 00007ffda1ec02e0 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1968] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateEvent 00007ffd21d91af0 5 bytes JMP 00007ffda1ec02d0 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1968] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSection 00007ffd21d91b10 5 bytes JMP 00007ffda1ec0310 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1968] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThread 00007ffd21d91b50 5 bytes JMP 00007ffda1ec03c0 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1968] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateThread 00007ffd21d91ba0 5 bytes JMP 00007ffda1ec03f0 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1968] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAddBootEntry 00007ffd21d91d00 5 bytes JMP 00007ffda1ec0230 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1968] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ffd21d91ef0 1 byte JMP 00007ffda1ec0480 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1968] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort + 2 00007ffd21d91ef2 3 bytes {JMP 0xffffffff8012e590} .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1968] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00007ffd21d91f20 5 bytes JMP 00007ffda1ec03a0 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1968] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ffd21d92040 5 bytes JMP 00007ffda1ec02f0 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1968] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00007ffd21d92060 5 bytes JMP 00007ffda1ec0350 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1968] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateMutant 00007ffd21d920d0 5 bytes JMP 00007ffda1ec0290 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1968] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ffd21d92160 5 bytes JMP 00007ffda1ec02b0 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1968] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffd21d92180 5 bytes JMP 00007ffda1ec03d0 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1968] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateTimer 00007ffd21d92190 5 bytes JMP 00007ffda1ec0330 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1968] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00007ffd21d92240 5 bytes JMP 00007ffda1ec0410 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1968] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00007ffd21d92270 5 bytes JMP 00007ffda1ec0240 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1968] C:\WINDOWS\SYSTEM32\ntdll.dll!NtLoadDriver 00007ffd21d92590 5 bytes JMP 00007ffda1ec01e0 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1968] C:\WINDOWS\SYSTEM32\ntdll.dll!NtModifyBootEntry 00007ffd21d92650 5 bytes JMP 00007ffda1ec0250 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1968] C:\WINDOWS\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00007ffd21d92680 5 bytes JMP 00007ffda1ec0490 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1968] C:\WINDOWS\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00007ffd21d92690 5 bytes JMP 00007ffda1ec04a0 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1968] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenEventPair 00007ffd21d926c0 5 bytes JMP 00007ffda1ec0300 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1968] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00007ffd21d926d0 1 byte JMP 00007ffda1ec0360 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1968] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenIoCompletion + 2 00007ffd21d926d2 3 bytes {JMP 0xffffffff8012dc90} .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1968] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenMutant 00007ffd21d92730 5 bytes JMP 00007ffda1ec02a0 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1968] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenSemaphore 00007ffd21d92780 5 bytes JMP 00007ffda1ec02c0 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1968] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenThread 00007ffd21d927b0 5 bytes JMP 00007ffda1ec0380 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1968] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenTimer 00007ffd21d927c0 5 bytes JMP 00007ffda1ec0340 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1968] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00007ffd21d92ad0 5 bytes JMP 00007ffda1ec0440 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1968] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00007ffd21d92cd0 1 byte JMP 00007ffda1ec0260 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1968] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 00007ffd21d92cd2 3 bytes {JMP 0xffffffff8012d590} .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1968] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootOptions 00007ffd21d92ce0 1 byte JMP 00007ffda1ec0270 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1968] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 00007ffd21d92ce2 3 bytes {JMP 0xffffffff8012d590} .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1968] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetContextThread 00007ffd21d92d00 5 bytes JMP 00007ffda1ec0400 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1968] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ffd21d92ee0 5 bytes JMP 00007ffda1ec01f0 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1968] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00007ffd21d92ef0 5 bytes JMP 00007ffda1ec0210 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1968] C:\WINDOWS\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ffd21d92f80 5 bytes JMP 00007ffda1ec0200 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1968] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSuspendProcess 00007ffd21d92ff0 5 bytes JMP 00007ffda1ec0420 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1968] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSuspendThread 00007ffd21d93000 5 bytes JMP 00007ffda1ec0430 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1968] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ffd21d93010 5 bytes JMP 00007ffda1ec0220 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1968] C:\WINDOWS\SYSTEM32\ntdll.dll!NtVdmControl 00007ffd21d93120 2 bytes JMP 00007ffda1ec0280 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1968] C:\WINDOWS\SYSTEM32\ntdll.dll!NtVdmControl + 3 00007ffd21d93123 2 bytes [12, 80] .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2004] C:\WINDOWS\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00007ffd21d91720 5 bytes JMP 00007ffda1ec0460 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2004] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueryObject 00007ffd21d91770 5 bytes JMP 00007ffda1ec0450 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2004] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenProcess 00007ffd21d918d0 5 bytes JMP 00007ffda1ec0370 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2004] C:\WINDOWS\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00007ffd21d91920 5 bytes JMP 00007ffda1ec0470 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2004] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ffd21d91930 5 bytes JMP 00007ffda1ec03e0 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2004] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenSection 00007ffd21d919e0 5 bytes JMP 00007ffda1ec0320 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2004] C:\WINDOWS\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffd21d91a10 5 bytes JMP 00007ffda1ec03b0 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2004] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDuplicateObject 00007ffd21d91a30 5 bytes JMP 00007ffda1ec0390 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2004] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenEvent 00007ffd21d91a70 5 bytes JMP 00007ffda1ec02e0 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2004] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateEvent 00007ffd21d91af0 5 bytes JMP 00007ffda1ec02d0 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2004] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSection 00007ffd21d91b10 5 bytes JMP 00007ffda1ec0310 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2004] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThread 00007ffd21d91b50 5 bytes JMP 00007ffda1ec03c0 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2004] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateThread 00007ffd21d91ba0 5 bytes JMP 00007ffda1ec03f0 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2004] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAddBootEntry 00007ffd21d91d00 5 bytes JMP 00007ffda1ec0230 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2004] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ffd21d91ef0 1 byte JMP 00007ffda1ec0480 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2004] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort + 2 00007ffd21d91ef2 3 bytes {JMP 0xffffffff8012e590} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2004] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00007ffd21d91f20 5 bytes JMP 00007ffda1ec03a0 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2004] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ffd21d92040 5 bytes JMP 00007ffda1ec02f0 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2004] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00007ffd21d92060 5 bytes JMP 00007ffda1ec0350 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2004] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateMutant 00007ffd21d920d0 5 bytes JMP 00007ffda1ec0290 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2004] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ffd21d92160 5 bytes JMP 00007ffda1ec02b0 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2004] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffd21d92180 5 bytes JMP 00007ffda1ec03d0 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2004] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateTimer 00007ffd21d92190 5 bytes JMP 00007ffda1ec0330 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2004] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00007ffd21d92240 5 bytes JMP 00007ffda1ec0410 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2004] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00007ffd21d92270 5 bytes JMP 00007ffda1ec0240 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2004] C:\WINDOWS\SYSTEM32\ntdll.dll!NtLoadDriver 00007ffd21d92590 5 bytes JMP 00007ffda1ec01e0 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2004] C:\WINDOWS\SYSTEM32\ntdll.dll!NtModifyBootEntry 00007ffd21d92650 5 bytes JMP 00007ffda1ec0250 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2004] C:\WINDOWS\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00007ffd21d92680 5 bytes JMP 00007ffda1ec0490 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2004] C:\WINDOWS\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00007ffd21d92690 5 bytes JMP 00007ffda1ec04a0 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2004] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenEventPair 00007ffd21d926c0 5 bytes JMP 00007ffda1ec0300 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2004] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00007ffd21d926d0 1 byte JMP 00007ffda1ec0360 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2004] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenIoCompletion + 2 00007ffd21d926d2 3 bytes {JMP 0xffffffff8012dc90} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2004] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenMutant 00007ffd21d92730 5 bytes JMP 00007ffda1ec02a0 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2004] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenSemaphore 00007ffd21d92780 5 bytes JMP 00007ffda1ec02c0 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2004] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenThread 00007ffd21d927b0 5 bytes JMP 00007ffda1ec0380 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2004] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenTimer 00007ffd21d927c0 5 bytes JMP 00007ffda1ec0340 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2004] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00007ffd21d92ad0 5 bytes JMP 00007ffda1ec0440 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2004] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00007ffd21d92cd0 1 byte JMP 00007ffda1ec0260 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2004] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 00007ffd21d92cd2 3 bytes {JMP 0xffffffff8012d590} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2004] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootOptions 00007ffd21d92ce0 1 byte JMP 00007ffda1ec0270 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2004] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 00007ffd21d92ce2 3 bytes {JMP 0xffffffff8012d590} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2004] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetContextThread 00007ffd21d92d00 5 bytes JMP 00007ffda1ec0400 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2004] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ffd21d92ee0 5 bytes JMP 00007ffda1ec01f0 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2004] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00007ffd21d92ef0 5 bytes JMP 00007ffda1ec0210 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2004] C:\WINDOWS\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ffd21d92f80 5 bytes JMP 00007ffda1ec0200 