GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2015-02-16 10:03:02 Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\0000002f ST1000DM003-1ER162 rev.CC43 931,51GB Running: sj43qw22.exe; Driver: C:\Users\TOMASZ~1\AppData\Local\Temp\pwddapow.sys ---- User code sections - GMER 2.1 ---- .text C:\windows\System32\smss.exe[356] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00007ffe6d3dac30 5 bytes JMP 00007ffeed500460 .text C:\windows\System32\smss.exe[356] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 00007ffe6d3dac80 5 bytes JMP 00007ffeed500450 .text C:\windows\System32\smss.exe[356] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 00007ffe6d3dade0 1 byte JMP 00007ffeed500370 .text C:\windows\System32\smss.exe[356] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess + 2 00007ffe6d3dade2 3 bytes {JMP 0xffffffff80125590} .text C:\windows\System32\smss.exe[356] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00007ffe6d3dae30 5 bytes JMP 00007ffeed500470 .text C:\windows\System32\smss.exe[356] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ffe6d3dae40 5 bytes JMP 00007ffeed5003e0 .text C:\windows\System32\smss.exe[356] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 00007ffe6d3daef0 5 bytes JMP 00007ffeed500320 .text C:\windows\System32\smss.exe[356] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffe6d3daf20 1 byte JMP 00007ffeed5003b0 .text C:\windows\System32\smss.exe[356] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 2 00007ffe6d3daf22 3 bytes {JMP 0xffffffff80125490} .text C:\windows\System32\smss.exe[356] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00007ffe6d3daf40 5 bytes JMP 00007ffeed500390 .text C:\windows\System32\smss.exe[356] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 00007ffe6d3daf80 5 bytes JMP 00007ffeed5002e0 .text C:\windows\System32\smss.exe[356] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 00007ffe6d3db000 5 bytes JMP 00007ffeed5002d0 .text C:\windows\System32\smss.exe[356] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 00007ffe6d3db020 5 bytes JMP 00007ffeed500310 .text C:\windows\System32\smss.exe[356] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 00007ffe6d3db060 5 bytes JMP 00007ffeed5003c0 .text C:\windows\System32\smss.exe[356] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 00007ffe6d3db0b0 5 bytes JMP 00007ffeed5003f0 .text C:\windows\System32\smss.exe[356] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00007ffe6d3db210 5 bytes JMP 00007ffeed500230 .text C:\windows\System32\smss.exe[356] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ffe6d3db400 5 bytes JMP 00007ffeed500480 .text C:\windows\System32\smss.exe[356] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00007ffe6d3db430 5 bytes JMP 00007ffeed5003a0 .text C:\windows\System32\smss.exe[356] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ffe6d3db550 5 bytes JMP 00007ffeed5002f0 .text C:\windows\System32\smss.exe[356] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00007ffe6d3db570 5 bytes JMP 00007ffeed500350 .text C:\windows\System32\smss.exe[356] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 00007ffe6d3db5e0 5 bytes JMP 00007ffeed500290 .text C:\windows\System32\smss.exe[356] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ffe6d3db670 5 bytes JMP 00007ffeed5002b0 .text C:\windows\System32\smss.exe[356] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffe6d3db690 5 bytes JMP 00007ffeed5003d0 .text C:\windows\System32\smss.exe[356] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 00007ffe6d3db6a0 1 byte JMP 00007ffeed500330 .text C:\windows\System32\smss.exe[356] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00007ffe6d3db6a2 3 bytes {JMP 0xffffffff80124c90} .text C:\windows\System32\smss.exe[356] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00007ffe6d3db750 5 bytes JMP 00007ffeed500410 .text C:\windows\System32\smss.exe[356] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00007ffe6d3db780 5 bytes JMP 00007ffeed500240 .text C:\windows\System32\smss.exe[356] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 00007ffe6d3dbaa0 5 bytes JMP 00007ffeed5001e0 .text C:\windows\System32\smss.exe[356] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00007ffe6d3dbb60 5 bytes JMP 00007ffeed500250 .text C:\windows\System32\smss.exe[356] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00007ffe6d3dbb90 5 bytes JMP 00007ffeed500490 .text C:\windows\System32\smss.exe[356] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00007ffe6d3dbba0 5 bytes JMP 00007ffeed5004a0 .text C:\windows\System32\smss.exe[356] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00007ffe6d3dbbd0 5 bytes JMP 00007ffeed500300 .text C:\windows\System32\smss.exe[356] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00007ffe6d3dbbe0 5 bytes JMP 00007ffeed500360 .text C:\windows\System32\smss.exe[356] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 00007ffe6d3dbc40 5 bytes JMP 00007ffeed5002a0 .text C:\windows\System32\smss.exe[356] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00007ffe6d3dbc90 5 bytes JMP 00007ffeed5002c0 .text C:\windows\System32\smss.exe[356] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 00007ffe6d3dbcc0 5 bytes JMP 00007ffeed500380 .text C:\windows\System32\smss.exe[356] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 00007ffe6d3dbcd0 5 bytes JMP 00007ffeed500340 .text C:\windows\System32\smss.exe[356] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00007ffe6d3dbfe0 5 bytes JMP 00007ffeed500440 .text C:\windows\System32\smss.exe[356] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00007ffe6d3dc1e0 5 bytes JMP 00007ffeed500260 .text C:\windows\System32\smss.exe[356] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00007ffe6d3dc1f0 5 bytes JMP 00007ffeed500270 .text C:\windows\System32\smss.exe[356] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 00007ffe6d3dc210 5 bytes JMP 00007ffeed500400 .text C:\windows\System32\smss.exe[356] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ffe6d3dc3f0 5 bytes JMP 00007ffeed5001f0 .text C:\windows\System32\smss.exe[356] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00007ffe6d3dc400 5 bytes JMP 00007ffeed500210 .text C:\windows\System32\smss.exe[356] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ffe6d3dc490 5 bytes JMP 00007ffeed500200 .text C:\windows\System32\smss.exe[356] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00007ffe6d3dc500 5 bytes JMP 00007ffeed500420 .text C:\windows\System32\smss.exe[356] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 00007ffe6d3dc510 5 bytes JMP 00007ffeed500430 .text C:\windows\System32\smss.exe[356] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ffe6d3dc520 5 bytes JMP 00007ffeed500220 .text C:\windows\System32\smss.exe[356] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 00007ffe6d3dc630 5 bytes JMP 00007ffeed500280 .text C:\windows\system32\csrss.exe[500] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00007ffe6d3dac30 5 bytes JMP 00007ffeed500460 .text C:\windows\system32\csrss.exe[500] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 00007ffe6d3dac80 5 bytes JMP 00007ffeed500450 .text C:\windows\system32\csrss.exe[500] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 00007ffe6d3dade0 1 byte JMP 00007ffeed500370 .text C:\windows\system32\csrss.exe[500] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess + 2 00007ffe6d3dade2 3 bytes {JMP 0xffffffff80125590} .text C:\windows\system32\csrss.exe[500] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00007ffe6d3dae30 5 bytes JMP 00007ffeed500470 .text C:\windows\system32\csrss.exe[500] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ffe6d3dae40 5 bytes JMP 00007ffeed5003e0 .text C:\windows\system32\csrss.exe[500] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 00007ffe6d3daef0 5 bytes JMP 00007ffeed500320 .text C:\windows\system32\csrss.exe[500] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffe6d3daf20 1 byte JMP 00007ffeed5003b0 .text C:\windows\system32\csrss.exe[500] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 2 00007ffe6d3daf22 3 bytes {JMP 0xffffffff80125490} .text C:\windows\system32\csrss.exe[500] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00007ffe6d3daf40 5 bytes JMP 00007ffeed500390 .text C:\windows\system32\csrss.exe[500] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 00007ffe6d3daf80 5 bytes JMP 00007ffeed5002e0 .text C:\windows\system32\csrss.exe[500] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 00007ffe6d3db000 5 bytes JMP 00007ffeed5002d0 .text C:\windows\system32\csrss.exe[500] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 00007ffe6d3db020 5 bytes JMP 00007ffeed500310 .text C:\windows\system32\csrss.exe[500] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 00007ffe6d3db060 5 bytes JMP 00007ffeed5003c0 .text C:\windows\system32\csrss.exe[500] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 00007ffe6d3db0b0 5 bytes JMP 00007ffeed5003f0 .text C:\windows\system32\csrss.exe[500] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00007ffe6d3db210 5 bytes JMP 00007ffeed500230 .text C:\windows\system32\csrss.exe[500] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ffe6d3db400 5 bytes JMP 00007ffeed500480 .text C:\windows\system32\csrss.exe[500] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00007ffe6d3db430 5 bytes JMP 00007ffeed5003a0 .text C:\windows\system32\csrss.exe[500] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ffe6d3db550 5 bytes JMP 00007ffeed5002f0 .text C:\windows\system32\csrss.exe[500] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00007ffe6d3db570 5 bytes JMP 00007ffeed500350 .text C:\windows\system32\csrss.exe[500] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 00007ffe6d3db5e0 5 bytes JMP 00007ffeed500290 .text C:\windows\system32\csrss.exe[500] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ffe6d3db670 5 bytes JMP 00007ffeed5002b0 .text C:\windows\system32\csrss.exe[500] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffe6d3db690 5 bytes JMP 00007ffeed5003d0 .text C:\windows\system32\csrss.exe[500] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 00007ffe6d3db6a0 1 byte JMP 00007ffeed500330 .text C:\windows\system32\csrss.exe[500] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00007ffe6d3db6a2 3 bytes {JMP 0xffffffff80124c90} .text C:\windows\system32\csrss.exe[500] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00007ffe6d3db750 5 bytes JMP 00007ffeed500410 .text C:\windows\system32\csrss.exe[500] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00007ffe6d3db780 5 bytes JMP 00007ffeed500240 .text C:\windows\system32\csrss.exe[500] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 00007ffe6d3dbaa0 5 bytes JMP 00007ffeed5001e0 .text C:\windows\system32\csrss.exe[500] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00007ffe6d3dbb60 5 bytes JMP 00007ffeed500250 .text C:\windows\system32\csrss.exe[500] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00007ffe6d3dbb90 5 bytes JMP 00007ffeed500490 .text C:\windows\system32\csrss.exe[500] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00007ffe6d3dbba0 5 bytes JMP 00007ffeed5004a0 .text C:\windows\system32\csrss.exe[500] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00007ffe6d3dbbd0 5 bytes JMP 00007ffeed500300 .text C:\windows\system32\csrss.exe[500] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00007ffe6d3dbbe0 5 bytes JMP 00007ffeed500360 .text C:\windows\system32\csrss.exe[500] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 00007ffe6d3dbc40 5 bytes JMP 00007ffeed5002a0 .text C:\windows\system32\csrss.exe[500] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00007ffe6d3dbc90 5 bytes JMP 00007ffeed5002c0 .text C:\windows\system32\csrss.exe[500] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 00007ffe6d3dbcc0 5 bytes JMP 00007ffeed500380 .text C:\windows\system32\csrss.exe[500] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 00007ffe6d3dbcd0 5 bytes JMP 00007ffeed500340 .text C:\windows\system32\csrss.exe[500] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00007ffe6d3dbfe0 5 bytes JMP 00007ffeed500440 .text C:\windows\system32\csrss.exe[500] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00007ffe6d3dc1e0 5 bytes JMP 00007ffeed500260 .text C:\windows\system32\csrss.exe[500] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00007ffe6d3dc1f0 5 bytes JMP 00007ffeed500270 .text C:\windows\system32\csrss.exe[500] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 00007ffe6d3dc210 5 bytes JMP 00007ffeed500400 .text C:\windows\system32\csrss.exe[500] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ffe6d3dc3f0 5 bytes JMP 00007ffeed5001f0 .text C:\windows\system32\csrss.exe[500] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00007ffe6d3dc400 5 bytes JMP 00007ffeed500210 .text C:\windows\system32\csrss.exe[500] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ffe6d3dc490 5 bytes JMP 00007ffeed500200 .text C:\windows\system32\csrss.exe[500] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00007ffe6d3dc500 5 bytes JMP 00007ffeed500420 .text C:\windows\system32\csrss.exe[500] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 00007ffe6d3dc510 5 bytes JMP 00007ffeed500430 .text C:\windows\system32\csrss.exe[500] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ffe6d3dc520 5 bytes JMP 00007ffeed500220 .text C:\windows\system32\csrss.exe[500] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 00007ffe6d3dc630 5 bytes JMP 00007ffeed500280 .text C:\windows\system32\wininit.exe[580] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00007ffe6d3dac30 5 bytes JMP 00007ffeed500460 .text C:\windows\system32\wininit.exe[580] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 00007ffe6d3dac80 5 bytes JMP 00007ffeed500450 .text C:\windows\system32\wininit.exe[580] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 00007ffe6d3dade0 1 byte JMP 00007ffeed500370 .text C:\windows\system32\wininit.exe[580] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess + 2 00007ffe6d3dade2 3 bytes {JMP 0xffffffff80125590} .text C:\windows\system32\wininit.exe[580] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00007ffe6d3dae30 5 bytes JMP 00007ffeed500470 .text C:\windows\system32\wininit.exe[580] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ffe6d3dae40 5 bytes JMP 00007ffeed5003e0 .text C:\windows\system32\wininit.exe[580] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 00007ffe6d3daef0 5 bytes JMP 00007ffeed500320 .text C:\windows\system32\wininit.exe[580] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffe6d3daf20 1 byte JMP 00007ffeed5003b0 .text C:\windows\system32\wininit.exe[580] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 2 00007ffe6d3daf22 3 bytes {JMP 0xffffffff80125490} .text C:\windows\system32\wininit.exe[580] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00007ffe6d3daf40 5 bytes JMP 00007ffeed500390 .text C:\windows\system32\wininit.exe[580] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 00007ffe6d3daf80 5 bytes JMP 00007ffeed5002e0 .text C:\windows\system32\wininit.exe[580] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 00007ffe6d3db000 5 bytes JMP 00007ffeed5002d0 .text C:\windows\system32\wininit.exe[580] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 00007ffe6d3db020 5 bytes JMP 00007ffeed500310 .text C:\windows\system32\wininit.exe[580] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 00007ffe6d3db060 5 bytes JMP 00007ffeed5003c0 .text C:\windows\system32\wininit.exe[580] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 00007ffe6d3db0b0 5 bytes JMP 00007ffeed5003f0 .text C:\windows\system32\wininit.exe[580] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00007ffe6d3db210 5 bytes JMP 00007ffeed500230 .text C:\windows\system32\wininit.exe[580] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ffe6d3db400 5 bytes JMP 00007ffeed500480 .text C:\windows\system32\wininit.exe[580] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00007ffe6d3db430 5 bytes JMP 00007ffeed5003a0 .text C:\windows\system32\wininit.exe[580] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ffe6d3db550 5 bytes JMP 00007ffeed5002f0 .text C:\windows\system32\wininit.exe[580] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00007ffe6d3db570 5 bytes JMP 00007ffeed500350 .text C:\windows\system32\wininit.exe[580] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 00007ffe6d3db5e0 5 bytes JMP 00007ffeed500290 .text C:\windows\system32\wininit.exe[580] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ffe6d3db670 5 bytes JMP 00007ffeed5002b0 .text C:\windows\system32\wininit.exe[580] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffe6d3db690 5 bytes JMP 00007ffeed5003d0 .text C:\windows\system32\wininit.exe[580] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 00007ffe6d3db6a0 1 byte JMP 00007ffeed500330 .text C:\windows\system32\wininit.exe[580] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00007ffe6d3db6a2 3 bytes {JMP 0xffffffff80124c90} .text C:\windows\system32\wininit.exe[580] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00007ffe6d3db750 5 bytes JMP 00007ffeed500410 .text C:\windows\system32\wininit.exe[580] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00007ffe6d3db780 5 bytes JMP 00007ffeed500240 .text C:\windows\system32\wininit.exe[580] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 00007ffe6d3dbaa0 5 bytes JMP 00007ffeed5001e0 .text C:\windows\system32\wininit.exe[580] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00007ffe6d3dbb60 5 bytes JMP 00007ffeed500250 .text C:\windows\system32\wininit.exe[580] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00007ffe6d3dbb90 5 bytes JMP 00007ffeed500490 .text C:\windows\system32\wininit.exe[580] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00007ffe6d3dbba0 5 bytes JMP 00007ffeed5004a0 .text C:\windows\system32\wininit.exe[580] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00007ffe6d3dbbd0 5 bytes JMP 00007ffeed500300 .text C:\windows\system32\wininit.exe[580] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00007ffe6d3dbbe0 5 bytes JMP 00007ffeed500360 .text C:\windows\system32\wininit.exe[580] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 00007ffe6d3dbc40 5 bytes JMP 00007ffeed5002a0 .text C:\windows\system32\wininit.exe[580] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00007ffe6d3dbc90 5 bytes JMP 00007ffeed5002c0 .text C:\windows\system32\wininit.exe[580] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 00007ffe6d3dbcc0 5 bytes JMP 00007ffeed500380 .text C:\windows\system32\wininit.exe[580] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 00007ffe6d3dbcd0 5 bytes JMP 00007ffeed500340 .text C:\windows\system32\wininit.exe[580] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00007ffe6d3dbfe0 5 bytes JMP 00007ffeed500440 .text C:\windows\system32\wininit.exe[580] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00007ffe6d3dc1e0 5 bytes JMP 00007ffeed500260 .text C:\windows\system32\wininit.exe[580] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00007ffe6d3dc1f0 5 bytes JMP 00007ffeed500270 .text C:\windows\system32\wininit.exe[580] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 00007ffe6d3dc210 5 bytes JMP 00007ffeed500400 .text C:\windows\system32\wininit.exe[580] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ffe6d3dc3f0 5 bytes JMP 00007ffeed5001f0 .text C:\windows\system32\wininit.exe[580] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00007ffe6d3dc400 5 bytes JMP 00007ffeed500210 .text C:\windows\system32\wininit.exe[580] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ffe6d3dc490 5 bytes JMP 00007ffeed500200 .text C:\windows\system32\wininit.exe[580] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00007ffe6d3dc500 5 bytes JMP 00007ffeed500420 .text C:\windows\system32\wininit.exe[580] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 00007ffe6d3dc510 5 bytes JMP 00007ffeed500430 .text C:\windows\system32\wininit.exe[580] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ffe6d3dc520 5 bytes JMP 00007ffeed500220 .text C:\windows\system32\wininit.exe[580] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 00007ffe6d3dc630 5 bytes JMP 00007ffeed500280 .text C:\windows\system32\csrss.exe[596] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00007ffe6d3dac30 5 bytes JMP 00007ffeed500460 .text C:\windows\system32\csrss.exe[596] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 00007ffe6d3dac80 5 bytes JMP 00007ffeed500450 .text C:\windows\system32\csrss.exe[596] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 00007ffe6d3dade0 1 byte JMP 00007ffeed500370 .text C:\windows\system32\csrss.exe[596] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess + 2 00007ffe6d3dade2 3 bytes {JMP 0xffffffff80125590} .text C:\windows\system32\csrss.exe[596] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00007ffe6d3dae30 5 bytes JMP 00007ffeed500470 .text C:\windows\system32\csrss.exe[596] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ffe6d3dae40 5 bytes JMP 00007ffeed5003e0 .text C:\windows\system32\csrss.exe[596] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 00007ffe6d3daef0 5 bytes JMP 00007ffeed500320 .text C:\windows\system32\csrss.exe[596] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffe6d3daf20 1 byte JMP 00007ffeed5003b0 .text C:\windows\system32\csrss.exe[596] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 2 00007ffe6d3daf22 3 bytes {JMP 0xffffffff80125490} .text C:\windows\system32\csrss.exe[596] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00007ffe6d3daf40 5 bytes JMP 00007ffeed500390 .text C:\windows\system32\csrss.exe[596] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 00007ffe6d3daf80 5 bytes JMP 00007ffeed5002e0 .text C:\windows\system32\csrss.exe[596] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 00007ffe6d3db000 5 bytes JMP 00007ffeed5002d0 .text C:\windows\system32\csrss.exe[596] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 00007ffe6d3db020 5 bytes JMP 00007ffeed500310 .text C:\windows\system32\csrss.exe[596] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 00007ffe6d3db060 5 bytes JMP 00007ffeed5003c0 .text C:\windows\system32\csrss.exe[596] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 00007ffe6d3db0b0 5 bytes JMP 00007ffeed5003f0 .text C:\windows\system32\csrss.exe[596] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00007ffe6d3db210 5 bytes JMP 00007ffeed500230 .text C:\windows\system32\csrss.exe[596] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ffe6d3db400 5 bytes JMP 00007ffeed500480 .text C:\windows\system32\csrss.exe[596] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00007ffe6d3db430 5 bytes JMP 00007ffeed5003a0 .text C:\windows\system32\csrss.exe[596] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ffe6d3db550 5 bytes JMP 00007ffeed5002f0 .text C:\windows\system32\csrss.exe[596] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00007ffe6d3db570 5 bytes JMP 00007ffeed500350 .text C:\windows\system32\csrss.exe[596] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 00007ffe6d3db5e0 5 bytes JMP 00007ffeed500290 .text C:\windows\system32\csrss.exe[596] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ffe6d3db670 5 bytes JMP 00007ffeed5002b0 .text C:\windows\system32\csrss.exe[596] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffe6d3db690 5 bytes JMP 00007ffeed5003d0 .text C:\windows\system32\csrss.exe[596] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 00007ffe6d3db6a0 1 byte JMP 00007ffeed500330 .text C:\windows\system32\csrss.exe[596] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00007ffe6d3db6a2 3 bytes {JMP 0xffffffff80124c90} .text C:\windows\system32\csrss.exe[596] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00007ffe6d3db750 5 bytes JMP 00007ffeed500410 .text C:\windows\system32\csrss.exe[596] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00007ffe6d3db780 5 bytes JMP 00007ffeed500240 .text C:\windows\system32\csrss.exe[596] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 00007ffe6d3dbaa0 5 bytes JMP 00007ffeed5001e0 .text C:\windows\system32\csrss.exe[596] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00007ffe6d3dbb60 5 bytes JMP 00007ffeed500250 .text C:\windows\system32\csrss.exe[596] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00007ffe6d3dbb90 5 bytes JMP 00007ffeed500490 .text C:\windows\system32\csrss.exe[596] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00007ffe6d3dbba0 5 bytes JMP 00007ffeed5004a0 .text C:\windows\system32\csrss.exe[596] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00007ffe6d3dbbd0 5 bytes JMP 00007ffeed500300 .text C:\windows\system32\csrss.exe[596] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00007ffe6d3dbbe0 5 bytes JMP 00007ffeed500360 .text C:\windows\system32\csrss.exe[596] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 00007ffe6d3dbc40 5 bytes JMP 00007ffeed5002a0 .text C:\windows\system32\csrss.exe[596] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00007ffe6d3dbc90 5 bytes JMP 00007ffeed5002c0 .text C:\windows\system32\csrss.exe[596] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 00007ffe6d3dbcc0 5 bytes JMP 00007ffeed500380 .text C:\windows\system32\csrss.exe[596] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 00007ffe6d3dbcd0 5 bytes JMP 00007ffeed500340 .text C:\windows\system32\csrss.exe[596] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00007ffe6d3dbfe0 5 bytes JMP 00007ffeed500440 .text C:\windows\system32\csrss.exe[596] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00007ffe6d3dc1e0 5 bytes JMP 00007ffeed500260 .text C:\windows\system32\csrss.exe[596] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00007ffe6d3dc1f0 5 bytes JMP 00007ffeed500270 .text C:\windows\system32\csrss.exe[596] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 00007ffe6d3dc210 5 bytes JMP 00007ffeed500400 .text C:\windows\system32\csrss.exe[596] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ffe6d3dc3f0 5 bytes JMP 00007ffeed5001f0 .text C:\windows\system32\csrss.exe[596] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00007ffe6d3dc400 5 bytes JMP 00007ffeed500210 .text C:\windows\system32\csrss.exe[596] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ffe6d3dc490 5 bytes JMP 00007ffeed500200 .text C:\windows\system32\csrss.exe[596] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00007ffe6d3dc500 5 bytes JMP 00007ffeed500420 .text C:\windows\system32\csrss.exe[596] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 00007ffe6d3dc510 5 bytes JMP 00007ffeed500430 .text C:\windows\system32\csrss.exe[596] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ffe6d3dc520 5 bytes JMP 00007ffeed500220 .text C:\windows\system32\csrss.exe[596] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 00007ffe6d3dc630 5 bytes JMP 00007ffeed500280 .text C:\windows\system32\services.exe[640] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00007ffe6d3dac30 5 bytes JMP 00007ffeed500460 .text C:\windows\system32\services.exe[640] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 00007ffe6d3dac80 5 bytes JMP 00007ffeed500450 .text C:\windows\system32\services.exe[640] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 00007ffe6d3dade0 1 byte JMP 00007ffeed500370 .text C:\windows\system32\services.exe[640] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess + 2 00007ffe6d3dade2 3 bytes {JMP 0xffffffff80125590} .text C:\windows\system32\services.exe[640] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00007ffe6d3dae30 5 bytes JMP 00007ffeed500470 .text C:\windows\system32\services.exe[640] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ffe6d3dae40 5 bytes JMP 00007ffeed5003e0 .text C:\windows\system32\services.exe[640] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 00007ffe6d3daef0 5 bytes JMP 00007ffeed500320 .text C:\windows\system32\services.exe[640] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffe6d3daf20 1 byte JMP 00007ffeed5003b0 .text C:\windows\system32\services.exe[640] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 2 00007ffe6d3daf22 3 bytes {JMP 0xffffffff80125490} .text C:\windows\system32\services.exe[640] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00007ffe6d3daf40 5 bytes JMP 00007ffeed500390 .text C:\windows\system32\services.exe[640] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 00007ffe6d3daf80 5 bytes JMP 00007ffeed5002e0 .text C:\windows\system32\services.exe[640] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 00007ffe6d3db000 5 bytes JMP 00007ffeed5002d0 .text C:\windows\system32\services.exe[640] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 00007ffe6d3db020 5 bytes JMP 00007ffeed500310 .text C:\windows\system32\services.exe[640] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 00007ffe6d3db060 5 bytes JMP 00007ffeed5003c0 .text C:\windows\system32\services.exe[640] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 00007ffe6d3db0b0 5 bytes JMP 00007ffeed5003f0 .text C:\windows\system32\services.exe[640] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00007ffe6d3db210 5 bytes JMP 00007ffeed500230 .text C:\windows\system32\services.exe[640] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ffe6d3db400 5 bytes JMP 00007ffeed500480 .text C:\windows\system32\services.exe[640] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00007ffe6d3db430 5 bytes JMP 00007ffeed5003a0 .text C:\windows\system32\services.exe[640] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ffe6d3db550 5 bytes JMP 00007ffeed5002f0 .text C:\windows\system32\services.exe[640] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00007ffe6d3db570 5 bytes JMP 00007ffeed500350 .text C:\windows\system32\services.exe[640] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 00007ffe6d3db5e0 5 bytes JMP 00007ffeed500290 .text C:\windows\system32\services.exe[640] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ffe6d3db670 5 bytes JMP 00007ffeed5002b0 .text C:\windows\system32\services.exe[640] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffe6d3db690 5 bytes JMP 00007ffeed5003d0 .text C:\windows\system32\services.exe[640] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 00007ffe6d3db6a0 1 byte JMP 00007ffeed500330 .text C:\windows\system32\services.exe[640] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00007ffe6d3db6a2 3 bytes {JMP 0xffffffff80124c90} .text C:\windows\system32\services.exe[640] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00007ffe6d3db750 5 bytes JMP 00007ffeed500410 .text C:\windows\system32\services.exe[640] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00007ffe6d3db780 5 bytes JMP 00007ffeed500240 .text C:\windows\system32\services.exe[640] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 00007ffe6d3dbaa0 5 bytes JMP 00007ffeed5001e0 .text C:\windows\system32\services.exe[640] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00007ffe6d3dbb60 5 bytes JMP 00007ffeed500250 .text C:\windows\system32\services.exe[640] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00007ffe6d3dbb90 5 bytes JMP 00007ffeed500490 .text C:\windows\system32\services.exe[640] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00007ffe6d3dbba0 5 bytes JMP 00007ffeed5004a0 .text C:\windows\system32\services.exe[640] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00007ffe6d3dbbd0 5 bytes JMP 00007ffeed500300 .text C:\windows\system32\services.exe[640] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00007ffe6d3dbbe0 5 bytes JMP 00007ffeed500360 .text C:\windows\system32\services.exe[640] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 00007ffe6d3dbc40 5 bytes JMP 00007ffeed5002a0 .text C:\windows\system32\services.exe[640] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00007ffe6d3dbc90 5 bytes JMP 00007ffeed5002c0 .text C:\windows\system32\services.exe[640] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 00007ffe6d3dbcc0 5 bytes JMP 00007ffeed500380 .text C:\windows\system32\services.exe[640] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 00007ffe6d3dbcd0 5 bytes JMP 00007ffeed500340 .text C:\windows\system32\services.exe[640] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00007ffe6d3dbfe0 5 bytes JMP 00007ffeed500440 .text C:\windows\system32\services.exe[640] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00007ffe6d3dc1e0 5 bytes JMP 00007ffeed500260 .text C:\windows\system32\services.exe[640] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00007ffe6d3dc1f0 5 bytes JMP 00007ffeed500270 .text C:\windows\system32\services.exe[640] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 00007ffe6d3dc210 5 bytes JMP 00007ffeed500400 .text C:\windows\system32\services.exe[640] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ffe6d3dc3f0 5 bytes JMP 00007ffeed5001f0 .text C:\windows\system32\services.exe[640] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00007ffe6d3dc400 5 bytes JMP 00007ffeed500210 .text C:\windows\system32\services.exe[640] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ffe6d3dc490 5 bytes JMP 00007ffeed500200 .text C:\windows\system32\services.exe[640] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00007ffe6d3dc500 5 bytes JMP 00007ffeed500420 .text C:\windows\system32\services.exe[640] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 00007ffe6d3dc510 5 bytes JMP 00007ffeed500430 .text C:\windows\system32\services.exe[640] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ffe6d3dc520 5 bytes JMP 00007ffeed500220 .text C:\windows\system32\services.exe[640] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 00007ffe6d3dc630 5 bytes JMP 00007ffeed500280 .text C:\windows\system32\lsass.exe[648] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00007ffe6d3dac30 5 bytes JMP 00007ffeed500460 .text C:\windows\system32\lsass.exe[648] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 00007ffe6d3dac80 5 bytes JMP 00007ffeed500450 .text C:\windows\system32\lsass.exe[648] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 00007ffe6d3dade0 1 byte JMP 00007ffeed500370 .text C:\windows\system32\lsass.exe[648] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess + 2 00007ffe6d3dade2 3 bytes {JMP 0xffffffff80125590} .text C:\windows\system32\lsass.exe[648] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00007ffe6d3dae30 5 bytes JMP 00007ffeed500470 .text C:\windows\system32\lsass.exe[648] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ffe6d3dae40 5 bytes JMP 00007ffeed5003e0 .text C:\windows\system32\lsass.exe[648] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 00007ffe6d3daef0 5 bytes JMP 00007ffeed500320 .text C:\windows\system32\lsass.exe[648] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffe6d3daf20 1 byte JMP 00007ffeed5003b0 .text C:\windows\system32\lsass.exe[648] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 2 00007ffe6d3daf22 3 bytes {JMP 0xffffffff80125490} .text C:\windows\system32\lsass.exe[648] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00007ffe6d3daf40 5 bytes JMP 00007ffeed500390 .text C:\windows\system32\lsass.exe[648] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 00007ffe6d3daf80 5 bytes JMP 00007ffeed5002e0 .text C:\windows\system32\lsass.exe[648] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 00007ffe6d3db000 5 bytes JMP 00007ffeed5002d0 .text C:\windows\system32\lsass.exe[648] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 00007ffe6d3db020 5 bytes JMP 00007ffeed500310 .text C:\windows\system32\lsass.exe[648] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 00007ffe6d3db060 5 bytes JMP 00007ffeed5003c0 .text C:\windows\system32\lsass.exe[648] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 00007ffe6d3db0b0 5 bytes JMP 00007ffeed5003f0 .text C:\windows\system32\lsass.exe[648] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00007ffe6d3db210 5 bytes JMP 00007ffeed500230 .text C:\windows\system32\lsass.exe[648] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ffe6d3db400 5 bytes JMP 00007ffeed500480 .text C:\windows\system32\lsass.exe[648] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00007ffe6d3db430 5 bytes JMP 00007ffeed5003a0 .text C:\windows\system32\lsass.exe[648] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ffe6d3db550 