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2004] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSuspendProcess 00007ffd21d92ff0 5 bytes JMP 00007ffda1ec0420 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2004] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSuspendThread 00007ffd21d93000 5 bytes JMP 00007ffda1ec0430 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2004] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ffd21d93010 5 bytes JMP 00007ffda1ec0220 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2004] C:\WINDOWS\SYSTEM32\ntdll.dll!NtVdmControl 00007ffd21d93120 2 bytes JMP 00007ffda1ec0280 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2004] C:\WINDOWS\SYSTEM32\ntdll.dll!NtVdmControl + 3 00007ffd21d93123 2 bytes [12, 80] .text C:\Program Files (x86)\Intel\Bluetooth\ibtrksrv.exe[1068] C:\WINDOWS\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00007ffd21d91720 5 bytes JMP 00007ffda1ec0460 .text C:\Program Files (x86)\Intel\Bluetooth\ibtrksrv.exe[1068] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueryObject 00007ffd21d91770 5 bytes JMP 00007ffda1ec0450 .text C:\Program Files (x86)\Intel\Bluetooth\ibtrksrv.exe[1068] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenProcess 00007ffd21d918d0 5 bytes JMP 00007ffda1ec0370 .text C:\Program Files (x86)\Intel\Bluetooth\ibtrksrv.exe[1068] C:\WINDOWS\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00007ffd21d91920 5 bytes JMP 00007ffda1ec0470 .text C:\Program Files (x86)\Intel\Bluetooth\ibtrksrv.exe[1068] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ffd21d91930 5 bytes JMP 00007ffda1ec03e0 .text C:\Program Files (x86)\Intel\Bluetooth\ibtrksrv.exe[1068] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenSection 00007ffd21d919e0 5 bytes JMP 00007ffda1ec0320 .text C:\Program Files (x86)\Intel\Bluetooth\ibtrksrv.exe[1068] C:\WINDOWS\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffd21d91a10 5 bytes JMP 00007ffda1ec03b0 .text C:\Program Files (x86)\Intel\Bluetooth\ibtrksrv.exe[1068] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDuplicateObject 00007ffd21d91a30 5 bytes JMP 00007ffda1ec0390 .text C:\Program Files (x86)\Intel\Bluetooth\ibtrksrv.exe[1068] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenEvent 00007ffd21d91a70 5 bytes JMP 00007ffda1ec02e0 .text C:\Program Files (x86)\Intel\Bluetooth\ibtrksrv.exe[1068] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateEvent 00007ffd21d91af0 5 bytes JMP 00007ffda1ec02d0 .text C:\Program Files (x86)\Intel\Bluetooth\ibtrksrv.exe[1068] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSection 00007ffd21d91b10 5 bytes JMP 00007ffda1ec0310 .text C:\Program Files (x86)\Intel\Bluetooth\ibtrksrv.exe[1068] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThread 00007ffd21d91b50 5 bytes JMP 00007ffda1ec03c0 .text C:\Program Files (x86)\Intel\Bluetooth\ibtrksrv.exe[1068] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateThread 00007ffd21d91ba0 5 bytes JMP 00007ffda1ec03f0 .text C:\Program Files (x86)\Intel\Bluetooth\ibtrksrv.exe[1068] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAddBootEntry 00007ffd21d91d00 5 bytes JMP 00007ffda1ec0230 .text C:\Program Files (x86)\Intel\Bluetooth\ibtrksrv.exe[1068] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ffd21d91ef0 1 byte JMP 00007ffda1ec0480 .text C:\Program Files (x86)\Intel\Bluetooth\ibtrksrv.exe[1068] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort + 2 00007ffd21d91ef2 3 bytes {JMP 0xffffffff8012e590} .text C:\Program Files (x86)\Intel\Bluetooth\ibtrksrv.exe[1068] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00007ffd21d91f20 5 bytes JMP 00007ffda1ec03a0 .text C:\Program Files (x86)\Intel\Bluetooth\ibtrksrv.exe[1068] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ffd21d92040 5 bytes JMP 00007ffda1ec02f0 .text C:\Program Files (x86)\Intel\Bluetooth\ibtrksrv.exe[1068] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00007ffd21d92060 5 bytes JMP 00007ffda1ec0350 .text C:\Program Files (x86)\Intel\Bluetooth\ibtrksrv.exe[1068] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateMutant 00007ffd21d920d0 5 bytes JMP 00007ffda1ec0290 .text C:\Program Files (x86)\Intel\Bluetooth\ibtrksrv.exe[1068] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ffd21d92160 5 bytes JMP 00007ffda1ec02b0 .text C:\Program Files (x86)\Intel\Bluetooth\ibtrksrv.exe[1068] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffd21d92180 5 bytes JMP 00007ffda1ec03d0 .text C:\Program Files (x86)\Intel\Bluetooth\ibtrksrv.exe[1068] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateTimer 00007ffd21d92190 5 bytes JMP 00007ffda1ec0330 .text C:\Program Files (x86)\Intel\Bluetooth\ibtrksrv.exe[1068] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00007ffd21d92240 5 bytes JMP 00007ffda1ec0410 .text C:\Program Files (x86)\Intel\Bluetooth\ibtrksrv.exe[1068] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00007ffd21d92270 5 bytes JMP 00007ffda1ec0240 .text C:\Program Files (x86)\Intel\Bluetooth\ibtrksrv.exe[1068] C:\WINDOWS\SYSTEM32\ntdll.dll!NtLoadDriver 00007ffd21d92590 5 bytes JMP 00007ffda1ec01e0 .text C:\Program Files (x86)\Intel\Bluetooth\ibtrksrv.exe[1068] C:\WINDOWS\SYSTEM32\ntdll.dll!NtModifyBootEntry 00007ffd21d92650 5 bytes JMP 00007ffda1ec0250 .text C:\Program Files (x86)\Intel\Bluetooth\ibtrksrv.exe[1068] C:\WINDOWS\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00007ffd21d92680 5 bytes JMP 00007ffda1ec0490 .text C:\Program Files (x86)\Intel\Bluetooth\ibtrksrv.exe[1068] C:\WINDOWS\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00007ffd21d92690 5 bytes JMP 00007ffda1ec04a0 .text C:\Program Files (x86)\Intel\Bluetooth\ibtrksrv.exe[1068] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenEventPair 00007ffd21d926c0 5 bytes JMP 00007ffda1ec0300 .text C:\Program Files (x86)\Intel\Bluetooth\ibtrksrv.exe[1068] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00007ffd21d926d0 1 byte JMP 00007ffda1ec0360 .text C:\Program Files (x86)\Intel\Bluetooth\ibtrksrv.exe[1068] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenIoCompletion + 2 00007ffd21d926d2 3 bytes {JMP 0xffffffff8012dc90} .text C:\Program Files (x86)\Intel\Bluetooth\ibtrksrv.exe[1068] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenMutant 00007ffd21d92730 5 bytes JMP 00007ffda1ec02a0 .text C:\Program Files (x86)\Intel\Bluetooth\ibtrksrv.exe[1068] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenSemaphore 00007ffd21d92780 5 bytes JMP 00007ffda1ec02c0 .text C:\Program Files (x86)\Intel\Bluetooth\ibtrksrv.exe[1068] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenThread 00007ffd21d927b0 5 bytes JMP 00007ffda1ec0380 .text C:\Program Files (x86)\Intel\Bluetooth\ibtrksrv.exe[1068] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenTimer 00007ffd21d927c0 5 bytes JMP 00007ffda1ec0340 .text C:\Program Files (x86)\Intel\Bluetooth\ibtrksrv.exe[1068] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00007ffd21d92ad0 5 bytes JMP 00007ffda1ec0440 .text C:\Program Files (x86)\Intel\Bluetooth\ibtrksrv.exe[1068] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00007ffd21d92cd0 1 byte JMP 00007ffda1ec0260 .text C:\Program Files (x86)\Intel\Bluetooth\ibtrksrv.exe[1068] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 00007ffd21d92cd2 3 bytes {JMP 0xffffffff8012d590} .text C:\Program Files (x86)\Intel\Bluetooth\ibtrksrv.exe[1068] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootOptions 00007ffd21d92ce0 1 byte JMP 00007ffda1ec0270 .text C:\Program Files (x86)\Intel\Bluetooth\ibtrksrv.exe[1068] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 00007ffd21d92ce2 3 bytes {JMP 0xffffffff8012d590} .text C:\Program Files (x86)\Intel\Bluetooth\ibtrksrv.exe[1068] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetContextThread 00007ffd21d92d00 5 bytes JMP 00007ffda1ec0400 .text C:\Program Files (x86)\Intel\Bluetooth\ibtrksrv.exe[1068] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ffd21d92ee0 5 bytes JMP 00007ffda1ec01f0 .text C:\Program Files (x86)\Intel\Bluetooth\ibtrksrv.exe[1068] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00007ffd21d92ef0 5 bytes JMP 00007ffda1ec0210 .text C:\Program Files (x86)\Intel\Bluetooth\ibtrksrv.exe[1068] C:\WINDOWS\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ffd21d92f80 5 bytes JMP 00007ffda1ec0200 .text C:\Program Files (x86)\Intel\Bluetooth\ibtrksrv.exe[1068] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSuspendProcess 00007ffd21d92ff0 5 bytes JMP 00007ffda1ec0420 .text C:\Program Files (x86)\Intel\Bluetooth\ibtrksrv.exe[1068] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSuspendThread 00007ffd21d93000 5 bytes JMP 00007ffda1ec0430 .text C:\Program Files (x86)\Intel\Bluetooth\ibtrksrv.exe[1068] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ffd21d93010 5 bytes JMP 00007ffda1ec0220 .text C:\Program Files (x86)\Intel\Bluetooth\ibtrksrv.exe[1068] C:\WINDOWS\SYSTEM32\ntdll.dll!NtVdmControl 00007ffd21d93120 2 bytes JMP 00007ffda1ec0280 .text C:\Program Files (x86)\Intel\Bluetooth\ibtrksrv.exe[1068] C:\WINDOWS\SYSTEM32\ntdll.dll!NtVdmControl + 3 00007ffd21d93123 2 bytes [12, 80] .text C:\WINDOWS\system32\svchost.exe[3052] C:\WINDOWS\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00007ffd21d91720 5 bytes JMP 00007ffda1ec0460 .text C:\WINDOWS\system32\svchost.exe[3052] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueryObject 00007ffd21d91770 5 bytes JMP 00007ffda1ec0450 .text C:\WINDOWS\system32\svchost.exe[3052] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenProcess 00007ffd21d918d0 5 bytes JMP 00007ffda1ec0370 .text C:\WINDOWS\system32\svchost.exe[3052] C:\WINDOWS\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00007ffd21d91920 5 bytes JMP 00007ffda1ec0470 .text C:\WINDOWS\system32\svchost.exe[3052] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ffd21d91930 5 bytes JMP 00007ffda1ec03e0 .text C:\WINDOWS\system32\svchost.exe[3052] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenSection 00007ffd21d919e0 5 bytes JMP 00007ffda1ec0320 .text C:\WINDOWS\system32\svchost.exe[3052] C:\WINDOWS\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffd21d91a10 5 bytes JMP 00007ffda1ec03b0 .text C:\WINDOWS\system32\svchost.exe[3052] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDuplicateObject 00007ffd21d91a30 5 bytes JMP 00007ffda1ec0390 .text C:\WINDOWS\system32\svchost.exe[3052] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenEvent 00007ffd21d91a70 5 bytes JMP 00007ffda1ec02e0 .text C:\WINDOWS\system32\svchost.exe[3052] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateEvent 00007ffd21d91af0 5 bytes JMP 00007ffda1ec02d0 .text C:\WINDOWS\system32\svchost.exe[3052] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSection 00007ffd21d91b10 5 bytes JMP 00007ffda1ec0310 .text C:\WINDOWS\system32\svchost.exe[3052] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThread 00007ffd21d91b50 5 bytes JMP 00007ffda1ec03c0 .text C:\WINDOWS\system32\svchost.exe[3052] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateThread 00007ffd21d91ba0 5 bytes JMP 00007ffda1ec03f0 .text C:\WINDOWS\system32\svchost.exe[3052] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAddBootEntry 00007ffd21d91d00 5 bytes JMP 00007ffda1ec0230 .text C:\WINDOWS\system32\svchost.exe[3052] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ffd21d91ef0 1 byte JMP 00007ffda1ec0480 .text C:\WINDOWS\system32\svchost.exe[3052] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort + 2 00007ffd21d91ef2 3 bytes {JMP 0xffffffff8012e590} .text C:\WINDOWS\system32\svchost.exe[3052] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00007ffd21d91f20 5 bytes JMP 00007ffda1ec03a0 .text C:\WINDOWS\system32\svchost.exe[3052] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ffd21d92040 5 bytes JMP 00007ffda1ec02f0 .text C:\WINDOWS\system32\svchost.exe[3052] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00007ffd21d92060 5 bytes JMP 00007ffda1ec0350 .text C:\WINDOWS\system32\svchost.exe[3052] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateMutant 00007ffd21d920d0 5 bytes JMP 00007ffda1ec0290 .text C:\WINDOWS\system32\svchost.exe[3052] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ffd21d92160 5 bytes JMP 00007ffda1ec02b0 .text C:\WINDOWS\system32\svchost.exe[3052] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffd21d92180 5 bytes JMP 00007ffda1ec03d0 .text C:\WINDOWS\system32\svchost.exe[3052] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateTimer 00007ffd21d92190 5 bytes JMP 00007ffda1ec0330 .text C:\WINDOWS\system32\svchost.exe[3052] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00007ffd21d92240 5 bytes JMP 00007ffda1ec0410 .text C:\WINDOWS\system32\svchost.exe[3052] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00007ffd21d92270 5 bytes JMP 00007ffda1ec0240 .text C:\WINDOWS\system32\svchost.exe[3052] C:\WINDOWS\SYSTEM32\ntdll.dll!NtLoadDriver 00007ffd21d92590 5 bytes JMP 00007ffda1ec01e0 .text C:\WINDOWS\system32\svchost.exe[3052] C:\WINDOWS\SYSTEM32\ntdll.dll!NtModifyBootEntry 00007ffd21d92650 5 bytes JMP 00007ffda1ec0250 .text C:\WINDOWS\system32\svchost.exe[3052] C:\WINDOWS\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00007ffd21d92680 5 bytes JMP 00007ffda1ec0490 .text C:\WINDOWS\system32\svchost.exe[3052] C:\WINDOWS\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00007ffd21d92690 5 bytes JMP 00007ffda1ec04a0 .text C:\WINDOWS\system32\svchost.exe[3052] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenEventPair 00007ffd21d926c0 5 bytes JMP 00007ffda1ec0300 .text C:\WINDOWS\system32\svchost.exe[3052] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00007ffd21d926d0 1 byte JMP 00007ffda1ec0360 .text C:\WINDOWS\system32\svchost.exe[3052] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenIoCompletion + 2 00007ffd21d926d2 3 bytes {JMP 0xffffffff8012dc90} .text C:\WINDOWS\system32\svchost.exe[3052] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenMutant 00007ffd21d92730 5 bytes JMP 00007ffda1ec02a0 .text C:\WINDOWS\system32\svchost.exe[3052] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenSemaphore 00007ffd21d92780 5 bytes JMP 00007ffda1ec02c0 .text C:\WINDOWS\system32\svchost.exe[3052] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenThread 00007ffd21d927b0 5 bytes JMP 00007ffda1ec0380 .text C:\WINDOWS\system32\svchost.exe[3052] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenTimer 00007ffd21d927c0 5 bytes JMP 00007ffda1ec0340 .text C:\WINDOWS\system32\svchost.exe[3052] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00007ffd21d92ad0 5 bytes JMP 00007ffda1ec0440 .text C:\WINDOWS\system32\svchost.exe[3052] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00007ffd21d92cd0 1 byte JMP 00007ffda1ec0260 .text C:\WINDOWS\system32\svchost.exe[3052] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 00007ffd21d92cd2 3 bytes {JMP 0xffffffff8012d590} .text C:\WINDOWS\system32\svchost.exe[3052] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootOptions 00007ffd21d92ce0 1 byte JMP 00007ffda1ec0270 .text C:\WINDOWS\system32\svchost.exe[3052] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 00007ffd21d92ce2 3 bytes {JMP 0xffffffff8012d590} .text C:\WINDOWS\system32\svchost.exe[3052] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetContextThread 00007ffd21d92d00 5 bytes JMP 00007ffda1ec0400 .text C:\WINDOWS\system32\svchost.exe[3052] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ffd21d92ee0 5 bytes JMP 00007ffda1ec01f0 .text C:\WINDOWS\system32\svchost.exe[3052] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00007ffd21d92ef0 5 bytes JMP 00007ffda1ec0210 .text C:\WINDOWS\system32\svchost.exe[3052] C:\WINDOWS\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ffd21d92f80 5 bytes JMP 00007ffda1ec0200 .text C:\WINDOWS\system32\svchost.exe[3052] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSuspendProcess 00007ffd21d92ff0 5 bytes JMP 00007ffda1ec0420 .text C:\WINDOWS\system32\svchost.exe[3052] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSuspendThread 00007ffd21d93000 5 bytes JMP 00007ffda1ec0430 .text C:\WINDOWS\system32\svchost.exe[3052] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ffd21d93010 5 bytes JMP 00007ffda1ec0220 .text C:\WINDOWS\system32\svchost.exe[3052] C:\WINDOWS\SYSTEM32\ntdll.dll!NtVdmControl 00007ffd21d93120 2 bytes JMP 00007ffda1ec0280 .text C:\WINDOWS\system32\svchost.exe[3052] C:\WINDOWS\SYSTEM32\ntdll.dll!NtVdmControl + 3 00007ffd21d93123 2 bytes [12, 80] .text C:\WINDOWS\system32\svchost.exe[3416] C:\WINDOWS\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00007ffd21d91720 5 bytes JMP 00007ffda1ec0460 .text C:\WINDOWS\system32\svchost.exe[3416] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueryObject 00007ffd21d91770 5 bytes JMP 00007ffda1ec0450 .text C:\WINDOWS\system32\svchost.exe[3416] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenProcess 00007ffd21d918d0 5 bytes JMP 00007ffda1ec0370 .text C:\WINDOWS\system32\svchost.exe[3416] C:\WINDOWS\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00007ffd21d91920 5 bytes JMP 00007ffda1ec0470 .text C:\WINDOWS\system32\svchost.exe[3416] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ffd21d91930 5 bytes JMP 00007ffda1ec03e0 .text C:\WINDOWS\system32\svchost.exe[3416] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenSection 00007ffd21d919e0 5 bytes JMP 00007ffda1ec0320 .text C:\WINDOWS\system32\svchost.exe[3416] C:\WINDOWS\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffd21d91a10 5 bytes JMP 00007ffda1ec03b0 .text C:\WINDOWS\system32\svchost.exe[3416] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDuplicateObject 00007ffd21d91a30 5 bytes JMP 00007ffda1ec0390 .text C:\WINDOWS\system32\svchost.exe[3416] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenEvent 00007ffd21d91a70 5 bytes JMP 00007ffda1ec02e0 .text C:\WINDOWS\system32\svchost.exe[3416] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateEvent 00007ffd21d91af0 5 bytes JMP 00007ffda1ec02d0 .text C:\WINDOWS\system32\svchost.exe[3416] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSection 00007ffd21d91b10 5 bytes JMP 00007ffda1ec0310 .text C:\WINDOWS\system32\svchost.exe[3416] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThread 00007ffd21d91b50 5 bytes JMP 00007ffda1ec03c0 .text C:\WINDOWS\system32\svchost.exe[3416] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateThread 00007ffd21d91ba0 5 bytes JMP 00007ffda1ec03f0 .text C:\WINDOWS\system32\svchost.exe[3416] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAddBootEntry 00007ffd21d91d00 5 bytes JMP 00007ffda1ec0230 .text C:\WINDOWS\system32\svchost.exe[3416] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ffd21d91ef0 1 byte JMP 00007ffda1ec0480 .text C:\WINDOWS\system32\svchost.exe[3416] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort + 2 00007ffd21d91ef2 3 bytes {JMP 0xffffffff8012e590} .text C:\WINDOWS\system32\svchost.exe[3416] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00007ffd21d91f20 5 bytes JMP 00007ffda1ec03a0 .text C:\WINDOWS\system32\svchost.exe[3416] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ffd21d92040 5 bytes JMP 00007ffda1ec02f0 .text C:\WINDOWS\system32\svchost.exe[3416] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00007ffd21d92060 5 bytes JMP 00007ffda1ec0350 .text C:\WINDOWS\system32\svchost.exe[3416] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateMutant 00007ffd21d920d0 5 bytes JMP 00007ffda1ec0290 .text C:\WINDOWS\system32\svchost.exe[3416] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ffd21d92160 5 bytes JMP 00007ffda1ec02b0 .text C:\WINDOWS\system32\svchost.exe[3416] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffd21d92180 5 bytes JMP 00007ffda1ec03d0 .text C:\WINDOWS\system32\svchost.exe[3416] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateTimer 00007ffd21d92190 5 bytes JMP 00007ffda1ec0330 .text C:\WINDOWS\system32\svchost.exe[3416] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00007ffd21d92240 5 bytes JMP 00007ffda1ec0410 .text C:\WINDOWS\system32\svchost.exe[3416] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00007ffd21d92270 5 bytes JMP 00007ffda1ec0240 .text C:\WINDOWS\system32\svchost.exe[3416] C:\WINDOWS\SYSTEM32\ntdll.dll!NtLoadDriver 00007ffd21d92590 5 bytes JMP 00007ffda1ec01e0 .text C:\WINDOWS\system32\svchost.exe[3416] C:\WINDOWS\SYSTEM32\ntdll.dll!NtModifyBootEntry 00007ffd21d92650 5 bytes JMP 00007ffda1ec0250 .text C:\WINDOWS\system32\svchost.exe[3416] C:\WINDOWS\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00007ffd21d92680 5 bytes JMP 00007ffda1ec0490 .text C:\WINDOWS\system32\svchost.exe[3416] C:\WINDOWS\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00007ffd21d92690 5 bytes JMP 00007ffda1ec04a0 .text C:\WINDOWS\system32\svchost.exe[3416] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenEventPair 00007ffd21d926c0 5 bytes JMP 00007ffda1ec0300 .text C:\WINDOWS\system32\svchost.exe[3416] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00007ffd21d926d0 1 byte JMP 00007ffda1ec0360 .text C:\WINDOWS\system32\svchost.exe[3416] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenIoCompletion + 2 00007ffd21d926d2 3 bytes {JMP 0xffffffff8012dc90} .text C:\WINDOWS\system32\svchost.exe[3416] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenMutant 00007ffd21d92730 5 bytes JMP 00007ffda1ec02a0 .text C:\WINDOWS\system32\svchost.exe[3416] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenSemaphore 00007ffd21d92780 5 bytes JMP 00007ffda1ec02c0 .text C:\WINDOWS\system32\svchost.exe[3416] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenThread 00007ffd21d927b0 5 bytes JMP 00007ffda1ec0380 .text C:\WINDOWS\system32\svchost.exe[3416] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenTimer 00007ffd21d927c0 5 bytes JMP 00007ffda1ec0340 .text C:\WINDOWS\system32\svchost.exe[3416] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00007ffd21d92ad0 5 bytes JMP 00007ffda1ec0440 .text C:\WINDOWS\system32\svchost.exe[3416] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00007ffd21d92cd0 1 byte JMP 00007ffda1ec0260 .text C:\WINDOWS\system32\svchost.exe[3416] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 00007ffd21d92cd2 3 bytes {JMP 0xffffffff8012d590} .text C:\WINDOWS\system32\svchost.exe[3416] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootOptions 00007ffd21d92ce0 1 byte JMP 00007ffda1ec0270 .text C:\WINDOWS\system32\svchost.exe[3416] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 00007ffd21d92ce2 3 bytes {JMP 0xffffffff8012d590} .text C:\WINDOWS\system32\svchost.exe[3416] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetContextThread 00007ffd21d92d00 5 bytes JMP 00007ffda1ec0400 .text C:\WINDOWS\system32\svchost.exe[3416] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ffd21d92ee0 5 bytes JMP 00007ffda1ec01f0 .text C:\WINDOWS\system32\svchost.exe[3416] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00007ffd21d92ef0 5 bytes JMP 00007ffda1ec0210 .text C:\WINDOWS\system32\svchost.exe[3416] C:\WINDOWS\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ffd21d92f80 5 bytes JMP 00007ffda1ec0200 .text C:\WINDOWS\system32\svchost.exe[3416] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSuspendProcess 00007ffd21d92ff0 5 bytes JMP 00007ffda1ec0420 .text C:\WINDOWS\system32\svchost.exe[3416] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSuspendThread 00007ffd21d93000 5 bytes JMP 00007ffda1ec0430 .text C:\WINDOWS\system32\svchost.exe[3416] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ffd21d93010 5 bytes JMP 00007ffda1ec0220 .text C:\WINDOWS\system32\svchost.exe[3416] C:\WINDOWS\SYSTEM32\ntdll.dll!NtVdmControl 00007ffd21d93120 2 bytes JMP 00007ffda1ec0280 .text C:\WINDOWS\system32\svchost.exe[3416] C:\WINDOWS\SYSTEM32\ntdll.dll!NtVdmControl + 3 00007ffd21d93123 2 bytes [12, 80] .text C:\WINDOWS\system32\SearchIndexer.exe[3480] C:\WINDOWS\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00007ffd21d91720 5 bytes JMP 00007ffda1ec0460 .text C:\WINDOWS\system32\SearchIndexer.exe[3480] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueryObject 00007ffd21d91770 5 bytes JMP 00007ffda1ec0450 .text C:\WINDOWS\system32\SearchIndexer.exe[3480] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenProcess 00007ffd21d918d0 5 bytes JMP 00007ffda1ec0370 .text C:\WINDOWS\system32\SearchIndexer.exe[3480] C:\WINDOWS\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00007ffd21d91920 5 bytes JMP 00007ffda1ec0470 .text C:\WINDOWS\system32\SearchIndexer.exe[3480] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ffd21d91930 5 bytes JMP 00007ffda1ec03e0 .text C:\WINDOWS\system32\SearchIndexer.exe[3480] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenSection 00007ffd21d919e0 5 bytes JMP 00007ffda1ec0320 .text C:\WINDOWS\system32\SearchIndexer.exe[3480] C:\WINDOWS\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffd21d91a10 5 bytes JMP 00007ffda1ec03b0 .text C:\WINDOWS\system32\SearchIndexer.exe[3480] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDuplicateObject 00007ffd21d91a30 5 bytes JMP 00007ffda1ec0390 .text C:\WINDOWS\system32\SearchIndexer.exe[3480] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenEvent 00007ffd21d91a70 5 bytes JMP 00007ffda1ec02e0 .text C:\WINDOWS\system32\SearchIndexer.exe[3480] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateEvent 00007ffd21d91af0 5 bytes JMP 00007ffda1ec02d0 .text C:\WINDOWS\system32\SearchIndexer.exe[3480] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSection 00007ffd21d91b10 5 bytes JMP 00007ffda1ec0310 .text C:\WINDOWS\system32\SearchIndexer.exe[3480] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThread 00007ffd21d91b50 5 bytes JMP 00007ffda1ec03c0 .text C:\WINDOWS\system32\SearchIndexer.exe[3480] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateThread 00007ffd21d91ba0 5 bytes JMP 00007ffda1ec03f0 .text C:\WINDOWS\system32\SearchIndexer.exe[3480] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAddBootEntry 00007ffd21d91d00 5 bytes JMP 00007ffda1ec0230 .text C:\WINDOWS\system32\SearchIndexer.exe[3480] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ffd21d91ef0 1 byte JMP 00007ffda1ec0480 .text C:\WINDOWS\system32\SearchIndexer.exe[3480] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort + 2 00007ffd21d91ef2 3 bytes {JMP 0xffffffff8012e590} .text C:\WINDOWS\system32\SearchIndexer.exe[3480] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00007ffd21d91f20 5 bytes JMP 00007ffda1ec03a0 .text C:\WINDOWS\system32\SearchIndexer.exe[3480] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ffd21d92040 5 bytes JMP 00007ffda1ec02f0 .text C:\WINDOWS\system32\SearchIndexer.exe[3480] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00007ffd21d92060 5 bytes JMP 00007ffda1ec0350 .text C:\WINDOWS\system32\SearchIndexer.exe[3480] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateMutant 00007ffd21d920d0 5 bytes JMP 00007ffda1ec0290 .text C:\WINDOWS\system32\SearchIndexer.exe[3480] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ffd21d92160 5 bytes JMP 00007ffda1ec02b0 .text C:\WINDOWS\system32\SearchIndexer.exe[3480] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffd21d92180 5 bytes JMP 00007ffda1ec03d0 .text C:\WINDOWS\system32\SearchIndexer.exe[3480] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateTimer 00007ffd21d92190 5 bytes JMP 00007ffda1ec0330 .text C:\WINDOWS\system32\SearchIndexer.exe[3480] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00007ffd21d92240 5 bytes JMP 00007ffda1ec0410 .text C:\WINDOWS\system32\SearchIndexer.exe[3480] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00007ffd21d92270 5 bytes JMP 00007ffda1ec0240 .text C:\WINDOWS\system32\SearchIndexer.exe[3480] C:\WINDOWS\SYSTEM32\ntdll.dll!NtLoadDriver 00007ffd21d92590 5 bytes JMP 00007ffda1ec01e0 .text C:\WINDOWS\system32\SearchIndexer.exe[3480] C:\WINDOWS\SYSTEM32\ntdll.dll!NtModifyBootEntry 