5 bytes JMP 00007ffeed5002f0 .text C:\windows\system32\lsass.exe[648] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00007ffe6d3db570 5 bytes JMP 00007ffeed500350 .text C:\windows\system32\lsass.exe[648] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 00007ffe6d3db5e0 5 bytes JMP 00007ffeed500290 .text C:\windows\system32\lsass.exe[648] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ffe6d3db670 5 bytes JMP 00007ffeed5002b0 .text C:\windows\system32\lsass.exe[648] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffe6d3db690 5 bytes JMP 00007ffeed5003d0 .text C:\windows\system32\lsass.exe[648] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 00007ffe6d3db6a0 1 byte JMP 00007ffeed500330 .text C:\windows\system32\lsass.exe[648] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00007ffe6d3db6a2 3 bytes {JMP 0xffffffff80124c90} .text C:\windows\system32\lsass.exe[648] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00007ffe6d3db750 5 bytes JMP 00007ffeed500410 .text C:\windows\system32\lsass.exe[648] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00007ffe6d3db780 5 bytes JMP 00007ffeed500240 .text C:\windows\system32\lsass.exe[648] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 00007ffe6d3dbaa0 5 bytes JMP 00007ffeed5001e0 .text C:\windows\system32\lsass.exe[648] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00007ffe6d3dbb60 5 bytes JMP 00007ffeed500250 .text C:\windows\system32\lsass.exe[648] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00007ffe6d3dbb90 5 bytes JMP 00007ffeed500490 .text C:\windows\system32\lsass.exe[648] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00007ffe6d3dbba0 5 bytes JMP 00007ffeed5004a0 .text C:\windows\system32\lsass.exe[648] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00007ffe6d3dbbd0 5 bytes JMP 00007ffeed500300 .text C:\windows\system32\lsass.exe[648] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00007ffe6d3dbbe0 5 bytes JMP 00007ffeed500360 .text C:\windows\system32\lsass.exe[648] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 00007ffe6d3dbc40 5 bytes JMP 00007ffeed5002a0 .text C:\windows\system32\lsass.exe[648] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00007ffe6d3dbc90 5 bytes JMP 00007ffeed5002c0 .text C:\windows\system32\lsass.exe[648] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 00007ffe6d3dbcc0 5 bytes JMP 00007ffeed500380 .text C:\windows\system32\lsass.exe[648] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 00007ffe6d3dbcd0 5 bytes JMP 00007ffeed500340 .text C:\windows\system32\lsass.exe[648] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00007ffe6d3dbfe0 5 bytes JMP 00007ffeed500440 .text C:\windows\system32\lsass.exe[648] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00007ffe6d3dc1e0 5 bytes JMP 00007ffeed500260 .text C:\windows\system32\lsass.exe[648] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00007ffe6d3dc1f0 5 bytes JMP 00007ffeed500270 .text C:\windows\system32\lsass.exe[648] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 00007ffe6d3dc210 5 bytes JMP 00007ffeed500400 .text C:\windows\system32\lsass.exe[648] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ffe6d3dc3f0 5 bytes JMP 00007ffeed5001f0 .text C:\windows\system32\lsass.exe[648] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00007ffe6d3dc400 5 bytes JMP 00007ffeed500210 .text C:\windows\system32\lsass.exe[648] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ffe6d3dc490 5 bytes JMP 00007ffeed500200 .text C:\windows\system32\lsass.exe[648] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00007ffe6d3dc500 5 bytes JMP 00007ffeed500420 .text C:\windows\system32\lsass.exe[648] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 00007ffe6d3dc510 5 bytes JMP 00007ffeed500430 .text C:\windows\system32\lsass.exe[648] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ffe6d3dc520 5 bytes JMP 00007ffeed500220 .text C:\windows\system32\lsass.exe[648] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 00007ffe6d3dc630 5 bytes JMP 00007ffeed500280 .text C:\windows\system32\winlogon.exe[708] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00007ffe6d3dac30 5 bytes JMP 00007ffeed500460 .text C:\windows\system32\winlogon.exe[708] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 00007ffe6d3dac80 5 bytes JMP 00007ffeed500450 .text C:\windows\system32\winlogon.exe[708] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 00007ffe6d3dade0 1 byte JMP 00007ffeed500370 .text C:\windows\system32\winlogon.exe[708] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess + 2 00007ffe6d3dade2 3 bytes {JMP 0xffffffff80125590} .text C:\windows\system32\winlogon.exe[708] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00007ffe6d3dae30 5 bytes JMP 00007ffeed500470 .text C:\windows\system32\winlogon.exe[708] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ffe6d3dae40 5 bytes JMP 00007ffeed5003e0 .text C:\windows\system32\winlogon.exe[708] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 00007ffe6d3daef0 5 bytes JMP 00007ffeed500320 .text C:\windows\system32\winlogon.exe[708] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffe6d3daf20 1 byte JMP 00007ffeed5003b0 .text C:\windows\system32\winlogon.exe[708] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 2 00007ffe6d3daf22 3 bytes {JMP 0xffffffff80125490} .text C:\windows\system32\winlogon.exe[708] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00007ffe6d3daf40 5 bytes JMP 00007ffeed500390 .text C:\windows\system32\winlogon.exe[708] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 00007ffe6d3daf80 5 bytes JMP 00007ffeed5002e0 .text C:\windows\system32\winlogon.exe[708] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 00007ffe6d3db000 5 bytes JMP 00007ffeed5002d0 .text C:\windows\system32\winlogon.exe[708] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 00007ffe6d3db020 5 bytes JMP 00007ffeed500310 .text C:\windows\system32\winlogon.exe[708] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 00007ffe6d3db060 5 bytes JMP 00007ffeed5003c0 .text C:\windows\system32\winlogon.exe[708] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 00007ffe6d3db0b0 5 bytes JMP 00007ffeed5003f0 .text C:\windows\system32\winlogon.exe[708] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00007ffe6d3db210 5 bytes JMP 00007ffeed500230 .text C:\windows\system32\winlogon.exe[708] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ffe6d3db400 5 bytes JMP 00007ffeed500480 .text C:\windows\system32\winlogon.exe[708] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00007ffe6d3db430 5 bytes JMP 00007ffeed5003a0 .text C:\windows\system32\winlogon.exe[708] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ffe6d3db550 5 bytes JMP 00007ffeed5002f0 .text C:\windows\system32\winlogon.exe[708] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00007ffe6d3db570 5 bytes JMP 00007ffeed500350 .text C:\windows\system32\winlogon.exe[708] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 00007ffe6d3db5e0 5 bytes JMP 00007ffeed500290 .text C:\windows\system32\winlogon.exe[708] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ffe6d3db670 5 bytes JMP 00007ffeed5002b0 .text C:\windows\system32\winlogon.exe[708] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffe6d3db690 5 bytes JMP 00007ffeed5003d0 .text C:\windows\system32\winlogon.exe[708] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 00007ffe6d3db6a0 1 byte JMP 00007ffeed500330 .text C:\windows\system32\winlogon.exe[708] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00007ffe6d3db6a2 3 bytes {JMP 0xffffffff80124c90} .text C:\windows\system32\winlogon.exe[708] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00007ffe6d3db750 5 bytes JMP 00007ffeed500410 .text C:\windows\system32\winlogon.exe[708] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00007ffe6d3db780 5 bytes JMP 00007ffeed500240 .text C:\windows\system32\winlogon.exe[708] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 00007ffe6d3dbaa0 5 bytes JMP 00007ffeed5001e0 .text C:\windows\system32\winlogon.exe[708] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00007ffe6d3dbb60 5 bytes JMP 00007ffeed500250 .text C:\windows\system32\winlogon.exe[708] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00007ffe6d3dbb90 5 bytes JMP 00007ffeed500490 .text C:\windows\system32\winlogon.exe[708] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00007ffe6d3dbba0 5 bytes JMP 00007ffeed5004a0 .text C:\windows\system32\winlogon.exe[708] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00007ffe6d3dbbd0 5 bytes JMP 00007ffeed500300 .text C:\windows\system32\winlogon.exe[708] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00007ffe6d3dbbe0 5 bytes JMP 00007ffeed500360 .text C:\windows\system32\winlogon.exe[708] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 00007ffe6d3dbc40 5 bytes JMP 00007ffeed5002a0 .text C:\windows\system32\winlogon.exe[708] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00007ffe6d3dbc90 5 bytes JMP 00007ffeed5002c0 .text C:\windows\system32\winlogon.exe[708] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 00007ffe6d3dbcc0 5 bytes JMP 00007ffeed500380 .text C:\windows\system32\winlogon.exe[708] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 00007ffe6d3dbcd0 5 bytes JMP 00007ffeed500340 .text C:\windows\system32\winlogon.exe[708] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00007ffe6d3dbfe0 5 bytes JMP 00007ffeed500440 .text C:\windows\system32\winlogon.exe[708] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00007ffe6d3dc1e0 5 bytes JMP 00007ffeed500260 .text C:\windows\system32\winlogon.exe[708] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00007ffe6d3dc1f0 5 bytes JMP 00007ffeed500270 .text C:\windows\system32\winlogon.exe[708] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 00007ffe6d3dc210 5 bytes JMP 00007ffeed500400 .text C:\windows\system32\winlogon.exe[708] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ffe6d3dc3f0 5 bytes JMP 00007ffeed5001f0 .text C:\windows\system32\winlogon.exe[708] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00007ffe6d3dc400 5 bytes JMP 00007ffeed500210 .text C:\windows\system32\winlogon.exe[708] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ffe6d3dc490 5 bytes JMP 00007ffeed500200 .text C:\windows\system32\winlogon.exe[708] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00007ffe6d3dc500 5 bytes JMP 00007ffeed500420 .text C:\windows\system32\winlogon.exe[708] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 00007ffe6d3dc510 5 bytes JMP 00007ffeed500430 .text C:\windows\system32\winlogon.exe[708] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ffe6d3dc520 5 bytes JMP 00007ffeed500220 .text C:\windows\system32\winlogon.exe[708] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 00007ffe6d3dc630 5 bytes JMP 00007ffeed500280 .text C:\windows\system32\svchost.exe[768] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00007ffe6d3dac30 5 bytes JMP 00007ffeed500460 .text C:\windows\system32\svchost.exe[768] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 00007ffe6d3dac80 5 bytes JMP 00007ffeed500450 .text C:\windows\system32\svchost.exe[768] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 00007ffe6d3dade0 1 byte JMP 00007ffeed500370 .text C:\windows\system32\svchost.exe[768] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess + 2 00007ffe6d3dade2 3 bytes {JMP 0xffffffff80125590} .text C:\windows\system32\svchost.exe[768] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00007ffe6d3dae30 5 bytes JMP 00007ffeed500470 .text C:\windows\system32\svchost.exe[768] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ffe6d3dae40 5 bytes JMP 00007ffeed5003e0 .text C:\windows\system32\svchost.exe[768] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 00007ffe6d3daef0 5 bytes JMP 00007ffeed500320 .text C:\windows\system32\svchost.exe[768] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffe6d3daf20 1 byte JMP 00007ffeed5003b0 .text C:\windows\system32\svchost.exe[768] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 2 00007ffe6d3daf22 3 bytes {JMP 0xffffffff80125490} .text C:\windows\system32\svchost.exe[768] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00007ffe6d3daf40 5 bytes JMP 00007ffeed500390 .text C:\windows\system32\svchost.exe[768] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 00007ffe6d3daf80 5 bytes JMP 00007ffeed5002e0 .text C:\windows\system32\svchost.exe[768] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 00007ffe6d3db000 5 bytes JMP 00007ffeed5002d0 .text C:\windows\system32\svchost.exe[768] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 00007ffe6d3db020 5 bytes JMP 00007ffeed500310 .text C:\windows\system32\svchost.exe[768] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 00007ffe6d3db060 5 bytes JMP 00007ffeed5003c0 .text C:\windows\system32\svchost.exe[768] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 00007ffe6d3db0b0 5 bytes JMP 00007ffeed5003f0 .text C:\windows\system32\svchost.exe[768] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00007ffe6d3db210 5 bytes JMP 00007ffeed500230 .text C:\windows\system32\svchost.exe[768] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ffe6d3db400 5 bytes JMP 00007ffeed500480 .text C:\windows\system32\svchost.exe[768] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00007ffe6d3db430 5 bytes JMP 00007ffeed5003a0 .text C:\windows\system32\svchost.exe[768] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ffe6d3db550 5 bytes JMP 00007ffeed5002f0 .text C:\windows\system32\svchost.exe[768] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00007ffe6d3db570 5 bytes JMP 00007ffeed500350 .text C:\windows\system32\svchost.exe[768] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 00007ffe6d3db5e0 5 bytes JMP 00007ffeed500290 .text C:\windows\system32\svchost.exe[768] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ffe6d3db670 5 bytes JMP 00007ffeed5002b0 .text C:\windows\system32\svchost.exe[768] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffe6d3db690 5 bytes JMP 00007ffeed5003d0 .text C:\windows\system32\svchost.exe[768] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 00007ffe6d3db6a0 1 byte JMP 00007ffeed500330 .text C:\windows\system32\svchost.exe[768] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00007ffe6d3db6a2 3 bytes {JMP 0xffffffff80124c90} .text C:\windows\system32\svchost.exe[768] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00007ffe6d3db750 5 bytes JMP 00007ffeed500410 .text C:\windows\system32\svchost.exe[768] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00007ffe6d3db780 5 bytes JMP 00007ffeed500240 .text C:\windows\system32\svchost.exe[768] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 00007ffe6d3dbaa0 5 bytes JMP 00007ffeed5001e0 .text C:\windows\system32\svchost.exe[768] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00007ffe6d3dbb60 5 bytes JMP 00007ffeed500250 .text C:\windows\system32\svchost.exe[768] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00007ffe6d3dbb90 5 bytes JMP 00007ffeed500490 .text C:\windows\system32\svchost.exe[768] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00007ffe6d3dbba0 5 bytes JMP 00007ffeed5004a0 .text C:\windows\system32\svchost.exe[768] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00007ffe6d3dbbd0 5 bytes JMP 00007ffeed500300 .text C:\windows\system32\svchost.exe[768] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00007ffe6d3dbbe0 5 bytes JMP 00007ffeed500360 .text C:\windows\system32\svchost.exe[768] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 00007ffe6d3dbc40 5 bytes JMP 00007ffeed5002a0 .text C:\windows\system32\svchost.exe[768] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00007ffe6d3dbc90 5 bytes JMP 00007ffeed5002c0 .text C:\windows\system32\svchost.exe[768] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 00007ffe6d3dbcc0 5 bytes JMP 00007ffeed500380 .text C:\windows\system32\svchost.exe[768] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 00007ffe6d3dbcd0 5 bytes JMP 00007ffeed500340 .text C:\windows\system32\svchost.exe[768] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00007ffe6d3dbfe0 5 bytes JMP 00007ffeed500440 .text C:\windows\system32\svchost.exe[768] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00007ffe6d3dc1e0 5 bytes JMP 00007ffeed500260 .text C:\windows\system32\svchost.exe[768] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00007ffe6d3dc1f0 5 bytes JMP 00007ffeed500270 .text C:\windows\system32\svchost.exe[768] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 00007ffe6d3dc210 5 bytes JMP 00007ffeed500400 .text C:\windows\system32\svchost.exe[768] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ffe6d3dc3f0 5 bytes JMP 00007ffeed5001f0 .text C:\windows\system32\svchost.exe[768] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00007ffe6d3dc400 5 bytes JMP 00007ffeed500210 .text C:\windows\system32\svchost.exe[768] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ffe6d3dc490 5 bytes JMP 00007ffeed500200 .text C:\windows\system32\svchost.exe[768] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00007ffe6d3dc500 5 bytes JMP 00007ffeed500420 .text C:\windows\system32\svchost.exe[768] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 00007ffe6d3dc510 5 bytes JMP 00007ffeed500430 .text C:\windows\system32\svchost.exe[768] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ffe6d3dc520 5 bytes JMP 00007ffeed500220 .text C:\windows\system32\svchost.exe[768] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 00007ffe6d3dc630 5 bytes JMP 00007ffeed500280 .text C:\windows\system32\svchost.exe[808] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00007ffe6d3dac30 5 bytes JMP 00007ffeed500460 .text C:\windows\system32\svchost.exe[808] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 00007ffe6d3dac80 5 bytes JMP 00007ffeed500450 .text C:\windows\system32\svchost.exe[808] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 00007ffe6d3dade0 1 byte JMP 00007ffeed500370 .text C:\windows\system32\svchost.exe[808] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess + 2 00007ffe6d3dade2 3 bytes {JMP 0xffffffff80125590} .text C:\windows\system32\svchost.exe[808] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00007ffe6d3dae30 5 bytes JMP 00007ffeed500470 .text C:\windows\system32\svchost.exe[808] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ffe6d3dae40 5 bytes JMP 00007ffeed5003e0 .text C:\windows\system32\svchost.exe[808] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 00007ffe6d3daef0 5 bytes JMP 00007ffeed500320 .text C:\windows\system32\svchost.exe[808] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffe6d3daf20 1 byte JMP 00007ffeed5003b0 .text C:\windows\system32\svchost.exe[808] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 2 00007ffe6d3daf22 3 bytes {JMP 0xffffffff80125490} .text C:\windows\system32\svchost.exe[808] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00007ffe6d3daf40 5 bytes JMP 00007ffeed500390 .text C:\windows\system32\svchost.exe[808] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 00007ffe6d3daf80 5 bytes JMP 00007ffeed5002e0 .text C:\windows\system32\svchost.exe[808] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 00007ffe6d3db000 5 bytes JMP 00007ffeed5002d0 .text C:\windows\system32\svchost.exe[808] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 00007ffe6d3db020 5 bytes JMP 00007ffeed500310 .text C:\windows\system32\svchost.exe[808] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 00007ffe6d3db060 5 bytes JMP 00007ffeed5003c0 .text C:\windows\system32\svchost.exe[808] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 00007ffe6d3db0b0 5 bytes JMP 00007ffeed5003f0 .text C:\windows\system32\svchost.exe[808] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00007ffe6d3db210 5 bytes JMP 00007ffeed500230 .text C:\windows\system32\svchost.exe[808] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ffe6d3db400 5 bytes JMP 00007ffeed500480 .text C:\windows\system32\svchost.exe[808] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00007ffe6d3db430 5 bytes JMP 00007ffeed5003a0 .text C:\windows\system32\svchost.exe[808] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ffe6d3db550 5 bytes JMP 00007ffeed5002f0 .text C:\windows\system32\svchost.exe[808] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00007ffe6d3db570 5 bytes JMP 00007ffeed500350 .text C:\windows\system32\svchost.exe[808] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 00007ffe6d3db5e0 5 bytes JMP 00007ffeed500290 .text C:\windows\system32\svchost.exe[808] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ffe6d3db670 5 bytes JMP 00007ffeed5002b0 .text C:\windows\system32\svchost.exe[808] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffe6d3db690 5 bytes JMP 00007ffeed5003d0 .text C:\windows\system32\svchost.exe[808] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 00007ffe6d3db6a0 1 byte JMP 00007ffeed500330 .text C:\windows\system32\svchost.exe[808] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00007ffe6d3db6a2 3 bytes {JMP 0xffffffff80124c90} .text C:\windows\system32\svchost.exe[808] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00007ffe6d3db750 5 bytes JMP 00007ffeed500410 .text C:\windows\system32\svchost.exe[808] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00007ffe6d3db780 5 bytes JMP 00007ffeed500240 .text C:\windows\system32\svchost.exe[808] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 00007ffe6d3dbaa0 5 bytes JMP 00007ffeed5001e0 .text C:\windows\system32\svchost.exe[808] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00007ffe6d3dbb60 5 bytes JMP 00007ffeed500250 .text C:\windows\system32\svchost.exe[808] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00007ffe6d3dbb90 5 bytes JMP 00007ffeed500490 .text C:\windows\system32\svchost.exe[808] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00007ffe6d3dbba0 5 bytes JMP 00007ffeed5004a0 .text C:\windows\system32\svchost.exe[808] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00007ffe6d3dbbd0 5 bytes JMP 00007ffeed500300 .text C:\windows\system32\svchost.exe[808] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00007ffe6d3dbbe0 5 bytes JMP 00007ffeed500360 .text C:\windows\system32\svchost.exe[808] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 00007ffe6d3dbc40 5 bytes JMP 00007ffeed5002a0 .text C:\windows\system32\svchost.exe[808] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00007ffe6d3dbc90 5 bytes JMP 00007ffeed5002c0 .text C:\windows\system32\svchost.exe[808] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 00007ffe6d3dbcc0 5 bytes JMP 00007ffeed500380 .text C:\windows\system32\svchost.exe[808] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 00007ffe6d3dbcd0 5 bytes JMP 00007ffeed500340 .text C:\windows\system32\svchost.exe[808] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00007ffe6d3dbfe0 5 bytes JMP 00007ffeed500440 .text C:\windows\system32\svchost.exe[808] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00007ffe6d3dc1e0 5 bytes JMP 00007ffeed500260 .text C:\windows\system32\svchost.exe[808] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00007ffe6d3dc1f0 5 bytes JMP 00007ffeed500270 .text C:\windows\system32\svchost.exe[808] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 00007ffe6d3dc210 5 bytes JMP 00007ffeed500400 .text C:\windows\system32\svchost.exe[808] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ffe6d3dc3f0 5 bytes JMP 00007ffeed5001f0 .text C:\windows\system32\svchost.exe[808] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00007ffe6d3dc400 5 bytes JMP 00007ffeed500210 .text C:\windows\system32\svchost.exe[808] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ffe6d3dc490 5 bytes JMP 00007ffeed500200 .text C:\windows\system32\svchost.exe[808] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00007ffe6d3dc500 5 bytes JMP 00007ffeed500420 .text C:\windows\system32\svchost.exe[808] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 00007ffe6d3dc510 5 bytes JMP 00007ffeed500430 .text C:\windows\system32\svchost.exe[808] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ffe6d3dc520 5 bytes JMP 00007ffeed500220 .text C:\windows\system32\svchost.exe[808] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 00007ffe6d3dc630 5 bytes JMP 00007ffeed500280 .text C:\windows\system32\atiesrxx.exe[928] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00007ffe6d3dac30 5 bytes JMP 00007ffeed500460 .text C:\windows\system32\atiesrxx.exe[928] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 00007ffe6d3dac80 5 bytes JMP 00007ffeed500450 .text C:\windows\system32\atiesrxx.exe[928] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 00007ffe6d3dade0 1 byte JMP 00007ffeed500370 .text C:\windows\system32\atiesrxx.exe[928] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess + 2 00007ffe6d3dade2 3 bytes {JMP 0xffffffff80125590} .text C:\windows\system32\atiesrxx.exe[928] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00007ffe6d3dae30 5 bytes JMP 00007ffeed500470 .text C:\windows\system32\atiesrxx.exe[928] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ffe6d3dae40 5 bytes JMP 00007ffeed5003e0 .text C:\windows\system32\atiesrxx.exe[928] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 00007ffe6d3daef0 5 bytes JMP 00007ffeed500320 .text C:\windows\system32\atiesrxx.exe[928] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffe6d3daf20 1 byte JMP 00007ffeed5003b0 .text C:\windows\system32\atiesrxx.exe[928] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 2 00007ffe6d3daf22 3 bytes {JMP 0xffffffff80125490} .text C:\windows\system32\atiesrxx.exe[928] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00007ffe6d3daf40 5 bytes JMP 00007ffeed500390 .text C:\windows\system32\atiesrxx.exe[928] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 00007ffe6d3daf80 5 bytes JMP 00007ffeed5002e0 .text C:\windows\system32\atiesrxx.exe[928] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 00007ffe6d3db000 5 bytes JMP 00007ffeed5002d0 .text C:\windows\system32\atiesrxx.exe[928] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 00007ffe6d3db020 5 bytes JMP 00007ffeed500310 .text C:\windows\system32\atiesrxx.exe[928] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 00007ffe6d3db060 5 bytes JMP 00007ffeed5003c0 .text C:\windows\system32\atiesrxx.exe[928] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 00007ffe6d3db0b0 5 bytes JMP 00007ffeed5003f0 .text C:\windows\system32\atiesrxx.exe[928] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00007ffe6d3db210 5 bytes JMP 00007ffeed500230 .text C:\windows\system32\atiesrxx.exe[928] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ffe6d3db400 5 bytes JMP 00007ffeed500480 .text C:\windows\system32\atiesrxx.exe[928] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00007ffe6d3db430 5 bytes JMP 00007ffeed5003a0 .text C:\windows\system32\atiesrxx.exe[928] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ffe6d3db550 5 bytes JMP 00007ffeed5002f0 .text C:\windows\system32\atiesrxx.exe[928] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00007ffe6d3db570 5 bytes JMP 00007ffeed500350 .text C:\windows\system32\atiesrxx.exe[928] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 00007ffe6d3db5e0 5 bytes JMP 00007ffeed500290 .text C:\windows\system32\atiesrxx.exe[928] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ffe6d3db670 5 bytes JMP 00007ffeed5002b0 .text C:\windows\system32\atiesrxx.exe[928] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffe6d3db690 5 bytes JMP 00007ffeed5003d0 .text C:\windows\system32\atiesrxx.exe[928] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 00007ffe6d3db6a0 1 byte JMP 00007ffeed500330 .text C:\windows\system32\atiesrxx.exe[928] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00007ffe6d3db6a2 3 bytes {JMP 0xffffffff80124c90} .text C:\windows\system32\atiesrxx.exe[928] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00007ffe6d3db750 5 bytes JMP 00007ffeed500410 .text C:\windows\system32\atiesrxx.exe[928] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00007ffe6d3db780 5 bytes JMP 00007ffeed500240 .text C:\windows\system32\atiesrxx.exe[928] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 00007ffe6d3dbaa0 5 bytes JMP 00007ffeed5001e0 .text C:\windows\system32\atiesrxx.exe[928] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00007ffe6d3dbb60 5 bytes JMP 00007ffeed500250 .text C:\windows\system32\atiesrxx.exe[928] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00007ffe6d3dbb90 5 bytes JMP 00007ffeed500490 .text C:\windows\system32\atiesrxx.exe[928] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00007ffe6d3dbba0 5 bytes JMP 00007ffeed5004a0 .text C:\windows\system32\atiesrxx.exe[928] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00007ffe6d3dbbd0 5 bytes JMP 00007ffeed500300 .text C:\windows\system32\atiesrxx.exe[928] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00007ffe6d3dbbe0 5 bytes JMP 00007ffeed500360 .text C:\windows\system32\atiesrxx.exe[928] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 00007ffe6d3dbc40 5 bytes JMP 00007ffeed5002a0 .text C:\windows\system32\atiesrxx.exe[928] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00007ffe6d3dbc90 5 bytes JMP 00007ffeed5002c0 .text C:\windows\system32\atiesrxx.exe[928] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 00007ffe6d3dbcc0 5 bytes JMP 00007ffeed500380 .text C:\windows\system32\atiesrxx.exe[928] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 00007ffe6d3dbcd0 5 bytes JMP 00007ffeed500340 .text C:\windows\system32\atiesrxx.exe[928] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00007ffe6d3dbfe0 5 bytes JMP 00007ffeed500440 .text C:\windows\system32\atiesrxx.exe[928] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00007ffe6d3dc1e0 5 bytes JMP 00007ffeed500260 .text C:\windows\system32\atiesrxx.exe[928] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00007ffe6d3dc1f0 5 bytes JMP 00007ffeed500270 .text C:\windows\system32\atiesrxx.exe[928] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 00007ffe6d3dc210 5 bytes JMP 00007ffeed500400 .text C:\windows\system32\atiesrxx.exe[928] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ffe6d3dc3f0 5 bytes JMP 00007ffeed5001f0 .text C:\windows\system32\atiesrxx.exe[928] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00007ffe6d3dc400 5 bytes JMP 00007ffeed500210 .text C:\windows\system32\atiesrxx.exe[928] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ffe6d3dc490 5 bytes JMP 00007ffeed500200 .text C:\windows\system32\atiesrxx.exe[928] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00007ffe6d3dc500 5 bytes JMP 00007ffeed500420 .text C:\windows\system32\atiesrxx.exe[928] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 00007ffe6d3dc510 5 bytes JMP 00007ffeed500430 .text C:\windows\system32\atiesrxx.exe[928] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ffe6d3dc520 5 bytes JMP 00007ffeed500220 .text C:\windows\system32\atiesrxx.exe[928] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 00007ffe6d3dc630 5 bytes JMP 00007ffeed500280 .text C:\windows\system32\atiesrxx.exe[928] C:\windows\system32\PSAPI.DLL!GetModuleBaseNameA + 506 00007ffe6b23169a 4 bytes [23, 6B, FE, 7F] .text C:\windows\system32\atiesrxx.exe[928] C:\windows\system32\PSAPI.DLL!GetModuleBaseNameA + 514 00007ffe6b2316a2 4 bytes [23, 6B, FE, 7F] .text C:\windows\system32\atiesrxx.exe[928] C:\windows\system32\PSAPI.DLL!QueryWorkingSet + 118 00007ffe6b23181a 4 bytes [23, 6B, FE, 7F] .text C:\windows\system32\atiesrxx.exe[928] C:\windows\system32\PSAPI.DLL!QueryWorkingSet + 142 00007ffe6b231832 4 bytes [23, 6B, FE, 7F] .text C:\windows\System32\svchost.exe[956] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00007ffe6d3dac30 5 bytes JMP 00007ffeed500460 .text C:\windows\System32\svchost.exe[956] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 00007ffe6d3dac80 5 bytes JMP 00007ffeed500450 .text C:\windows\System32\svchost.exe[956] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 00007ffe6d3dade0 1 byte JMP 00007ffeed500370 .text C:\windows\System32\svchost.exe[956] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess + 2 00007ffe6d3dade2 3 bytes {JMP 0xffffffff80125590} .text C:\windows\System32\svchost.exe[956] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00007ffe6d3dae30 5 bytes JMP 00007ffeed500470 .text C:\windows\System32\svchost.exe[956] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ffe6d3dae40 5 bytes JMP 00007ffeed5003e0 .text C:\windows\System32\svchost.exe[956] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 00007ffe6d3daef0 5 bytes JMP 00007ffeed500320 .text C:\windows\System32\svchost.exe[956] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffe6d3daf20 1 byte JMP 00007ffeed5003b0 .text C:\windows\System32\svchost.exe[956] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 2 00007ffe6d3daf22 3 bytes {JMP 0xffffffff80125490} .text C:\windows\System32\svchost.exe[956] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00007ffe6d3daf40 5 bytes JMP 00007ffeed500390 .text C:\windows\System32\svchost.exe[956] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 00007ffe6d3daf80 5 bytes JMP 00007ffeed5002e0 .text C:\windows\System32\svchost.exe[956] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 00007ffe6d3db000 5 bytes JMP 00007ffeed5002d0 .text C:\windows\System32\svchost.exe[956] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 00007ffe6d3db020 5 bytes JMP 00007ffeed500310 .text C:\windows\System32\svchost.exe[956] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 00007ffe6d3db060 5 bytes JMP 00007ffeed5003c0 .text C:\windows\System32\svchost.exe[956] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 00007ffe6d3db0b0 5 bytes JMP 00007ffeed5003f0 .text C:\windows\System32\svchost.exe[956] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00007ffe6d3db210 5 bytes JMP 00007ffeed500230 .text C:\windows\System32\svchost.exe[956] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ffe6d3db400 5 bytes JMP 00007ffeed500480 .text C:\windows\System32\svchost.exe[956] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00007ffe6d3db430 5 bytes JMP 00007ffeed5003a0 .text C:\windows\System32\svchost.exe[956] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ffe6d3db550 5 bytes JMP 00007ffeed5002f0 .text C:\windows\System32\svchost.exe[956] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00007ffe6d3db570 5 bytes JMP 00007ffeed500350 .text C:\windows\System32\svchost.exe[956] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 00007ffe6d3db5e0 5 bytes JMP 00007ffeed500290 .text C:\windows\System32\svchost.exe[956] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ffe6d3db670 5 bytes JMP 00007ffeed5002b0 .text C:\windows\System32\svchost.exe[956] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffe6d3db690 5 bytes JMP 00007ffeed5003d0 .text C:\windows\System32\svchost.exe[956] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 00007ffe6d3db6a0 1 byte JMP 00007ffeed500330 .text C:\windows\System32\svchost.exe[956] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00007ffe6d3db6a2 3 bytes {JMP 0xffffffff80124c90} .text C:\windows\System32\svchost.exe[956] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00007ffe6d3db750 5 bytes JMP 00007ffeed500410 .text C:\windows\System32\svchost.exe[956] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00007ffe6d3db780 5 bytes JMP 00007ffeed500240 .text C:\windows\System32\svchost.exe[956] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 00007ffe6d3dbaa0 5 bytes JMP 00007ffeed5001e0 .text C:\windows\System32\svchost.exe[956] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00007ffe6d3dbb60 5 bytes JMP 00007ffeed500250 .text C:\windows\System32\svchost.exe[956] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00007ffe6d3dbb90 5 bytes JMP 00007ffeed500490 .text C:\windows\System32\svchost.exe[956] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00007ffe6d3dbba0 5 bytes JMP 00007ffeed5004a0 .text C:\windows\System32\svchost.exe[956] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00007ffe6d3dbbd0 5 bytes JMP 00007ffeed500300 .text C:\windows\System32\svchost.exe[956] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00007ffe6d3dbbe0 5 bytes JMP 00007ffeed500360 .text C:\windows\System32\svchost.exe[956] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 00007ffe6d3dbc40 5 bytes JMP 00007ffeed5002a0 .text C:\windows\System32\svchost.exe[956] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00007ffe6d3dbc90 5 bytes JMP 00007ffeed5002c0 .text C:\windows\System32\svchost.exe[956] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 00007ffe6d3dbcc0 5 bytes JMP 00007ffeed500380 .text C:\windows\System32\svchost.exe[956] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 00007ffe6d3dbcd0 5 bytes JMP 00007ffeed500340 .text C:\windows\System32\svchost.exe[956] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00007ffe6d3dbfe0 5 bytes JMP 00007ffeed500440 .text C:\windows\System32\svchost.exe[956] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00007ffe6d3dc1e0 5 bytes JMP 00007ffeed500260 .text C:\windows\System32\svchost.exe[956] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00007ffe6d3dc1f0 5 bytes JMP 00007ffeed500270 .text C:\windows\System32\svchost.exe[956] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 00007ffe6d3dc210 5 bytes JMP 00007ffeed500400 .text C:\windows\System32\svchost.exe[956] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ffe6d3dc3f0 5 bytes JMP 00007ffeed5001f0 .text C:\windows\System32\svchost.exe[956] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00007ffe6d3dc400 5 bytes JMP 00007ffeed500210 .text C:\windows\System32\svchost.exe[956] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ffe6d3dc490 5 bytes JMP 00007ffeed500200 .text C:\windows\System32\svchost.exe[956] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00007ffe6d3dc500 5 bytes JMP 00007ffeed500420 .text C:\windows\System32\svchost.exe[956] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 00007ffe6d3dc510 5 bytes JMP 00007ffeed500430 .text C:\windows\System32\svchost.exe[956] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ffe6d3dc520 5 bytes JMP 00007ffeed500220 .text C:\windows\System32\svchost.exe[956] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 00007ffe6d3dc630 5 bytes JMP 00007ffeed500280 .text C:\windows\system32\svchost.exe[980] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00007ffe6d3dac30 5 bytes JMP 00007ffeed500460 .text C:\windows\system32\svchost.exe[980] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 00007ffe6d3dac80 5 bytes JMP 00007ffeed500450 .text C:\windows\system32\svchost.exe[980] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 00007ffe6d3dade0 1 byte JMP 00007ffeed500370 .text C:\windows\system32\svchost.exe[980] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess + 2 00007ffe6d3dade2 3 bytes {JMP 0xffffffff80125590} .text C:\windows\system32\svchost.exe[980] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00007ffe6d3dae30 5 bytes JMP 00007ffeed500470 .text C:\windows\system32\svchost.exe[980] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ffe6d3dae40 5 bytes JMP 00007ffeed5003e0 .text C:\windows\system32\svchost.exe[980] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 00007ffe6d3daef0 5 bytes JMP 00007ffeed500320 .text C:\windows\system32\svchost.exe[980] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffe6d3daf20 1 byte JMP 00007ffeed5003b0 .text C:\windows\system32\svchost.exe[980] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 2 00007ffe6d3daf22 3 bytes {JMP 0xffffffff80125490} .text C:\windows\system32\svchost.exe[980] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00007ffe6d3daf40 5 bytes JMP 00007ffeed500390 .text C:\windows\system32\svchost.exe[980] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 00007ffe6d3daf80 5 bytes JMP 00007ffeed5002e0 .text C:\windows\system32\svchost.exe[980] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 00007ffe6d3db000 5 bytes JMP 00007ffeed5002d0 .text C:\windows\system32\svchost.exe[980] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 00007ffe6d3db020 5 bytes JMP 00007ffeed500310 .text C:\windows\system32\svchost.exe[980] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 00007ffe6d3db060 5 bytes JMP 00007ffeed5003c0 .text C:\windows\system32\svchost.exe[980] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 00007ffe6d3db0b0 5 bytes JMP 00007ffeed5003f0 .text C:\windows\system32\svchost.exe[980] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00007ffe6d3db210 5 bytes JMP 00007ffeed500230 .text C:\windows\system32\svchost.exe[980] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ffe6d3db400 5 bytes JMP 00007ffeed500480 .text C:\windows\system32\svchost.exe[980] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00007ffe6d3db430 5 bytes JMP 00007ffeed5003a0 .text C:\windows\system32\svchost.exe[980] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ffe6d3db550 5 bytes JMP 00007ffeed5002f0 .text C:\windows\system32\svchost.exe[980] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00007ffe6d3db570 5 bytes JMP 00007ffeed500350 .text C:\windows\system32\svchost.exe[980] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 00007ffe6d3db5e0 5 bytes JMP 00007ffeed500290 .text C:\windows\system32\svchost.exe[980] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ffe6d3db670 5 bytes JMP 00007ffeed5002b0 .text C:\windows\system32\svchost.exe[980] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffe6d3db690 5 bytes JMP 00007ffeed5003d0 .text C:\windows\system32\svchost.exe[980] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 00007ffe6d3db6a0 1 byte JMP 00007ffeed500330 .text C:\windows\system32\svchost.exe[980] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00007ffe6d3db6a2 3 bytes {JMP 0xffffffff80124c90} .text C:\windows\system32\svchost.exe[980] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00007ffe6d3db750 5 bytes JMP 00007ffeed500410 .text C:\windows\system32\svchost.exe[980] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00007ffe6d3db780 5 bytes JMP 00007ffeed500240 .text C:\windows\system32\svchost.exe[980] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 00007ffe6d3dbaa0 5 bytes JMP 00007ffeed5001e0 .text C:\windows\system32\svchost.exe[980] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00007ffe6d3dbb60 5 bytes JMP 00007ffeed500250 .text C:\windows\system32\svchost.exe[980] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00007ffe6d3dbb90 5 bytes JMP 00007ffeed500490 .text C:\windows\system32\svchost.exe[980] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00007ffe6d3dbba0 5 bytes JMP 00007ffeed5004a0 .text C:\windows\system32\svchost.exe[980] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00007ffe6d3dbbd0 5 bytes JMP 00007ffeed500300 .text C:\windows\system32\svchost.exe[980] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00007ffe6d3dbbe0 5 bytes JMP 00007ffeed500360 .text C:\windows\system32\svchost.exe[980] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 00007ffe6d3dbc40 5 bytes JMP 00007ffeed5002a0 .text C:\windows\system32\svchost.exe[980] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00007ffe6d3dbc90 5 bytes JMP 00007ffeed5002c0 .text C:\windows\system32\svchost.exe[980] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 00007ffe6d3dbcc0 5 bytes JMP 00007ffeed500380 .text C:\windows\system32\svchost.exe[980] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 00007ffe6d3dbcd0 5 bytes JMP 00007ffeed500340 .text C:\windows\system32\svchost.exe[980] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00007ffe6d3dbfe0 5 bytes JMP 00007ffeed500440 .text C:\windows\system32\svchost.exe[980] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00007ffe6d3dc1e0 5 bytes JMP 00007ffeed500260 .text C:\windows\system32\svchost.exe[980] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00007ffe6d3dc1f0 5 bytes JMP 00007ffeed500270 .text C:\windows\system32\svchost.exe[980] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 00007ffe6d3dc210 5 bytes JMP 00007ffeed500400 .text C:\windows\system32\svchost.exe[980] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ffe6d3dc3f0 5 bytes JMP 00007ffeed5001f0 .text C:\windows\system32\svchost.exe[980] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00007ffe6d3dc400 5 bytes JMP 00007ffeed500210 .text C:\windows\system32\svchost.exe[980] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ffe6d3dc490 5 bytes JMP 00007ffeed500200 .text C:\windows\system32\svchost.exe[980] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00007ffe6d3dc500 5 bytes JMP 00007ffeed500420 .text C:\windows\system32\svchost.exe[980] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 00007ffe6d3dc510 5 bytes JMP 00007ffeed500430 .text C:\windows\system32\svchost.exe[980] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ffe6d3dc520 5 bytes JMP 00007ffeed500220 .text C:\windows\system32\svchost.exe[980] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 00007ffe6d3dc630 5 bytes JMP 00007ffeed500280 .text C:\windows\system32\dwm.exe[1020] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00007ffe6d3dac30 5 bytes JMP 00007ffeed500460 .text C:\windows\system32\dwm.exe[1020] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 00007ffe6d3dac80 5 bytes JMP 00007ffeed500450 .text C:\windows\system32\dwm.exe[1020] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 00007ffe6d3dade0 1 byte JMP 00007ffeed500370 .text C:\windows\system32\dwm.exe[1020] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess + 2 00007ffe6d3dade2 3 bytes {JMP 0xffffffff80125590} .text C:\windows\system32\dwm.exe[1020] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00007ffe6d3dae30 5 bytes JMP 00007ffeed500470 .text C:\windows\system32\dwm.exe[1020] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ffe6d3dae40 5 bytes JMP 00007ffeed5003e0 .text C:\windows\system32\dwm.exe[1020] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 00007ffe6d3daef0 5 bytes JMP 00007ffeed500320 .text C:\windows\system32\dwm.exe[1020] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffe6d3daf20 1 byte JMP 00007ffeed5003b0 .text C:\windows\system32\dwm.exe[1020] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 2 00007ffe6d3daf22 3 bytes {JMP 0xffffffff80125490} .text C:\windows\system32\dwm.exe[1020] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00007ffe6d3daf40 5 bytes JMP 00007ffeed500390 .text C:\windows\system32\dwm.exe[1020] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 00007ffe6d3daf80 5 bytes JMP 00007ffeed5002e0 .text C:\windows\system32\dwm.exe[1020] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 00007ffe6d3db000 5 bytes JMP 00007ffeed5002d0 .text C:\windows\system32\dwm.exe[1020] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 00007ffe6d3db020 5 bytes JMP 00007ffeed500310 .text C:\windows\system32\dwm.exe[1020] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 00007ffe6d3db060 5 bytes JMP 00007ffeed5003c0 .text C:\windows\system32\dwm.exe[1020] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 00007ffe6d3db0b0 5 bytes JMP 00007ffeed5003f0 .text C:\windows\system32\dwm.exe[1020] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00007ffe6d3db210 5 bytes JMP 00007ffeed500230 .text C:\windows\system32\dwm.exe[1020] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ffe6d3db400 5 bytes JMP 00007ffeed500480 .text C:\windows\system32\dwm.exe[1020] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00007ffe6d3db430 5 bytes JMP 00007ffeed5003a0 .text C:\windows\system32\dwm.exe[1020] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ffe6d3db550 5 bytes JMP 00007ffeed5002f0 .text C:\windows\system32\dwm.exe[1020] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00007ffe6d3db570 5 bytes JMP 00007ffeed500350 .text C:\windows\system32\dwm.exe[1020] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 00007ffe6d3db5e0 5 bytes JMP 00007ffeed500290 .text C:\windows\system32\dwm.exe[1020] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ffe6d3db670 5 bytes JMP 00007ffeed5002b0 .text C:\windows\system32\dwm.exe[1020] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffe6d3db690 5 bytes JMP 00007ffeed5003d0 .text C:\windows\system32\dwm.exe[1020] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 00007ffe6d3db6a0 1 byte JMP 00007ffeed500330 .text C:\windows\system32\dwm.exe[1020] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00007ffe6d3db6a2 3 bytes {JMP 0xffffffff80124c90} .text C:\windows\system32\dwm.exe[1020] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00007ffe6d3db750 5 bytes JMP 00007ffeed500410 .text C:\windows\system32\dwm.exe[1020] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00007ffe6d3db780 5 bytes JMP 00007ffeed500240 .text C:\windows\system32\dwm.exe[1020] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 00007ffe6d3dbaa0 5 bytes JMP 00007ffeed5001e0 .text C:\windows\system32\dwm.exe[1020] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00007ffe6d3dbb60 5 bytes JMP 00007ffeed500250 .text C:\windows\system32\dwm.exe[1020] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00007ffe6d3dbb90 5 bytes JMP 00007ffeed500490 .text C:\windows\system32\dwm.exe[1020] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00007ffe6d3dbba0 5 bytes JMP 00007ffeed5004a0 .text C:\windows\system32\dwm.exe[1020] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00007ffe6d3dbbd0 5 bytes JMP 00007ffeed500300 .text C:\windows\system32\dwm.exe[1020] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00007ffe6d3dbbe0 5 bytes JMP 00007ffeed500360 .text C:\windows\system32\dwm.exe[1020] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 00007ffe6d3dbc40 5 bytes JMP 00007ffeed5002a0 .text C:\windows\system32\dwm.exe[1020] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00007ffe6d3dbc90 5 bytes JMP 00007ffeed5002c0 .text C:\windows\system32\dwm.exe[1020] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 00007ffe6d3dbcc0 5 bytes JMP 00007ffeed500380 .text C:\windows\system32\dwm.exe[1020] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 00007ffe6d3dbcd0 5 bytes JMP 00007ffeed500340 .text C:\windows\system32\dwm.exe[1020] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00007ffe6d3dbfe0 5 bytes JMP 00007ffeed500440 .text C:\windows\system32\dwm.exe[1020] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00007ffe6d3dc1e0 5 bytes JMP 00007ffeed500260 .text C:\windows\system32\dwm.exe[1020] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00007ffe6d3dc1f0 5 bytes JMP 00007ffeed500270 .text C:\windows\system32\dwm.exe[1020] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 00007ffe6d3dc210 5 bytes JMP 00007ffeed500400 .text C:\windows\system32\dwm.exe[1020] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ffe6d3dc3f0 5 bytes JMP 00007ffeed5001f0 .text C:\windows\system32\dwm.exe[1020] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00007ffe6d3dc400 5 bytes JMP 00007ffeed500210 .text C:\windows\system32\dwm.exe[1020] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ffe6d3dc490 5 bytes JMP 00007ffeed500200 .text C:\windows\system32\dwm.exe[1020] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00007ffe6d3dc500 5 bytes JMP 00007ffeed500420 .text C:\windows\system32\dwm.exe[1020] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 00007ffe6d3dc510 5 bytes JMP 00007ffeed500430 .text C:\windows\system32\dwm.exe[1020] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ffe6d3dc520 5 bytes JMP 00007ffeed500220 .text C:\windows\system32\dwm.exe[1020] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 00007ffe6d3dc630 5 bytes JMP 00007ffeed500280 .text C:\windows\system32\svchost.exe[300] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00007ffe6d3dac30 5 bytes JMP 00007ffeed500460 .text C:\windows\system32\svchost.exe[300] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 00007ffe6d3dac80 5 bytes JMP 00007ffeed500450 .text C:\windows\system32\svchost.exe[300] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 00007ffe6d3dade0 1 byte JMP 00007ffeed500370 .text C:\windows\system32\svchost.exe[300] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess + 2 00007ffe6d3dade2 3 bytes {JMP 0xffffffff80125590} .text C:\windows\system32\svchost.exe[300] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00007ffe6d3dae30 5 bytes JMP 00007ffeed500470 .text C:\windows\system32\svchost.exe[300] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ffe6d3dae40 5 bytes JMP 00007ffeed5003e0 .text C:\windows\system32\svchost.exe[300] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 00007ffe6d3daef0 5 bytes JMP 00007ffeed500320 .text C:\windows\system32\svchost.exe[300] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffe6d3daf20 1 byte JMP 00007ffeed5003b0 .text C:\windows\system32\svchost.exe[300] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 2 00007ffe6d3daf22 3 bytes {JMP 0xffffffff80125490} .text C:\windows\system32\svchost.exe[300] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00007ffe6d3daf40 5 bytes JMP 00007ffeed500390 .text C:\windows\system32\svchost.exe[300] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 00007ffe6d3daf80 5 bytes JMP 00007ffeed5002e0 .text C:\windows\system32\svchost.exe[300] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 00007ffe6d3db000 5 bytes JMP 00007ffeed5002d0 .text C:\windows\system32\svchost.exe[300] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 00007ffe6d3db020 5 bytes JMP 00007ffeed500310 .text C:\windows\system32\svchost.exe[300] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 00007ffe6d3db060 5 bytes JMP 00007ffeed5003c0 .text C:\windows\system32\svchost.exe[300] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 00007ffe6d3db0b0 5 bytes JMP 00007ffeed5003f0 .text C:\windows\system32\svchost.exe[300] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00007ffe6d3db210 5 bytes JMP 00007ffeed500230 .text C:\windows\system32\svchost.exe[300] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ffe6d3db400 5 bytes JMP 00007ffeed500480 .text C:\windows\system32\svchost.exe[300] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00007ffe6d3db430 5 bytes JMP 00007ffeed5003a0 .text C:\windows\system32\svchost.exe[300] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ffe6d3db550 5 bytes JMP 00007ffeed5002f0 .text C:\windows\system32\svchost.exe[300] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00007ffe6d3db570 5 bytes JMP 00007ffeed500350 .text C:\windows\system32\svchost.exe[300] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 00007ffe6d3db5e0 5 bytes JMP 00007ffeed500290 .text C:\windows\system32\svchost.exe[300] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ffe6d3db670 5 bytes JMP 00007ffeed5002b0 .text C:\windows\system32\svchost.exe[300] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffe6d3db690 5 bytes JMP 00007ffeed5003d0 .text C:\windows\system32\svchost.exe[300] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 00007ffe6d3db6a0 1 byte JMP 00007ffeed500330 .text C:\windows\system32\svchost.exe[300] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00007ffe6d3db6a2 3 bytes {JMP 0xffffffff80124c90} .text C:\windows\system32\svchost.exe[300] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00007ffe6d3db750 5 bytes JMP 00007ffeed500410 .text C:\windows\system32\svchost.exe[300] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00007ffe6d3db780 5 bytes JMP 00007ffeed500240 .text C:\windows\system32\svchost.exe[300] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 00007ffe6d3dbaa0 5 bytes JMP 00007ffeed5001e0 .text C:\windows\system32\svchost.exe[300] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00007ffe6d3dbb60 5 bytes JMP 00007ffeed500250 .text C:\windows\system32\svchost.exe[300] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00007ffe6d3dbb90 5 bytes JMP 00007ffeed500490 .text C:\windows\system32\svchost.exe[300] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00007ffe6d3dbba0 5 bytes JMP 00007ffeed5004a0 .text C:\windows\system32\svchost.exe[300] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00007ffe6d3dbbd0 5 bytes JMP 00007ffeed500300 .text C:\windows\system32\svchost.exe[300] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00007ffe6d3dbbe0 5 bytes JMP 00007ffeed500360 .text C:\windows\system32\svchost.exe[300] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 00007ffe6d3dbc40 5 bytes JMP 00007ffeed5002a0 .text C:\windows\system32\svchost.exe[300] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00007ffe6d3dbc90 5 bytes JMP 00007ffeed5002c0 .text C:\windows\system32\svchost.exe[300] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 00007ffe6d3dbcc0 5 bytes JMP 00007ffeed500380 .text C:\windows\system32\svchost.exe[300] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 00007ffe6d3dbcd0 5 bytes JMP 00007ffeed500340 .text C:\windows\system32\svchost.exe[300] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00007ffe6d3dbfe0 5 bytes JMP 00007ffeed500440 .text C:\windows\system32\svchost.exe[300] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00007ffe6d3dc1e0 5 bytes JMP 00007ffeed500260 .text C:\windows\system32\svchost.exe[300] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00007ffe6d3dc1f0 5 bytes JMP 00007ffeed500270 .text C:\windows\system32\svchost.exe[300] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 00007ffe6d3dc210 5 bytes JMP 00007ffeed500400 .text C:\windows\system32\svchost.exe[300] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ffe6d3dc3f0 5 bytes JMP 00007ffeed5001f0 .text C:\windows\system32\svchost.exe[300] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00007ffe6d3dc400 5 bytes JMP 00007ffeed500210 .text C:\windows\system32\svchost.exe[300] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ffe6d3dc490 5 bytes JMP 00007ffeed500200 .text C:\windows\system32\svchost.exe[300] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00007ffe6d3dc500 5 bytes JMP 00007ffeed500420 .text C:\windows\system32\svchost.exe[300] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 00007ffe6d3dc510 5 bytes JMP 00007ffeed500430 .text C:\windows\system32\svchost.exe[300] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ffe6d3dc520 5 bytes JMP 00007ffeed500220 .text C:\windows\system32\svchost.exe[300] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 00007ffe6d3dc630 5 bytes JMP 00007ffeed500280 .text C:\windows\System32\svchost.exe[404] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00007ffe6d3dac30 5 bytes JMP 00007ffeed500460 .text C:\windows\System32\svchost.exe[404] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 00007ffe6d3dac80 5 bytes JMP 00007ffeed500450 .text C:\windows\System32\svchost.exe[404] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 00007ffe6d3dade0 1 byte JMP 00007ffeed500370 .text C:\windows\System32\svchost.exe[404] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess + 2 00007ffe6d3dade2 3 bytes {JMP 0xffffffff80125590} .text C:\windows\System32\svchost.exe[404] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00007ffe6d3dae30 5 bytes JMP 00007ffeed500470 .text C:\windows\System32\svchost.exe[404] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ffe6d3dae40 5 bytes JMP 00007ffeed5003e0 .text C:\windows\System32\svchost.exe[404] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 00007ffe6d3daef0 5 bytes JMP 00007ffeed500320 .text C:\windows\System32\svchost.exe[404] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffe6d3daf20 1 byte JMP 00007ffeed5003b0 .text C:\windows\System32\svchost.exe[404] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 2 00007ffe6d3daf22 3 bytes {JMP 0xffffffff80125490} .text C:\windows\System32\svchost.exe[404] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00007ffe6d3daf40 5 bytes JMP 00007ffeed500390 .text C:\windows\System32\svchost.exe[404] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 00007ffe6d3daf80 5 bytes JMP 00007ffeed5002e0 .text C:\windows\System32\svchost.exe[404] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 00007ffe6d3db000 5 bytes JMP 00007ffeed5002d0 .text C:\windows\System32\svchost.exe[404] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 00007ffe6d3db020 5 bytes JMP 00007ffeed500310 .text C:\windows\System32\svchost.exe[404] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 00007ffe6d3db060 5 bytes JMP 00007ffeed5003c0 .text C:\windows\System32\svchost.exe[404] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 00007ffe6d3db0b0 5 bytes JMP 00007ffeed5003f0 .text C:\windows\System32\svchost.exe[404] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00007ffe6d3db210 5 bytes JMP 00007ffeed500230 .text C:\windows\System32\svchost.exe[404] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ffe6d3db400 5 bytes JMP 00007ffeed500480 .text C:\windows\System32\svchost.exe[404] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00007ffe6d3db430 5 bytes JMP 00007ffeed5003a0 .text C:\windows\System32\svchost.exe[404] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ffe6d3db550 5 bytes JMP 00007ffeed5002f0 .text C:\windows\System32\svchost.exe[404] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00007ffe6d3db570 5 bytes JMP 00007ffeed500350 .text C:\windows\System32\svchost.exe[404] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 00007ffe6d3db5e0 5 bytes JMP 00007ffeed500290 .text C:\windows\System32\svchost.exe[404] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ffe6d3db670 5 bytes JMP 00007ffeed5002b0 .text C:\windows\System32\svchost.exe[404] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffe6d3db690 5 bytes JMP 00007ffeed5003d0 .text C:\windows\System32\svchost.exe[404] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 00007ffe6d3db6a0 1 byte JMP 00007ffeed500330 .text C:\windows\System32\svchost.exe[404] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00007ffe6d3db6a2 3 bytes {JMP 0xffffffff80124c90} .text C:\windows\System32\svchost.exe[404] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00007ffe6d3db750 5 bytes JMP 00007ffeed500410 .text C:\windows\System32\svchost.exe[404] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00007ffe6d3db780 5 bytes JMP 00007ffeed500240 .text C:\windows\System32\svchost.exe[404] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 00007ffe6d3dbaa0 5 bytes JMP 00007ffeed5001e0 .text C:\windows\System32\svchost.exe[404] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00007ffe6d3dbb60 5 bytes JMP 00007ffeed500250 .text C:\windows\System32\svchost.exe[404] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00007ffe6d3dbb90 5 bytes JMP 00007ffeed500490 .text C:\windows\System32\svchost.exe[404] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00007ffe6d3dbba0 5 bytes JMP 00007ffeed5004a0 .text C:\windows\System32\svchost.exe[404] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00007ffe6d3dbbd0 5 bytes JMP 00007ffeed500300 .text C:\windows\System32\svchost.exe[404] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00007ffe6d3dbbe0 5 bytes JMP 00007ffeed500360 .text C:\windows\System32\svchost.exe[404] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 00007ffe6d3dbc40 5 bytes JMP 00007ffeed5002a0 .text C:\windows\System32\svchost.exe[404] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00007ffe6d3dbc90 5 bytes JMP 00007ffeed5002c0 .text C:\windows\System32\svchost.exe[404] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 00007ffe6d3dbcc0 5 bytes JMP 00007ffeed500380 .text C:\windows\System32\svchost.exe[404] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 00007ffe6d3dbcd0 5 bytes JMP 00007ffeed500340 .text C:\windows\System32\svchost.exe[404] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00007ffe6d3dbfe0 5 bytes JMP 00007ffeed500440 .text C:\windows\System32\svchost.exe[404] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00007ffe6d3dc1e0 5 bytes JMP 00007ffeed500260 .text C:\windows\System32\svchost.exe[404] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00007ffe6d3dc1f0 5 bytes JMP 00007ffeed500270 .text C:\windows\System32\svchost.exe[404] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 00007ffe6d3dc210 5 bytes JMP 00007ffeed500400 .text C:\windows\System32\svchost.exe[404] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ffe6d3dc3f0 5 bytes JMP 00007ffeed5001f0 .text C:\windows\System32\svchost.exe[404] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00007ffe6d3dc400 5 bytes JMP 00007ffeed500210 .text C:\windows\System32\svchost.exe[404] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ffe6d3dc490 5 bytes JMP 00007ffeed500200 .text C:\windows\System32\svchost.exe[404] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00007ffe6d3dc500 5 bytes JMP 00007ffeed500420 .text C:\windows\System32\svchost.exe[404] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 00007ffe6d3dc510 5 bytes JMP 00007ffeed500430 .text C:\windows\System32\svchost.exe[404] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ffe6d3dc520 5 bytes JMP 00007ffeed500220 .text C:\windows\System32\svchost.exe[404] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 00007ffe6d3dc630 5 bytes JMP 00007ffeed500280 .text C:\windows\system32\atieclxx.exe[688] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00007ffe6d3dac30 5 bytes JMP 00007ffeed500460 .text C:\windows\system32\atieclxx.exe[688] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 00007ffe6d3dac80 5 bytes JMP 00007ffeed500450 .text C:\windows\system32\atieclxx.exe[688] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 00007ffe6d3dade0 1 byte JMP 00007ffeed500370 .text C:\windows\system32\atieclxx.exe[688] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess + 2 00007ffe6d3dade2 3 bytes {JMP 0xffffffff80125590} .text C:\windows\system32\atieclxx.exe[688] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00007ffe6d3dae30 5 bytes JMP 00007ffeed500470 .text C:\windows\system32\atieclxx.exe[688] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ffe6d3dae40 5 bytes JMP 00007ffeed5003e0 .text C:\windows\system32\atieclxx.exe[688] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 00007ffe6d3daef0 5 bytes JMP 00007ffeed500320 .text C:\windows\system32\atieclxx.exe[688] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffe6d3daf20 1 byte JMP 00007ffeed5003b0 .text C:\windows\system32\atieclxx.exe[688] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 2 00007ffe6d3daf22 3 bytes {JMP 0xffffffff80125490} .text C:\windows\system32\atieclxx.exe[688] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00007ffe6d3daf40 5 bytes JMP 00007ffeed500390 .text C:\windows\system32\atieclxx.exe[688] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 00007ffe6d3daf80 5 bytes JMP 00007ffeed5002e0 .text C:\windows\system32\atieclxx.exe[688] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 00007ffe6d3db000 5 bytes JMP 00007ffeed5002d0 .text C:\windows\system32\atieclxx.exe[688] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 00007ffe6d3db020 5 bytes JMP 00007ffeed500310 .text C:\windows\system32\atieclxx.exe[688] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 00007ffe6d3db060 5 bytes JMP 00007ffeed5003c0 .text C:\windows\system32\atieclxx.exe[688] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 00007ffe6d3db0b0 5 bytes JMP 00007ffeed5003f0 .text C:\windows\system32\atieclxx.exe[688] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00007ffe6d3db210 5 bytes JMP 00007ffeed500230 .text C:\windows\system32\atieclxx.exe[688] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ffe6d3db400 5 bytes JMP 00007ffeed500480 .text C:\windows\system32\atieclxx.exe[688] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00007ffe6d3db430 5 bytes JMP 00007ffeed5003a0 .text C:\windows\system32\atieclxx.exe[688] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ffe6d3db550 5 bytes JMP 00007ffeed5002f0 .text C:\windows\system32\atieclxx.exe[688] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00007ffe6d3db570 5 bytes JMP 00007ffeed500350 .text C:\windows\system32\atieclxx.exe[688] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 00007ffe6d3db5e0 5 bytes JMP 00007ffeed500290 .text C:\windows\system32\atieclxx.exe[688] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ffe6d3db670 5 bytes JMP 00007ffeed5002b0 .text C:\windows\system32\atieclxx.exe[688] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffe6d3db690 5 bytes JMP 00007ffeed5003d0 .text C:\windows\system32\atieclxx.exe[688] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 00007ffe6d3db6a0 1 byte JMP 00007ffeed500330 .text C:\windows\system32\atieclxx.exe[688] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00007ffe6d3db6a2 3 bytes {JMP 0xffffffff80124c90} .text C:\windows\system32\atieclxx.exe[688] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00007ffe6d3db750 5 bytes JMP 00007ffeed500410 .text C:\windows\system32\atieclxx.exe[688] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00007ffe6d3db780 5 bytes JMP 00007ffeed500240 .text C:\windows\system32\atieclxx.exe[688] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 00007ffe6d3dbaa0 5 bytes JMP 00007ffeed5001e0 .text C:\windows\system32\atieclxx.exe[688] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00007ffe6d3dbb60 5 bytes JMP 00007ffeed500250 .text C:\windows\system32\atieclxx.exe[688] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00007ffe6d3dbb90 5 bytes JMP 00007ffeed500490 .text C:\windows\system32\atieclxx.exe[688] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00007ffe6d3dbba0 5 bytes JMP 00007ffeed5004a0 .text C:\windows\system32\atieclxx.exe[688] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00007ffe6d3dbbd0 5 bytes JMP 00007ffeed500300 .text C:\windows\system32\atieclxx.exe[688] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00007ffe6d3dbbe0 5 bytes JMP 00007ffeed500360 .text C:\windows\system32\atieclxx.exe[688] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 00007ffe6d3dbc40 5 bytes JMP 00007ffeed5002a0 .text C:\windows\system32\atieclxx.exe[688] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00007ffe6d3dbc90 5 bytes JMP 00007ffeed5002c0 .text C:\windows\system32\atieclxx.exe[688] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 00007ffe6d3dbcc0 5 bytes JMP 00007ffeed500380 .text C:\windows\system32\atieclxx.exe[688] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 00007ffe6d3dbcd0 5 bytes JMP 00007ffeed500340 .text C:\windows\system32\atieclxx.exe[688] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00007ffe6d3dbfe0 5 bytes JMP 00007ffeed500440 .text C:\windows\system32\atieclxx.exe[688] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00007ffe6d3dc1e0 5 bytes JMP 00007ffeed500260 .text C:\windows\system32\atieclxx.exe[688] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00007ffe6d3dc1f0 5 bytes JMP 00007ffeed500270 .text C:\windows\system32\atieclxx.exe[688] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 00007ffe6d3dc210 5 bytes JMP 00007ffeed500400 .text C:\windows\system32\atieclxx.exe[688] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ffe6d3dc3f0 5 bytes JMP 00007ffeed5001f0 .text C:\windows\system32\atieclxx.exe[688] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00007ffe6d3dc400 5 bytes JMP 00007ffeed500210 .text C:\windows\system32\atieclxx.exe[688] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ffe6d3dc490 5 bytes JMP 00007ffeed500200 .text C:\windows\system32\atieclxx.exe[688] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00007ffe6d3dc500 5 bytes JMP 00007ffeed500420 .text C:\windows\system32\atieclxx.exe[688] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 00007ffe6d3dc510 5 bytes JMP 00007ffeed500430 .text C:\windows\system32\atieclxx.exe[688] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ffe6d3dc520 5 bytes JMP 00007ffeed500220 .text C:\windows\system32\atieclxx.exe[688] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 00007ffe6d3dc630 5 bytes JMP 00007ffeed500280 .text C:\windows\system32\atieclxx.exe[688] C:\windows\system32\PSAPI.DLL!GetModuleBaseNameA + 506 00007ffe6b23169a 4 bytes [23, 6B, FE, 7F] .text C:\windows\system32\atieclxx.exe[688] C:\windows\system32\PSAPI.DLL!GetModuleBaseNameA + 514 00007ffe6b2316a2 4 bytes [23, 6B, FE, 7F] .text C:\windows\system32\atieclxx.exe[688] C:\windows\system32\PSAPI.DLL!QueryWorkingSet + 118 00007ffe6b23181a 4 bytes [23, 6B, FE, 7F] .text C:\windows\system32\atieclxx.exe[688] C:\windows\system32\PSAPI.DLL!QueryWorkingSet + 142 00007ffe6b231832 4 bytes [23, 