00007ffd21d92650 5 bytes JMP 00007ffda1ec0250 .text C:\WINDOWS\system32\SearchIndexer.exe[3480] C:\WINDOWS\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00007ffd21d92680 5 bytes JMP 00007ffda1ec0490 .text C:\WINDOWS\system32\SearchIndexer.exe[3480] C:\WINDOWS\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00007ffd21d92690 5 bytes JMP 00007ffda1ec04a0 .text C:\WINDOWS\system32\SearchIndexer.exe[3480] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenEventPair 00007ffd21d926c0 5 bytes JMP 00007ffda1ec0300 .text C:\WINDOWS\system32\SearchIndexer.exe[3480] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00007ffd21d926d0 1 byte JMP 00007ffda1ec0360 .text C:\WINDOWS\system32\SearchIndexer.exe[3480] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenIoCompletion + 2 00007ffd21d926d2 3 bytes {JMP 0xffffffff8012dc90} .text C:\WINDOWS\system32\SearchIndexer.exe[3480] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenMutant 00007ffd21d92730 5 bytes JMP 00007ffda1ec02a0 .text C:\WINDOWS\system32\SearchIndexer.exe[3480] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenSemaphore 00007ffd21d92780 5 bytes JMP 00007ffda1ec02c0 .text C:\WINDOWS\system32\SearchIndexer.exe[3480] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenThread 00007ffd21d927b0 5 bytes JMP 00007ffda1ec0380 .text C:\WINDOWS\system32\SearchIndexer.exe[3480] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenTimer 00007ffd21d927c0 5 bytes JMP 00007ffda1ec0340 .text C:\WINDOWS\system32\SearchIndexer.exe[3480] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00007ffd21d92ad0 5 bytes JMP 00007ffda1ec0440 .text C:\WINDOWS\system32\SearchIndexer.exe[3480] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00007ffd21d92cd0 1 byte JMP 00007ffda1ec0260 .text C:\WINDOWS\system32\SearchIndexer.exe[3480] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 00007ffd21d92cd2 3 bytes {JMP 0xffffffff8012d590} .text C:\WINDOWS\system32\SearchIndexer.exe[3480] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootOptions 00007ffd21d92ce0 1 byte JMP 00007ffda1ec0270 .text C:\WINDOWS\system32\SearchIndexer.exe[3480] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 00007ffd21d92ce2 3 bytes {JMP 0xffffffff8012d590} .text C:\WINDOWS\system32\SearchIndexer.exe[3480] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetContextThread 00007ffd21d92d00 5 bytes JMP 00007ffda1ec0400 .text C:\WINDOWS\system32\SearchIndexer.exe[3480] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ffd21d92ee0 5 bytes JMP 00007ffda1ec01f0 .text C:\WINDOWS\system32\SearchIndexer.exe[3480] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00007ffd21d92ef0 5 bytes JMP 00007ffda1ec0210 .text C:\WINDOWS\system32\SearchIndexer.exe[3480] C:\WINDOWS\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ffd21d92f80 5 bytes JMP 00007ffda1ec0200 .text C:\WINDOWS\system32\SearchIndexer.exe[3480] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSuspendProcess 00007ffd21d92ff0 5 bytes JMP 00007ffda1ec0420 .text C:\WINDOWS\system32\SearchIndexer.exe[3480] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSuspendThread 00007ffd21d93000 5 bytes JMP 00007ffda1ec0430 .text C:\WINDOWS\system32\SearchIndexer.exe[3480] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ffd21d93010 5 bytes JMP 00007ffda1ec0220 .text C:\WINDOWS\system32\SearchIndexer.exe[3480] C:\WINDOWS\SYSTEM32\ntdll.dll!NtVdmControl 00007ffd21d93120 2 bytes JMP 00007ffda1ec0280 .text C:\WINDOWS\system32\SearchIndexer.exe[3480] C:\WINDOWS\SYSTEM32\ntdll.dll!NtVdmControl + 3 00007ffd21d93123 2 bytes [12, 80] .text C:\WINDOWS\System32\alg.exe[3640] C:\WINDOWS\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00007ffd21d91720 5 bytes JMP 00007ffda1ec0460 .text C:\WINDOWS\System32\alg.exe[3640] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueryObject 00007ffd21d91770 5 bytes JMP 00007ffda1ec0450 .text C:\WINDOWS\System32\alg.exe[3640] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenProcess 00007ffd21d918d0 5 bytes JMP 00007ffda1ec0370 .text C:\WINDOWS\System32\alg.exe[3640] C:\WINDOWS\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00007ffd21d91920 5 bytes JMP 00007ffda1ec0470 .text C:\WINDOWS\System32\alg.exe[3640] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ffd21d91930 5 bytes JMP 00007ffda1ec03e0 .text C:\WINDOWS\System32\alg.exe[3640] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenSection 00007ffd21d919e0 5 bytes JMP 00007ffda1ec0320 .text C:\WINDOWS\System32\alg.exe[3640] C:\WINDOWS\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffd21d91a10 5 bytes JMP 00007ffda1ec03b0 .text C:\WINDOWS\System32\alg.exe[3640] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDuplicateObject 00007ffd21d91a30 5 bytes JMP 00007ffda1ec0390 .text C:\WINDOWS\System32\alg.exe[3640] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenEvent 00007ffd21d91a70 5 bytes JMP 00007ffda1ec02e0 .text C:\WINDOWS\System32\alg.exe[3640] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateEvent 00007ffd21d91af0 5 bytes JMP 00007ffda1ec02d0 .text C:\WINDOWS\System32\alg.exe[3640] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSection 00007ffd21d91b10 5 bytes JMP 00007ffda1ec0310 .text C:\WINDOWS\System32\alg.exe[3640] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThread 00007ffd21d91b50 5 bytes JMP 00007ffda1ec03c0 .text C:\WINDOWS\System32\alg.exe[3640] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateThread 00007ffd21d91ba0 5 bytes JMP 00007ffda1ec03f0 .text C:\WINDOWS\System32\alg.exe[3640] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAddBootEntry 00007ffd21d91d00 5 bytes JMP 00007ffda1ec0230 .text C:\WINDOWS\System32\alg.exe[3640] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ffd21d91ef0 1 byte JMP 00007ffda1ec0480 .text C:\WINDOWS\System32\alg.exe[3640] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort + 2 00007ffd21d91ef2 3 bytes {JMP 0xffffffff8012e590} .text C:\WINDOWS\System32\alg.exe[3640] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00007ffd21d91f20 5 bytes JMP 00007ffda1ec03a0 .text C:\WINDOWS\System32\alg.exe[3640] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ffd21d92040 5 bytes JMP 00007ffda1ec02f0 .text C:\WINDOWS\System32\alg.exe[3640] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00007ffd21d92060 5 bytes JMP 00007ffda1ec0350 .text C:\WINDOWS\System32\alg.exe[3640] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateMutant 00007ffd21d920d0 5 bytes JMP 00007ffda1ec0290 .text C:\WINDOWS\System32\alg.exe[3640] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ffd21d92160 5 bytes JMP 00007ffda1ec02b0 .text C:\WINDOWS\System32\alg.exe[3640] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffd21d92180 5 bytes JMP 00007ffda1ec03d0 .text C:\WINDOWS\System32\alg.exe[3640] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateTimer 00007ffd21d92190 5 bytes JMP 00007ffda1ec0330 .text C:\WINDOWS\System32\alg.exe[3640] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00007ffd21d92240 5 bytes JMP 00007ffda1ec0410 .text C:\WINDOWS\System32\alg.exe[3640] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00007ffd21d92270 5 bytes JMP 00007ffda1ec0240 .text C:\WINDOWS\System32\alg.exe[3640] C:\WINDOWS\SYSTEM32\ntdll.dll!NtLoadDriver 00007ffd21d92590 5 bytes JMP 00007ffda1ec01e0 .text C:\WINDOWS\System32\alg.exe[3640] C:\WINDOWS\SYSTEM32\ntdll.dll!NtModifyBootEntry 00007ffd21d92650 5 bytes JMP 00007ffda1ec0250 .text C:\WINDOWS\System32\alg.exe[3640] C:\WINDOWS\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00007ffd21d92680 5 bytes JMP 00007ffda1ec0490 .text C:\WINDOWS\System32\alg.exe[3640] C:\WINDOWS\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00007ffd21d92690 5 bytes JMP 00007ffda1ec04a0 .text C:\WINDOWS\System32\alg.exe[3640] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenEventPair 00007ffd21d926c0 5 bytes JMP 00007ffda1ec0300 .text C:\WINDOWS\System32\alg.exe[3640] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00007ffd21d926d0 1 byte JMP 00007ffda1ec0360 .text C:\WINDOWS\System32\alg.exe[3640] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenIoCompletion + 2 00007ffd21d926d2 3 bytes {JMP 0xffffffff8012dc90} .text C:\WINDOWS\System32\alg.exe[3640] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenMutant 00007ffd21d92730 5 bytes JMP 00007ffda1ec02a0 .text C:\WINDOWS\System32\alg.exe[3640] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenSemaphore 00007ffd21d92780 5 bytes JMP 00007ffda1ec02c0 .text C:\WINDOWS\System32\alg.exe[3640] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenThread 00007ffd21d927b0 5 bytes JMP 00007ffda1ec0380 .text C:\WINDOWS\System32\alg.exe[3640] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenTimer 00007ffd21d927c0 5 bytes JMP 00007ffda1ec0340 .text C:\WINDOWS\System32\alg.exe[3640] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00007ffd21d92ad0 5 bytes JMP 00007ffda1ec0440 .text C:\WINDOWS\System32\alg.exe[3640] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00007ffd21d92cd0 1 byte JMP 00007ffda1ec0260 .text C:\WINDOWS\System32\alg.exe[3640] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 00007ffd21d92cd2 3 bytes {JMP 0xffffffff8012d590} .text C:\WINDOWS\System32\alg.exe[3640] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootOptions 00007ffd21d92ce0 1 byte JMP 00007ffda1ec0270 .text C:\WINDOWS\System32\alg.exe[3640] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 00007ffd21d92ce2 3 bytes {JMP 0xffffffff8012d590} .text C:\WINDOWS\System32\alg.exe[3640] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetContextThread 00007ffd21d92d00 5 bytes JMP 00007ffda1ec0400 .text C:\WINDOWS\System32\alg.exe[3640] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ffd21d92ee0 5 bytes JMP 00007ffda1ec01f0 .text C:\WINDOWS\System32\alg.exe[3640] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00007ffd21d92ef0 5 bytes JMP 00007ffda1ec0210 .text C:\WINDOWS\System32\alg.exe[3640] C:\WINDOWS\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ffd21d92f80 5 bytes JMP 00007ffda1ec0200 .text C:\WINDOWS\System32\alg.exe[3640] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSuspendProcess 00007ffd21d92ff0 5 bytes JMP 00007ffda1ec0420 .text C:\WINDOWS\System32\alg.exe[3640] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSuspendThread 00007ffd21d93000 5 bytes JMP 00007ffda1ec0430 .text C:\WINDOWS\System32\alg.exe[3640] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ffd21d93010 5 bytes JMP 00007ffda1ec0220 .text C:\WINDOWS\System32\alg.exe[3640] C:\WINDOWS\SYSTEM32\ntdll.dll!NtVdmControl 00007ffd21d93120 2 bytes JMP 00007ffda1ec0280 .text C:\WINDOWS\System32\alg.exe[3640] C:\WINDOWS\SYSTEM32\ntdll.dll!NtVdmControl + 3 00007ffd21d93123 2 bytes [12, 80] .text C:\Windows\System32\WUDFHost.exe[3904] C:\WINDOWS\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00007ffd21d91720 5 bytes JMP 00007ffda1ec0460 .text C:\Windows\System32\WUDFHost.exe[3904] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueryObject 00007ffd21d91770 5 bytes JMP 00007ffda1ec0450 .text C:\Windows\System32\WUDFHost.exe[3904] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenProcess 00007ffd21d918d0 5 bytes JMP 00007ffda1ec0370 .text C:\Windows\System32\WUDFHost.exe[3904] C:\WINDOWS\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00007ffd21d91920 5 bytes JMP 00007ffda1ec0470 .text C:\Windows\System32\WUDFHost.exe[3904] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ffd21d91930 5 bytes JMP 00007ffda1ec03e0 .text C:\Windows\System32\WUDFHost.exe[3904] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenSection 00007ffd21d919e0 5 bytes JMP 00007ffda1ec0320 .text C:\Windows\System32\WUDFHost.exe[3904] C:\WINDOWS\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffd21d91a10 5 bytes JMP 00007ffda1ec03b0 .text C:\Windows\System32\WUDFHost.exe[3904] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDuplicateObject 00007ffd21d91a30 5 bytes JMP 00007ffda1ec0390 .text C:\Windows\System32\WUDFHost.exe[3904] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenEvent 00007ffd21d91a70 5 bytes JMP 00007ffda1ec02e0 .text C:\Windows\System32\WUDFHost.exe[3904] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateEvent 00007ffd21d91af0 5 bytes JMP 00007ffda1ec02d0 .text C:\Windows\System32\WUDFHost.exe[3904] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSection 00007ffd21d91b10 5 bytes JMP 00007ffda1ec0310 .text C:\Windows\System32\WUDFHost.exe[3904] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThread 00007ffd21d91b50 5 bytes JMP 00007ffda1ec03c0 .text C:\Windows\System32\WUDFHost.exe[3904] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateThread 00007ffd21d91ba0 5 bytes JMP 00007ffda1ec03f0 .text C:\Windows\System32\WUDFHost.exe[3904] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAddBootEntry 00007ffd21d91d00 5 bytes JMP 00007ffda1ec0230 .text C:\Windows\System32\WUDFHost.exe[3904] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ffd21d91ef0 1 byte JMP 00007ffda1ec0480 .text C:\Windows\System32\WUDFHost.exe[3904] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort + 2 00007ffd21d91ef2 3 bytes {JMP 0xffffffff8012e590} .text C:\Windows\System32\WUDFHost.exe[3904] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00007ffd21d91f20 5 bytes JMP 00007ffda1ec03a0 .text C:\Windows\System32\WUDFHost.exe[3904] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ffd21d92040 5 bytes JMP 00007ffda1ec02f0 .text C:\Windows\System32\WUDFHost.exe[3904] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00007ffd21d92060 5 bytes JMP 00007ffda1ec0350 .text C:\Windows\System32\WUDFHost.exe[3904] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateMutant 00007ffd21d920d0 5 bytes JMP 00007ffda1ec0290 .text C:\Windows\System32\WUDFHost.exe[3904] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ffd21d92160 5 bytes JMP 00007ffda1ec02b0 .text