6B, FE, 7F] .text C:\windows\system32\svchost.exe[1080] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00007ffe6d3dac30 5 bytes JMP 00007ffeed500460 .text C:\windows\system32\svchost.exe[1080] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 00007ffe6d3dac80 5 bytes JMP 00007ffeed500450 .text C:\windows\system32\svchost.exe[1080] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 00007ffe6d3dade0 1 byte JMP 00007ffeed500370 .text C:\windows\system32\svchost.exe[1080] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess + 2 00007ffe6d3dade2 3 bytes {JMP 0xffffffff80125590} .text C:\windows\system32\svchost.exe[1080] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00007ffe6d3dae30 5 bytes JMP 00007ffeed500470 .text C:\windows\system32\svchost.exe[1080] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ffe6d3dae40 5 bytes JMP 00007ffeed5003e0 .text C:\windows\system32\svchost.exe[1080] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 00007ffe6d3daef0 5 bytes JMP 00007ffeed500320 .text C:\windows\system32\svchost.exe[1080] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffe6d3daf20 1 byte JMP 00007ffeed5003b0 .text C:\windows\system32\svchost.exe[1080] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 2 00007ffe6d3daf22 3 bytes {JMP 0xffffffff80125490} .text C:\windows\system32\svchost.exe[1080] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00007ffe6d3daf40 5 bytes JMP 00007ffeed500390 .text C:\windows\system32\svchost.exe[1080] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 00007ffe6d3daf80 5 bytes JMP 00007ffeed5002e0 .text C:\windows\system32\svchost.exe[1080] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 00007ffe6d3db000 5 bytes JMP 00007ffeed5002d0 .text C:\windows\system32\svchost.exe[1080] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 00007ffe6d3db020 5 bytes JMP 00007ffeed500310 .text C:\windows\system32\svchost.exe[1080] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 00007ffe6d3db060 5 bytes JMP 00007ffeed5003c0 .text C:\windows\system32\svchost.exe[1080] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 00007ffe6d3db0b0 5 bytes JMP 00007ffeed5003f0 .text C:\windows\system32\svchost.exe[1080] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00007ffe6d3db210 5 bytes JMP 00007ffeed500230 .text C:\windows\system32\svchost.exe[1080] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ffe6d3db400 5 bytes JMP 00007ffeed500480 .text C:\windows\system32\svchost.exe[1080] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00007ffe6d3db430 5 bytes JMP 00007ffeed5003a0 .text C:\windows\system32\svchost.exe[1080] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ffe6d3db550 5 bytes JMP 00007ffeed5002f0 .text C:\windows\system32\svchost.exe[1080] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00007ffe6d3db570 5 bytes JMP 00007ffeed500350 .text C:\windows\system32\svchost.exe[1080] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 00007ffe6d3db5e0 5 bytes JMP 00007ffeed500290 .text C:\windows\system32\svchost.exe[1080] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ffe6d3db670 5 bytes JMP 00007ffeed5002b0 .text C:\windows\system32\svchost.exe[1080] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffe6d3db690 5 bytes JMP 00007ffeed5003d0 .text C:\windows\system32\svchost.exe[1080] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 00007ffe6d3db6a0 1 byte JMP 00007ffeed500330 .text C:\windows\system32\svchost.exe[1080] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00007ffe6d3db6a2 3 bytes {JMP 0xffffffff80124c90} .text C:\windows\system32\svchost.exe[1080] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00007ffe6d3db750 5 bytes JMP 00007ffeed500410 .text C:\windows\system32\svchost.exe[1080] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00007ffe6d3db780 5 bytes JMP 00007ffeed500240 .text C:\windows\system32\svchost.exe[1080] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 00007ffe6d3dbaa0 5 bytes JMP 00007ffeed5001e0 .text C:\windows\system32\svchost.exe[1080] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00007ffe6d3dbb60 5 bytes JMP 00007ffeed500250 .text C:\windows\system32\svchost.exe[1080] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00007ffe6d3dbb90 5 bytes JMP 00007ffeed500490 .text C:\windows\system32\svchost.exe[1080] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00007ffe6d3dbba0 5 bytes JMP 00007ffeed5004a0 .text C:\windows\system32\svchost.exe[1080] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00007ffe6d3dbbd0 5 bytes JMP 00007ffeed500300 .text C:\windows\system32\svchost.exe[1080] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00007ffe6d3dbbe0 5 bytes JMP 00007ffeed500360 .text C:\windows\system32\svchost.exe[1080] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 00007ffe6d3dbc40 5 bytes JMP 00007ffeed5002a0 .text C:\windows\system32\svchost.exe[1080] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00007ffe6d3dbc90 5 bytes JMP 00007ffeed5002c0 .text C:\windows\system32\svchost.exe[1080] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 00007ffe6d3dbcc0 5 bytes JMP 00007ffeed500380 .text C:\windows\system32\svchost.exe[1080] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 00007ffe6d3dbcd0 5 bytes JMP 00007ffeed500340 .text C:\windows\system32\svchost.exe[1080] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00007ffe6d3dbfe0 5 bytes JMP 00007ffeed500440 .text C:\windows\system32\svchost.exe[1080] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00007ffe6d3dc1e0 5 bytes JMP 00007ffeed500260 .text C:\windows\system32\svchost.exe[1080] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00007ffe6d3dc1f0 5 bytes JMP 00007ffeed500270 .text C:\windows\system32\svchost.exe[1080] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 00007ffe6d3dc210 5 bytes JMP 00007ffeed500400 .text C:\windows\system32\svchost.exe[1080] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ffe6d3dc3f0 5 bytes JMP 00007ffeed5001f0 .text C:\windows\system32\svchost.exe[1080] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00007ffe6d3dc400 5 bytes JMP 00007ffeed500210 .text C:\windows\system32\svchost.exe[1080] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ffe6d3dc490 5 bytes JMP 00007ffeed500200 .text C:\windows\system32\svchost.exe[1080] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00007ffe6d3dc500 5 bytes JMP 00007ffeed500420 .text C:\windows\system32\svchost.exe[1080] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 00007ffe6d3dc510 5 bytes JMP 00007ffeed500430 .text C:\windows\system32\svchost.exe[1080] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ffe6d3dc520 5 bytes JMP 00007ffeed500220 .text C:\windows\system32\svchost.exe[1080] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 00007ffe6d3dc630 5 bytes JMP 00007ffeed500280 .text C:\windows\System32\spoolsv.exe[1380] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00007ffe6d3dac30 5 bytes JMP 00007ffeed500460 .text C:\windows\System32\spoolsv.exe[1380] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 00007ffe6d3dac80 5 bytes JMP 00007ffeed500450 .text C:\windows\System32\spoolsv.exe[1380] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 00007ffe6d3dade0 1 byte JMP 00007ffeed500370 .text C:\windows\System32\spoolsv.exe[1380] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess + 2 00007ffe6d3dade2 3 bytes {JMP 0xffffffff80125590} .text C:\windows\System32\spoolsv.exe[1380] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00007ffe6d3dae30 5 bytes JMP 00007ffeed500470 .text C:\windows\System32\spoolsv.exe[1380] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ffe6d3dae40 5 bytes JMP 00007ffeed5003e0 .text C:\windows\System32\spoolsv.exe[1380] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 00007ffe6d3daef0 5 bytes JMP 00007ffeed500320 .text C:\windows\System32\spoolsv.exe[1380] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffe6d3daf20 1 byte JMP 00007ffeed5003b0 .text C:\windows\System32\spoolsv.exe[1380] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 2 00007ffe6d3daf22 3 bytes {JMP 0xffffffff80125490} .text C:\windows\System32\spoolsv.exe[1380] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00007ffe6d3daf40 5 bytes JMP 00007ffeed500390 .text C:\windows\System32\spoolsv.exe[1380] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 00007ffe6d3daf80 5 bytes JMP 00007ffeed5002e0 .text C:\windows\System32\spoolsv.exe[1380] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 00007ffe6d3db000 5 bytes JMP 00007ffeed5002d0 .text C:\windows\System32\spoolsv.exe[1380] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 00007ffe6d3db020 5 bytes JMP 00007ffeed500310 .text C:\windows\System32\spoolsv.exe[1380] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 00007ffe6d3db060 5 bytes JMP 00007ffeed5003c0 .text C:\windows\System32\spoolsv.exe[1380] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 00007ffe6d3db0b0 5 bytes JMP 00007ffeed5003f0 .text C:\windows\System32\spoolsv.exe[1380] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00007ffe6d3db210 5 bytes JMP 00007ffeed500230 .text C:\windows\System32\spoolsv.exe[1380] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ffe6d3db400 5 bytes JMP 00007ffeed500480 .text C:\windows\System32\spoolsv.exe[1380] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00007ffe6d3db430 5 bytes JMP 00007ffeed5003a0 .text C:\windows\System32\spoolsv.exe[1380] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ffe6d3db550 5 bytes JMP 00007ffeed5002f0 .text C:\windows\System32\spoolsv.exe[1380] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00007ffe6d3db570 5 bytes JMP 00007ffeed500350 .text C:\windows\System32\spoolsv.exe[1380] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 00007ffe6d3db5e0 5 bytes JMP 00007ffeed500290 .text C:\windows\System32\spoolsv.exe[1380] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ffe6d3db670 5 bytes JMP 00007ffeed5002b0 .text C:\windows\System32\spoolsv.exe[1380] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffe6d3db690 5 bytes JMP 00007ffeed5003d0 .text C:\windows\System32\spoolsv.exe[1380] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 00007ffe6d3db6a0 1 byte JMP 00007ffeed500330 .text C:\windows\System32\spoolsv.exe[1380] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00007ffe6d3db6a2 3 bytes {JMP 0xffffffff80124c90} .text C:\windows\System32\spoolsv.exe[1380] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00007ffe6d3db750 5 bytes JMP 00007ffeed500410 .text C:\windows\System32\spoolsv.exe[1380] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00007ffe6d3db780 5 bytes JMP 00007ffeed500240 .text C:\windows\System32\spoolsv.exe[1380] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 00007ffe6d3dbaa0 5 bytes JMP 00007ffeed5001e0 .text C:\windows\System32\spoolsv.exe[1380] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00007ffe6d3dbb60 5 bytes JMP 00007ffeed500250 .text C:\windows\System32\spoolsv.exe[1380] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00007ffe6d3dbb90 5 bytes JMP 00007ffeed500490 .text C:\windows\System32\spoolsv.exe[1380] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00007ffe6d3dbba0 5 bytes JMP 00007ffeed5004a0 .text C:\windows\System32\spoolsv.exe[1380] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00007ffe6d3dbbd0 5 bytes JMP 00007ffeed500300 .text C:\windows\System32\spoolsv.exe[1380] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00007ffe6d3dbbe0 5 bytes JMP 00007ffeed500360 .text C:\windows\System32\spoolsv.exe[1380] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 00007ffe6d3dbc40 5 bytes JMP 00007ffeed5002a0 .text C:\windows\System32\spoolsv.exe[1380] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00007ffe6d3dbc90 5 bytes JMP 00007ffeed5002c0 .text C:\windows\System32\spoolsv.exe[1380] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 00007ffe6d3dbcc0 5 bytes JMP 00007ffeed500380 .text C:\windows\System32\spoolsv.exe[1380] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 00007ffe6d3dbcd0 5 bytes JMP 00007ffeed500340 .text C:\windows\System32\spoolsv.exe[1380] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00007ffe6d3dbfe0 5 bytes JMP 00007ffeed500440 .text C:\windows\System32\spoolsv.exe[1380] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00007ffe6d3dc1e0 5 bytes JMP 00007ffeed500260 .text C:\windows\System32\spoolsv.exe[1380] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00007ffe6d3dc1f0 5 bytes JMP 00007ffeed500270 .text C:\windows\System32\spoolsv.exe[1380] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 00007ffe6d3dc210 5 bytes JMP 00007ffeed500400 .text C:\windows\System32\spoolsv.exe[1380] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ffe6d3dc3f0 5 bytes JMP 00007ffeed5001f0 .text C:\windows\System32\spoolsv.exe[1380] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00007ffe6d3dc400 5 bytes JMP 00007ffeed500210 .text C:\windows\System32\spoolsv.exe[1380] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ffe6d3dc490 5 bytes JMP 00007ffeed500200 .text C:\windows\System32\spoolsv.exe[1380] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00007ffe6d3dc500 5 bytes JMP 00007ffeed500420 .text C:\windows\System32\spoolsv.exe[1380] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 00007ffe6d3dc510 5 bytes JMP 00007ffeed500430 .text C:\windows\System32\spoolsv.exe[1380] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ffe6d3dc520 5 bytes JMP 00007ffeed500220 .text C:\windows\System32\spoolsv.exe[1380] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 00007ffe6d3dc630 5 bytes JMP 00007ffeed500280 .text C:\windows\system32\svchost.exe[1428] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00007ffe6d3dac30 5 bytes JMP 00007ffeed500460 .text C:\windows\system32\svchost.exe[1428] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 00007ffe6d3dac80 5 bytes JMP 00007ffeed500450 .text C:\windows\system32\svchost.exe[1428] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 00007ffe6d3dade0 1 byte JMP 00007ffeed500370 .text C:\windows\system32\svchost.exe[1428] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess + 2 00007ffe6d3dade2 3 bytes {JMP 0xffffffff80125590} .text C:\windows\system32\svchost.exe[1428] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00007ffe6d3dae30 5 bytes JMP 00007ffeed500470 .text C:\windows\system32\svchost.exe[1428] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ffe6d3dae40 5 bytes JMP 00007ffeed5003e0 .text C:\windows\system32\svchost.exe[1428] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 00007ffe6d3daef0 5 bytes JMP 00007ffeed500320 .text C:\windows\system32\svchost.exe[1428] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffe6d3daf20 1 byte JMP 00007ffeed5003b0 .text C:\windows\system32\svchost.exe[1428] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 2 00007ffe6d3daf22 3 bytes {JMP 0xffffffff80125490} .text C:\windows\system32\svchost.exe[1428] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00007ffe6d3daf40 5 bytes JMP 00007ffeed500390 .text C:\windows\system32\svchost.exe[1428] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 00007ffe6d3daf80 5 bytes JMP 00007ffeed5002e0 .text C:\windows\system32\svchost.exe[1428] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 00007ffe6d3db000 5 bytes JMP 00007ffeed5002d0 .text C:\windows\system32\svchost.exe[1428] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 00007ffe6d3db020 5 bytes JMP 00007ffeed500310 .text C:\windows\system32\svchost.exe[1428] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 00007ffe6d3db060 5 bytes JMP 00007ffeed5003c0 .text C:\windows\system32\svchost.exe[1428] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 00007ffe6d3db0b0 5 bytes JMP 00007ffeed5003f0 .text C:\windows\system32\svchost.exe[1428] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00007ffe6d3db210 5 bytes JMP 00007ffeed500230 .text C:\windows\system32\svchost.exe[1428] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ffe6d3db400 5 bytes JMP 00007ffeed500480 .text C:\windows\system32\svchost.exe[1428] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00007ffe6d3db430 5 bytes JMP 00007ffeed5003a0 .text C:\windows\system32\svchost.exe[1428] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ffe6d3db550 5 bytes JMP 00007ffeed5002f0 .text C:\windows\system32\svchost.exe[1428] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00007ffe6d3db570 5 bytes JMP 00007ffeed500350 .text C:\windows\system32\svchost.exe[1428] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 00007ffe6d3db5e0 5 bytes JMP 00007ffeed500290 .text C:\windows\system32\svchost.exe[1428] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ffe6d3db670 5 bytes JMP 00007ffeed5002b0 .text C:\windows\system32\svchost.exe[1428] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffe6d3db690 5 bytes JMP 00007ffeed5003d0 .text C:\windows\system32\svchost.exe[1428] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 00007ffe6d3db6a0 1 byte JMP 00007ffeed500330 .text C:\windows\system32\svchost.exe[1428] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00007ffe6d3db6a2 3 bytes {JMP 0xffffffff80124c90} .text C:\windows\system32\svchost.exe[1428] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00007ffe6d3db750 5 bytes JMP 00007ffeed500410 .text C:\windows\system32\svchost.exe[1428] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00007ffe6d3db780 5 bytes JMP 00007ffeed500240 .text C:\windows\system32\svchost.exe[1428] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 00007ffe6d3dbaa0 5 bytes JMP 00007ffeed5001e0 .text C:\windows\system32\svchost.exe[1428] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00007ffe6d3dbb60 5 bytes JMP 00007ffeed500250 .text C:\windows\system32\svchost.exe[1428] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00007ffe6d3dbb90 5 bytes JMP 00007ffeed500490 .text C:\windows\system32\svchost.exe[1428] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00007ffe6d3dbba0 5 bytes JMP 00007ffeed5004a0 .text C:\windows\system32\svchost.exe[1428] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00007ffe6d3dbbd0 5 bytes JMP 00007ffeed500300 .text C:\windows\system32\svchost.exe[1428] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00007ffe6d3dbbe0 5 bytes JMP 00007ffeed500360 .text C:\windows\system32\svchost.exe[1428] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 00007ffe6d3dbc40 5 bytes JMP 00007ffeed5002a0 .text C:\windows\system32\svchost.exe[1428] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00007ffe6d3dbc90 5 bytes JMP 00007ffeed5002c0 .text C:\windows\system32\svchost.exe[1428] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 00007ffe6d3dbcc0 5 bytes JMP 00007ffeed500380 .text C:\windows\system32\svchost.exe[1428] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 00007ffe6d3dbcd0 5 bytes JMP 00007ffeed500340 .text C:\windows\system32\svchost.exe[1428] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00007ffe6d3dbfe0 5 bytes JMP 00007ffeed500440 .text C:\windows\system32\svchost.exe[1428] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00007ffe6d3dc1e0 5 bytes JMP 00007ffeed500260 .text C:\windows\system32\svchost.exe[1428] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00007ffe6d3dc1f0 5 bytes JMP 00007ffeed500270 .text C:\windows\system32\svchost.exe[1428] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 00007ffe6d3dc210 5 bytes JMP 00007ffeed500400 .text C:\windows\system32\svchost.exe[1428] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ffe6d3dc3f0 5 bytes JMP 00007ffeed5001f0 .text C:\windows\system32\svchost.exe[1428] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00007ffe6d3dc400 5 bytes JMP 00007ffeed500210 .text C:\windows\system32\svchost.exe[1428] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ffe6d3dc490 5 bytes JMP 00007ffeed500200 .text C:\windows\system32\svchost.exe[1428] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00007ffe6d3dc500 5 bytes JMP 00007ffeed500420 .text C:\windows\system32\svchost.exe[1428] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 00007ffe6d3dc510 5 bytes JMP 00007ffeed500430 .text C:\windows\system32\svchost.exe[1428] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ffe6d3dc520 5 bytes JMP 00007ffeed500220 .text C:\windows\system32\svchost.exe[1428] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 00007ffe6d3dc630 5 bytes JMP 00007ffeed500280 .text C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe[1824] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00007ffe6d3dac30 5 bytes JMP 00007ffeed500460 .text C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe[1824] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 00007ffe6d3dac80 5 bytes JMP 00007ffeed500450 .text C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe[1824] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 00007ffe6d3dade0 1 byte JMP 00007ffeed500370 .text C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe[1824] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess + 2 00007ffe6d3dade2 3 bytes {JMP 0xffffffff80125590} .text C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe[1824] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00007ffe6d3dae30 5 bytes JMP 00007ffeed500470 .text C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe[1824] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ffe6d3dae40 5 bytes JMP 00007ffeed5003e0 .text C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe[1824] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 00007ffe6d3daef0 5 bytes JMP 00007ffeed500320 .text C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe[1824] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffe6d3daf20 1 byte JMP 00007ffeed5003b0 .text C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe[1824] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 2 00007ffe6d3daf22 3 bytes {JMP 0xffffffff80125490} .text C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe[1824] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00007ffe6d3daf40 5 bytes JMP 00007ffeed500390 .text C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe[1824] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 00007ffe6d3daf80 5 bytes JMP 00007ffeed5002e0 .text C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe[1824] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 00007ffe6d3db000 5 bytes JMP 00007ffeed5002d0 .text C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe[1824] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 00007ffe6d3db020 5 bytes JMP 00007ffeed500310 .text C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe[1824] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 00007ffe6d3db060 5 bytes JMP 00007ffeed5003c0 .text C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe[1824] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 00007ffe6d3db0b0 5 bytes JMP 00007ffeed5003f0 .text C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe[1824] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00007ffe6d3db210 5 bytes JMP 00007ffeed500230 .text C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe[1824] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ffe6d3db400 5 bytes JMP 00007ffeed500480 .text C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe[1824] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00007ffe6d3db430 5 bytes JMP 00007ffeed5003a0 .text C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe[1824] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ffe6d3db550 5 bytes JMP 00007ffeed5002f0 .text C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe[1824] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00007ffe6d3db570 5 bytes JMP 00007ffeed500350 .text C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe[1824] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 00007ffe6d3db5e0 5 bytes JMP 00007ffeed500290 .text C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe[1824] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ffe6d3db670 5 bytes JMP 00007ffeed5002b0 .text C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe[1824] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffe6d3db690 5 bytes JMP 00007ffeed5003d0 .text C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe[1824] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 00007ffe6d3db6a0 1 byte JMP 00007ffeed500330 .text C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe[1824] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00007ffe6d3db6a2 3 bytes {JMP 0xffffffff80124c90} .text C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe[1824] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00007ffe6d3db750 5 bytes JMP 00007ffeed500410 .text C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe[1824] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00007ffe6d3db780 5 bytes JMP 00007ffeed500240 .text C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe[1824] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 00007ffe6d3dbaa0 5 bytes JMP 00007ffeed5001e0 .text C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe[1824] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00007ffe6d3dbb60 5 bytes JMP 00007ffeed500250 .text C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe[1824] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00007ffe6d3dbb90 5 bytes JMP 00007ffeed500490 .text C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe[1824] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00007ffe6d3dbba0 5 bytes JMP 00007ffeed5004a0 .text C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe[1824] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00007ffe6d3dbbd0 5 bytes JMP 00007ffeed500300 .text C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe[1824] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00007ffe6d3dbbe0 5 bytes JMP 00007ffeed500360 .text C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe[1824] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 00007ffe6d3dbc40 5 bytes JMP 00007ffeed5002a0 .text C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe[1824] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00007ffe6d3dbc90 5 bytes JMP 00007ffeed5002c0 .text C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe[1824] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 00007ffe6d3dbcc0 5 bytes JMP 00007ffeed500380 .text C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe[1824] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 00007ffe6d3dbcd0 5 bytes JMP 00007ffeed500340 .text C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe[1824] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00007ffe6d3dbfe0 5 bytes JMP 00007ffeed500440 .text C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe[1824] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00007ffe6d3dc1e0 5 bytes JMP 00007ffeed500260 .text C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe[1824] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00007ffe6d3dc1f0 5 bytes JMP 00007ffeed500270 .text C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe[1824] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 00007ffe6d3dc210 5 bytes JMP 00007ffeed500400 .text C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe[1824] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ffe6d3dc3f0 5 bytes JMP 00007ffeed5001f0 .text C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe[1824] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00007ffe6d3dc400 5 bytes JMP 00007ffeed500210 .text C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe[1824] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ffe6d3dc490 5 bytes JMP 00007ffeed500200 .text C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe[1824] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00007ffe6d3dc500 5 bytes JMP 00007ffeed500420 .text C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe[1824] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 00007ffe6d3dc510 5 bytes JMP 00007ffeed500430 .text C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe[1824] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ffe6d3dc520 5 bytes JMP 00007ffeed500220 .text C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe[1824] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 00007ffe6d3dc630 5 bytes JMP 00007ffeed500280 .text C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe[1824] C:\windows\system32\PSAPI.DLL!GetModuleBaseNameA + 506 00007ffe6b23169a 4 bytes [23, 6B, FE, 7F] .text C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe[1824] C:\windows\system32\PSAPI.DLL!GetModuleBaseNameA + 514 00007ffe6b2316a2 4 bytes [23, 6B, FE, 7F] .text C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe[1824] C:\windows\system32\PSAPI.DLL!QueryWorkingSet + 118 00007ffe6b23181a 4 bytes [23, 6B, FE, 7F] .text C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe[1824] C:\windows\system32\PSAPI.DLL!QueryWorkingSet + 142 00007ffe6b231832 4 bytes [23, 6B, FE, 7F] .text C:\windows\system32\dashost.exe[1880] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00007ffe6d3dac30 5 bytes JMP 00007ffeed500460 .text C:\windows\system32\dashost.exe[1880] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 00007ffe6d3dac80 5 bytes JMP 00007ffeed500450 .text C:\windows\system32\dashost.exe[1880] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 00007ffe6d3dade0 1 byte JMP 00007ffeed500370 .text C:\windows\system32\dashost.exe[1880] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess + 2 00007ffe6d3dade2 3 bytes {JMP 0xffffffff80125590} .text C:\windows\system32\dashost.exe[1880] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00007ffe6d3dae30 5 bytes JMP 00007ffeed500470 .text C:\windows\system32\dashost.exe[1880] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ffe6d3dae40 5 bytes JMP 00007ffeed5003e0 .text C:\windows\system32\dashost.exe[1880] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 00007ffe6d3daef0 5 bytes JMP 00007ffeed500320 .text C:\windows\system32\dashost.exe[1880] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffe6d3daf20 1 byte JMP 00007ffeed5003b0 .text C:\windows\system32\dashost.exe[1880] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 2 00007ffe6d3daf22 3 bytes {JMP 0xffffffff80125490} .text C:\windows\system32\dashost.exe[1880] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00007ffe6d3daf40 5 bytes JMP 00007ffeed500390 .text C:\windows\system32\dashost.exe[1880] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 00007ffe6d3daf80 5 bytes JMP 00007ffeed5002e0 .text C:\windows\system32\dashost.exe[1880] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 00007ffe6d3db000 5 bytes JMP 00007ffeed5002d0 .text C:\windows\system32\dashost.exe[1880] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 00007ffe6d3db020 5 bytes JMP 00007ffeed500310 .text C:\windows\system32\dashost.exe[1880] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 00007ffe6d3db060 5 bytes JMP 00007ffeed5003c0 .text C:\windows\system32\dashost.exe[1880] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 00007ffe6d3db0b0 5 bytes JMP 00007ffeed5003f0 .text C:\windows\system32\dashost.exe[1880] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00007ffe6d3db210 5 bytes JMP 00007ffeed500230 .text C:\windows\system32\dashost.exe[1880] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ffe6d3db400 5 bytes JMP 00007ffeed500480 .text C:\windows\system32\dashost.exe[1880] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00007ffe6d3db430 5 bytes JMP 00007ffeed5003a0 .text C:\windows\system32\dashost.exe[1880] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ffe6d3db550 5 bytes JMP 00007ffeed5002f0 .text C:\windows\system32\dashost.exe[1880] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00007ffe6d3db570 5 bytes JMP 00007ffeed500350 .text C:\windows\system32\dashost.exe[1880] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 00007ffe6d3db5e0 5 bytes JMP 00007ffeed500290 .text C:\windows\system32\dashost.exe[1880] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ffe6d3db670 5 bytes JMP 00007ffeed5002b0 .text C:\windows\system32\dashost.exe[1880] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffe6d3db690 5 bytes JMP 00007ffeed5003d0 .text C:\windows\system32\dashost.exe[1880] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 00007ffe6d3db6a0 1 byte JMP 00007ffeed500330 .text C:\windows\system32\dashost.exe[1880] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00007ffe6d3db6a2 3 bytes {JMP 0xffffffff80124c90} .text C:\windows\system32\dashost.exe[1880] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00007ffe6d3db750 5 bytes JMP 00007ffeed500410 .text C:\windows\system32\dashost.exe[1880] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00007ffe6d3db780 5 bytes JMP 00007ffeed500240 .text C:\windows\system32\dashost.exe[1880] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 00007ffe6d3dbaa0 5 bytes JMP 00007ffeed5001e0 .text C:\windows\system32\dashost.exe[1880] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00007ffe6d3dbb60 5 bytes JMP 00007ffeed500250 .text C:\windows\system32\dashost.exe[1880] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00007ffe6d3dbb90 5 bytes JMP 00007ffeed500490 .text C:\windows\system32\dashost.exe[1880] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00007ffe6d3dbba0 5 bytes JMP 00007ffeed5004a0 .text C:\windows\system32\dashost.exe[1880] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00007ffe6d3dbbd0 5 bytes JMP 00007ffeed500300 .text C:\windows\system32\dashost.exe[1880] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00007ffe6d3dbbe0 5 bytes JMP 00007ffeed500360 .text C:\windows\system32\dashost.exe[1880] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 00007ffe6d3dbc40 5 bytes JMP 00007ffeed5002a0 .text C:\windows\system32\dashost.exe[1880] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00007ffe6d3dbc90 5 bytes JMP 00007ffeed5002c0 .text C:\windows\system32\dashost.exe[1880] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 00007ffe6d3dbcc0 5 bytes JMP 00007ffeed500380 .text C:\windows\system32\dashost.exe[1880] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 00007ffe6d3dbcd0 5 bytes JMP 00007ffeed500340 .text C:\windows\system32\dashost.exe[1880] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00007ffe6d3dbfe0 5 bytes JMP 00007ffeed500440 .text C:\windows\system32\dashost.exe[1880] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00007ffe6d3dc1e0 5 bytes JMP 00007ffeed500260 .text C:\windows\system32\dashost.exe[1880] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00007ffe6d3dc1f0 5 bytes JMP 00007ffeed500270 .text C:\windows\system32\dashost.exe[1880] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 00007ffe6d3dc210 5 bytes JMP 00007ffeed500400 .text C:\windows\system32\dashost.exe[1880] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ffe6d3dc3f0 5 bytes JMP 00007ffeed5001f0 .text C:\windows\system32\dashost.exe[1880] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00007ffe6d3dc400 5 bytes JMP 00007ffeed500210 .text C:\windows\system32\dashost.exe[1880] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ffe6d3dc490 5 bytes JMP 00007ffeed500200 .text C:\windows\system32\dashost.exe[1880] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00007ffe6d3dc500 5 bytes JMP 00007ffeed500420 .text C:\windows\system32\dashost.exe[1880] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 00007ffe6d3dc510 5 bytes JMP 00007ffeed500430 .text C:\windows\system32\dashost.exe[1880] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ffe6d3dc520 5 bytes JMP 00007ffeed500220 .text C:\windows\system32\dashost.exe[1880] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 00007ffe6d3dc630 5 bytes JMP 00007ffeed500280 .text C:\windows\system32\svchost.exe[2808] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00007ffe6d3dac30 5 bytes JMP 00007ffeed500460 .text C:\windows\system32\svchost.exe[2808] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 00007ffe6d3dac80 5 bytes JMP 00007ffeed500450 .text C:\windows\system32\svchost.exe[2808] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 00007ffe6d3dade0 1 byte JMP 00007ffeed500370 .text C:\windows\system32\svchost.exe[2808] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess + 2 00007ffe6d3dade2 3 bytes {JMP 0xffffffff80125590} .text C:\windows\system32\svchost.exe[2808] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00007ffe6d3dae30 5 bytes JMP 00007ffeed500470 .text C:\windows\system32\svchost.exe[2808] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ffe6d3dae40 5 bytes JMP 00007ffeed5003e0 .text C:\windows\system32\svchost.exe[2808] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 00007ffe6d3daef0 5 bytes JMP 00007ffeed500320 .text C:\windows\system32\svchost.exe[2808] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffe6d3daf20 1 byte JMP 00007ffeed5003b0 .text C:\windows\system32\svchost.exe[2808] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 2 00007ffe6d3daf22 3 bytes {JMP 0xffffffff80125490} .text C:\windows\system32\svchost.exe[2808] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00007ffe6d3daf40 5 bytes JMP 00007ffeed500390 .text C:\windows\system32\svchost.exe[2808] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 00007ffe6d3daf80 5 bytes JMP 00007ffeed5002e0 .text C:\windows\system32\svchost.exe[2808] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 00007ffe6d3db000 5 bytes JMP 00007ffeed5002d0 .text C:\windows\system32\svchost.exe[2808] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 00007ffe6d3db020 5 bytes JMP 00007ffeed500310 .text C:\windows\system32\svchost.exe[2808] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 00007ffe6d3db060 5 bytes JMP 00007ffeed5003c0 .text C:\windows\system32\svchost.exe[2808] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 00007ffe6d3db0b0 5 bytes JMP 00007ffeed5003f0 .text C:\windows\system32\svchost.exe[2808] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00007ffe6d3db210 5 bytes JMP 00007ffeed500230 .text C:\windows\system32\svchost.exe[2808] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ffe6d3db400 5 bytes JMP 00007ffeed500480 .text C:\windows\system32\svchost.exe[2808] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00007ffe6d3db430 5 bytes JMP 00007ffeed5003a0 .text C:\windows\system32\svchost.exe[2808] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ffe6d3db550 5 bytes JMP 00007ffeed5002f0 .text C:\windows\system32\svchost.exe[2808] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00007ffe6d3db570 5 bytes JMP 00007ffeed500350 .text C:\windows\system32\svchost.exe[2808] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 00007ffe6d3db5e0 5 bytes JMP 00007ffeed500290 .text C:\windows\system32\svchost.exe[2808] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ffe6d3db670 5 bytes JMP 00007ffeed5002b0 .text C:\windows\system32\svchost.exe[2808] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffe6d3db690 5 bytes JMP 00007ffeed5003d0 .text C:\windows\system32\svchost.exe[2808] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 00007ffe6d3db6a0 1 byte JMP 00007ffeed500330 .text C:\windows\system32\svchost.exe[2808] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00007ffe6d3db6a2 3 bytes {JMP 0xffffffff80124c90} .text C:\windows\system32\svchost.exe[2808] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00007ffe6d3db750 5 bytes JMP 00007ffeed500410 .text C:\windows\system32\svchost.exe[2808] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00007ffe6d3db780 5 bytes JMP 00007ffeed500240 .text C:\windows\system32\svchost.exe[2808] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 00007ffe6d3dbaa0 5 bytes JMP 00007ffeed5001e0 .text C:\windows\system32\svchost.exe[2808] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00007ffe6d3dbb60 5 bytes JMP 00007ffeed500250 .text C:\windows\system32\svchost.exe[2808] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00007ffe6d3dbb90 5 bytes JMP 00007ffeed500490 .text C:\windows\system32\svchost.exe[2808] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00007ffe6d3dbba0 5 bytes JMP 00007ffeed5004a0 .text C:\windows\system32\svchost.exe[2808] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00007ffe6d3dbbd0 5 bytes JMP 00007ffeed500300 .text C:\windows\system32\svchost.exe[2808] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00007ffe6d3dbbe0 5 bytes JMP 00007ffeed500360 .text C:\windows\system32\svchost.exe[2808] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 00007ffe6d3dbc40 5 bytes JMP 00007ffeed5002a0 .text C:\windows\system32\svchost.exe[2808] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00007ffe6d3dbc90 5 bytes JMP 00007ffeed5002c0 .text C:\windows\system32\svchost.exe[2808] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 00007ffe6d3dbcc0 5 bytes JMP 00007ffeed500380 .text C:\windows\system32\svchost.exe[2808] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 00007ffe6d3dbcd0 5 bytes JMP 00007ffeed500340 .text C:\windows\system32\svchost.exe[2808] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00007ffe6d3dbfe0 5 bytes JMP 00007ffeed500440 .text C:\windows\system32\svchost.exe[2808] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00007ffe6d3dc1e0 5 bytes JMP 00007ffeed500260 .text C:\windows\system32\svchost.exe[2808] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00007ffe6d3dc1f0 5 bytes JMP 00007ffeed500270 .text C:\windows\system32\svchost.exe[2808] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 00007ffe6d3dc210 5 bytes JMP 00007ffeed500400 .text C:\windows\system32\svchost.exe[2808] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ffe6d3dc3f0 5 bytes JMP 00007ffeed5001f0 .text C:\windows\system32\svchost.exe[2808] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00007ffe6d3dc400 5 bytes JMP 00007ffeed500210 .text C:\windows\system32\svchost.exe[2808] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ffe6d3dc490 5 bytes JMP 00007ffeed500200 .text C:\windows\system32\svchost.exe[2808] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00007ffe6d3dc500 5 bytes JMP 00007ffeed500420 .text C:\windows\system32\svchost.exe[2808] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 00007ffe6d3dc510 5 bytes JMP 00007ffeed500430 .text C:\windows\system32\svchost.exe[2808] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ffe6d3dc520 5 bytes JMP 00007ffeed500220 .text C:\windows\system32\svchost.exe[2808] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 00007ffe6d3dc630 5 bytes JMP 00007ffeed500280 .text C:\Windows\System32\WUDFHost.exe[2700] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00007ffe6d3dac30 5 bytes JMP 00007ffeed500460 .text C:\Windows\System32\WUDFHost.exe[2700] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 00007ffe6d3dac80 5 bytes JMP 00007ffeed500450 .text C:\Windows\System32\WUDFHost.exe[2700] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 00007ffe6d3dade0 1 byte JMP 00007ffeed500370 .text C:\Windows\System32\WUDFHost.exe[2700] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess + 2 00007ffe6d3dade2 3 bytes {JMP 0xffffffff80125590} .text C:\Windows\System32\WUDFHost.exe[2700] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00007ffe6d3dae30 5 bytes JMP 00007ffeed500470 .text C:\Windows\System32\WUDFHost.exe[2700] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ffe6d3dae40 5 bytes JMP 00007ffeed5003e0 .text C:\Windows\System32\WUDFHost.exe[2700] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 00007ffe6d3daef0 5 bytes JMP 00007ffeed500320 .text C:\Windows\System32\WUDFHost.exe[2700] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffe6d3daf20 1 byte JMP 00007ffeed5003b0 .text C:\Windows\System32\WUDFHost.exe[2700] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 2 00007ffe6d3daf22 3 bytes {JMP 0xffffffff80125490} .text C:\Windows\System32\WUDFHost.exe[2700] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00007ffe6d3daf40 5 bytes JMP 00007ffeed500390 .text C:\Windows\System32\WUDFHost.exe[2700] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 00007ffe6d3daf80 5 bytes JMP 00007ffeed5002e0 .text C:\Windows\System32\WUDFHost.exe[2700] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 00007ffe6d3db000 5 bytes JMP 00007ffeed5002d0 .text C:\Windows\System32\WUDFHost.exe[2700] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 00007ffe6d3db020 5 bytes JMP 00007ffeed500310 .text C:\Windows\System32\WUDFHost.exe[2700] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 00007ffe6d3db060 5 bytes JMP 00007ffeed5003c0 .text C:\Windows\System32\WUDFHost.exe[2700] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 00007ffe6d3db0b0 5 bytes JMP 00007ffeed5003f0 .text C:\Windows\System32\WUDFHost.exe[2700] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00007ffe6d3db210 5 bytes JMP 00007ffeed500230 .text C:\Windows\System32\WUDFHost.exe[2700] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ffe6d3db400 5 bytes JMP 00007ffeed500480 .text C:\Windows\System32\WUDFHost.exe[2700] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00007ffe6d3db430 5 bytes JMP 00007ffeed5003a0 .text C:\Windows\System32\WUDFHost.exe[2700] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ffe6d3db550 5 bytes JMP 00007ffeed5002f0 .text C:\Windows\System32\WUDFHost.exe[2700] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00007ffe6d3db570 5 bytes JMP 00007ffeed500350 .text C:\Windows\System32\WUDFHost.exe[2700] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 00007ffe6d3db5e0 5 bytes JMP 00007ffeed500290 .text C:\Windows\System32\WUDFHost.exe[2700] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ffe6d3db670 5 bytes JMP 00007ffeed5002b0 .text C:\Windows\System32\WUDFHost.exe[2700] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffe6d3db690 5 bytes JMP 00007ffeed5003d0 .text C:\Windows\System32\WUDFHost.exe[2700] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 00007ffe6d3db6a0 1 byte JMP 00007ffeed500330 .text C:\Windows\System32\WUDFHost.exe[2700] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00007ffe6d3db6a2 3 bytes {JMP 0xffffffff80124c90} .text C:\Windows\System32\WUDFHost.exe[2700] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00007ffe6d3db750 5 bytes JMP 00007ffeed500410 .text C:\Windows\System32\WUDFHost.exe[2700] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00007ffe6d3db780 5 bytes JMP 00007ffeed500240 .text C:\Windows\System32\WUDFHost.exe[2700] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 00007ffe6d3dbaa0 5 bytes JMP 00007ffeed5001e0 .text C:\Windows\System32\WUDFHost.exe[2700] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00007ffe6d3dbb60 5 bytes JMP 00007ffeed500250 .text C:\Windows\System32\WUDFHost.exe[2700] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00007ffe6d3dbb90 5 bytes JMP 00007ffeed500490 .text C:\Windows\System32\WUDFHost.exe[2700] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00007ffe6d3dbba0 5 bytes JMP 00007ffeed5004a0 .text C:\Windows\System32\WUDFHost.exe[2700] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00007ffe6d3dbbd0 5 bytes JMP 00007ffeed500300 .text C:\Windows\System32\WUDFHost.exe[2700] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00007ffe6d3dbbe0 5 bytes JMP 00007ffeed500360 .text C:\Windows\System32\WUDFHost.exe[2700] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 00007ffe6d3dbc40 5 bytes JMP 00007ffeed5002a0 .text C:\Windows\System32\WUDFHost.exe[2700] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00007ffe6d3dbc90 5 bytes JMP 00007ffeed5002c0 .text C:\Windows\System32\WUDFHost.exe[2700] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 00007ffe6d3dbcc0 5 bytes JMP 00007ffeed500380 .text C:\Windows\System32\WUDFHost.exe[2700] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 00007ffe6d3dbcd0 5 bytes JMP 00007ffeed500340 .text C:\Windows\System32\WUDFHost.exe[2700] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00007ffe6d3dbfe0 5 bytes JMP 00007ffeed500440 .text C:\Windows\System32\WUDFHost.exe[2700] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00007ffe6d3dc1e0 5 bytes JMP 00007ffeed500260 .text C:\Windows\System32\WUDFHost.exe[2700] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00007ffe6d3dc1f0 5 bytes JMP 00007ffeed500270 .text C:\Windows\System32\WUDFHost.exe[2700] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 00007ffe6d3dc210 5 bytes JMP 00007ffeed500400 .text C:\Windows\System32\WUDFHost.exe[2700] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ffe6d3dc3f0 5 bytes JMP 00007ffeed5001f0 .text C:\Windows\System32\WUDFHost.exe[2700] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00007ffe6d3dc400 5 bytes JMP 00007ffeed500210 .text C:\Windows\System32\WUDFHost.exe[2700] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ffe6d3dc490 5 bytes JMP 00007ffeed500200 .text C:\Windows\System32\WUDFHost.exe[2700] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00007ffe6d3dc500 5 bytes JMP 00007ffeed500420 .text C:\Windows\System32\WUDFHost.exe[2700] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 00007ffe6d3dc510 5 bytes JMP 00007ffeed500430 .text C:\Windows\System32\WUDFHost.exe[2700] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ffe6d3dc520 5 bytes JMP 00007ffeed500220 .text C:\Windows\System32\WUDFHost.exe[2700] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 00007ffe6d3dc630 5 bytes JMP 00007ffeed500280 .text C:\windows\system32\SearchIndexer.exe[3200] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00007ffe6d3dac30 5 bytes JMP 00007ffeed500460 .text C:\windows\system32\SearchIndexer.exe[3200] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 00007ffe6d3dac80 5 bytes JMP 00007ffeed500450 .text C:\windows\system32\SearchIndexer.exe[3200] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 00007ffe6d3dade0 1 byte JMP 00007ffeed500370 .text C:\windows\system32\SearchIndexer.exe[3200] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess + 2 00007ffe6d3dade2 3 bytes {JMP 0xffffffff80125590} .text C:\windows\system32\SearchIndexer.exe[3200] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00007ffe6d3dae30 5 bytes JMP 00007ffeed500470 .text C:\windows\system32\SearchIndexer.exe[3200] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ffe6d3dae40 5 bytes JMP 00007ffeed5003e0 .text C:\windows\system32\SearchIndexer.exe[3200] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 00007ffe6d3daef0 5 bytes JMP 00007ffeed500320 .text C:\windows\system32\SearchIndexer.exe[3200] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffe6d3daf20 1 byte JMP 00007ffeed5003b0 .text C:\windows\system32\SearchIndexer.exe[3200] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 2 00007ffe6d3daf22 3 bytes {JMP 0xffffffff80125490} .text C:\windows\system32\SearchIndexer.exe[3200] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00007ffe6d3daf40 5 bytes JMP 00007ffeed500390 .text C:\windows\system32\SearchIndexer.exe[3200] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 00007ffe6d3daf80 5 bytes JMP 00007ffeed5002e0 .text C:\windows\system32\SearchIndexer.exe[3200] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 00007ffe6d3db000 5 bytes JMP 00007ffeed5002d0 .text C:\windows\system32\SearchIndexer.exe[3200] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 00007ffe6d3db020 5 bytes JMP 00007ffeed500310 .text C:\windows\system32\SearchIndexer.exe[3200] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 00007ffe6d3db060 5 bytes JMP 00007ffeed5003c0 .text C:\windows\system32\SearchIndexer.exe[3200] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 00007ffe6d3db0b0 5 bytes JMP 00007ffeed5003f0 .text C:\windows\system32\SearchIndexer.exe[3200] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00007ffe6d3db210 5 bytes JMP 00007ffeed500230 .text C:\windows\system32\SearchIndexer.exe[3200] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ffe6d3db400 5 bytes JMP 00007ffeed500480 .text C:\windows\system32\SearchIndexer.exe[3200] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00007ffe6d3db430 5 bytes JMP 00007ffeed5003a0 .text C:\windows\system32\SearchIndexer.exe[3200] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ffe6d3db550 5 bytes JMP 00007ffeed5002f0 .text C:\windows\system32\SearchIndexer.exe[3200] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00007ffe6d3db570 5 bytes JMP 00007ffeed500350 .text C:\windows\system32\SearchIndexer.exe[3200] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 00007ffe6d3db5e0 5 bytes JMP 00007ffeed500290 .text C:\windows\system32\SearchIndexer.exe[3200] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ffe6d3db670 5 bytes JMP 00007ffeed5002b0 .text C:\windows\system32\SearchIndexer.exe[3200] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffe6d3db690 5 bytes JMP 00007ffeed5003d0 .text C:\windows\system32\SearchIndexer.exe[3200] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 00007ffe6d3db6a0 1 byte JMP 00007ffeed500330 .text C:\windows\system32\SearchIndexer.exe[3200] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00007ffe6d3db6a2 3 bytes {JMP 0xffffffff80124c90} .text C:\windows\system32\SearchIndexer.exe[3200] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00007ffe6d3db750 5 bytes JMP 00007ffeed500410 .text C:\windows\system32\SearchIndexer.exe[3200] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00007ffe6d3db780 5 bytes JMP 00007ffeed500240 .text C:\windows\system32\SearchIndexer.exe[3200] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 00007ffe6d3dbaa0 5 bytes JMP 00007ffeed5001e0 .text C:\windows\system32\SearchIndexer.exe[3200] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00007ffe6d3dbb60 5 bytes JMP 00007ffeed500250 .text C:\windows\system32\SearchIndexer.exe[3200] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00007ffe6d3dbb90 5 bytes JMP 00007ffeed500490 .text C:\windows\system32\SearchIndexer.exe[3200] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00007ffe6d3dbba0 5 bytes JMP 00007ffeed5004a0 .text C:\windows\system32\SearchIndexer.exe[3200] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00007ffe6d3dbbd0 5 bytes JMP 00007ffeed500300 .text C:\windows\system32\SearchIndexer.exe[3200] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00007ffe6d3dbbe0 5 bytes JMP 00007ffeed500360 .text C:\windows\system32\SearchIndexer.exe[3200] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 00007ffe6d3dbc40 5 bytes JMP 00007ffeed5002a0 .text C:\windows\system32\SearchIndexer.exe[3200] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00007ffe6d3dbc90 5 bytes JMP 00007ffeed5002c0 .text C:\windows\system32\SearchIndexer.exe[3200] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 00007ffe6d3dbcc0 5 bytes JMP 00007ffeed500380 .text C:\windows\system32\SearchIndexer.exe[3200] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 00007ffe6d3dbcd0 5 bytes JMP 00007ffeed500340 .text C:\windows\system32\SearchIndexer.exe[3200] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00007ffe6d3dbfe0 5 bytes JMP 00007ffeed500440 .text C:\windows\system32\SearchIndexer.exe[3200] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00007ffe6d3dc1e0 5 bytes JMP 00007ffeed500260 .text C:\windows\system32\SearchIndexer.exe[3200] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00007ffe6d3dc1f0 5 bytes JMP 00007ffeed500270 .text C:\windows\system32\SearchIndexer.exe[3200] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 00007ffe6d3dc210 5 bytes JMP 00007ffeed500400 .text C:\windows\system32\SearchIndexer.exe[3200] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ffe6d3dc3f0 5 bytes JMP 00007ffeed5001f0 .text C:\windows\system32\SearchIndexer.exe[3200] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00007ffe6d3dc400 5 bytes JMP 00007ffeed500210 .text C:\windows\system32\SearchIndexer.exe[3200] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ffe6d3dc490 5 bytes JMP 00007ffeed500200 .text C:\windows\system32\SearchIndexer.exe[3200] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00007ffe6d3dc500 5 bytes JMP 00007ffeed500420 .text C:\windows\system32\SearchIndexer.exe[3200] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 00007ffe6d3dc510 5 bytes JMP 00007ffeed500430 .text C:\windows\system32\SearchIndexer.exe[3200] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ffe6d3dc520 5 bytes JMP 00007ffeed500220 .text C:\windows\system32\SearchIndexer.exe[3200] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 00007ffe6d3dc630 5 bytes JMP 00007ffeed500280 .text C:\windows\Explorer.EXE[4000] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00007ffe6d3dac30 5 bytes JMP 00007ffeed500460 .text C:\windows\Explorer.EXE[4000] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 00007ffe6d3dac80 5 bytes JMP 00007ffeed500450 .text C:\windows\Explorer.EXE[4000] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 00007ffe6d3dade0 1 byte JMP 00007ffeed500370 .text C:\windows\Explorer.EXE[4000] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess + 2 00007ffe6d3dade2 3 bytes {JMP 0xffffffff80125590} .text C:\windows\Explorer.EXE[4000] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00007ffe6d3dae30 5 bytes JMP 00007ffeed500470 .text C:\windows\Explorer.EXE[4000] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ffe6d3dae40 5 bytes JMP 00007ffeed5003e0 .text C:\windows\Explorer.EXE[4000] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 00007ffe6d3daef0 5 bytes JMP 00007ffeed500320 .text C:\windows\Explorer.EXE[4000] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffe6d3daf20 1 byte JMP 00007ffeed5003b0 .text C:\windows\Explorer.EXE[4000] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 2 00007ffe6d3daf22 3 bytes {JMP 0xffffffff80125490} .text C:\windows\Explorer.EXE[4000] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00007ffe6d3daf40 5 bytes JMP 00007ffeed500390 .text C:\windows\Explorer.EXE[4000] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 00007ffe6d3daf80 5 bytes JMP 00007ffeed5002e0 .text C:\windows\Explorer.EXE[4000] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 00007ffe6d3db000 5 bytes JMP 00007ffeed5002d0 .text C:\windows\Explorer.EXE[4000] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 00007ffe6d3db020 5 bytes JMP 00007ffeed500310 .text C:\windows\Explorer.EXE[4000] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 00007ffe6d3db060 5 bytes JMP 00007ffeed5003c0 .text C:\windows\Explorer.EXE[4000] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 00007ffe6d3db0b0 5 bytes JMP 00007ffeed5003f0 .text C:\windows\Explorer.EXE[4000] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00007ffe6d3db210 5 bytes JMP 00007ffeed500230 .text C:\windows\Explorer.EXE[4000] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ffe6d3db400 5 bytes JMP 00007ffeed500480 .text C:\windows\Explorer.EXE[4000] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00007ffe6d3db430 5 bytes JMP 00007ffeed5003a0 .text C:\windows\Explorer.EXE[4000] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ffe6d3db550 5 bytes JMP 00007ffeed5002f0 .text C:\windows\Explorer.EXE[4000] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00007ffe6d3db570 5 bytes JMP 00007ffeed500350 .text C:\windows\Explorer.EXE[4000] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 00007ffe6d3db5e0 5 bytes JMP 00007ffeed500290 .text C:\windows\Explorer.EXE[4000] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ffe6d3db670 5 bytes JMP 00007ffeed5002b0 .text C:\windows\Explorer.EXE[4000] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffe6d3db690 5 bytes JMP 00007ffeed5003d0 .text C:\windows\Explorer.EXE[4000] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 00007ffe6d3db6a0 1 byte JMP 00007ffeed500330 .text C:\windows\Explorer.EXE[4000] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00007ffe6d3db6a2 3 bytes {JMP 0xffffffff80124c90} .text C:\windows\Explorer.EXE[4000] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00007ffe6d3db750 5 bytes JMP 00007ffeed500410 .text C:\windows\Explorer.EXE[4000] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00007ffe6d3db780 5 bytes JMP 00007ffeed500240 .text C:\windows\Explorer.EXE[4000] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 00007ffe6d3dbaa0 5 bytes JMP 00007ffeed5001e0 .text C:\windows\Explorer.EXE[4000] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00007ffe6d3dbb60 5 bytes JMP 00007ffeed500250 .text C:\windows\Explorer.EXE[4000] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00007ffe6d3dbb90 5 bytes JMP 00007ffeed500490 .text C:\windows\Explorer.EXE[4000] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00007ffe6d3dbba0 5 bytes JMP 00007ffeed5004a0 .text C:\windows\Explorer.EXE[4000] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00007ffe6d3dbbd0 5 bytes JMP 00007ffeed500300 .text C:\windows\Explorer.EXE[4000] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00007ffe6d3dbbe0 5 bytes JMP 00007ffeed500360 .text C:\windows\Explorer.EXE[4000] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 00007ffe6d3dbc40 5 bytes JMP 00007ffeed5002a0 .text C:\windows\Explorer.EXE[4000] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00007ffe6d3dbc90 5 bytes JMP 00007ffeed5002c0 .text C:\windows\Explorer.EXE[4000] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 00007ffe6d3dbcc0 5 bytes JMP 00007ffeed500380 .text C:\windows\Explorer.EXE[4000] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 00007ffe6d3dbcd0 5 bytes JMP 00007ffeed500340 .text C:\windows\Explorer.EXE[4000] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00007ffe6d3dbfe0 5 bytes JMP 00007ffeed500440 .text C:\windows\Explorer.EXE[4000] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00007ffe6d3dc1e0 5 bytes JMP 00007ffeed500260 .text C:\windows\Explorer.EXE[4000] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00007ffe6d3dc1f0 5 bytes JMP 00007ffeed500270 .text C:\windows\Explorer.EXE[4000] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 00007ffe6d3dc210 5 bytes JMP 00007ffeed500400 .text C:\windows\Explorer.EXE[4000] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ffe6d3dc3f0 5 bytes JMP 00007ffeed5001f0 .text C:\windows\Explorer.EXE[4000] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00007ffe6d3dc400 5 bytes JMP 00007ffeed500210 .text C:\windows\Explorer.EXE[4000] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ffe6d3dc490 5 bytes JMP 00007ffeed500200 .text C:\windows\Explorer.EXE[4000] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00007ffe6d3dc500 5 bytes JMP 00007ffeed500420 .text C:\windows\Explorer.EXE[4000] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 00007ffe6d3dc510 5 bytes JMP 00007ffeed500430 .text C:\windows\Explorer.EXE[4000] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ffe6d3dc520 5 bytes JMP 00007ffeed500220 .text C:\windows\Explorer.EXE[4000] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 00007ffe6d3dc630 5 bytes JMP 00007ffeed500280 .text C:\windows\system32\DllHost.exe[3380] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00007ffe6d3dac30 5 bytes JMP 00007ffeed500460 .text C:\windows\system32\DllHost.exe[3380] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 00007ffe6d3dac80 5 bytes JMP 00007ffeed500450 .text C:\windows\system32\DllHost.exe[3380] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 00007ffe6d3dade0 1 byte JMP 00007ffeed500370 .text C:\windows\system32\DllHost.exe[3380] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess + 2 00007ffe6d3dade2 3 bytes {JMP 0xffffffff80125590} .text C:\windows\system32\DllHost.exe[3380] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00007ffe6d3dae30 5 bytes JMP 00007ffeed500470 .text C:\windows\system32\DllHost.exe[3380] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ffe6d3dae40 5 bytes JMP 00007ffeed5003e0 .text C:\windows\system32\DllHost.exe[3380] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 00007ffe6d3daef0 5 bytes JMP 00007ffeed500320 .text C:\windows\system32\DllHost.exe[3380] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffe6d3daf20 1 byte JMP 00007ffeed5003b0 .text C:\windows\system32\DllHost.exe[3380] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 2 00007ffe6d3daf22 3 bytes {JMP 0xffffffff80125490} .text C:\windows\system32\DllHost.exe[3380] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00007ffe6d3daf40 5 bytes JMP 00007ffeed500390 .text C:\windows\system32\DllHost.exe[3380] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 00007ffe6d3daf80 5 bytes JMP 00007ffeed5002e0 .text C:\windows\system32\DllHost.exe[3380] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 00007ffe6d3db000 5 bytes JMP 00007ffeed5002d0 .text C:\windows\system32\DllHost.exe[3380] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 00007ffe6d3db020 5 bytes JMP 00007ffeed500310 .text C:\windows\system32\DllHost.exe[3380] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 00007ffe6d3db060 5 bytes JMP 00007ffeed5003c0 .text C:\windows\system32\DllHost.exe[3380] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 00007ffe6d3db0b0 5 bytes JMP 00007ffeed5003f0 .text C:\windows\system32\DllHost.exe[3380] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00007ffe6d3db210 5 bytes JMP 00007ffeed500230 .text C:\windows\system32\DllHost.exe[3380] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ffe6d3db400 5 bytes JMP 00007ffeed500480 .text C:\windows\system32\DllHost.exe[3380] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00007ffe6d3db430 5 bytes JMP 00007ffeed5003a0 .text C:\windows\system32\DllHost.exe[3380] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ffe6d3db550 5 bytes JMP 00007ffeed5002f0 .text C:\windows\system32\DllHost.exe[3380] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00007ffe6d3db570 5 bytes JMP 00007ffeed500350 .text C:\windows\system32\DllHost.exe[3380] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 00007ffe6d3db5e0 5 bytes JMP 00007ffeed500290 .text C:\windows\system32\DllHost.exe[3380] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ffe6d3db670 5 bytes JMP 00007ffeed5002b0 .text C:\windows\system32\DllHost.exe[3380] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffe6d3db690 5 bytes JMP 00007ffeed5003d0 .text C:\windows\system32\DllHost.exe[3380] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 00007ffe6d3db6a0 1 byte JMP 00007ffeed500330 .text C:\windows\system32\DllHost.exe[3380] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00007ffe6d3db6a2 3 bytes {JMP 0xffffffff80124c90} .text C:\windows\system32\DllHost.exe[3380] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00007ffe6d3db750 5 bytes JMP 00007ffeed500410 .text C:\windows\system32\DllHost.exe[3380] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00007ffe6d3db780 5 bytes JMP 00007ffeed500240 .text C:\windows\system32\DllHost.exe[3380] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 00007ffe6d3dbaa0 5 bytes JMP 00007ffeed5001e0 .text C:\windows\system32\DllHost.exe[3380] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00007ffe6d3dbb60 5 bytes JMP 00007ffeed500250 .text C:\windows\system32\DllHost.exe[3380] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00007ffe6d3dbb90 5 bytes JMP 00007ffeed500490 .text C:\windows\system32\DllHost.exe[3380] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00007ffe6d3dbba0 5 bytes JMP 00007ffeed5004a0 .text C:\windows\system32\DllHost.exe[3380] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00007ffe6d3dbbd0 5 bytes JMP 00007ffeed500300 .text C:\windows\system32\DllHost.exe[3380] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00007ffe6d3dbbe0 5 bytes JMP 00007ffeed500360 .text C:\windows\system32\DllHost.exe[3380] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 00007ffe6d3dbc40 5 bytes JMP 00007ffeed5002a0 .text C:\windows\system32\DllHost.exe[3380] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00007ffe6d3dbc90 5 bytes JMP 00007ffeed5002c0 .text C:\windows\system32\DllHost.exe[3380] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 00007ffe6d3dbcc0 5 bytes JMP 00007ffeed500380 .text C:\windows\system32\DllHost.exe[3380] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 00007ffe6d3dbcd0 5 bytes JMP 00007ffeed500340 .text C:\windows\system32\DllHost.exe[3380] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00007ffe6d3dbfe0 5 bytes JMP 00007ffeed500440 .text C:\windows\system32\DllHost.exe[3380] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00007ffe6d3dc1e0 5 bytes JMP 00007ffeed500260 .text C:\windows\system32\DllHost.exe[3380] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00007ffe6d3dc1f0 5 bytes JMP 00007ffeed500270 .text C:\windows\system32\DllHost.exe[3380] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 00007ffe6d3dc210 5 bytes JMP 00007ffeed500400 .text C:\windows\system32\DllHost.exe[3380] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ffe6d3dc3f0 5 bytes JMP 00007ffeed5001f0 .text C:\windows\system32\DllHost.exe[3380] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00007ffe6d3dc400 5 bytes JMP 00007ffeed500210 .text C:\windows\system32\DllHost.exe[3380] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ffe6d3dc490 5 bytes JMP 00007ffeed500200 .text C:\windows\system32\DllHost.exe[3380] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00007ffe6d3dc500 5 bytes JMP 00007ffeed500420 .text C:\windows\system32\DllHost.exe[3380] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 00007ffe6d3dc510 5 bytes JMP 00007ffeed500430 .text C:\windows\system32\DllHost.exe[3380] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ffe6d3dc520 5 bytes JMP 00007ffeed500220 .text C:\windows\system32\DllHost.exe[3380] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 00007ffe6d3dc630 5 bytes JMP 00007ffeed500280 .text C:\windows\system32\taskhostex.exe[2232] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00007ffe6d3dac30 5 bytes JMP 00007ffeed500460 .text C:\windows\system32\taskhostex.exe[2232] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 00007ffe6d3dac80 5 bytes JMP 00007ffeed500450 .text C:\windows\system32\taskhostex.exe[2232] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 00007ffe6d3dade0 1 byte JMP 00007ffeed500370 .text C:\windows\system32\taskhostex.exe[2232] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess + 2 00007ffe6d3dade2 3 bytes {JMP 0xffffffff80125590} .text C:\windows\system32\taskhostex.exe[2232] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00007ffe6d3dae30 5 bytes JMP 00007ffeed500470 .text C:\windows\system32\taskhostex.exe[2232] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ffe6d3dae40 5 bytes JMP 00007ffeed5003e0 .text C:\windows\system32\taskhostex.exe[2232] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 00007ffe6d3daef0 5 bytes JMP 00007ffeed500320 .text C:\windows\system32\taskhostex.exe[2232] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffe6d3daf20 1 byte JMP 00007ffeed5003b0 .text C:\windows\system32\taskhostex.exe[2232] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 2 00007ffe6d3daf22 3 bytes {JMP 0xffffffff80125490} .text C:\windows\system32\taskhostex.exe[2232] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00007ffe6d3daf40 5 bytes JMP 00007ffeed500390 .text C:\windows\system32\taskhostex.exe[2232] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 00007ffe6d3daf80 5 bytes JMP 00007ffeed5002e0 .text C:\windows\system32\taskhostex.exe[2232] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 00007ffe6d3db000 5 bytes JMP 00007ffeed5002d0 .text C:\windows\system32\taskhostex.exe[2232] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 00007ffe6d3db020 5 bytes JMP 00007ffeed500310 .text C:\windows\system32\taskhostex.exe[2232] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 00007ffe6d3db060 5 bytes JMP 00007ffeed5003c0 .text C:\windows\system32\taskhostex.exe[2232] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 00007ffe6d3db0b0 5 bytes JMP 00007ffeed5003f0 .text C:\windows\system32\taskhostex.exe[2232] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00007ffe6d3db210 5 bytes JMP 00007ffeed500230 .text C:\windows\system32\taskhostex.exe[2232] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ffe6d3db400 5 bytes JMP 00007ffeed500480 .text C:\windows\system32\taskhostex.exe[2232] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00007ffe6d3db430 5 bytes JMP 00007ffeed5003a0 .text C:\windows\system32\taskhostex.exe[2232] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ffe6d3db550 5 bytes JMP 00007ffeed5002f0 .text C:\windows\system32\taskhostex.exe[2232] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00007ffe6d3db570 5 bytes JMP 00007ffeed500350 .text C:\windows\system32\taskhostex.exe[2232] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 00007ffe6d3db5e0 5 bytes JMP 00007ffeed500290 .text C:\windows\system32\taskhostex.exe[2232] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ffe6d3db670 5 bytes JMP 00007ffeed5002b0 .text C:\windows\system32\taskhostex.exe[2232] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffe6d3db690 5 bytes JMP 00007ffeed5003d0 .text C:\windows\system32\taskhostex.exe[2232] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 00007ffe6d3db6a0 1 byte JMP 00007ffeed500330 .text C:\windows\system32\taskhostex.exe[2232] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00007ffe6d3db6a2 3 bytes {JMP 0xffffffff80124c90} .text C:\windows\system32\taskhostex.exe[2232] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00007ffe6d3db750 5 bytes JMP 00007ffeed500410 .text C:\windows\system32\taskhostex.exe[2232] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00007ffe6d3db780 5 bytes JMP 00007ffeed500240 .text C:\windows\system32\taskhostex.exe[2232] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 00007ffe6d3dbaa0 5 bytes JMP 00007ffeed5001e0 .text C:\windows\system32\taskhostex.exe[2232] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00007ffe6d3dbb60 5 bytes JMP 00007ffeed500250 .text C:\windows\system32\taskhostex.exe[2232] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00007ffe6d3dbb90 5 bytes JMP 00007ffeed500490 .text C:\windows\system32\taskhostex.exe[2232] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00007ffe6d3dbba0 5 bytes JMP 00007ffeed5004a0 .text C:\windows\system32\taskhostex.exe[2232] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00007ffe6d3dbbd0 5 bytes JMP 00007ffeed500300 .text C:\windows\system32\taskhostex.exe[2232] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00007ffe6d3dbbe0 5 bytes JMP 00007ffeed500360 .text C:\windows\system32\taskhostex.exe[2232] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 00007ffe6d3dbc40 5 bytes JMP 00007ffeed5002a0 .text C:\windows\system32\taskhostex.exe[2232] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00007ffe6d3dbc90 5 bytes JMP 00007ffeed5002c0 .text C:\windows\system32\taskhostex.exe[2232] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 00007ffe6d3dbcc0 5 bytes JMP 00007ffeed500380 .text C:\windows\system32\taskhostex.exe[2232] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 00007ffe6d3dbcd0 5 bytes JMP 00007ffeed500340 .text C:\windows\system32\taskhostex.exe[2232] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00007ffe6d3dbfe0 5 bytes JMP 00007ffeed500440 .text C:\windows\system32\taskhostex.exe[2232] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00007ffe6d3dc1e0 5 bytes JMP 00007ffeed500260 .text C:\windows\system32\taskhostex.exe[2232] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00007ffe6d3dc1f0 5 bytes JMP 00007ffeed500270 .text C:\windows\system32\taskhostex.exe[2232] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 00007ffe6d3dc210 5 bytes JMP 00007ffeed500400 .text C:\windows\system32\taskhostex.exe[2232] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ffe6d3dc3f0 5 bytes JMP 00007ffeed5001f0 .text C:\windows\system32\taskhostex.exe[2232] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00007ffe6d3dc400 5 bytes JMP 00007ffeed500210 .text C:\windows\system32\taskhostex.exe[2232] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ffe6d3dc490 5 bytes JMP 00007ffeed500200 .text C:\windows\system32\taskhostex.exe[2232] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00007ffe6d3dc500 5 bytes JMP 00007ffeed500420 .text C:\windows\system32\taskhostex.exe[2232] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 00007ffe6d3dc510 5 bytes JMP 00007ffeed500430 .text C:\windows\system32\taskhostex.exe[2232] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ffe6d3dc520 5 bytes JMP 00007ffeed500220 .text C:\windows\system32\taskhostex.exe[2232] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 00007ffe6d3dc630 5 bytes JMP 00007ffeed500280 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[3472] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00007ffe6d3dac30 5 bytes JMP 00007ffeed500460 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[3472] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 00007ffe6d3dac80 5 bytes JMP 00007ffeed500450 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[3472] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 00007ffe6d3dade0 1 byte JMP 00007ffeed500370 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[3472] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess + 2 00007ffe6d3dade2 3 bytes {JMP 0xffffffff80125590} .