C:\Windows\System32\WUDFHost.exe[3904] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffd21d92180 5 bytes JMP 00007ffda1ec03d0 .text C:\Windows\System32\WUDFHost.exe[3904] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateTimer 00007ffd21d92190 5 bytes JMP 00007ffda1ec0330 .text C:\Windows\System32\WUDFHost.exe[3904] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00007ffd21d92240 5 bytes JMP 00007ffda1ec0410 .text C:\Windows\System32\WUDFHost.exe[3904] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00007ffd21d92270 5 bytes JMP 00007ffda1ec0240 .text C:\Windows\System32\WUDFHost.exe[3904] C:\WINDOWS\SYSTEM32\ntdll.dll!NtLoadDriver 00007ffd21d92590 5 bytes JMP 00007ffda1ec01e0 .text C:\Windows\System32\WUDFHost.exe[3904] C:\WINDOWS\SYSTEM32\ntdll.dll!NtModifyBootEntry 00007ffd21d92650 5 bytes JMP 00007ffda1ec0250 .text C:\Windows\System32\WUDFHost.exe[3904] C:\WINDOWS\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00007ffd21d92680 5 bytes JMP 00007ffda1ec0490 .text C:\Windows\System32\WUDFHost.exe[3904] C:\WINDOWS\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00007ffd21d92690 5 bytes JMP 00007ffda1ec04a0 .text C:\Windows\System32\WUDFHost.exe[3904] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenEventPair 00007ffd21d926c0 5 bytes JMP 00007ffda1ec0300 .text C:\Windows\System32\WUDFHost.exe[3904] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00007ffd21d926d0 1 byte JMP 00007ffda1ec0360 .text C:\Windows\System32\WUDFHost.exe[3904] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenIoCompletion + 2 00007ffd21d926d2 3 bytes {JMP 0xffffffff8012dc90} .text C:\Windows\System32\WUDFHost.exe[3904] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenMutant 00007ffd21d92730 5 bytes JMP 00007ffda1ec02a0 .text C:\Windows\System32\WUDFHost.exe[3904] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenSemaphore 00007ffd21d92780 5 bytes JMP 00007ffda1ec02c0 .text C:\Windows\System32\WUDFHost.exe[3904] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenThread 00007ffd21d927b0 5 bytes JMP 00007ffda1ec0380 .text C:\Windows\System32\WUDFHost.exe[3904] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenTimer 00007ffd21d927c0 5 bytes JMP 00007ffda1ec0340 .text C:\Windows\System32\WUDFHost.exe[3904] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00007ffd21d92ad0 5 bytes JMP 00007ffda1ec0440 .text C:\Windows\System32\WUDFHost.exe[3904] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00007ffd21d92cd0 1 byte JMP 00007ffda1ec0260 .text C:\Windows\System32\WUDFHost.exe[3904] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 00007ffd21d92cd2 3 bytes {JMP 0xffffffff8012d590} .text C:\Windows\System32\WUDFHost.exe[3904] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootOptions 00007ffd21d92ce0 1 byte JMP 00007ffda1ec0270 .text C:\Windows\System32\WUDFHost.exe[3904] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 00007ffd21d92ce2 3 bytes {JMP 0xffffffff8012d590} .text C:\Windows\System32\WUDFHost.exe[3904] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetContextThread 00007ffd21d92d00 5 bytes JMP 00007ffda1ec0400 .text C:\Windows\System32\WUDFHost.exe[3904] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ffd21d92ee0 5 bytes JMP 00007ffda1ec01f0 .text C:\Windows\System32\WUDFHost.exe[3904] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00007ffd21d92ef0 5 bytes JMP 00007ffda1ec0210 .text C:\Windows\System32\WUDFHost.exe[3904] C:\WINDOWS\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ffd21d92f80 5 bytes JMP 00007ffda1ec0200 .text C:\Windows\System32\WUDFHost.exe[3904] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSuspendProcess 00007ffd21d92ff0 5 bytes JMP 00007ffda1ec0420 .text C:\Windows\System32\WUDFHost.exe[3904] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSuspendThread 00007ffd21d93000 5 bytes JMP 00007ffda1ec0430 .text C:\Windows\System32\WUDFHost.exe[3904] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ffd21d93010 5 bytes JMP 00007ffda1ec0220 .text C:\Windows\System32\WUDFHost.exe[3904] C:\WINDOWS\SYSTEM32\ntdll.dll!NtVdmControl 00007ffd21d93120 2 bytes JMP 00007ffda1ec0280 .text C:\Windows\System32\WUDFHost.exe[3904] C:\WINDOWS\SYSTEM32\ntdll.dll!NtVdmControl + 3 00007ffd21d93123 2 bytes [12, 80] .text C:\WINDOWS\system32\rundll32.exe[6056] C:\WINDOWS\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00007ffd21d91720 5 bytes JMP 00007ffda1ec0460 .text C:\WINDOWS\system32\rundll32.exe[6056] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueryObject 00007ffd21d91770 5 bytes JMP 00007ffda1ec0450 .text C:\WINDOWS\system32\rundll32.exe[6056] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenProcess 00007ffd21d918d0 5 bytes JMP 00007ffda1ec0370 .text C:\WINDOWS\system32\rundll32.exe[6056] C:\WINDOWS\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00007ffd21d91920 5 bytes JMP 00007ffda1ec0470 .text C:\WINDOWS\system32\rundll32.exe[6056] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ffd21d91930 5 bytes JMP 00007ffda1ec03e0 .text C:\WINDOWS\system32\rundll32.exe[6056] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenSection 00007ffd21d919e0 5 bytes JMP 00007ffda1ec0320 .text C:\WINDOWS\system32\rundll32.exe[6056] C:\WINDOWS\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffd21d91a10 5 bytes JMP 00007ffda1ec03b0 .text C:\WINDOWS\system32\rundll32.exe[6056] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDuplicateObject 00007ffd21d91a30 5 bytes JMP 00007ffda1ec0390 .text C:\WINDOWS\system32\rundll32.exe[6056] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenEvent 00007ffd21d91a70 5 bytes JMP 00007ffda1ec02e0 .text C:\WINDOWS\system32\rundll32.exe[6056] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateEvent 00007ffd21d91af0 5 bytes JMP 00007ffda1ec02d0 .text C:\WINDOWS\system32\rundll32.exe[6056] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSection 00007ffd21d91b10 5 bytes JMP 00007ffda1ec0310 .text C:\WINDOWS\system32\rundll32.exe[6056] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThread 00007ffd21d91b50 5 bytes JMP 00007ffda1ec03c0 .text C:\WINDOWS\system32\rundll32.exe[6056] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateThread 00007ffd21d91ba0 5 bytes JMP 00007ffda1ec03f0 .text C:\WINDOWS\system32\rundll32.exe[6056] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAddBootEntry 00007ffd21d91d00 5 bytes JMP 00007ffda1ec0230 .text C:\WINDOWS\system32\rundll32.exe[6056] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ffd21d91ef0 1 byte JMP 00007ffda1ec0480 .text C:\WINDOWS\system32\rundll32.exe[6056] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort + 2 00007ffd21d91ef2 3 bytes {JMP 0xffffffff8012e590} .text C:\WINDOWS\system32\rundll32.exe[6056] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00007ffd21d91f20 5 bytes JMP 00007ffda1ec03a0 .text C:\WINDOWS\system32\rundll32.exe[6056] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ffd21d92040 5 bytes JMP 00007ffda1ec02f0 .text C:\WINDOWS\system32\rundll32.exe[6056] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00007ffd21d92060 5 bytes JMP 00007ffda1ec0350 .text C:\WINDOWS\system32\rundll32.exe[6056] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateMutant 00007ffd21d920d0 5 bytes JMP 00007ffda1ec0290 .text C:\WINDOWS\system32\rundll32.exe[6056] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ffd21d92160 5 bytes JMP 00007ffda1ec02b0 .text C:\WINDOWS\system32\rundll32.exe[6056] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffd21d92180 5 bytes JMP 00007ffda1ec03d0 .text C:\WINDOWS\system32\rundll32.exe[6056] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateTimer 00007ffd21d92190 5 bytes JMP 00007ffda1ec0330 .text C:\WINDOWS\system32\rundll32.exe[6056] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00007ffd21d92240 5 bytes JMP 00007ffda1ec0410 .text C:\WINDOWS\system32\rundll32.exe[6056] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00007ffd21d92270 5 bytes JMP 00007ffda1ec0240 .text C:\WINDOWS\system32\rundll32.exe[6056] C:\WINDOWS\SYSTEM32\ntdll.dll!NtLoadDriver 00007ffd21d92590 5 bytes JMP 00007ffda1ec01e0 .text C:\WINDOWS\system32\rundll32.exe[6056] C:\WINDOWS\SYSTEM32\ntdll.dll!NtModifyBootEntry 00007ffd21d92650 5 bytes JMP 00007ffda1ec0250 .text C:\WINDOWS\system32\rundll32.exe[6056] C:\WINDOWS\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00007ffd21d92680 5 bytes JMP 00007ffda1ec0490 .text C:\WINDOWS\system32\rundll32.exe[6056] C:\WINDOWS\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00007ffd21d92690 5 bytes JMP 00007ffda1ec04a0 .text C:\WINDOWS\system32\rundll32.exe[6056] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenEventPair 00007ffd21d926c0 5 bytes JMP 00007ffda1ec0300 .text C:\WINDOWS\system32\rundll32.exe[6056] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00007ffd21d926d0 1 byte JMP 00007ffda1ec0360 .text C:\WINDOWS\system32\rundll32.exe[6056] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenIoCompletion + 2 00007ffd21d926d2 3 bytes {JMP 0xffffffff8012dc90} .text C:\WINDOWS\system32\rundll32.exe[6056] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenMutant 00007ffd21d92730 5 bytes JMP 00007ffda1ec02a0 .text C:\WINDOWS\system32\rundll32.exe[6056] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenSemaphore 00007ffd21d92780 5 bytes JMP 00007ffda1ec02c0 .text C:\WINDOWS\system32\rundll32.exe[6056] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenThread 00007ffd21d927b0 5 bytes JMP 00007ffda1ec0380 .text C:\WINDOWS\system32\rundll32.exe[6056] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenTimer 00007ffd21d927c0 5 bytes JMP 00007ffda1ec0340 .text C:\WINDOWS\system32\rundll32.exe[6056] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00007ffd21d92ad0 5 bytes JMP 00007ffda1ec0440 .text C:\WINDOWS\system32\rundll32.exe[6056] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00007ffd21d92cd0 1 byte JMP 00007ffda1ec0260 .text C:\WINDOWS\system32\rundll32.exe[6056] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 00007ffd21d92cd2 3 bytes {JMP 0xffffffff8012d590} .text C:\WINDOWS\system32\rundll32.exe[6056] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootOptions 00007ffd21d92ce0 1 byte JMP 00007ffda1ec0270 .text C:\WINDOWS\system32\rundll32.exe[6056] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 00007ffd21d92ce2 3 bytes {JMP 0xffffffff8012d590} .text C:\WINDOWS\system32\rundll32.exe[6056] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetContextThread 00007ffd21d92d00 5 bytes JMP 00007ffda1ec0400 .text C:\WINDOWS\system32\rundll32.exe[6056] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ffd21d92ee0 5 bytes JMP 00007ffda1ec01f0 .text C:\WINDOWS\system32\rundll32.exe[6056] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00007ffd21d92ef0 5 bytes JMP 00007ffda1ec0210 .text C:\WINDOWS\system32\rundll32.exe[6056] C:\WINDOWS\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ffd21d92f80 5 bytes JMP 00007ffda1ec0200 .text C:\WINDOWS\system32\rundll32.exe[6056] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSuspendProcess 00007ffd21d92ff0 5 bytes JMP 00007ffda1ec0420 .text C:\WINDOWS\system32\rundll32.exe[6056] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSuspendThread 00007ffd21d93000 5 bytes JMP 00007ffda1ec0430 .text C:\WINDOWS\system32\rundll32.exe[6056] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ffd21d93010 5 bytes JMP 00007ffda1ec0220 .text C:\WINDOWS\system32\rundll32.exe[6056] C:\WINDOWS\SYSTEM32\ntdll.dll!NtVdmControl 00007ffd21d93120 2 bytes JMP 00007ffda1ec0280 .text C:\WINDOWS\system32\rundll32.exe[6056] C:\WINDOWS\SYSTEM32\ntdll.dll!NtVdmControl + 3 00007ffd21d93123 2 bytes [12, 80] .text C:\WINDOWS\system32\CxAudMsg64.exe[7036] C:\WINDOWS\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00007ffd21d91720 5 bytes JMP 00007ffda1ec0460 .text C:\WINDOWS\system32\CxAudMsg64.exe[7036] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueryObject 00007ffd21d91770 5 bytes JMP 00007ffda1ec0450 .text C:\WINDOWS\system32\CxAudMsg64.exe[7036] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenProcess 00007ffd21d918d0 5 bytes JMP 00007ffda1ec0370 .text C:\WINDOWS\system32\CxAudMsg64.exe[7036] C:\WINDOWS\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00007ffd21d91920 5 bytes JMP 00007ffda1ec0470 .text C:\WINDOWS\system32\CxAudMsg64.exe[7036] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ffd21d91930 5 bytes JMP 00007ffda1ec03e0 .text C:\WINDOWS\system32\CxAudMsg64.exe[7036] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenSection 00007ffd21d919e0 5 bytes JMP 00007ffda1ec0320 .text C:\WINDOWS\system32\CxAudMsg64.exe[7036] C:\WINDOWS\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffd21d91a10 5 bytes JMP 00007ffda1ec03b0 .text C:\WINDOWS\system32\CxAudMsg64.exe[7036] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDuplicateObject 00007ffd21d91a30 5 bytes JMP 00007ffda1ec0390 .text C:\WINDOWS\system32\CxAudMsg64.exe[7036] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenEvent 00007ffd21d91a70 5 bytes JMP 00007ffda1ec02e0 .text C:\WINDOWS\system32\CxAudMsg64.exe[7036] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateEvent 00007ffd21d91af0 5 bytes JMP 00007ffda1ec02d0 .text C:\WINDOWS\system32\CxAudMsg64.exe[7036] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSection 00007ffd21d91b10 5 bytes JMP 00007ffda1ec0310 .text C:\WINDOWS\system32\CxAudMsg64.exe[7036] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThread 00007ffd21d91b50 5 bytes JMP 00007ffda1ec03c0 .text C:\WINDOWS\system32\CxAudMsg64.exe[7036] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateThread 00007ffd21d91ba0 5 bytes JMP 00007ffda1ec03f0 .text C:\WINDOWS\system32\CxAudMsg64.exe[7036] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAddBootEntry 00007ffd21d91d00 5 bytes JMP 00007ffda1ec0230 .text C:\WINDOWS\system32\CxAudMsg64.exe[7036] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ffd21d91ef0 1 byte JMP 00007ffda1ec0480 .text