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[3472] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00007ffe6d3dae30 5 bytes JMP 00007ffeed500470 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[3472] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ffe6d3dae40 5 bytes JMP 00007ffeed5003e0 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[3472] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 00007ffe6d3daef0 5 bytes JMP 00007ffeed500320 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[3472] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffe6d3daf20 1 byte JMP 00007ffeed5003b0 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[3472] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 2 00007ffe6d3daf22 3 bytes {JMP 0xffffffff80125490} .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[3472] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00007ffe6d3daf40 5 bytes JMP 00007ffeed500390 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[3472] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 00007ffe6d3daf80 5 bytes JMP 00007ffeed5002e0 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[3472] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 00007ffe6d3db000 5 bytes JMP 00007ffeed5002d0 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[3472] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 00007ffe6d3db020 5 bytes JMP 00007ffeed500310 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[3472] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 00007ffe6d3db060 5 bytes JMP 00007ffeed5003c0 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[3472] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 00007ffe6d3db0b0 5 bytes JMP 00007ffeed5003f0 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[3472] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00007ffe6d3db210 5 bytes JMP 00007ffeed500230 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[3472] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ffe6d3db400 5 bytes JMP 00007ffeed500480 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[3472] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00007ffe6d3db430 5 bytes JMP 00007ffeed5003a0 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[3472] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ffe6d3db550 5 bytes JMP 00007ffeed5002f0 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[3472] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00007ffe6d3db570 5 bytes JMP 00007ffeed500350 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[3472] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 00007ffe6d3db5e0 5 bytes JMP 00007ffeed500290 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[3472] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ffe6d3db670 5 bytes JMP 00007ffeed5002b0 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[3472] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffe6d3db690 5 bytes JMP 00007ffeed5003d0 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[3472] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 00007ffe6d3db6a0 1 byte JMP 00007ffeed500330 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[3472] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00007ffe6d3db6a2 3 bytes {JMP 0xffffffff80124c90} .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[3472] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00007ffe6d3db750 5 bytes JMP 00007ffeed500410 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[3472] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00007ffe6d3db780 5 bytes JMP 00007ffeed500240 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[3472] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 00007ffe6d3dbaa0 5 bytes JMP 00007ffeed5001e0 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[3472] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00007ffe6d3dbb60 5 bytes JMP 00007ffeed500250 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[3472] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00007ffe6d3dbb90 5 bytes JMP 00007ffeed500490 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[3472] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00007ffe6d3dbba0 5 bytes JMP 00007ffeed5004a0 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[3472] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00007ffe6d3dbbd0 5 bytes JMP 00007ffeed500300 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[3472] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00007ffe6d3dbbe0 5 bytes JMP 00007ffeed500360 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[3472] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 00007ffe6d3dbc40 5 bytes JMP 00007ffeed5002a0 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[3472] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00007ffe6d3dbc90 5 bytes JMP 00007ffeed5002c0 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[3472] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 00007ffe6d3dbcc0 5 bytes JMP 00007ffeed500380 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[3472] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 00007ffe6d3dbcd0 5 bytes JMP 00007ffeed500340 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[3472] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00007ffe6d3dbfe0 5 bytes JMP 00007ffeed500440 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[3472] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00007ffe6d3dc1e0 5 bytes JMP 00007ffeed500260 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[3472] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00007ffe6d3dc1f0 5 bytes JMP 00007ffeed500270 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[3472] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 00007ffe6d3dc210 5 bytes JMP 00007ffeed500400 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[3472] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ffe6d3dc3f0 5 bytes JMP 00007ffeed5001f0 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[3472] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00007ffe6d3dc400 5 bytes JMP 00007ffeed500210 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[3472] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ffe6d3dc490 5 bytes JMP 00007ffeed500200 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[3472] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00007ffe6d3dc500 5 bytes JMP 00007ffeed500420 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[3472] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 00007ffe6d3dc510 5 bytes JMP 00007ffeed500430 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[3472] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ffe6d3dc520 5 bytes JMP 00007ffeed500220 .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[3472] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 00007ffe6d3dc630 5 bytes JMP 00007ffeed500280 .text C:\windows\system32\wbem\unsecapp.exe[4204] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00007ffe6d3dac30 5 bytes JMP 00007ffeed500460 .text C:\windows\system32\wbem\unsecapp.exe[4204] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 00007ffe6d3dac80 5 bytes JMP 00007ffeed500450 .text C:\windows\system32\wbem\unsecapp.exe[4204] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 00007ffe6d3dade0 1 byte JMP 00007ffeed500370 .text C:\windows\system32\wbem\unsecapp.exe[4204] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess + 2 00007ffe6d3dade2 3 bytes {JMP 0xffffffff80125590} .text C:\windows\system32\wbem\unsecapp.exe[4204] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00007ffe6d3dae30 5 bytes JMP 00007ffeed500470 .text C:\windows\system32\wbem\unsecapp.exe[4204] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ffe6d3dae40 5 bytes JMP 00007ffeed5003e0 .text C:\windows\system32\wbem\unsecapp.exe[4204] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 00007ffe6d3daef0 5 bytes JMP 00007ffeed500320 .text C:\windows\system32\wbem\unsecapp.exe[4204] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffe6d3daf20 1 byte JMP 00007ffeed5003b0 .text C:\windows\system32\wbem\unsecapp.exe[4204] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 2 00007ffe6d3daf22 3 bytes {JMP 0xffffffff80125490} .text C:\windows\system32\wbem\unsecapp.exe[4204] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00007ffe6d3daf40 5 bytes JMP 00007ffeed500390 .text C:\windows\system32\wbem\unsecapp.exe[4204] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 00007ffe6d3daf80 5 bytes JMP 00007ffeed5002e0 .text C:\windows\system32\wbem\unsecapp.exe[4204] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 00007ffe6d3db000 5 bytes JMP 00007ffeed5002d0 .text C:\windows\system32\wbem\unsecapp.exe[4204] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 00007ffe6d3db020 5 bytes JMP 00007ffeed500310 .text C:\windows\system32\wbem\unsecapp.exe[4204] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 00007ffe6d3db060 5 bytes JMP 00007ffeed5003c0 .text C:\windows\system32\wbem\unsecapp.exe[4204] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 00007ffe6d3db0b0 5 bytes JMP 00007ffeed5003f0 .text C:\windows\system32\wbem\unsecapp.exe[4204] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00007ffe6d3db210 5 bytes JMP 00007ffeed500230 .text C:\windows\system32\wbem\unsecapp.exe[4204] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ffe6d3db400 5 bytes JMP 00007ffeed500480 .text C:\windows\system32\wbem\unsecapp.exe[4204] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00007ffe6d3db430 5 bytes JMP 00007ffeed5003a0 .text C:\windows\system32\wbem\unsecapp.exe[4204] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ffe6d3db550 5 bytes JMP 00007ffeed5002f0 .text C:\windows\system32\wbem\unsecapp.exe[4204] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00007ffe6d3db570 5 bytes JMP 00007ffeed500350 .text C:\windows\system32\wbem\unsecapp.exe[4204] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 00007ffe6d3db5e0 5 bytes JMP 00007ffeed500290 .text C:\windows\system32\wbem\unsecapp.exe[4204] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ffe6d3db670 5 bytes JMP 00007ffeed5002b0 .text C:\windows\system32\wbem\unsecapp.exe[4204] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffe6d3db690 5 bytes JMP 00007ffeed5003d0 .text C:\windows\system32\wbem\unsecapp.exe[4204] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 00007ffe6d3db6a0 1 byte JMP 00007ffeed500330 .text C:\windows\system32\wbem\unsecapp.exe[4204] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00007ffe6d3db6a2 3 bytes {JMP 0xffffffff80124c90} .text C:\windows\system32\wbem\unsecapp.exe[4204] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00007ffe6d3db750 5 bytes JMP 00007ffeed500410 .text C:\windows\system32\wbem\unsecapp.exe[4204] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00007ffe6d3db780 5 bytes JMP 00007ffeed500240 .text C:\windows\system32\wbem\unsecapp.exe[4204] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 00007ffe6d3dbaa0 5 bytes JMP 00007ffeed5001e0 .text C:\windows\system32\wbem\unsecapp.exe[4204] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00007ffe6d3dbb60 5 bytes JMP 00007ffeed500250 .text C:\windows\system32\wbem\unsecapp.exe[4204] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00007ffe6d3dbb90 5 bytes JMP 00007ffeed500490 .text C:\windows\system32\wbem\unsecapp.exe[4204] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00007ffe6d3dbba0 5 bytes JMP 00007ffeed5004a0 .text C:\windows\system32\wbem\unsecapp.exe[4204] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00007ffe6d3dbbd0 5 bytes JMP 00007ffeed500300 .text C:\windows\system32\wbem\unsecapp.exe[4204] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00007ffe6d3dbbe0 5 bytes JMP 00007ffeed500360 .text C:\windows\system32\wbem\unsecapp.exe[4204] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 00007ffe6d3dbc40 5 bytes JMP 00007ffeed5002a0 .text C:\windows\system32\wbem\unsecapp.exe[4204] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00007ffe6d3dbc90 5 bytes JMP 00007ffeed5002c0 .text C:\windows\system32\wbem\unsecapp.exe[4204] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 00007ffe6d3dbcc0 5 bytes JMP 00007ffeed500380 .text C:\windows\system32\wbem\unsecapp.exe[4204] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 00007ffe6d3dbcd0 5 bytes JMP 00007ffeed500340 .text C:\windows\system32\wbem\unsecapp.exe[4204] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00007ffe6d3dbfe0 5 bytes JMP 00007ffeed500440 .text C:\windows\system32\wbem\unsecapp.exe[4204] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00007ffe6d3dc1e0 5 bytes JMP 00007ffeed500260 .text C:\windows\system32\wbem\unsecapp.exe[4204] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00007ffe6d3dc1f0 5 bytes JMP 00007ffeed500270 .text C:\windows\system32\wbem\unsecapp.exe[4204] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 00007ffe6d3dc210 5 bytes JMP 00007ffeed500400 .text C:\windows\system32\wbem\unsecapp.exe[4204] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ffe6d3dc3f0 5 bytes JMP 00007ffeed5001f0 .text C:\windows\system32\wbem\unsecapp.exe[4204] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00007ffe6d3dc400 5 bytes JMP 00007ffeed500210 .text C:\windows\system32\wbem\unsecapp.exe[4204] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ffe6d3dc490 5 bytes JMP 00007ffeed500200 .text C:\windows\system32\wbem\unsecapp.exe[4204] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00007ffe6d3dc500 5 bytes JMP 00007ffeed500420 .text C:\windows\system32\wbem\unsecapp.exe[4204] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 00007ffe6d3dc510 5 bytes JMP 00007ffeed500430 .text C:\windows\system32\wbem\unsecapp.exe[4204] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ffe6d3dc520 5 bytes JMP 00007ffeed500220 .text C:\windows\system32\wbem\unsecapp.exe[4204] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 00007ffe6d3dc630 5 bytes JMP 00007ffeed500280 .text C:\windows\system32\wbem\wmiprvse.exe[4908] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00007ffe6d3dac30 5 bytes JMP 00007ffeed500460 .text C:\windows\system32\wbem\wmiprvse.exe[4908] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 00007ffe6d3dac80 5 bytes JMP 00007ffeed500450 .text C:\windows\system32\wbem\wmiprvse.exe[4908] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 00007ffe6d3dade0 1 byte JMP 00007ffeed500370 .text C:\windows\system32\wbem\wmiprvse.exe[4908] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess + 2 00007ffe6d3dade2 3 bytes {JMP 0xffffffff80125590} .text C:\windows\system32\wbem\wmiprvse.exe[4908] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00007ffe6d3dae30 5 bytes JMP 00007ffeed500470 .text C:\windows\system32\wbem\wmiprvse.exe[4908] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ffe6d3dae40 5 bytes JMP 00007ffeed5003e0 .text C:\windows\system32\wbem\wmiprvse.exe[4908] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 00007ffe6d3daef0 5 bytes JMP 00007ffeed500320 .text C:\windows\system32\wbem\wmiprvse.exe[4908] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffe6d3daf20 1 byte JMP 00007ffeed5003b0 .text C:\windows\system32\wbem\wmiprvse.exe[4908] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 2 00007ffe6d3daf22 3 bytes {JMP 0xffffffff80125490} .text C:\windows\system32\wbem\wmiprvse.exe[4908] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00007ffe6d3daf40 5 bytes JMP 00007ffeed500390 .text C:\windows\system32\wbem\wmiprvse.exe[4908] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 00007ffe6d3daf80 5 bytes JMP 00007ffeed5002e0 .text C:\windows\system32\wbem\wmiprvse.exe[4908] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 00007ffe6d3db000 5 bytes JMP 00007ffeed5002d0 .text C:\windows\system32\wbem\wmiprvse.exe[4908] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 00007ffe6d3db020 5 bytes JMP 00007ffeed500310 .text C:\windows\system32\wbem\wmiprvse.exe[4908] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 00007ffe6d3db060 5 bytes JMP 00007ffeed5003c0 .text C:\windows\system32\wbem\wmiprvse.exe[4908] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 00007ffe6d3db0b0 5 bytes JMP 00007ffeed5003f0 .text C:\windows\system32\wbem\wmiprvse.exe[4908] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00007ffe6d3db210 5 bytes JMP 00007ffeed500230 .text C:\windows\system32\wbem\wmiprvse.exe[4908] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ffe6d3db400 5 bytes JMP 00007ffeed500480 .text C:\windows\system32\wbem\wmiprvse.exe[4908] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00007ffe6d3db430 5 bytes JMP 00007ffeed5003a0 .text C:\windows\system32\wbem\wmiprvse.exe[4908] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ffe6d3db550 5 bytes JMP 00007ffeed5002f0 .text C:\windows\system32\wbem\wmiprvse.exe[4908] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00007ffe6d3db570 5 bytes JMP 00007ffeed500350 .text C:\windows\system32\wbem\wmiprvse.exe[4908] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 00007ffe6d3db5e0 5 bytes JMP 00007ffeed500290 .text C:\windows\system32\wbem\wmiprvse.exe[4908] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ffe6d3db670 5 bytes JMP 00007ffeed5002b0 .text C:\windows\system32\wbem\wmiprvse.exe[4908] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffe6d3db690 5 bytes JMP 00007ffeed5003d0 .text C:\windows\system32\wbem\wmiprvse.exe[4908] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 00007ffe6d3db6a0 1 byte JMP 00007ffeed500330 .text C:\windows\system32\wbem\wmiprvse.exe[4908] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00007ffe6d3db6a2 3 bytes {JMP 0xffffffff80124c90} .text C:\windows\system32\wbem\wmiprvse.exe[4908] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00007ffe6d3db750 5 bytes JMP 00007ffeed500410 .text C:\windows\system32\wbem\wmiprvse.exe[4908] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00007ffe6d3db780 5 bytes JMP 00007ffeed500240 .text C:\windows\system32\wbem\wmiprvse.exe[4908] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 00007ffe6d3dbaa0 5 bytes JMP 00007ffeed5001e0 .text C:\windows\system32\wbem\wmiprvse.exe[4908] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00007ffe6d3dbb60 5 bytes JMP 00007ffeed500250 .text C:\windows\system32\wbem\wmiprvse.exe[4908] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00007ffe6d3dbb90 5 bytes JMP 00007ffeed500490 .text C:\windows\system32\wbem\wmiprvse.exe[4908] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00007ffe6d3dbba0 5 bytes JMP 00007ffeed5004a0 .text C:\windows\system32\wbem\wmiprvse.exe[4908] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00007ffe6d3dbbd0 5 bytes JMP 00007ffeed500300 .text C:\windows\system32\wbem\wmiprvse.exe[4908] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00007ffe6d3dbbe0 5 bytes JMP 00007ffeed500360 .text C:\windows\system32\wbem\wmiprvse.exe[4908] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 00007ffe6d3dbc40 5 bytes JMP 00007ffeed5002a0 .text C:\windows\system32\wbem\wmiprvse.exe[4908] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00007ffe6d3dbc90 5 bytes JMP 00007ffeed5002c0 .text C:\windows\system32\wbem\wmiprvse.exe[4908] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 00007ffe6d3dbcc0 5 bytes JMP 00007ffeed500380 .text C:\windows\system32\wbem\wmiprvse.exe[4908] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 00007ffe6d3dbcd0 5 bytes JMP 00007ffeed500340 .text C:\windows\system32\wbem\wmiprvse.exe[4908] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00007ffe6d3dbfe0 5 bytes JMP 00007ffeed500440 .text C:\windows\system32\wbem\wmiprvse.exe[4908] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00007ffe6d3dc1e0 5 bytes JMP 00007ffeed500260 .text C:\windows\system32\wbem\wmiprvse.exe[4908] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00007ffe6d3dc1f0 5 bytes JMP 00007ffeed500270 .text C:\windows\system32\wbem\wmiprvse.exe[4908] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 00007ffe6d3dc210 5 bytes JMP 00007ffeed500400 .text C:\windows\system32\wbem\wmiprvse.exe[4908] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ffe6d3dc3f0 5 bytes JMP 00007ffeed5001f0 .text C:\windows\system32\wbem\wmiprvse.exe[4908] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00007ffe6d3dc400 5 bytes JMP 00007ffeed500210 .text C:\windows\system32\wbem\wmiprvse.exe[4908] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ffe6d3dc490 5 bytes JMP 00007ffeed500200 .text C:\windows\system32\wbem\wmiprvse.exe[4908] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00007ffe6d3dc500 5 bytes JMP 00007ffeed500420 .text C:\windows\system32\wbem\wmiprvse.exe[4908] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 00007ffe6d3dc510 5 bytes JMP 00007ffeed500430 .text C:\windows\system32\wbem\wmiprvse.exe[4908] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ffe6d3dc520 5 bytes JMP 00007ffeed500220 .text C:\windows\system32\wbem\wmiprvse.exe[4908] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 00007ffe6d3dc630 5 bytes JMP 00007ffeed500280 .text C:\windows\system32\taskeng.exe[5088] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00007ffe6d3dac30 5 bytes JMP 00007ffeed500460 .text C:\windows\system32\taskeng.exe[5088] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 00007ffe6d3dac80 5 bytes JMP 00007ffeed500450 .text C:\windows\system32\taskeng.exe[5088] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 00007ffe6d3dade0 1 byte JMP 00007ffeed500370 .text C:\windows\system32\taskeng.exe[5088] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess + 2 00007ffe6d3dade2 3 bytes {JMP 0xffffffff80125590} .text C:\windows\system32\taskeng.exe[5088] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00007ffe6d3dae30 5 bytes JMP 00007ffeed500470 .text C:\windows\system32\taskeng.exe[5088] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ffe6d3dae40 5 bytes JMP 00007ffeed5003e0 .text C:\windows\system32\taskeng.exe[5088] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 00007ffe6d3daef0 5 bytes JMP 00007ffeed500320 .text C:\windows\system32\taskeng.exe[5088] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffe6d3daf20 1 byte JMP 00007ffeed5003b0 .text C:\windows\system32\taskeng.exe[5088] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 2 00007ffe6d3daf22 3 bytes {JMP 0xffffffff80125490} .text C:\windows\system32\taskeng.exe[5088] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00007ffe6d3daf40 5 bytes JMP 00007ffeed500390 .text C:\windows\system32\taskeng.exe[5088] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 00007ffe6d3daf80 5 bytes JMP 00007ffeed5002e0 .text C:\windows\system32\taskeng.exe[5088] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 00007ffe6d3db000 5 bytes JMP 00007ffeed5002d0 .text C:\windows\system32\taskeng.exe[5088] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 00007ffe6d3db020 5 bytes JMP 00007ffeed500310 .text C:\windows\system32\taskeng.exe[5088] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 00007ffe6d3db060 5 bytes JMP 00007ffeed5003c0 .text C:\windows\system32\taskeng.exe[5088] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 00007ffe6d3db0b0 5 bytes JMP 00007ffeed5003f0 .text C:\windows\system32\taskeng.exe[5088] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00007ffe6d3db210 5 bytes JMP 00007ffeed500230 .text C:\windows\system32\taskeng.exe[5088] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ffe6d3db400 5 bytes JMP 00007ffeed500480 .text C:\windows\system32\taskeng.exe[5088] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00007ffe6d3db430 5 bytes JMP 00007ffeed5003a0 .text C:\windows\system32\taskeng.exe[5088] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ffe6d3db550 5 bytes JMP 00007ffeed5002f0 .text C:\windows\system32\taskeng.exe[5088] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00007ffe6d3db570 5 bytes JMP 00007ffeed500350 .text C:\windows\system32\taskeng.exe[5088] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 00007ffe6d3db5e0 5 bytes JMP 00007ffeed500290 .text C:\windows\system32\taskeng.exe[5088] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ffe6d3db670 5 bytes JMP 00007ffeed5002b0 .text C:\windows\system32\taskeng.exe[5088] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffe6d3db690 5 bytes JMP 00007ffeed5003d0 .text C:\windows\system32\taskeng.exe[5088] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 00007ffe6d3db6a0 1 byte JMP 00007ffeed500330 .text C:\windows\system32\taskeng.exe[5088] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00007ffe6d3db6a2 3 bytes {JMP 0xffffffff80124c90} .text C:\windows\system32\taskeng.exe[5088] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00007ffe6d3db750 5 bytes JMP 00007ffeed500410 .text C:\windows\system32\taskeng.exe[5088] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00007ffe6d3db780 5 bytes JMP 00007ffeed500240 .text C:\windows\system32\taskeng.exe[5088] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 00007ffe6d3dbaa0 5 bytes JMP 00007ffeed5001e0 .text C:\windows\system32\taskeng.exe[5088] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00007ffe6d3dbb60 5 bytes JMP 00007ffeed500250 .text C:\windows\system32\taskeng.exe[5088] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00007ffe6d3dbb90 5 bytes JMP 00007ffeed500490 .text C:\windows\system32\taskeng.exe[5088] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00007ffe6d3dbba0 5 bytes JMP 00007ffeed5004a0 .text C:\windows\system32\taskeng.exe[5088] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00007ffe6d3dbbd0 5 bytes JMP 00007ffeed500300 .text C:\windows\system32\taskeng.exe[5088] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00007ffe6d3dbbe0 5 bytes JMP 00007ffeed500360 .text C:\windows\system32\taskeng.exe[5088] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 00007ffe6d3dbc40 5 bytes JMP 00007ffeed5002a0 .text C:\windows\system32\taskeng.exe[5088] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00007ffe6d3dbc90 5 bytes JMP 00007ffeed5002c0 .text C:\windows\system32\taskeng.exe[5088] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 00007ffe6d3dbcc0 5 bytes JMP 00007ffeed500380 .text C:\windows\system32\taskeng.exe[5088] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 00007ffe6d3dbcd0 5 bytes JMP 00007ffeed500340 .text C:\windows\system32\taskeng.exe[5088] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00007ffe6d3dbfe0 5 bytes JMP 00007ffeed500440 .text C:\windows\system32\taskeng.exe[5088] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00007ffe6d3dc1e0 5 bytes JMP 00007ffeed500260 .text C:\windows\system32\taskeng.exe[5088] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00007ffe6d3dc1f0 5 bytes JMP 00007ffeed500270 .text C:\windows\system32\taskeng.exe[5088] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 00007ffe6d3dc210 5 bytes JMP 00007ffeed500400 .text C:\windows\system32\taskeng.exe[5088] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ffe6d3dc3f0 5 bytes JMP 00007ffeed5001f0 .text C:\windows\system32\taskeng.exe[5088] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00007ffe6d3dc400 5 bytes JMP 00007ffeed500210 .text C:\windows\system32\taskeng.exe[5088] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ffe6d3dc490 5 bytes JMP 00007ffeed500200 .text C:\windows\system32\taskeng.exe[5088] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00007ffe6d3dc500 5 bytes JMP 00007ffeed500420 .text C:\windows\system32\taskeng.exe[5088] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 00007ffe6d3dc510 5 bytes JMP 00007ffeed500430 .text C:\windows\system32\taskeng.exe[5088] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ffe6d3dc520 5 bytes JMP 00007ffeed500220 .text C:\windows\system32\taskeng.exe[5088] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 00007ffe6d3dc630 5 bytes JMP 00007ffeed500280 .text C:\Program Files\Microsoft Office 15\Root\Office15\WINWORD.EXE[4172] C:\Program Files\Microsoft Office 15\Root\Office15\WINWORD.EXE!wdGetApplicationObject + 18 0000000000fb1950 1 byte [FB] .text C:\Program Files\Microsoft Office 15\Root\Office15\WINWORD.EXE[4172] C:\Program Files\Microsoft Office 15\Root\Office15\WINWORD.EXE!wdGetApplicationObject + 137 0000000000fb19c7 1 byte [FB] .text C:\Program Files\Microsoft Office 15\Root\Office15\WINWORD.EXE[4172] C:\Program Files\Microsoft Office 15\Root\Office15\WINWORD.EXE!wdGetApplicationObject + 202 0000000000fb1a08 1 byte [FB] .text C:\Program Files\Microsoft Office 15\Root\Office15\WINWORD.EXE[4172] C:\Program Files\Microsoft Office 15\Root\Office15\WINWORD.EXE!wdGetApplicationObject + 310 0000000000fb1a74 1 byte [FB] .text C:\Program Files\Microsoft Office 15\Root\Office15\WINWORD.EXE[4172] C:\Program Files\Microsoft Office 15\Root\Office15\WINWORD.EXE!wdGetApplicationObject + 572 0000000000fb1b7a 1 byte [FB] .text C:\Program Files\Microsoft Office 15\Root\Office15\WINWORD.EXE[4172] C:\Program Files\Microsoft Office 15\Root\Office15\WINWORD.EXE!wdGetApplicationObject + 767 0000000000fb1c3d 1 byte [FB] .text C:\Program Files\Microsoft Office 15\Root\Office15\WINWORD.EXE[4172] C:\Program Files\Microsoft Office 15\Root\Office15\WINWORD.EXE!wdGetApplicationObject + 788 0000000000fb1c52 1 byte [FB] .text C:\Program Files\Microsoft Office 15\Root\Office15\WINWORD.EXE[4172] C:\Program Files\Microsoft Office 15\Root\Office15\WINWORD.EXE!wdGetApplicationObject + 800 0000000000fb1c5e 1 byte [FB] .text C:\Program Files\Microsoft Office 15\Root\Office15\WINWORD.EXE[4172] C:\Program Files\Microsoft Office 15\Root\Office15\WINWORD.EXE!wdGetApplicationObject + 836 0000000000fb1c82 1 byte [FB] .text C:\Program Files\Microsoft Office 15\Root\Office15\WINWORD.EXE[4172] C:\Program Files\Microsoft Office 15\Root\Office15\WINWORD.EXE!wdGetApplicationObject + 920 0000000000fb1cd6 1 byte [FB] .text C:\Program Files\AutoCAD 2010\acad.exe[3268] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00007ffe6d3dac30 5 bytes JMP 00007ffeed500460 .text C:\Program Files\AutoCAD 2010\acad.exe[3268] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 00007ffe6d3dac80 5 bytes JMP 00007ffeed500450 .text C:\Program Files\AutoCAD 2010\acad.exe[3268] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 00007ffe6d3dade0 1 byte JMP 00007ffeed500370 .text C:\Program Files\AutoCAD 2010\acad.exe[3268] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess + 2 00007ffe6d3dade2 3 bytes {JMP 0xffffffff80125590} .text C:\Program Files\AutoCAD 2010\acad.exe[3268] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00007ffe6d3dae30 5 bytes JMP 00007ffeed500470 .text C:\Program Files\AutoCAD 2010\acad.exe[3268] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ffe6d3dae40 5 bytes JMP 00007ffeed5003e0 .text C:\Program Files\AutoCAD 2010\acad.exe[3268] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 00007ffe6d3daef0 5 bytes JMP 00007ffeed500320 .text C:\Program Files\AutoCAD 2010\acad.exe[3268] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffe6d3daf20 1 byte JMP 00007ffeed5003b0 .text C:\Program Files\AutoCAD 2010\acad.exe[3268] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 2 00007ffe6d3daf22 3 bytes {JMP 0xffffffff80125490} .text C:\Program Files\AutoCAD 2010\acad.exe[3268] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00007ffe6d3daf40 5 bytes JMP 00007ffeed500390 .text C:\Program Files\AutoCAD 2010\acad.exe[3268] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 00007ffe6d3daf80 5 bytes JMP 00007ffeed5002e0 .text C:\Program Files\AutoCAD 2010\acad.exe[3268] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 00007ffe6d3db000 5 bytes JMP 00007ffeed5002d0 .text C:\Program Files\AutoCAD 2010\acad.exe[3268] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 00007ffe6d3db020 5 bytes JMP 00007ffeed500310 .text C:\Program Files\AutoCAD 2010\acad.exe[3268] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 00007ffe6d3db060 5 bytes JMP 00007ffeed5003c0 .text C:\Program Files\AutoCAD 2010\acad.exe[3268] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 00007ffe6d3db0b0 5 bytes JMP 00007ffeed5003f0 .text C:\Program Files\AutoCAD 2010\acad.exe[3268] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00007ffe6d3db210 5 bytes JMP 00007ffeed500230 .text C:\Program Files\AutoCAD 2010\acad.exe[3268] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ffe6d3db400 5 bytes JMP 00007ffeed500480 .text C:\Program Files\AutoCAD 2010\acad.exe[3268] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00007ffe6d3db430 5 bytes JMP 00007ffeed5003a0 .text C:\Program Files\AutoCAD 2010\acad.exe[3268] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ffe6d3db550 5 bytes JMP 00007ffeed5002f0 .text C:\Program Files\AutoCAD 2010\acad.exe[3268] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00007ffe6d3db570 5 bytes JMP 00007ffeed500350 .text C:\Program Files\AutoCAD 2010\acad.exe[3268] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 00007ffe6d3db5e0 5 bytes JMP 00007ffeed500290 .text C:\Program Files\AutoCAD 2010\acad.exe[3268] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ffe6d3db670 5 bytes JMP 00007ffeed5002b0 .text C:\Program Files\AutoCAD 2010\acad.exe[3268] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffe6d3db690 5 bytes JMP 00007ffeed5003d0 .text C:\Program Files\AutoCAD 2010\acad.exe[3268] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 00007ffe6d3db6a0 1 byte JMP 00007ffeed500330 .text C:\Program Files\AutoCAD 2010\acad.exe[3268] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00007ffe6d3db6a2 3 bytes {JMP 0xffffffff80124c90} .text C:\Program Files\AutoCAD 2010\acad.exe[3268] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00007ffe6d3db750 5 bytes JMP 00007ffeed500410 .text C:\Program Files\AutoCAD 2010\acad.exe[3268] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00007ffe6d3db780 5 bytes JMP 00007ffeed500240 .text C:\Program Files\AutoCAD 2010\acad.exe[3268] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 00007ffe6d3dbaa0 5 bytes JMP 00007ffeed5001e0 .text C:\Program Files\AutoCAD 2010\acad.exe[3268] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00007ffe6d3dbb60 5 bytes JMP 00007ffeed500250 .text C:\Program Files\AutoCAD 2010\acad.exe[3268] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00007ffe6d3dbb90 5 bytes JMP 00007ffeed500490 .text C:\Program Files\AutoCAD 2010\acad.exe[3268] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00007ffe6d3dbba0 5 bytes JMP 00007ffeed5004a0 .text C:\Program Files\AutoCAD 2010\acad.exe[3268] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00007ffe6d3dbbd0 5 bytes JMP 00007ffeed500300 .text C:\Program Files\AutoCAD 2010\acad.exe[3268] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00007ffe6d3dbbe0 5 bytes JMP 00007ffeed500360 .text C:\Program Files\AutoCAD 2010\acad.exe[3268] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 00007ffe6d3dbc40 5 bytes JMP 00007ffeed5002a0 .text C:\Program Files\AutoCAD 2010\acad.exe[3268] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00007ffe6d3dbc90 5 bytes JMP 00007ffeed5002c0 .text C:\Program Files\AutoCAD 2010\acad.exe[3268] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 00007ffe6d3dbcc0 5 bytes JMP 00007ffeed500380 .text C:\Program Files\AutoCAD 2010\acad.exe[3268] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 00007ffe6d3dbcd0 5 bytes JMP 00007ffeed500340 .text C:\Program Files\AutoCAD 2010\acad.exe[3268] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00007ffe6d3dbfe0 5 bytes JMP 00007ffeed500440 .text C:\Program Files\AutoCAD 2010\acad.exe[3268] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00007ffe6d3dc1e0 5 bytes JMP 00007ffeed500260 .text C:\Program Files\AutoCAD 2010\acad.exe[3268] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00007ffe6d3dc1f0 5 bytes JMP 00007ffeed500270 .text C:\Program Files\AutoCAD 2010\acad.exe[3268] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 00007ffe6d3dc210 5 bytes JMP 00007ffeed500400 .text C:\Program Files\AutoCAD 2010\acad.exe[3268] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ffe6d3dc3f0 5 bytes JMP 00007ffeed5001f0 .text C:\Program Files\AutoCAD 2010\acad.exe[3268] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00007ffe6d3dc400 5 bytes JMP 00007ffeed500210 .text C:\Program Files\AutoCAD 2010\acad.exe[3268] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ffe6d3dc490 5 bytes JMP 00007ffeed500200 .text C:\Program Files\AutoCAD 2010\acad.exe[3268] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00007ffe6d3dc500 5 bytes JMP 00007ffeed500420 .text C:\Program Files\AutoCAD 2010\acad.exe[3268] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 00007ffe6d3dc510 5 bytes JMP 00007ffeed500430 .text C:\Program Files\AutoCAD 2010\acad.exe[3268] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ffe6d3dc520 5 bytes JMP 00007ffeed500220 .text C:\Program Files\AutoCAD 2010\acad.exe[3268] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 00007ffe6d3dc630 5 bytes JMP 00007ffeed500280 .text C:\Program Files\AutoCAD 2010\acad.exe[3268] C:\windows\system32\KERNEL32.DLL!SetUnhandledExceptionFilter 00007ffe6d1a915c 5 bytes [90, 33, C0, 90, C3] .text C:\Program Files\AutoCAD 2010\acad.exe[3268] C:\windows\system32\PSAPI.DLL!GetModuleBaseNameA + 506 00007ffe6b23169a 4 bytes [23, 6B, FE, 7F] .text C:\Program Files\AutoCAD 2010\acad.exe[3268] C:\windows\system32\PSAPI.DLL!GetModuleBaseNameA + 514 00007ffe6b2316a2 4 bytes [23, 6B, FE, 7F] .text C:\Program Files\AutoCAD 2010\acad.exe[3268] C:\windows\system32\PSAPI.DLL!QueryWorkingSet + 118 00007ffe6b23181a 4 bytes [23, 6B, FE, 7F] .text C:\Program Files\AutoCAD 2010\acad.exe[3268] C:\windows\system32\PSAPI.DLL!QueryWorkingSet + 142 00007ffe6b231832 4 bytes [23, 6B, FE, 7F] .text C:\Program Files\AutoCAD 2010\acad.exe[3268] C:\windows\SYSTEM32\WSOCK32.dll!setsockopt + 194 00007ffe66461f6a 4 bytes [46, 66, FE, 7F] .text C:\Program Files\AutoCAD 2010\acad.exe[3268] C:\windows\SYSTEM32\WSOCK32.dll!setsockopt + 218 00007ffe66461f82 4 bytes [46, 66, FE, 7F] .text C:\windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[5036] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00007ffe6d3dac30 5 bytes JMP 00007ffeed500460 .text C:\windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[5036] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 00007ffe6d3dac80 5 bytes JMP 00007ffeed500450 .text C:\windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[5036] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 00007ffe6d3dade0 1 byte JMP 00007ffeed500370 .text C:\windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[5036] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess + 2 00007ffe6d3dade2 3 bytes {JMP 0xffffffff80125590} .text C:\windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[5036] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00007ffe6d3dae30 5 bytes JMP 00007ffeed500470 .text C:\windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[5036] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ffe6d3dae40 5 bytes JMP 00007ffeed5003e0 .text C:\windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[5036] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 00007ffe6d3daef0 5 bytes JMP 00007ffeed500320 .text C:\windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[5036] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffe6d3daf20 1 byte JMP 00007ffeed5003b0 .text C:\windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[5036] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 2 00007ffe6d3daf22 3 bytes {JMP 0xffffffff80125490} .text C:\windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[5036] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00007ffe6d3daf40 5 bytes JMP 00007ffeed500390 .text C:\windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[5036] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 00007ffe6d3daf80 5 bytes JMP 00007ffeed5002e0 .text C:\windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[5036] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 00007ffe6d3db000 5 bytes JMP 00007ffeed5002d0 .text C:\windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[5036] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 00007ffe6d3db020 5 bytes JMP 00007ffeed500310 .text C:\windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[5036] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 00007ffe6d3db060 5 bytes JMP 00007ffeed5003c0 .text C:\windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[5036] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 00007ffe6d3db0b0 5 bytes JMP 00007ffeed5003f0 .text C:\windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[5036] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00007ffe6d3db210 5 bytes JMP 00007ffeed500230 .text C:\windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[5036] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ffe6d3db400 5 bytes JMP 00007ffeed500480 .text C:\windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[5036] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00007ffe6d3db430 5 bytes JMP 00007ffeed5003a0 .text C:\windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[5036] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ffe6d3db550 5 bytes JMP 00007ffeed5002f0 .text C:\windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[5036] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00007ffe6d3db570 5 bytes JMP 00007ffeed500350 .text C:\windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[5036] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 00007ffe6d3db5e0 5 bytes JMP 00007ffeed500290 .text C:\windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[5036] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ffe6d3db670 5 bytes JMP 00007ffeed5002b0 .text C:\windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[5036] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffe6d3db690 5 bytes JMP 00007ffeed5003d0 .text C:\windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[5036] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 00007ffe6d3db6a0 1 byte JMP 00007ffeed500330 .text C:\windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[5036] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00007ffe6d3db6a2 3 bytes {JMP 0xffffffff80124c90} .text C:\windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[5036] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00007ffe6d3db750 5 bytes JMP 00007ffeed500410 .text C:\windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[5036] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00007ffe6d3db780 5 bytes JMP 00007ffeed500240 .text C:\windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[5036] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 00007ffe6d3dbaa0 5 bytes JMP 00007ffeed5001e0 .text C:\windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[5036] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00007ffe6d3dbb60 5 bytes JMP 00007ffeed500250 .text C:\windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[5036] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00007ffe6d3dbb90 5 bytes JMP 00007ffeed500490 .text C:\windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[5036] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00007ffe6d3dbba0 5 bytes JMP 00007ffeed5004a0 .text C:\windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[5036] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00007ffe6d3dbbd0 5 bytes JMP 00007ffeed500300 .text C:\windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[5036] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00007ffe6d3dbbe0 5 bytes JMP 00007ffeed500360 .text C:\windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[5036] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 00007ffe6d3dbc40 5 bytes JMP 00007ffeed5002a0 .text C:\windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[5036] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00007ffe6d3dbc90 5 bytes JMP 00007ffeed5002c0 .text C:\windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[5036] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 00007ffe6d3dbcc0 5 bytes JMP 00007ffeed500380 .text C:\windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[5036] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 00007ffe6d3dbcd0 5 bytes JMP 00007ffeed500340 .text C:\windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[5036] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00007ffe6d3dbfe0 5 bytes JMP 00007ffeed500440 .text C:\windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[5036] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00007ffe6d3dc1e0 5 bytes JMP 00007ffeed500260 .text C:\windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[5036] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00007ffe6d3dc1f0 5 bytes JMP 00007ffeed500270 .text C:\windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[5036] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 00007ffe6d3dc210 5 bytes JMP 00007ffeed500400 .text C:\windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[5036] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ffe6d3dc3f0 5 bytes JMP 00007ffeed5001f0 .text C:\windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[5036] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00007ffe6d3dc400 5 bytes JMP 00007ffeed500210 .text C:\windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[5036] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ffe6d3dc490 5 bytes JMP 00007ffeed500200 .text C:\windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[5036] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00007ffe6d3dc500 5 bytes JMP 00007ffeed500420 .text C:\windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[5036] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 00007ffe6d3dc510 5 bytes JMP 00007ffeed500430 .text C:\windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[5036] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ffe6d3dc520 5 bytes JMP 00007ffeed500220 .text C:\windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[5036] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 00007ffe6d3dc630 5 bytes JMP 00007ffeed500280 .text C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService64.exe[2160] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00007ffe6d3dac30 5 bytes JMP 00007ffeed500460 .text C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService64.exe[2160] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 00007ffe6d3dac80 5 bytes JMP 00007ffeed500450 .text C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService64.exe[2160] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 00007ffe6d3dade0 1 byte JMP 00007ffeed500370 .text C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService64.exe[2160] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess + 2 00007ffe6d3dade2 3 bytes {JMP 0xffffffff80125590} .text C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService64.exe[2160] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00007ffe6d3dae30 5 bytes JMP 00007ffeed500470 .text C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService64.exe[2160] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ffe6d3dae40 5 bytes JMP 00007ffeed5003e0 .text C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService64.exe[2160] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 00007ffe6d3daef0 5 bytes JMP 00007ffeed500320 .text C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService64.exe[2160] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffe6d3daf20 1 byte JMP 00007ffeed5003b0 .text C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService64.exe[2160] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 2 00007ffe6d3daf22 3 bytes {JMP 0xffffffff80125490} .text C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService64.exe[2160] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00007ffe6d3daf40 5 bytes JMP 00007ffeed500390 .text C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService64.exe[2160] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 00007ffe6d3daf80 5 bytes JMP 00007ffeed5002e0 .text C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService64.exe[2160] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 00007ffe6d3db000 5 bytes JMP 00007ffeed5002d0 .text C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService64.exe[2160] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 00007ffe6d3db020 5 bytes JMP 00007ffeed500310 .text C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService64.exe[2160] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 00007ffe6d3db060 5 bytes JMP 00007ffeed5003c0 .text C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService64.exe[2160] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 00007ffe6d3db0b0 5 bytes JMP 00007ffeed5003f0 .text C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService64.exe[2160] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00007ffe6d3db210 5 bytes JMP 00007ffeed500230 .text C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService64.exe[2160] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ffe6d3db400 5 bytes JMP 00007ffeed500480 .text C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService64.exe[2160] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00007ffe6d3db430 5 bytes JMP 00007ffeed5003a0 .text C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService64.exe[2160] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ffe6d3db550 5 bytes JMP 00007ffeed5002f0 .text C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService64.exe[2160] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00007ffe6d3db570 5 bytes JMP 00007ffeed500350 .text C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService64.exe[2160] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 00007ffe6d3db5e0 5 bytes JMP 00007ffeed500290 .text C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService64.exe[2160] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ffe6d3db670 5 bytes JMP 00007ffeed5002b0 .text C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService64.exe[2160] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffe6d3db690 5 bytes JMP 00007ffeed5003d0 .text C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService64.exe[2160] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 00007ffe6d3db6a0 1 byte JMP 00007ffeed500330 .text C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService64.exe[2160] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00007ffe6d3db6a2 3 bytes {JMP 0xffffffff80124c90} .text C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService64.exe[2160] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00007ffe6d3db750 5 bytes JMP 00007ffeed500410 .text C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService64.exe[2160] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00007ffe6d3db780 5 bytes JMP 00007ffeed500240 .text C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService64.exe[2160] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 00007ffe6d3dbaa0 5 bytes JMP 00007ffeed5001e0 .text C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService64.exe[2160] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00007ffe6d3dbb60 5 bytes JMP 00007ffeed500250 .text C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService64.exe[2160] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00007ffe6d3dbb90 5 bytes JMP 00007ffeed500490 .text C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService64.exe[2160] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00007ffe6d3dbba0 5 bytes JMP 00007ffeed5004a0 .text C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService64.exe[2160] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00007ffe6d3dbbd0 5 bytes JMP 00007ffeed500300 .text C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService64.exe[2160] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00007ffe6d3dbbe0 5 bytes JMP 00007ffeed500360 .text C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService64.exe[2160] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 00007ffe6d3dbc40 5 bytes JMP 00007ffeed5002a0 .text C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService64.exe[2160] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00007ffe6d3dbc90 5 bytes JMP 00007ffeed5002c0 .text C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService64.exe[2160] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 00007ffe6d3dbcc0 5 bytes JMP 00007ffeed500380 .text C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService64.exe[2160] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 00007ffe6d3dbcd0 5 bytes JMP 00007ffeed500340 .text C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService64.exe[2160] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00007ffe6d3dbfe0 5 bytes JMP 00007ffeed500440 .text C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService64.exe[2160] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00007ffe6d3dc1e0 5 bytes JMP 00007ffeed500260 .text C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService64.exe[2160] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00007ffe6d3dc1f0 5 bytes JMP 00007ffeed500270 .text C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService64.exe[2160] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 00007ffe6d3dc210 5 bytes JMP 00007ffeed500400 .text C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService64.exe[2160] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ffe6d3dc3f0 5 bytes JMP 00007ffeed5001f0 .text C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService64.exe[2160] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00007ffe6d3dc400 5 bytes JMP 00007ffeed500210 .text C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService64.exe[2160] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ffe6d3dc490 5 bytes JMP 00007ffeed500200 .text C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService64.exe[2160] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00007ffe6d3dc500 5 bytes JMP 00007ffeed500420 .text C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService64.exe[2160] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 00007ffe6d3dc510 5 bytes JMP 00007ffeed500430 .text C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService64.exe[2160] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ffe6d3dc520 5 bytes JMP 00007ffeed500220 .text C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService64.exe[2160] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 00007ffe6d3dc630 5 bytes JMP 00007ffeed500280 .text C:\Program Files\Common Files\Autodesk Shared\WSCommCntr1.exe[1148] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00007ffe6d3dac30 5 bytes JMP 00007ffeed500460 .text C:\Program Files\Common Files\Autodesk Shared\WSCommCntr1.exe[1148] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 00007ffe6d3dac80 5 bytes JMP 00007ffeed500450 .text C:\Program Files\Common Files\Autodesk Shared\WSCommCntr1.exe[1148] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 00007ffe6d3dade0 1 byte JMP 00007ffeed500370 .text C:\Program Files\Common Files\Autodesk Shared\WSCommCntr1.exe[1148] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess + 2 00007ffe6d3dade2 3 bytes {JMP 0xffffffff80125590} .text C:\Program Files\Common Files\Autodesk Shared\WSCommCntr1.exe[1148] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00007ffe6d3dae30 5 bytes JMP 00007ffeed500470 .text C:\Program Files\Common Files\Autodesk Shared\WSCommCntr1.exe[1148] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ffe6d3dae40 5 bytes JMP 00007ffeed5003e0 .text C:\Program Files\Common Files\Autodesk Shared\WSCommCntr1.exe[1148] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 00007ffe6d3daef0 5 bytes JMP 00007ffeed500320 .text C:\Program Files\Common Files\Autodesk Shared\WSCommCntr1.exe[1148] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffe6d3daf20 1 byte JMP 00007ffeed5003b0 .text C:\Program Files\Common Files\Autodesk Shared\WSCommCntr1.exe[1148] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 2 00007ffe6d3daf22 3 bytes {JMP 0xffffffff80125490} .text C:\Program Files\Common Files\Autodesk Shared\WSCommCntr1.exe[1148] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00007ffe6d3daf40 5 bytes JMP 00007ffeed500390 .text C:\Program Files\Common Files\Autodesk Shared\WSCommCntr1.exe[1148] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 00007ffe6d3daf80 5 bytes JMP 00007ffeed5002e0 .text C:\Program Files\Common Files\Autodesk Shared\WSCommCntr1.exe[1148] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 00007ffe6d3db000 5 bytes JMP 00007ffeed5002d0 .text C:\Program Files\Common Files\Autodesk Shared\WSCommCntr1.exe[1148] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 00007ffe6d3db020 5 bytes JMP 00007ffeed500310 .text C:\Program Files\Common Files\Autodesk Shared\WSCommCntr1.exe[1148] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 00007ffe6d3db060 5 bytes JMP 00007ffeed5003c0 .text C:\Program Files\Common Files\Autodesk Shared\WSCommCntr1.exe[1148] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 00007ffe6d3db0b0 5 bytes JMP 00007ffeed5003f0 .text C:\Program Files\Common Files\Autodesk Shared\WSCommCntr1.exe[1148] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00007ffe6d3db210 5 bytes JMP 00007ffeed500230 .text C:\Program Files\Common Files\Autodesk Shared\WSCommCntr1.exe[1148] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ffe6d3db400 5 bytes JMP 00007ffeed500480 .text C:\Program Files\Common Files\Autodesk Shared\WSCommCntr1.exe[1148] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00007ffe6d3db430 5 bytes JMP 00007ffeed5003a0 .text C:\Program Files\Common Files\Autodesk Shared\WSCommCntr1.exe[1148] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ffe6d3db550 5 bytes JMP 00007ffeed5002f0 .text C:\Program Files\Common Files\Autodesk Shared\WSCommCntr1.exe[1148] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00007ffe6d3db570 5 bytes JMP 00007ffeed500350 .text C:\Program Files\Common Files\Autodesk Shared\WSCommCntr1.exe[1148] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 00007ffe6d3db5e0 5 bytes JMP 00007ffeed500290 .text C:\Program Files\Common Files\Autodesk Shared\WSCommCntr1.exe[1148] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ffe6d3db670 5 bytes JMP 00007ffeed5002b0 .text C:\Program Files\Common Files\Autodesk Shared\WSCommCntr1.exe[1148] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffe6d3db690 5 bytes JMP 00007ffeed5003d0 .text C:\Program Files\Common Files\Autodesk Shared\WSCommCntr1.exe[1148] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 00007ffe6d3db6a0 1 byte JMP 00007ffeed500330 .text C:\Program Files\Common Files\Autodesk Shared\WSCommCntr1.exe[1148] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00007ffe6d3db6a2 3 bytes {JMP 0xffffffff80124c90} .text C:\Program Files\Common Files\Autodesk Shared\WSCommCntr1.exe[1148] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00007ffe6d3db750 5 bytes JMP 00007ffeed500410 .text C:\Program Files\Common Files\Autodesk Shared\WSCommCntr1.exe[1148] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00007ffe6d3db780 5 bytes JMP 00007ffeed500240 .text C:\Program Files\Common Files\Autodesk Shared\WSCommCntr1.exe[1148] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 00007ffe6d3dbaa0 5 bytes JMP 00007ffeed5001e0 .text C:\Program Files\Common Files\Autodesk Shared\WSCommCntr1.exe[1148] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00007ffe6d3dbb60 5 bytes JMP 00007ffeed500250 .text C:\Program Files\Common Files\Autodesk Shared\WSCommCntr1.exe[1148] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00007ffe6d3dbb90 5 bytes JMP 00007ffeed500490 .text C:\Program Files\Common Files\Autodesk Shared\WSCommCntr1.exe[1148] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00007ffe6d3dbba0 5 bytes JMP 00007ffeed5004a0 .text C:\Program Files\Common Files\Autodesk Shared\WSCommCntr1.exe[1148] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00007ffe6d3dbbd0 5 bytes JMP 00007ffeed500300 .text C:\Program Files\Common Files\Autodesk Shared\WSCommCntr1.exe[1148] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00007ffe6d3dbbe0 5 bytes JMP 00007ffeed500360 .text C:\Program Files\Common Files\Autodesk Shared\WSCommCntr1.exe[1148] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 00007ffe6d3dbc40 5 bytes JMP 00007ffeed5002a0 .text C:\Program Files\Common Files\Autodesk Shared\WSCommCntr1.exe[1148] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00007ffe6d3dbc90 5 bytes JMP 00007ffeed5002c0 .text C:\Program Files\Common Files\Autodesk Shared\WSCommCntr1.exe[1148] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 00007ffe6d3dbcc0 5 bytes JMP 00007ffeed500380 .text C:\Program Files\Common Files\Autodesk Shared\WSCommCntr1.exe[1148] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 00007ffe6d3dbcd0 5 bytes JMP 00007ffeed500340 .text C:\Program Files\Common Files\Autodesk Shared\WSCommCntr1.exe[1148] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00007ffe6d3dbfe0 5 bytes JMP 00007ffeed500440 .text C:\Program Files\Common Files\Autodesk Shared\WSCommCntr1.exe[1148] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00007ffe6d3dc1e0 5 bytes JMP 00007ffeed500260 .text C:\Program Files\Common Files\Autodesk Shared\WSCommCntr1.exe[1148] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00007ffe6d3dc1f0 5 bytes JMP 00007ffeed500270 .text C:\Program Files\Common Files\Autodesk Shared\WSCommCntr1.exe[1148] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 00007ffe6d3dc210 5 bytes JMP 00007ffeed500400 .text C:\Program Files\Common Files\Autodesk Shared\WSCommCntr1.exe[1148] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ffe6d3dc3f0 5 bytes JMP 00007ffeed5001f0 .text C:\Program Files\Common Files\Autodesk Shared\WSCommCntr1.exe[1148] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00007ffe6d3dc400 5 bytes JMP 00007ffeed500210 .text C:\Program Files\Common Files\Autodesk Shared\WSCommCntr1.exe[1148] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ffe6d3dc490 5 bytes JMP 00007ffeed500200 .text C:\Program Files\Common Files\Autodesk Shared\WSCommCntr1.exe[1148] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00007ffe6d3dc500 5 bytes JMP 00007ffeed500420 .text C:\Program Files\Common Files\Autodesk Shared\WSCommCntr1.exe[1148] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 00007ffe6d3dc510 5 bytes JMP 00007ffeed500430 .text C:\Program Files\Common Files\Autodesk Shared\WSCommCntr1.exe[1148] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ffe6d3dc520 5 bytes JMP 00007ffeed500220 .text C:\Program Files\Common Files\Autodesk Shared\WSCommCntr1.exe[1148] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 00007ffe6d3dc630 5 bytes JMP 00007ffeed500280 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1840] C:\windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00007ffe6d395b5c 5 bytes JMP 00007ffeed4f075c .