C:\WINDOWS\system32\CxAudMsg64.exe[7036] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort + 2 00007ffd21d91ef2 3 bytes {JMP 0xffffffff8012e590} .text C:\WINDOWS\system32\CxAudMsg64.exe[7036] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00007ffd21d91f20 5 bytes JMP 00007ffda1ec03a0 .text C:\WINDOWS\system32\CxAudMsg64.exe[7036] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ffd21d92040 5 bytes JMP 00007ffda1ec02f0 .text C:\WINDOWS\system32\CxAudMsg64.exe[7036] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00007ffd21d92060 5 bytes JMP 00007ffda1ec0350 .text C:\WINDOWS\system32\CxAudMsg64.exe[7036] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateMutant 00007ffd21d920d0 5 bytes JMP 00007ffda1ec0290 .text C:\WINDOWS\system32\CxAudMsg64.exe[7036] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ffd21d92160 5 bytes JMP 00007ffda1ec02b0 .text C:\WINDOWS\system32\CxAudMsg64.exe[7036] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffd21d92180 5 bytes JMP 00007ffda1ec03d0 .text C:\WINDOWS\system32\CxAudMsg64.exe[7036] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateTimer 00007ffd21d92190 5 bytes JMP 00007ffda1ec0330 .text C:\WINDOWS\system32\CxAudMsg64.exe[7036] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00007ffd21d92240 5 bytes JMP 00007ffda1ec0410 .text C:\WINDOWS\system32\CxAudMsg64.exe[7036] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00007ffd21d92270 5 bytes JMP 00007ffda1ec0240 .text C:\WINDOWS\system32\CxAudMsg64.exe[7036] C:\WINDOWS\SYSTEM32\ntdll.dll!NtLoadDriver 00007ffd21d92590 5 bytes JMP 00007ffda1ec01e0 .text C:\WINDOWS\system32\CxAudMsg64.exe[7036] C:\WINDOWS\SYSTEM32\ntdll.dll!NtModifyBootEntry 00007ffd21d92650 5 bytes JMP 00007ffda1ec0250 .text C:\WINDOWS\system32\CxAudMsg64.exe[7036] C:\WINDOWS\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00007ffd21d92680 5 bytes JMP 00007ffda1ec0490 .text C:\WINDOWS\system32\CxAudMsg64.exe[7036] C:\WINDOWS\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00007ffd21d92690 5 bytes JMP 00007ffda1ec04a0 .text C:\WINDOWS\system32\CxAudMsg64.exe[7036] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenEventPair 00007ffd21d926c0 5 bytes JMP 00007ffda1ec0300 .text C:\WINDOWS\system32\CxAudMsg64.exe[7036] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00007ffd21d926d0 1 byte JMP 00007ffda1ec0360 .text C:\WINDOWS\system32\CxAudMsg64.exe[7036] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenIoCompletion + 2 00007ffd21d926d2 3 bytes {JMP 0xffffffff8012dc90} .text C:\WINDOWS\system32\CxAudMsg64.exe[7036] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenMutant 00007ffd21d92730 5 bytes JMP 00007ffda1ec02a0 .text C:\WINDOWS\system32\CxAudMsg64.exe[7036] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenSemaphore 00007ffd21d92780 5 bytes JMP 00007ffda1ec02c0 .text C:\WINDOWS\system32\CxAudMsg64.exe[7036] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenThread 00007ffd21d927b0 5 bytes JMP 00007ffda1ec0380 .text C:\WINDOWS\system32\CxAudMsg64.exe[7036] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenTimer 00007ffd21d927c0 5 bytes JMP 00007ffda1ec0340 .text C:\WINDOWS\system32\CxAudMsg64.exe[7036] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00007ffd21d92ad0 5 bytes JMP 00007ffda1ec0440 .text C:\WINDOWS\system32\CxAudMsg64.exe[7036] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00007ffd21d92cd0 1 byte JMP 00007ffda1ec0260 .text C:\WINDOWS\system32\CxAudMsg64.exe[7036] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 00007ffd21d92cd2 3 bytes {JMP 0xffffffff8012d590} .text C:\WINDOWS\system32\CxAudMsg64.exe[7036] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootOptions 00007ffd21d92ce0 1 byte JMP 00007ffda1ec0270 .text C:\WINDOWS\system32\CxAudMsg64.exe[7036] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 00007ffd21d92ce2 3 bytes {JMP 0xffffffff8012d590} .text C:\WINDOWS\system32\CxAudMsg64.exe[7036] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetContextThread 00007ffd21d92d00 5 bytes JMP 00007ffda1ec0400 .text C:\WINDOWS\system32\CxAudMsg64.exe[7036] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ffd21d92ee0 5 bytes JMP 00007ffda1ec01f0 .text C:\WINDOWS\system32\CxAudMsg64.exe[7036] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00007ffd21d92ef0 5 bytes JMP 00007ffda1ec0210 .text C:\WINDOWS\system32\CxAudMsg64.exe[7036] C:\WINDOWS\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ffd21d92f80 5 bytes JMP 00007ffda1ec0200 .text C:\WINDOWS\system32\CxAudMsg64.exe[7036] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSuspendProcess 00007ffd21d92ff0 5 bytes JMP 00007ffda1ec0420 .text C:\WINDOWS\system32\CxAudMsg64.exe[7036] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSuspendThread 00007ffd21d93000 5 bytes JMP 00007ffda1ec0430 .text C:\WINDOWS\system32\CxAudMsg64.exe[7036] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ffd21d93010 5 bytes JMP 00007ffda1ec0220 .text C:\WINDOWS\system32\CxAudMsg64.exe[7036] C:\WINDOWS\SYSTEM32\ntdll.dll!NtVdmControl 00007ffd21d93120 2 bytes JMP 00007ffda1ec0280 .text C:\WINDOWS\system32\CxAudMsg64.exe[7036] C:\WINDOWS\SYSTEM32\ntdll.dll!NtVdmControl + 3 00007ffd21d93123 2 bytes [12, 80] .text C:\WINDOWS\System32\svchost.exe[4528] C:\WINDOWS\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00007ffd21d91720 5 bytes JMP 00007ffda1ec0460 .text C:\WINDOWS\System32\svchost.exe[4528] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueryObject 00007ffd21d91770 5 bytes JMP 00007ffda1ec0450 .text C:\WINDOWS\System32\svchost.exe[4528] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenProcess 00007ffd21d918d0 5 bytes JMP 00007ffda1ec0370 .text C:\WINDOWS\System32\svchost.exe[4528] C:\WINDOWS\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00007ffd21d91920 5 bytes JMP 00007ffda1ec0470 .text C:\WINDOWS\System32\svchost.exe[4528] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ffd21d91930 5 bytes JMP 00007ffda1ec03e0 .text C:\WINDOWS\System32\svchost.exe[4528] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenSection 00007ffd21d919e0 5 bytes JMP 00007ffda1ec0320 .text C:\WINDOWS\System32\svchost.exe[4528] C:\WINDOWS\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffd21d91a10 5 bytes JMP 00007ffda1ec03b0 .text C:\WINDOWS\System32\svchost.exe[4528] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDuplicateObject 00007ffd21d91a30 5 bytes JMP 00007ffda1ec0390 .text C:\WINDOWS\System32\svchost.exe[4528] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenEvent 00007ffd21d91a70 5 bytes JMP 00007ffda1ec02e0 .text C:\WINDOWS\System32\svchost.exe[4528] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateEvent 00007ffd21d91af0 5 bytes JMP 00007ffda1ec02d0 .text C:\WINDOWS\System32\svchost.exe[4528] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSection 00007ffd21d91b10 5 bytes JMP 00007ffda1ec0310 .text C:\WINDOWS\System32\svchost.exe[4528] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThread 00007ffd21d91b50 5 bytes JMP 00007ffda1ec03c0 .text C:\WINDOWS\System32\svchost.exe[4528] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateThread 00007ffd21d91ba0 5 bytes JMP 00007ffda1ec03f0 .text C:\WINDOWS\System32\svchost.exe[4528] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAddBootEntry 00007ffd21d91d00 5 bytes JMP 00007ffda1ec0230 .text C:\WINDOWS\System32\svchost.exe[4528] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ffd21d91ef0 1 byte JMP 00007ffda1ec0480 .text C:\WINDOWS\System32\svchost.exe[4528] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort + 2 00007ffd21d91ef2 3 bytes {JMP 0xffffffff8012e590} .text C:\WINDOWS\System32\svchost.exe[4528] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00007ffd21d91f20 5 bytes JMP 00007ffda1ec03a0 .text C:\WINDOWS\System32\svchost.exe[4528] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ffd21d92040 5 bytes JMP 00007ffda1ec02f0 .text C:\WINDOWS\System32\svchost.exe[4528] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00007ffd21d92060 5 bytes JMP 00007ffda1ec0350 .text C:\WINDOWS\System32\svchost.exe[4528] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateMutant 00007ffd21d920d0 5 bytes JMP 00007ffda1ec0290 .text C:\WINDOWS\System32\svchost.exe[4528] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ffd21d92160 5 bytes JMP 00007ffda1ec02b0 .text C:\WINDOWS\System32\svchost.exe[4528] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffd21d92180 5 bytes JMP 00007ffda1ec03d0 .text C:\WINDOWS\System32\svchost.exe[4528] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateTimer 00007ffd21d92190 5 bytes JMP 00007ffda1ec0330 .text C:\WINDOWS\System32\svchost.exe[4528] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00007ffd21d92240 5 bytes JMP 00007ffda1ec0410 .text C:\WINDOWS\System32\svchost.exe[4528] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00007ffd21d92270 5 bytes JMP 00007ffda1ec0240 .text C:\WINDOWS\System32\svchost.exe[4528] C:\WINDOWS\SYSTEM32\ntdll.dll!NtLoadDriver 00007ffd21d92590 5 bytes JMP 00007ffda1ec01e0 .text C:\WINDOWS\System32\svchost.exe[4528] C:\WINDOWS\SYSTEM32\ntdll.dll!NtModifyBootEntry 00007ffd21d92650 5 bytes JMP 00007ffda1ec0250 .text C:\WINDOWS\System32\svchost.exe[4528] C:\WINDOWS\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00007ffd21d92680 5 bytes JMP 00007ffda1ec0490 .text C:\WINDOWS\System32\svchost.exe[4528] C:\WINDOWS\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00007ffd21d92690 5 bytes JMP 00007ffda1ec04a0 .text C:\WINDOWS\System32\svchost.exe[4528] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenEventPair 00007ffd21d926c0 5 bytes JMP 00007ffda1ec0300 .text C:\WINDOWS\System32\svchost.exe[4528] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00007ffd21d926d0 1 byte JMP 00007ffda1ec0360 .text C:\WINDOWS\System32\svchost.exe[4528] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenIoCompletion + 2 00007ffd21d926d2 3 bytes {JMP 0xffffffff8012dc90} .text C:\WINDOWS\System32\svchost.exe[4528] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenMutant 00007ffd21d92730 5 bytes JMP 00007ffda1ec02a0 .text C:\WINDOWS\System32\svchost.exe[4528] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenSemaphore 00007ffd21d92780 5 bytes JMP 00007ffda1ec02c0 .text C:\WINDOWS\System32\svchost.exe[4528] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenThread 00007ffd21d927b0 5 bytes JMP 00007ffda1ec0380 .text C:\WINDOWS\System32\svchost.exe[4528] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenTimer 00007ffd21d927c0 5 bytes JMP 00007ffda1ec0340 .text C:\WINDOWS\System32\svchost.exe[4528] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00007ffd21d92ad0 5 bytes JMP 00007ffda1ec0440 .text C:\WINDOWS\System32\svchost.exe[4528] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00007ffd21d92cd0 1 byte JMP 00007ffda1ec0260 .text C:\WINDOWS\System32\svchost.exe[4528] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 00007ffd21d92cd2 3 bytes {JMP 0xffffffff8012d590} .text C:\WINDOWS\System32\svchost.exe[4528] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootOptions 00007ffd21d92ce0 1 byte JMP 00007ffda1ec0270 .text C:\WINDOWS\System32\svchost.exe[4528] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 00007ffd21d92ce2 3 bytes {JMP 0xffffffff8012d590} .text C:\WINDOWS\System32\svchost.exe[4528] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetContextThread 00007ffd21d92d00 5 bytes JMP 00007ffda1ec0400 .text C:\WINDOWS\System32\svchost.exe[4528] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ffd21d92ee0 5 bytes JMP 00007ffda1ec01f0 .text C:\WINDOWS\System32\svchost.exe[4528] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00007ffd21d92ef0 5 bytes JMP 00007ffda1ec0210 .text C:\WINDOWS\System32\svchost.exe[4528] C:\WINDOWS\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ffd21d92f80 5 bytes JMP 00007ffda1ec0200 .text C:\WINDOWS\System32\svchost.exe[4528] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSuspendProcess 00007ffd21d92ff0 5 bytes JMP 00007ffda1ec0420 .text C:\WINDOWS\System32\svchost.exe[4528] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSuspendThread 00007ffd21d93000 5 bytes JMP 00007ffda1ec0430 .text C:\WINDOWS\System32\svchost.exe[4528] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ffd21d93010 5 bytes JMP 00007ffda1ec0220 .text C:\WINDOWS\System32\svchost.exe[4528] C:\WINDOWS\SYSTEM32\ntdll.dll!NtVdmControl 00007ffd21d93120 2 bytes JMP 00007ffda1ec0280 .text C:\WINDOWS\System32\svchost.exe[4528] C:\WINDOWS\SYSTEM32\ntdll.dll!NtVdmControl + 3 00007ffd21d93123 2 bytes [12, 80] .text C:\WINDOWS\system32\csrss.exe[2332] C:\WINDOWS\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00007ffd21d91720 5 bytes JMP 00007ffda1ec0460 .text C:\WINDOWS\system32\csrss.exe[2332] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueryObject 00007ffd21d91770 5 bytes JMP 00007ffda1ec0450 .text C:\WINDOWS\system32\csrss.exe[2332] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenProcess 00007ffd21d918d0 5 bytes JMP 00007ffda1ec0370 .text C:\WINDOWS\system32\csrss.exe[2332] C:\WINDOWS\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00007ffd21d91920 5 bytes JMP 00007ffda1ec0470 .text C:\WINDOWS\system32\csrss.exe[2332] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ffd21d91930 5 bytes JMP 00007ffda1ec03e0 .text C:\WINDOWS\system32\csrss.exe[2332] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenSection 00007ffd21d919e0 5 bytes JMP 00007ffda1ec0320 .text C:\WINDOWS\system32\csrss.exe[2332] C:\WINDOWS\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffd21d91a10 5 bytes JMP 00007ffda1ec03b0 .text C:\WINDOWS\system32\csrss.exe[2332] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDuplicateObject 00007ffd21d91a30 5 bytes JMP 00007ffda1ec0390 .text C:\WINDOWS\system32\csrss.exe[2332] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenEvent 00007ffd21d91a70 5 bytes JMP 00007ffda1ec02e0 .text C:\WINDOWS\system32\csrss.exe[2332] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateEvent 00007ffd21d91af0 5 bytes JMP 00007ffda1ec02d0 .text C:\WINDOWS\system32\csrss.exe[2332] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSection 00007ffd21d91b10 5 bytes JMP 00007ffda1ec0310 .text C:\WINDOWS\system32\csrss.exe[2332] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThread 00007ffd21d91b50 5 bytes JMP 00007ffda1ec03c0 .text C:\WINDOWS\system32\csrss.exe[2332] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateThread 00007ffd21d91ba0 5 bytes JMP 00007ffda1ec03f0 .text C:\WINDOWS\system32\csrss.exe[2332] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAddBootEntry 00007ffd21d91d00 5 bytes JMP 00007ffda1ec0230 .text C:\WINDOWS\system32\csrss.exe[2332] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ffd21d91ef0 1 byte JMP 00007ffda1ec0480 .text C:\WINDOWS\system32\csrss.exe[2332] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort + 2 00007ffd21d91ef2 3 bytes {JMP 0xffffffff8012e590} .text C:\WINDOWS\system32\csrss.exe[2332] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00007ffd21d91f20 5 bytes JMP 00007ffda1ec03a0 .text C:\WINDOWS\system32\csrss.exe[2332] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ffd21d92040 5 bytes JMP 00007ffda1ec02f0 .text C:\WINDOWS\system32\csrss.exe[2332] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00007ffd21d92060 5 bytes JMP 00007ffda1ec0350 .text C:\WINDOWS\system32\csrss.exe[2332] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateMutant 00007ffd21d920d0 5 bytes JMP 00007ffda1ec0290 .text C:\WINDOWS\system32\csrss.exe[2332] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ffd21d92160 5 bytes JMP 00007ffda1ec02b0 .text C:\WINDOWS\system32\csrss.exe[2332] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffd21d92180 5 bytes JMP 00007ffda1ec03d0 .text C:\WINDOWS\system32\csrss.exe[2332] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateTimer 00007ffd21d92190 5 bytes JMP 00007ffda1ec0330 .text C:\WINDOWS\system32\csrss.exe[2332] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00007ffd21d92240 5 bytes JMP 00007ffda1ec0410 .text C:\WINDOWS\system32\csrss.exe[2332] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00007ffd21d92270 5 bytes JMP 00007ffda1ec0240 .text C:\WINDOWS\system32\csrss.exe[2332] C:\WINDOWS\SYSTEM32\ntdll.dll!NtLoadDriver 00007ffd21d92590 5 bytes JMP 00007ffda1ec01e0 .text C:\WINDOWS\system32\csrss.exe[2332] C:\WINDOWS\SYSTEM32\ntdll.dll!NtModifyBootEntry 00007ffd21d92650 5 bytes JMP 00007ffda1ec0250 .text C:\WINDOWS\system32\csrss.exe[2332] C:\WINDOWS\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00007ffd21d92680 5 bytes JMP 00007ffda1ec0490 .text C:\WINDOWS\system32\csrss.exe[2332] C:\WINDOWS\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00007ffd21d92690 5 bytes JMP 00007ffda1ec04a0 .text C:\WINDOWS\system32\csrss.exe[2332] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenEventPair 00007ffd21d926c0 5 bytes JMP 00007ffda1ec0300 .text C:\WINDOWS\system32\csrss.exe[2332] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00007ffd21d926d0 1 byte JMP 00007ffda1ec0360 .text C:\WINDOWS\system32\csrss.exe[2332] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenIoCompletion + 2 00007ffd21d926d2 3 bytes {JMP 0xffffffff8012dc90} .text C:\WINDOWS\system32\csrss.exe[2332] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenMutant 00007ffd21d92730 5 bytes JMP 00007ffda1ec02a0 .text C:\WINDOWS\system32\csrss.exe[2332] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenSemaphore 00007ffd21d92780 5 bytes JMP 00007ffda1ec02c0 .text C:\WINDOWS\system32\csrss.exe[2332] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenThread 00007ffd21d927b0 5 bytes JMP 00007ffda1ec0380 .text C:\WINDOWS\system32\csrss.exe[2332] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenTimer 00007ffd21d927c0 5 bytes JMP 00007ffda1ec0340 .text C:\WINDOWS\system32\csrss.exe[2332] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00007ffd21d92ad0 5 bytes JMP 00007ffda1ec0440 .text C:\WINDOWS\system32\csrss.exe[2332] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00007ffd21d92cd0 1 byte JMP 00007ffda1ec0260 .text C:\WINDOWS\system32\csrss.exe[2332] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 00007ffd21d92cd2 3 bytes {JMP 0xffffffff8012d590} .text C:\WINDOWS\system32\csrss.exe[2332] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootOptions 00007ffd21d92ce0 1 byte JMP 00007ffda1ec0270 .text C:\WINDOWS\system32\csrss.exe[2332] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 00007ffd21d92ce2 3 bytes {JMP 0xffffffff8012d590} .text C:\WINDOWS\system32\csrss.exe[2332] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetContextThread 00007ffd21d92d00 5 bytes JMP 00007ffda1ec0400 .text C:\WINDOWS\system32\csrss.exe[2332] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ffd21d92ee0 5 bytes JMP 00007ffda1ec01f0 .text C:\WINDOWS\system32\csrss.exe[2332] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00007ffd21d92ef0 5 bytes JMP 00007ffda1ec0210 .text C:\WINDOWS\system32\csrss.exe[2332] C:\WINDOWS\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ffd21d92f80 5 bytes JMP 00007ffda1ec0200 .text C:\WINDOWS\system32\csrss.exe[2332] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSuspendProcess 00007ffd21d92ff0 5 bytes JMP 00007ffda1ec0420 .text C:\WINDOWS\system32\csrss.exe[2332] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSuspendThread 00007ffd21d93000 5 bytes JMP 00007ffda1ec0430 .text C:\WINDOWS\system32\csrss.exe[2332] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ffd21d93010 5 bytes JMP 00007ffda1ec0220 .text C:\WINDOWS\system32\csrss.exe[2332] C:\WINDOWS\SYSTEM32\ntdll.dll!NtVdmControl 00007ffd21d93120 2 bytes JMP 00007ffda1ec0280 .text C:\WINDOWS\system32\csrss.exe[2332] C:\WINDOWS\SYSTEM32\ntdll.dll!NtVdmControl + 3 00007ffd21d93123 2 bytes [12, 80] .text C:\WINDOWS\system32\atieclxx.exe[7568] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 506 00007ffd1f94169a 4 bytes [94, 1F, FD, 7F] .text C:\WINDOWS\system32\atieclxx.exe[7568] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 514 00007ffd1f9416a2 4 bytes [94, 1F, FD, 7F] .text C:\WINDOWS\system32\atieclxx.exe[7568] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 118 00007ffd1f94181a 4 bytes [94, 1F, FD, 7F] .text C:\WINDOWS\system32\atieclxx.exe[7568] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 142 00007ffd1f941832 4 bytes [94, 1F, FD, 7F] .text C:\Windows\System32\igfxpers.exe[4192] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 506 00007ffd1f94169a 4 bytes [94, 1F, FD, 7F] .text C:\Windows\System32\igfxpers.exe[4192] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 514 00007ffd1f9416a2 4 bytes [94, 1F, FD, 7F] .text C:\Windows\System32\igfxpers.exe[4192] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 118 00007ffd1f94181a 4 bytes [94, 1F, FD, 7F] .text C:\Windows\System32\igfxpers.exe[4192] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 142 00007ffd1f941832 4 bytes [94, 1F, FD, 7F] .text C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[6064] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 506 00007ffd1f94169a 4 bytes [94, 1F, FD, 7F] .text C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[6064] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 514 00007ffd1f9416a2 4 bytes [94, 1F, FD, 7F] .text C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[6064] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 118 00007ffd1f94181a 4 bytes [94, 1F, FD, 7F] .text C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[6064] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 142 00007ffd1f941832 4 bytes [94, 1F, FD, 7F] .text C:\WINDOWS\system32\wbem\unsecapp.exe[5044] C:\WINDOWS\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00007ffd21d91720 5 bytes JMP 00007ffda1ec0460 .text C:\WINDOWS\system32\wbem\unsecapp.exe[5044] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueryObject 00007ffd21d91770 5 bytes JMP 00007ffda1ec0450 .text C:\WINDOWS\system32\wbem\unsecapp.exe[5044] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenProcess 00007ffd21d918d0 5 bytes JMP 00007ffda1ec0370 .text C:\WINDOWS\system32\wbem\unsecapp.exe[5044] C:\WINDOWS\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00007ffd21d91920 5 bytes JMP 00007ffda1ec0470 .text C:\WINDOWS\system32\wbem\unsecapp.exe[5044] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ffd21d91930 5 bytes JMP 00007ffda1ec03e0 .text C:\WINDOWS\system32\wbem\unsecapp.exe[5044] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenSection 00007ffd21d919e0 5 bytes JMP 00007ffda1ec0320 .text C:\WINDOWS\system32\wbem\unsecapp.exe[5044] C:\WINDOWS\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffd21d91a10 5 bytes JMP 00007ffda1ec03b0 .text C:\WINDOWS\system32\wbem\unsecapp.exe[5044] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDuplicateObject 00007ffd21d91a30 5 bytes JMP 00007ffda1ec0390 .text C:\WINDOWS\system32\wbem\unsecapp.exe[5044] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenEvent 00007ffd21d91a70 5 bytes JMP 00007ffda1ec02e0 .text C:\WINDOWS\system32\wbem\unsecapp.exe[5044] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateEvent 00007ffd21d91af0 5 bytes JMP 00007ffda1ec02d0 .text C:\WINDOWS\system32\wbem\unsecapp.exe[5044] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSection 00007ffd21d91b10 5 bytes JMP 00007ffda1ec0310 .text C:\WINDOWS\system32\wbem\unsecapp.exe[5044] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThread 00007ffd21d91b50 5 bytes JMP 00007ffda1ec03c0 .text C:\WINDOWS\system32\wbem\unsecapp.exe[5044] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateThread 00007ffd21d91ba0 5 bytes JMP 00007ffda1ec03f0 .text C:\WINDOWS\system32\wbem\unsecapp.exe[5044] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAddBootEntry 00007ffd21d91d00 5 bytes JMP 00007ffda1ec0230 .text C:\WINDOWS\system32\wbem\unsecapp.exe[5044] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ffd21d91ef0 1 byte JMP 00007ffda1ec0480 .text C:\WINDOWS\system32\wbem\unsecapp.exe[5044] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort + 2 00007ffd21d91ef2 3 bytes {JMP 0xffffffff8012e590} .text C:\WINDOWS\system32\wbem\unsecapp.exe[5044] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00007ffd21d91f20 5 bytes JMP 00007ffda1ec03a0 .text C:\WINDOWS\system32\wbem\unsecapp.exe[5044] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ffd21d92040 5 bytes JMP 00007ffda1ec02f0 .text C:\WINDOWS\system32\wbem\unsecapp.exe[5044] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00007ffd21d92060 5 bytes JMP 00007ffda1ec0350 .text C:\WINDOWS\system32\wbem\unsecapp.exe[5044] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateMutant 00007ffd21d920d0 5 bytes JMP 00007ffda1ec0290 .text C:\WINDOWS\system32\wbem\unsecapp.exe[5044] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ffd21d92160 5 bytes JMP 00007ffda1ec02b0 .text C:\WINDOWS\system32\wbem\unsecapp.exe[5044] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffd21d92180 5 bytes JMP 00007ffda1ec03d0 .text C:\WINDOWS\system32\wbem\unsecapp.exe[5044] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateTimer 00007ffd21d92190 5 bytes JMP 00007ffda1ec0330 .text C:\WINDOWS\system32\wbem\unsecapp.exe[5044] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00007ffd21d92240 5 bytes JMP 00007ffda1ec0410 .text C:\WINDOWS\system32\wbem\unsecapp.exe[5044] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00007ffd21d92270 5 bytes JMP 00007ffda1ec0240 .text C:\WINDOWS\system32\wbem\unsecapp.exe[5044] C:\WINDOWS\SYSTEM32\ntdll.dll!NtLoadDriver 00007ffd21d92590 5 bytes JMP 00007ffda1ec01e0 .text C:\WINDOWS\system32\wbem\unsecapp.exe[5044] C:\WINDOWS\SYSTEM32\ntdll.dll!NtModifyBootEntry 00007ffd21d92650 5 bytes JMP 00007ffda1ec0250 .text C:\WINDOWS\system32\wbem\unsecapp.exe[5044] C:\WINDOWS\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00007ffd21d92680 5 bytes JMP 00007ffda1ec0490 .text C:\WINDOWS\system32\wbem\unsecapp.exe[5044] C:\WINDOWS\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00007ffd21d92690 5 bytes JMP 00007ffda1ec04a0 .text C:\WINDOWS\system32\wbem\unsecapp.exe[5044] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenEventPair 00007ffd21d926c0 5 bytes JMP 00007ffda1ec0300 .text C:\WINDOWS\system32\wbem\unsecapp.exe[5044] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00007ffd21d926d0 1 byte JMP 00007ffda1ec0360 .text C:\WINDOWS\system32\wbem\unsecapp.exe[5044] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenIoCompletion + 2 00007ffd21d926d2 3 bytes {JMP 0xffffffff8012dc90} .text C:\WINDOWS\system32\wbem\unsecapp.exe[5044] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenMutant 00007ffd21d92730 5 bytes JMP 00007ffda1ec02a0 .text C:\WINDOWS\system32\wbem\unsecapp.exe[5044] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenSemaphore 00007ffd21d92780 5 bytes JMP 00007ffda1ec02c0 .text C:\WINDOWS\system32\wbem\unsecapp.exe[5044] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenThread 00007ffd21d927b0 5 bytes JMP 00007ffda1ec0380 .text C:\WINDOWS\system32\wbem\unsecapp.exe[5044] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenTimer 00007ffd21d927c0 5 bytes JMP 00007ffda1ec0340 .text C:\WINDOWS\system32\wbem\unsecapp.exe[5044] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00007ffd21d92ad0 5 bytes JMP 00007ffda1ec0440 .text C:\WINDOWS\system32\wbem\unsecapp.exe[5044] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00007ffd21d92cd0 1 byte JMP 00007ffda1ec0260 .text C:\WINDOWS\system32\wbem\unsecapp.exe[5044] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootEntryOrder + 2 00007ffd21d92cd2 3 bytes {JMP 0xffffffff8012d590} .text C:\WINDOWS\system32\wbem\unsecapp.exe[5044] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootOptions 00007ffd21d92ce0 1 byte JMP 00007ffda1ec0270 .text C:\WINDOWS\system32\wbem\unsecapp.exe[5044] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootOptions + 2 00007ffd21d92ce2 3 bytes {JMP 0xffffffff8012d590} .text C:\WINDOWS\system32\wbem\unsecapp.exe[5044] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetContextThread 00007ffd21d92d00 5 bytes JMP 00007ffda1ec0400 .text C:\WINDOWS\system32\wbem\unsecapp.exe[5044] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ffd21d92ee0 5 bytes JMP 00007ffda1ec01f0 .text C:\WINDOWS\system32\wbem\unsecapp.exe[5044] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00007ffd21d92ef0 5 bytes JMP 00007ffda1ec0210 .text C:\WINDOWS\system32\wbem\unsecapp.exe[5044] C:\WINDOWS\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ffd21d92f80 5 bytes JMP 00007ffda1ec0200 .text C:\WINDOWS\system32\wbem\unsecapp.exe[5044] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSuspendProcess 00007ffd21d92ff0 5 bytes JMP 00007ffda1ec0420 .text C:\WINDOWS\system32\wbem\unsecapp.exe[5044] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSuspendThread 00007ffd21d93000 5 bytes JMP 00007ffda1ec0430 .text C:\WINDOWS\system32\wbem\unsecapp.exe[5044] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ffd21d93010 5 bytes JMP 00007ffda1ec0220 .text C:\WINDOWS\system32\wbem\unsecapp.exe[5044] C:\WINDOWS\SYSTEM32\ntdll.dll!NtVdmControl 00007ffd21d93120 2 bytes JMP 00007ffda1ec0280 .text C:\WINDOWS\system32\wbem\unsecapp.exe[5044] C:\WINDOWS\SYSTEM32\ntdll.dll!NtVdmControl + 3 00007ffd21d93123 2 bytes [12, 80] ---- User IAT/EAT - GMER 2.1 ---- IAT C:\WINDOWS\Explorer.EXE[948] @ C:\WINDOWS\SYSTEM32\globinputhost.dll[msvcrt.dll!__pctype_func] [6d0061006e0065] IAT C:\WINDOWS\Explorer.EXE[948] @ C:\WINDOWS\SYSTEM32\globinputhost.dll[msvcrt.dll!___lc_codepage_func] [65006b00000065] IAT C:\WINDOWS\Explorer.EXE[948] @ C:\WINDOWS\SYSTEM32\globinputhost.dll[msvcrt.dll!isspace] [6c006100700065] IAT C:\WINDOWS\Explorer.EXE[948] @ C:\WINDOWS\SYSTEM32\globinputhost.dll[msvcrt.dll!_CxxThrowException] [70006500760069] IAT C:\WINDOWS\Explorer.EXE[948] @ C:\WINDOWS\SYSTEM32\globinputhost.dll[msvcrt.dll!??0exception@@QEAA@XZ] [690076006f0072] IAT C:\WINDOWS\Explorer.EXE[948] @ C:\WINDOWS\SYSTEM32\globinputhost.dll[msvcrt.dll!setlocale] [2e007200650064] IAT C:\WINDOWS\Explorer.EXE[948] @ C:\WINDOWS\SYSTEM32\globinputhost.dll[msvcrt.dll!_onexit] [6c006c0064] IAT C:\WINDOWS\Explorer.EXE[948] @ C:\WINDOWS\SYSTEM32\globinputhost.dll[msvcrt.dll!__CxxFrameHandler3] [5000010025006a] IAT C:\WINDOWS\Explorer.EXE[948] @ C:\WINDOWS\SYSTEM32\globinputhost.dll[msvcrt.dll!_callnewh] [750064006f0072] IAT C:\WINDOWS\Explorer.EXE[948] @ C:\WINDOWS\SYSTEM32\globinputhost.dll[msvcrt.dll!__uncaught_exception] [61004e00740063] IAT C:\WINDOWS\Explorer.EXE[948] @ C:\WINDOWS\SYSTEM32\globinputhost.dll[msvcrt.dll!_unlock] [65006d] IAT C:\WINDOWS\Explorer.EXE[948] @ C:\WINDOWS\SYSTEM32\globinputhost.dll[msvcrt.dll!_lock] [7200630069004d] IAT C:\WINDOWS\Explorer.EXE[948] @ C:\WINDOWS\SYSTEM32\globinputhost.dll[msvcrt.dll!?terminate@@YAXXZ] [66006f0073006f] IAT C:\WINDOWS\Explorer.EXE[948] @ C:\WINDOWS\SYSTEM32\globinputhost.dll[msvcrt.dll!??1type_info@@UEAA@XZ] [57002000ae0074] IAT C:\WINDOWS\Explorer.EXE[948] @ C:\WINDOWS\SYSTEM32\globinputhost.dll[msvcrt.dll!_errno] [6f0064006e0069] IAT C:\WINDOWS\Explorer.EXE[948] @ C:\WINDOWS\SYSTEM32\globinputhost.dll[msvcrt.dll!___lc_handle_func] [2000ae00730077] IAT C:\WINDOWS\Explorer.EXE[948] @ C:\WINDOWS\SYSTEM32\globinputhost.dll[msvcrt.dll!memcpy] [7200650070004f] IAT C:\WINDOWS\Explorer.EXE[948] @ C:\WINDOWS\SYSTEM32\globinputhost.dll[msvcrt.dll!malloc] [6e006900740061] IAT C:\WINDOWS\Explorer.EXE[948] @ C:\WINDOWS\SYSTEM32\globinputhost.dll[msvcrt.dll!__crtLCMapStringW] [79005300200067] IAT C:\WINDOWS\Explorer.EXE[948] @ C:\WINDOWS\SYSTEM32\globinputhost.dll[msvcrt.dll!realloc] [6d006500740073] IAT C:\WINDOWS\Explorer.EXE[948] @ C:\WINDOWS\SYSTEM32\globinputhost.dll[msvcrt.dll!strchr] [f004200000000] IAT C:\WINDOWS\Explorer.EXE[948] @ C:\WINDOWS\SYSTEM32\globinputhost.dll[msvcrt.dll!_initterm] [74006300750064] IAT C:\WINDOWS\Explorer.EXE[948] @ C:\WINDOWS\SYSTEM32\globinputhost.dll[msvcrt.dll!_amsg_exit] [73007200650056] IAT C:\WINDOWS\Explorer.EXE[948] @ C:\WINDOWS\SYSTEM32\globinputhost.dll[msvcrt.dll!wctob] [6e006f0069] IAT C:\WINDOWS\Explorer.EXE[948] @ C:\WINDOWS\SYSTEM32\globinputhost.dll[msvcrt.dll!__dllonexit] [2e0033002e0036] IAT C:\WINDOWS\Explorer.EXE[948] @ C:\WINDOWS\SYSTEM32\globinputhost.dll[msvcrt.dll!_XcptFilter] [30003000360039] IAT C:\WINDOWS\Explorer.EXE[948] @ C:\WINDOWS\SYSTEM32\globinputhost.dll[msvcrt.dll!memchr] [3300360031002e] IAT C:\WINDOWS\Explorer.EXE[948] @ C:\WINDOWS\SYSTEM32\globinputhost.dll[msvcrt.dll!strerror] [340038] IAT C:\WINDOWS\Explorer.EXE[948] @ C:\WINDOWS\SYSTEM32\globinputhost.dll[msvcrt.dll!calloc] [56000100000044] IAT C:\WINDOWS\Explorer.EXE[948] @ C:\WINDOWS\SYSTEM32\globinputhost.dll[msvcrt.dll!abort] [69004600720061] IAT C:\WINDOWS\Explorer.EXE[948] @ C:\WINDOWS\SYSTEM32\globinputhost.dll[msvcrt.dll!__crtCompareStringW] [6e00490065006c] IAT C:\WINDOWS\Explorer.EXE[948] @ C:\WINDOWS\SYSTEM32\globinputhost.dll[msvcrt.dll!??0exception@@QEAA@AEBQEBDH@Z] [6f0066] IAT C:\WINDOWS\Explorer.EXE[948] @ C:\WINDOWS\SYSTEM32\globinputhost.dll[msvcrt.dll!___lc_collate_cp_func] [54000000040024] IAT C:\WINDOWS\Explorer.EXE[948] @ C:\WINDOWS\SYSTEM32\globinputhost.dll[msvcrt.dll!___mb_cur_max_func] [73006e00610072] IAT C:\WINDOWS\Explorer.EXE[948] @ C:\WINDOWS\SYSTEM32\globinputhost.dll[msvcrt.dll!_wcsnicmp] [6900740061006c] IAT C:\WINDOWS\Explorer.EXE[948] @ C:\WINDOWS\SYSTEM32\globinputhost.dll[msvcrt.dll!tolower] [6e006f] IAT C:\WINDOWS\Explorer.EXE[948] @ C:\WINDOWS\SYSTEM32\globinputhost.dll[msvcrt.dll!wcstoul] [4b00409] IAT C:\WINDOWS\Explorer.EXE[948] @ C:\WINDOWS\SYSTEM32\globinputhost.dll[msvcrt.dll!_vsnwprintf] [0] IAT C:\WINDOWS\Explorer.EXE[948] @ C:\WINDOWS\SYSTEM32\globinputhost.dll[msvcrt.dll!swscanf] [0] IAT C:\WINDOWS\Explorer.EXE[948] @ C:\WINDOWS\SYSTEM32\globinputhost.dll[msvcrt.dll!_wcsicmp] [0] IAT C:\WINDOWS\Explorer.EXE[948] @ C:\WINDOWS\SYSTEM32\globinputhost.dll[msvcrt.dll!_purecall] [0] IAT C:\WINDOWS\Explorer.EXE[948] @ C:\WINDOWS\SYSTEM32\globinputhost.dll[msvcrt.dll!??0bad_cast@@QEAA@PEBD@Z] [0] IAT C:\WINDOWS\Explorer.EXE[948] @ C:\WINDOWS\SYSTEM32\globinputhost.dll[msvcrt.dll!??1bad_cast@@UEAA@XZ] [0] IAT C:\WINDOWS\Explorer.EXE[948] @ C:\WINDOWS\SYSTEM32\globinputhost.dll[msvcrt.dll!??0bad_cast@@QEAA@AEBV0@@Z] [0] IAT C:\WINDOWS\Explorer.EXE[948] @ C:\WINDOWS\SYSTEM32\globinputhost.dll[msvcrt.dll!wcschr] [0] IAT C:\WINDOWS\Explorer.EXE[948] @ C:\WINDOWS\SYSTEM32\globinputhost.dll[msvcrt.dll!??_V@YAXPEAX@Z] [0] IAT C:\WINDOWS\Explorer.EXE[948] @ C:\WINDOWS\SYSTEM32\globinputhost.dll[msvcrt.dll!free] [0] IAT C:\WINDOWS\Explorer.EXE[948] @ C:\WINDOWS\SYSTEM32\globinputhost.dll[msvcrt.dll!memmove] [0] IAT C:\WINDOWS\Explorer.EXE[948] @ C:\WINDOWS\SYSTEM32\globinputhost.dll[msvcrt.dll!??0exception@@QEAA@AEBV0@@Z] [0] IAT C:\WINDOWS\Explorer.EXE[948] @ C:\WINDOWS\SYSTEM32\globinputhost.dll[msvcrt.dll!??0exception@@QEAA@AEBQEBD@Z] [0] IAT C:\WINDOWS\Explorer.EXE[948] @ C:\WINDOWS\SYSTEM32\globinputhost.dll[msvcrt.dll!??1exception@@UEAA@XZ] [0] IAT C:\WINDOWS\Explorer.EXE[948] @ C:\WINDOWS\SYSTEM32\globinputhost.dll[msvcrt.dll!?what@exception@@UEBAPEBDXZ] [0] IAT C:\WINDOWS\Explorer.EXE[948] @ C:\WINDOWS\SYSTEM32\globinputhost.dll[msvcrt.dll!??3@YAXPEAX@Z] [0] IAT C:\WINDOWS\Explorer.EXE[948] @ C:\WINDOWS\SYSTEM32\globinputhost.dll[msvcrt.dll!toupper] [0] IAT C:\WINDOWS\Explorer.EXE[948] @ C:\WINDOWS\SYSTEM32\globinputhost.dll[msvcrt.dll!memset] [0] IAT C:\WINDOWS\Explorer.EXE[948] @ C:\WINDOWS\SYSTEM32\globinputhost.dll[Bcp47Langs.dll!AppendUserLanguages] [0] IAT C:\WINDOWS\Explorer.EXE[948] @ C:\WINDOWS\SYSTEM32\globinputhost.dll[Bcp47Langs.dll!Bcp47FromHkl] [1000000000000] IAT C:\WINDOWS\Explorer.EXE[948] @ C:\WINDOWS\SYSTEM32\globinputhost.dll[Bcp47Langs.dll!GetUserLanguageInputMethods] [8000001800000010] IAT C:\WINDOWS\Explorer.EXE[948] @ C:\WINDOWS\SYSTEM32\globinputhost.dll[Bcp47Langs.dll!Bcp47FromLcid] [0] IAT C:\WINDOWS\Explorer.EXE[948] @ C:\WINDOWS\SYSTEM32\globinputhost.dll[Bcp47Langs.dll!AppendUserLanguageInputMethods] [1000000000000] IAT C:\WINDOWS\Explorer.EXE[948] @ C:\WINDOWS\SYSTEM32\globinputhost.dll[Bcp47Langs.dll!Bcp47IsWellFormed] [8000003000000001] IAT C:\WINDOWS\Explorer.EXE[948] @ C:\WINDOWS\SYSTEM32\globinputhost.dll[Bcp47Langs.dll!LcidFromBcp47] [0] IAT C:\WINDOWS\Explorer.EXE[948] @ C:\WINDOWS\SYSTEM32\globinputhost.dll[Bcp47Langs.dll!Bcp47GetNlsForm] [1000000000000] IAT C:\WINDOWS\Explorer.EXE[948] @ C:\WINDOWS\SYSTEM32\globinputhost.dll[Bcp47Langs.dll!CompactTagFromBcp47Internal] [4800000409] IAT C:\WINDOWS\Explorer.EXE[948] @ C:\WINDOWS\SYSTEM32\globinputhost.dll[USER32.dll!GetKeyboardLayout] [450056005f0053] ---- Threads - GMER 2.1 ---- Thread C:\WINDOWS\system32\csrss.exe [2332:8764] fffff96000942b90 ---- Processes - GMER 2.1 ---- Library C:\ProgramData\PLAY ONLINE\OnlineUpdate\QtCore4.dll (*** suspicious ***) @ C:\ProgramData\PLAY ONLINE\OnlineUpdate\ouc.exe [2724](2 000000006a1c0000 Library C:\ProgramData\PLAY ONLINE\OnlineUpdate\QtNetwork4.dll (*** suspicious ***) @ C:\ProgramData\PLAY ONLINE\OnlineUpdate\ouc.exe [2724](2014-11-12 15:46:11) 000000006ff00000 Library C:\ProgramData\PLAY ONLINE\OnlineUpdate\mingwm10.dll (*** suspicious ***) @ C:\ProgramData\PLAY ONLINE\OnlineUpdate\ouc.exe [2724] 000000006fbc0000 Library C:\ProgramData\PLAY ONLINE\OnlineUpdate\libgcc_s_dw2-1.dll (*** suspicious ***) @ C:\ProgramData\PLAY ONLINE\OnlineUpdate\ouc.exe [2724](2014-11-12 15:46:11) 000000006e940000 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Configuration\LGD033A0_00_07DB_82^0C347888ABDF2AA846DFF8D24673327F@Timestamp 0xE8 0x48 0x5A 0x4B ... Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel\RNG@RNGAuxiliarySeed -664857811 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@POSTTime 3951 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@FwPOSTTime 3447 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@TotalResumeTime 12498 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@ResumeBootMgrTime 423 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@ResumeAppTime 977 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@ResumeAppStartTimestamp 4377 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@ResumeInitTime 83 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@ResumeHiberFileTime 732 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@ResumeRestoreImageStartTimestamp 4613 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@ResumeIoTime 495 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@ResumeKernelSwitchTimestamp 5354 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@KernelReturnFromHandlerTimestamp 5380 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@SleeperThreadEndTimestamp 11191 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@TimeStampCounterAtSwitchTime 5376 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@KernelReturnSystemPowerState 11566 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@HiberHiberFileTime 14391 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@HiberSharedBufferTime 3 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@TotalHibernateTime 29539 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@KernelResumeHiberFileTime 5360 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@KernelResumeSharedBufferTime 6 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@DeviceResumeTime 353 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@KernelAnimationTime 55 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@KernelPagesProcessed 427886 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@KernelPagesWritten 0x80 0x4B 0x02 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@BootPagesProcessed 32545 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@BootPagesWritten 0x66 0x3B 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@HiberWriteRate 44 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@HiberCompressRate 26 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@ResumeDecompressRate 89 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@KernelResumeIoCpuTime 4515 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@HiberIoCpuTime 8177 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@HybridBootAnimationTime 3774 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@ResumeCompleteTimestamp 0x03 0x31 0xCB 0x0A ... Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server@GlassSessionId 3 Reg HKLM\SYSTEM\CurrentControlSet\Services\BITS@Start 3 Reg HKLM\SYSTEM\CurrentControlSet\Services\BITS Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\b8763fa34b64 Reg HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc\Parameters\Isatap\{815709E4-E0A4-4562-9A7A-4D98748B0CEA}@DefunctTimestamp 0x33 0x8B 0x8C 0x54 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc\Teredo\PreviousState\10-fe-ed-68-97-14@AddressCreationTimestamp 0x37 0x1C 0x9D 0x0A ... Reg HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc\Teredo\PreviousState\10-fe-ed-68-97-14@ClientLocalPort 62578 Reg HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc\Teredo\PreviousState\10-fe-ed-68-97-14@TeredoAddress 2001:0:5ef5:79fb:98:b8d:da1b:ec02 Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch@Epoch 1805 Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch2@Epoch 859 Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{127A4FED-4F80-4C09-BDDD-327D7A72B41F}@LeaseObtainedTime 1418496820 Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{127A4FED-4F80-4C09-BDDD-327D7A72B41F}@T1 1418500420 Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{127A4FED-4F80-4C09-BDDD-327D7A72B41F}@T2 1418503120 Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{127A4FED-4F80-4C09-BDDD-327D7A72B41F}@LeaseTerminatesTime 1418504020 Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shutdown@CleanShutdown 1 ---- EOF - GMER 2.1 ----