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1840] C:\windows\SYSTEM32\ntdll.dll!LdrLoadDll 00007ffe6d398274 5 bytes JMP 00007ffeed4f03a4 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1840] C:\windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00007ffe6d3dae00 16 bytes [50, 48, B8, 2C, 35, CB, 54, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1840] C:\windows\system32\PSAPI.DLL!GetModuleBaseNameA + 506 00007ffe6b23169a 4 bytes [23, 6B, FE, 7F] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1840] C:\windows\system32\PSAPI.DLL!GetModuleBaseNameA + 514 00007ffe6b2316a2 4 bytes [23, 6B, FE, 7F] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1840] C:\windows\system32\PSAPI.DLL!QueryWorkingSet + 118 00007ffe6b23181a 4 bytes [23, 6B, FE, 7F] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1840] C:\windows\system32\PSAPI.DLL!QueryWorkingSet + 142 00007ffe6b231832 4 bytes [23, 6B, FE, 7F] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4976] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00007ffe6d3dac30 5 bytes JMP 00007ffeed500460 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4976] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationThread 00007ffe6d3dac50 16 bytes [50, 48, B8, 08, B7, BE, 7B, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4976] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 00007ffe6d3dac80 5 bytes JMP 00007ffeed500450 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4976] C:\windows\SYSTEM32\ntdll.dll!NtOpenThreadToken 00007ffe6d3dadc0 16 bytes [50, 48, B8, 60, B6, BE, 7B, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4976] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 00007ffe6d3dade0 1 byte JMP 00007ffeed500370 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4976] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess + 2 00007ffe6d3dade2 46 bytes {JMP 0xffffffff80125590} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4976] C:\windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 00007ffe6d3dae20 21 bytes {PUSH RAX; MOV RAX, 0x7ff77bbeb72c; MOV [RSP], RAX; RET ; JMP 0xffffffff80125650} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4976] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ffe6d3dae40 5 bytes JMP 00007ffeed5003e0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4976] C:\windows\SYSTEM32\ntdll.dll!NtOpenThreadTokenEx 00007ffe6d3dae70 32 bytes [50, 48, B8, 84, B6, BE, 7B, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4976] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile 00007ffe6d3daeb0 16 bytes [50, 48, B8, 6C, B5, BE, 7B, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4976] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 00007ffe6d3daef0 5 bytes JMP 00007ffeed500320 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4976] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffe6d3daf20 1 byte JMP 00007ffeed5003b0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4976] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 2 00007ffe6d3daf22 3 bytes {JMP 0xffffffff80125490} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4976] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00007ffe6d3daf40 5 bytes JMP 00007ffeed500390 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4976] C:\windows\SYSTEM32\ntdll.dll!NtQueryAttributesFile 00007ffe6d3daf50 16 bytes [50, 48, B8, B4, B6, BE, 7B, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4976] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 00007ffe6d3daf80 5 bytes JMP 00007ffeed5002e0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4976] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 00007ffe6d3db000 5 bytes JMP 00007ffeed5002d0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4976] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 00007ffe6d3db020 5 bytes JMP 00007ffeed500310 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4976] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 00007ffe6d3db060 5 bytes JMP 00007ffeed5003c0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4976] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 00007ffe6d3db0b0 5 bytes JMP 00007ffeed5003f0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4976] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile 00007ffe6d3db0d0 16 bytes [50, 48, B8, 30, B4, BE, 7B, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4976] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00007ffe6d3db210 5 bytes JMP 00007ffeed500230 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4976] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ffe6d3db400 5 bytes JMP 00007ffeed500480 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4976] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00007ffe6d3db430 5 bytes JMP 00007ffeed5003a0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4976] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ffe6d3db550 5 bytes JMP 00007ffeed5002f0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4976] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00007ffe6d3db570 5 bytes JMP 00007ffeed500350 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4976] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 00007ffe6d3db5e0 5 bytes JMP 00007ffeed500290 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4976] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ffe6d3db670 5 bytes JMP 00007ffeed5002b0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4976] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffe6d3db690 5 bytes JMP 00007ffeed5003d0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4976] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 00007ffe6d3db6a0 1 byte JMP 00007ffeed500330 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4976] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00007ffe6d3db6a2 3 bytes {JMP 0xffffffff80124c90} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4976] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00007ffe6d3db750 5 bytes JMP 00007ffeed500410 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4976] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00007ffe6d3db780 5 bytes JMP 00007ffeed500240 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4976] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 00007ffe6d3dbaa0 5 bytes JMP 00007ffeed5001e0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4976] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00007ffe6d3dbb60 5 bytes JMP 00007ffeed500250 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4976] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00007ffe6d3dbb90 5 bytes JMP 00007ffeed500490 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4976] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00007ffe6d3dbba0 5 bytes JMP 00007ffeed5004a0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4976] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00007ffe6d3dbbd0 5 bytes JMP 00007ffeed500300 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4976] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00007ffe6d3dbbe0 5 bytes JMP 00007ffeed500360 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4976] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 00007ffe6d3dbc40 5 bytes JMP 00007ffeed5002a0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4976] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcessToken 00007ffe6d3dbc70 16 bytes [50, 48, B8, 00, B6, BE, 7B, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4976] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00007ffe6d3dbc90 5 bytes JMP 00007ffeed5002c0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4976] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 00007ffe6d3dbcc0 21 bytes JMP 00007ffeed500380 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4976] C:\windows\SYSTEM32\ntdll.dll!NtQueryFullAttributesFile 00007ffe6d3dbe10 16 bytes [50, 48, B8, C8, B6, BE, 7B, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4976] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00007ffe6d3dbfe0 5 bytes JMP 00007ffeed500440 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4976] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00007ffe6d3dc1e0 5 bytes JMP 00007ffeed500260 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4976] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00007ffe6d3dc1f0 5 bytes JMP 00007ffeed500270 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4976] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 00007ffe6d3dc210 5 bytes JMP 00007ffeed500400 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4976] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ffe6d3dc3f0 5 bytes JMP 00007ffeed5001f0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4976] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00007ffe6d3dc400 5 bytes JMP 00007ffeed500210 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4976] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ffe6d3dc490 5 bytes JMP 00007ffeed500200 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4976] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00007ffe6d3dc500 5 bytes JMP 00007ffeed500420 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4976] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 00007ffe6d3dc510 5 bytes JMP 00007ffeed500430 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4976] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ffe6d3dc520 5 bytes JMP 00007ffeed500220 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4976] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 00007ffe6d3dc630 5 bytes JMP 00007ffeed500280 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4976] C:\windows\system32\PSAPI.DLL!GetModuleBaseNameA + 506 00007ffe6b23169a 4 bytes [23, 6B, FE, 7F] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4976] C:\windows\system32\PSAPI.DLL!GetModuleBaseNameA + 514 00007ffe6b2316a2 4 bytes [23, 6B, FE, 7F] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4976] C:\windows\system32\PSAPI.DLL!QueryWorkingSet + 118 00007ffe6b23181a 4 bytes [23, 6B, FE, 7F] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4976] C:\windows\system32\PSAPI.DLL!QueryWorkingSet + 142 00007ffe6b231832 4 bytes [23, 6B, FE, 7F] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3888] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00007ffe6d3dac30 5 bytes JMP 00007ffeed500460 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3888] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationThread 00007ffe6d3dac50 16 bytes [50, 48, B8, 08, B7, BE, 7B, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3888] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 00007ffe6d3dac80 5 bytes JMP 00007ffeed500450 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3888] C:\windows\SYSTEM32\ntdll.dll!NtOpenThreadToken 00007ffe6d3dadc0 16 bytes [50, 48, B8, 60, B6, BE, 7B, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3888] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 00007ffe6d3dade0 1 byte JMP 00007ffeed500370 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3888] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess + 2 00007ffe6d3dade2 46 bytes {JMP 0xffffffff80125590} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3888] C:\windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 00007ffe6d3dae20 21 bytes {PUSH RAX; MOV RAX, 0x7ff77bbeb72c; MOV [RSP], RAX; RET ; JMP 0xffffffff80125650} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3888] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ffe6d3dae40 5 bytes JMP 00007ffeed5003e0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3888] C:\windows\SYSTEM32\ntdll.dll!NtOpenThreadTokenEx 00007ffe6d3dae70 32 bytes [50, 48, B8, 84, B6, BE, 7B, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3888] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile 00007ffe6d3daeb0 16 bytes [50, 48, B8, 6C, B5, BE, 7B, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3888] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 00007ffe6d3daef0 5 bytes JMP 00007ffeed500320 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3888] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffe6d3daf20 1 byte JMP 00007ffeed5003b0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3888] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 2 00007ffe6d3daf22 3 bytes {JMP 0xffffffff80125490} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3888] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00007ffe6d3daf40 5 bytes JMP 00007ffeed500390 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3888] C:\windows\SYSTEM32\ntdll.dll!NtQueryAttributesFile 00007ffe6d3daf50 16 bytes [50, 48, B8, B4, B6, BE, 7B, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3888] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 00007ffe6d3daf80 5 bytes JMP 00007ffeed5002e0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3888] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 00007ffe6d3db000 5 bytes JMP 00007ffeed5002d0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3888] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 00007ffe6d3db020 5 bytes JMP 00007ffeed500310 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3888] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 00007ffe6d3db060 5 bytes JMP 00007ffeed5003c0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3888] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 00007ffe6d3db0b0 5 bytes JMP 00007ffeed5003f0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3888] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile 00007ffe6d3db0d0 16 bytes [50, 48, B8, 30, B4, BE, 7B, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3888] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00007ffe6d3db210 5 bytes JMP 00007ffeed500230 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3888] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ffe6d3db400 5 bytes JMP 00007ffeed500480 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3888] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00007ffe6d3db430 5 bytes JMP 00007ffeed5003a0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3888] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ffe6d3db550 5 bytes JMP 00007ffeed5002f0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3888] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00007ffe6d3db570 5 bytes JMP 00007ffeed500350 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3888] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 00007ffe6d3db5e0 5 bytes JMP 00007ffeed500290 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3888] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ffe6d3db670 5 bytes JMP 00007ffeed5002b0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3888] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffe6d3db690 5 bytes JMP 00007ffeed5003d0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3888] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 00007ffe6d3db6a0 1 byte JMP 00007ffeed500330 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3888] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00007ffe6d3db6a2 3 bytes {JMP 0xffffffff80124c90} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3888] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00007ffe6d3db750 5 bytes JMP 00007ffeed500410 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3888] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00007ffe6d3db780 5 bytes JMP 00007ffeed500240 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3888] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 00007ffe6d3dbaa0 5 bytes JMP 00007ffeed5001e0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3888] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00007ffe6d3dbb60 5 bytes JMP 00007ffeed500250 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3888] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00007ffe6d3dbb90 5 bytes JMP 00007ffeed500490 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3888] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00007ffe6d3dbba0 5 bytes JMP 00007ffeed5004a0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3888] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00007ffe6d3dbbd0 5 bytes JMP 00007ffeed500300 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3888] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00007ffe6d3dbbe0 5 bytes JMP 00007ffeed500360 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3888] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 00007ffe6d3dbc40 5 bytes JMP 00007ffeed5002a0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3888] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcessToken 00007ffe6d3dbc70 16 bytes [50, 48, B8, 00, B6, BE, 7B, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3888] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00007ffe6d3dbc90 5 bytes JMP 00007ffeed5002c0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3888] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 00007ffe6d3dbcc0 21 bytes JMP 00007ffeed500380 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3888] C:\windows\SYSTEM32\ntdll.dll!NtQueryFullAttributesFile 00007ffe6d3dbe10 16 bytes [50, 48, B8, C8, B6, BE, 7B, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3888] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00007ffe6d3dbfe0 5 bytes JMP 00007ffeed500440 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3888] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00007ffe6d3dc1e0 5 bytes JMP 00007ffeed500260 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3888] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00007ffe6d3dc1f0 5 bytes JMP 00007ffeed500270 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3888] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 00007ffe6d3dc210 5 bytes JMP 00007ffeed500400 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3888] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ffe6d3dc3f0 5 bytes JMP 00007ffeed5001f0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3888] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00007ffe6d3dc400 5 bytes JMP 00007ffeed500210 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3888] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ffe6d3dc490 5 bytes JMP 00007ffeed500200 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3888] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00007ffe6d3dc500 5 bytes JMP 00007ffeed500420 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3888] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 00007ffe6d3dc510 5 bytes JMP 00007ffeed500430 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3888] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ffe6d3dc520 5 bytes JMP 00007ffeed500220 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3888] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 00007ffe6d3dc630 5 bytes JMP 00007ffeed500280 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3888] C:\windows\system32\PSAPI.DLL!GetModuleBaseNameA + 506 00007ffe6b23169a 4 bytes [23, 6B, FE, 7F] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3888] C:\windows\system32\PSAPI.DLL!GetModuleBaseNameA + 514 00007ffe6b2316a2 4 bytes [23, 6B, FE, 7F] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3888] C:\windows\system32\PSAPI.DLL!QueryWorkingSet + 118 00007ffe6b23181a 4 bytes [23, 6B, FE, 7F] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3888] C:\windows\system32\PSAPI.DLL!QueryWorkingSet + 142 00007ffe6b231832 4 bytes [23, 6B, FE, 7F] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2664] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00007ffe6d3dac30 5 bytes JMP 00007ffeed500460 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2664] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationThread 00007ffe6d3dac50 16 bytes [50, 48, B8, 08, B7, BE, 7B, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2664] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 00007ffe6d3dac80 5 bytes JMP 00007ffeed500450 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2664] C:\windows\SYSTEM32\ntdll.dll!NtOpenThreadToken 00007ffe6d3dadc0 16 bytes [50, 48, B8, 60, B6, BE, 7B, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2664] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 00007ffe6d3dade0 1 byte JMP 00007ffeed500370 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2664] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess + 2 00007ffe6d3dade2 46 bytes {JMP 0xffffffff80125590} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2664] C:\windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 00007ffe6d3dae20 21 bytes {PUSH RAX; MOV RAX, 0x7ff77bbeb72c; MOV [RSP], RAX; RET ; JMP 0xffffffff80125650} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2664] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ffe6d3dae40 5 bytes JMP 00007ffeed5003e0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2664] C:\windows\SYSTEM32\ntdll.dll!NtOpenThreadTokenEx 00007ffe6d3dae70 32 bytes [50, 48, B8, 84, B6, BE, 7B, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2664] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile 00007ffe6d3daeb0 16 bytes [50, 48, B8, 6C, B5, BE, 7B, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2664] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 00007ffe6d3daef0 5 bytes JMP 00007ffeed500320 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2664] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffe6d3daf20 1 byte JMP 00007ffeed5003b0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2664] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 2 00007ffe6d3daf22 3 bytes {JMP 0xffffffff80125490} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2664] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00007ffe6d3daf40 5 bytes JMP 00007ffeed500390 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2664] C:\windows\SYSTEM32\ntdll.dll!NtQueryAttributesFile 00007ffe6d3daf50 16 bytes [50, 48, B8, B4, B6, BE, 7B, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2664] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 00007ffe6d3daf80 5 bytes JMP 00007ffeed5002e0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2664] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 00007ffe6d3db000 5 bytes JMP 00007ffeed5002d0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2664] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 00007ffe6d3db020 5 bytes JMP 00007ffeed500310 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2664] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 00007ffe6d3db060 5 bytes JMP 00007ffeed5003c0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2664] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 00007ffe6d3db0b0 5 bytes JMP 00007ffeed5003f0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2664] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile 00007ffe6d3db0d0 16 bytes [50, 48, B8, 30, B4, BE, 7B, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2664] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00007ffe6d3db210 5 bytes JMP 00007ffeed500230 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2664] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ffe6d3db400 5 bytes JMP 00007ffeed500480 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2664] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00007ffe6d3db430 5 bytes JMP 00007ffeed5003a0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2664] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ffe6d3db550 5 bytes JMP 00007ffeed5002f0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2664] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00007ffe6d3db570 5 bytes JMP 00007ffeed500350 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2664] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 00007ffe6d3db5e0 5 bytes JMP 00007ffeed500290 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2664] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ffe6d3db670 5 bytes JMP 00007ffeed5002b0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2664] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffe6d3db690 5 bytes JMP 00007ffeed5003d0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2664] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 00007ffe6d3db6a0 1 byte JMP 00007ffeed500330 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2664] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00007ffe6d3db6a2 3 bytes {JMP 0xffffffff80124c90} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2664] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00007ffe6d3db750 5 bytes JMP 00007ffeed500410 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2664] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00007ffe6d3db780 5 bytes JMP 00007ffeed500240 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2664] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 00007ffe6d3dbaa0 5 bytes JMP 00007ffeed5001e0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2664] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00007ffe6d3dbb60 5 bytes JMP 00007ffeed500250 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2664] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00007ffe6d3dbb90 5 bytes JMP 00007ffeed500490 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2664] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00007ffe6d3dbba0 5 bytes JMP 00007ffeed5004a0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2664] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00007ffe6d3dbbd0 5 bytes JMP 00007ffeed500300 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2664] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00007ffe6d3dbbe0 5 bytes JMP 00007ffeed500360 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2664] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 00007ffe6d3dbc40 5 bytes JMP 00007ffeed5002a0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2664] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcessToken 00007ffe6d3dbc70 16 bytes [50, 48, B8, 00, B6, BE, 7B, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2664] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00007ffe6d3dbc90 5 bytes JMP 00007ffeed5002c0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2664] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 00007ffe6d3dbcc0 21 bytes JMP 00007ffeed500380 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2664] C:\windows\SYSTEM32\ntdll.dll!NtQueryFullAttributesFile 00007ffe6d3dbe10 16 bytes [50, 48, B8, C8, B6, BE, 7B, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2664] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00007ffe6d3dbfe0 5 bytes JMP 00007ffeed500440 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2664] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00007ffe6d3dc1e0 5 bytes JMP 00007ffeed500260 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2664] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00007ffe6d3dc1f0 5 bytes JMP 00007ffeed500270 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2664] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 00007ffe6d3dc210 5 bytes JMP 00007ffeed500400 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2664] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ffe6d3dc3f0 5 bytes JMP 00007ffeed5001f0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2664] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00007ffe6d3dc400 5 bytes JMP 00007ffeed500210 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2664] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ffe6d3dc490 5 bytes JMP 00007ffeed500200 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2664] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00007ffe6d3dc500 5 bytes JMP 00007ffeed500420 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2664] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 00007ffe6d3dc510 5 bytes JMP 00007ffeed500430 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2664] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ffe6d3dc520 5 bytes JMP 00007ffeed500220 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2664] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 00007ffe6d3dc630 5 bytes JMP 00007ffeed500280 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2664] C:\windows\system32\PSAPI.DLL!GetModuleBaseNameA + 506 00007ffe6b23169a 4 bytes [23, 6B, FE, 7F] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2664] C:\windows\system32\PSAPI.DLL!GetModuleBaseNameA + 514 00007ffe6b2316a2 4 bytes [23, 6B, FE, 7F] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2664] C:\windows\system32\PSAPI.DLL!QueryWorkingSet + 118 00007ffe6b23181a 4 bytes [23, 6B, FE, 7F] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2664] C:\windows\system32\PSAPI.DLL!QueryWorkingSet + 142 00007ffe6b231832 4 bytes [23, 6B, FE, 7F] .text C:\windows\system32\AUDIODG.EXE[3740] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00007ffe6d3dac30 5 bytes JMP 00007ffeed500460 .text C:\windows\system32\AUDIODG.EXE[3740] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 00007ffe6d3dac80 5 bytes JMP 00007ffeed500450 .text C:\windows\system32\AUDIODG.EXE[3740] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 00007ffe6d3dade0 1 byte JMP 00007ffeed500370 .text C:\windows\system32\AUDIODG.EXE[3740] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess + 2 00007ffe6d3dade2 3 bytes {JMP 0xffffffff80125590} .text C:\windows\system32\AUDIODG.EXE[3740] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00007ffe6d3dae30 5 bytes JMP 00007ffeed500470 .text C:\windows\system32\AUDIODG.EXE[3740] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ffe6d3dae40 5 bytes JMP 00007ffeed5003e0 .text C:\windows\system32\AUDIODG.EXE[3740] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 00007ffe6d3daef0 5 bytes JMP 00007ffeed500320 .text C:\windows\system32\AUDIODG.EXE[3740] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffe6d3daf20 1 byte JMP 00007ffeed5003b0 .text C:\windows\system32\AUDIODG.EXE[3740] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 2 00007ffe6d3daf22 3 bytes {JMP 0xffffffff80125490} .text C:\windows\system32\AUDIODG.EXE[3740] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00007ffe6d3daf40 5 bytes JMP 00007ffeed500390 .text C:\windows\system32\AUDIODG.EXE[3740] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 00007ffe6d3daf80 5 bytes JMP 00007ffeed5002e0 .text C:\windows\system32\AUDIODG.EXE[3740] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 00007ffe6d3db000 5 bytes JMP 00007ffeed5002d0 .text C:\windows\system32\AUDIODG.EXE[3740] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 00007ffe6d3db020 5 bytes JMP 00007ffeed500310 .text C:\windows\system32\AUDIODG.EXE[3740] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 00007ffe6d3db060 5 bytes JMP 00007ffeed5003c0 .text C:\windows\system32\AUDIODG.EXE[3740] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 00007ffe6d3db0b0 5 bytes JMP 00007ffeed5003f0 .text C:\windows\system32\AUDIODG.EXE[3740] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00007ffe6d3db210 5 bytes JMP 00007ffeed500230 .text C:\windows\system32\AUDIODG.EXE[3740] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ffe6d3db400 5 bytes JMP 00007ffeed500480 .text C:\windows\system32\AUDIODG.EXE[3740] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00007ffe6d3db430 5 bytes JMP 00007ffeed5003a0 .text C:\windows\system32\AUDIODG.EXE[3740] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ffe6d3db550 5 bytes JMP 00007ffeed5002f0 .text C:\windows\system32\AUDIODG.EXE[3740] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00007ffe6d3db570 5 bytes JMP 00007ffeed500350 .text C:\windows\system32\AUDIODG.EXE[3740] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 00007ffe6d3db5e0 5 bytes JMP 00007ffeed500290 .text C:\windows\system32\AUDIODG.EXE[3740] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ffe6d3db670 5 bytes JMP 00007ffeed5002b0 .text C:\windows\system32\AUDIODG.EXE[3740] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffe6d3db690 5 bytes JMP 00007ffeed5003d0 .text C:\windows\system32\AUDIODG.EXE[3740] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 00007ffe6d3db6a0 1 byte JMP 00007ffeed500330 .text C:\windows\system32\AUDIODG.EXE[3740] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00007ffe6d3db6a2 3 bytes {JMP 0xffffffff80124c90} .text C:\windows\system32\AUDIODG.EXE[3740] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00007ffe6d3db750 5 bytes JMP 00007ffeed500410 .text C:\windows\system32\AUDIODG.EXE[3740] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00007ffe6d3db780 5 bytes JMP 00007ffeed500240 .text C:\windows\system32\AUDIODG.EXE[3740] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 00007ffe6d3dbaa0 5 bytes JMP 00007ffeed5001e0 .text C:\windows\system32\AUDIODG.EXE[3740] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00007ffe6d3dbb60 5 bytes JMP 00007ffeed500250 .text C:\windows\system32\AUDIODG.EXE[3740] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00007ffe6d3dbb90 5 bytes JMP 00007ffeed500490 .text C:\windows\system32\AUDIODG.EXE[3740] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00007ffe6d3dbba0 5 bytes JMP 00007ffeed5004a0 .text C:\windows\system32\AUDIODG.EXE[3740] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00007ffe6d3dbbd0 5 bytes JMP 00007ffeed500300 .text C:\windows\system32\AUDIODG.EXE[3740] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00007ffe6d3dbbe0 5 bytes JMP 00007ffeed500360 .text C:\windows\system32\AUDIODG.EXE[3740] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 00007ffe6d3dbc40 5 bytes JMP 00007ffeed5002a0 .text C:\windows\system32\AUDIODG.EXE[3740] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00007ffe6d3dbc90 5 bytes JMP 00007ffeed5002c0 .text C:\windows\system32\AUDIODG.EXE[3740] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 00007ffe6d3dbcc0 5 bytes JMP 00007ffeed500380 .text C:\windows\system32\AUDIODG.EXE[3740] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 00007ffe6d3dbcd0 5 bytes JMP 00007ffeed500340 .text C:\windows\system32\AUDIODG.EXE[3740] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00007ffe6d3dbfe0 5 bytes JMP 00007ffeed500440 .text C:\windows\system32\AUDIODG.EXE[3740] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00007ffe6d3dc1e0 5 bytes JMP 00007ffeed500260 .text C:\windows\system32\AUDIODG.EXE[3740] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00007ffe6d3dc1f0 5 bytes JMP 00007ffeed500270 .text C:\windows\system32\AUDIODG.EXE[3740] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 00007ffe6d3dc210 5 bytes JMP 00007ffeed500400 .text C:\windows\system32\AUDIODG.EXE[3740] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ffe6d3dc3f0 5 bytes JMP 00007ffeed5001f0 .text C:\windows\system32\AUDIODG.EXE[3740] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00007ffe6d3dc400 5 bytes JMP 00007ffeed500210 .text C:\windows\system32\AUDIODG.EXE[3740] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ffe6d3dc490 5 bytes JMP 00007ffeed500200 .text C:\windows\system32\AUDIODG.EXE[3740] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00007ffe6d3dc500 5 bytes JMP 00007ffeed500420 .text C:\windows\system32\AUDIODG.EXE[3740] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 00007ffe6d3dc510 5 bytes JMP 00007ffeed500430 .text C:\windows\system32\AUDIODG.EXE[3740] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ffe6d3dc520 5 bytes JMP 00007ffeed500220 .text C:\windows\system32\AUDIODG.EXE[3740] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 00007ffe6d3dc630 5 bytes JMP 00007ffeed500280 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1452] C:\windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00007ffe6d395b5c 5 bytes JMP 00007ffeed4f075c .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1452] C:\windows\SYSTEM32\ntdll.dll!LdrLoadDll 00007ffe6d398274 5 bytes JMP 00007ffeed4f03a4 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1452] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationThread 00007ffe6d3dac50 16 bytes [50, 48, B8, 08, B7, BE, 7B, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1452] C:\windows\SYSTEM32\ntdll.dll!NtOpenThreadToken 00007ffe6d3dadc0 16 bytes [50, 48, B8, 60, B6, BE, 7B, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1452] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 00007ffe6d3dade0 48 bytes [50, 48, B8, DC, B5, BE, 7B, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1452] C:\windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 00007ffe6d3dae20 16 bytes [50, 48, B8, 2C, B7, BE, 7B, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1452] C:\windows\SYSTEM32\ntdll.dll!NtOpenThreadTokenEx 00007ffe6d3dae70 32 bytes [50, 48, B8, 84, B6, BE, 7B, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1452] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile 00007ffe6d3daeb0 16 bytes [50, 48, B8, 6C, B5, BE, 7B, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1452] C:\windows\SYSTEM32\ntdll.dll!NtQueryAttributesFile 00007ffe6d3daf50 16 bytes [50, 48, B8, B4, B6, BE, 7B, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1452] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile 00007ffe6d3db0d0 16 bytes [50, 48, B8, 30, B4, BE, 7B, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1452] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcessToken 00007ffe6d3dbc70 16 bytes [50, 48, B8, 00, B6, BE, 7B, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1452] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 00007ffe6d3dbcc0 16 bytes [50, 48, B8, 3C, B6, BE, 7B, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1452] C:\windows\SYSTEM32\ntdll.dll!NtQueryFullAttributesFile 00007ffe6d3dbe10 16 bytes [50, 48, B8, C8, B6, BE, 7B, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1452] C:\windows\system32\PSAPI.DLL!GetModuleBaseNameA + 506 00007ffe6b23169a 4 bytes [23, 6B, FE, 7F] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1452] C:\windows\system32\PSAPI.DLL!GetModuleBaseNameA + 514 00007ffe6b2316a2 4 bytes [23, 6B, FE, 7F] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1452] C:\windows\system32\PSAPI.DLL!QueryWorkingSet + 118 00007ffe6b23181a 4 bytes [23, 6B, FE, 7F] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1452] C:\windows\system32\PSAPI.DLL!QueryWorkingSet + 142 00007ffe6b231832 4 bytes [23, 6B, FE, 7F] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3992] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00007ffe6d3dac30 5 bytes JMP 00007ffeed500460 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3992] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationThread 00007ffe6d3dac50 16 bytes [50, 48, B8, 08, B7, BE, 7B, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3992] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 00007ffe6d3dac80 5 bytes JMP 00007ffeed500450 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3992] C:\windows\SYSTEM32\ntdll.dll!NtOpenThreadToken 00007ffe6d3dadc0 16 bytes [50, 48, B8, 60, B6, BE, 7B, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3992] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 00007ffe6d3dade0 1 byte JMP 00007ffeed500370 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3992] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess + 2 00007ffe6d3dade2 46 bytes {JMP 0xffffffff80125590} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3992] C:\windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 00007ffe6d3dae20 21 bytes {PUSH RAX; MOV RAX, 0x7ff77bbeb72c; MOV [RSP], RAX; RET ; JMP 0xffffffff80125650} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3992] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ffe6d3dae40 5 bytes JMP 00007ffeed5003e0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3992] C:\windows\SYSTEM32\ntdll.dll!NtOpenThreadTokenEx 00007ffe6d3dae70 32 bytes [50, 48, B8, 84, B6, BE, 7B, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3992] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile 00007ffe6d3daeb0 16 bytes [50, 48, B8, 6C, B5, BE, 7B, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3992] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 00007ffe6d3daef0 5 bytes JMP 00007ffeed500320 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3992] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffe6d3daf20 1 byte JMP 00007ffeed5003b0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3992] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 2 00007ffe6d3daf22 3 bytes {JMP 0xffffffff80125490} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3992] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00007ffe6d3daf40 5 bytes JMP 00007ffeed500390 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3992] C:\windows\SYSTEM32\ntdll.dll!NtQueryAttributesFile 00007ffe6d3daf50 16 bytes [50, 48, B8, B4, B6, BE, 7B, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3992] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 00007ffe6d3daf80 5 bytes JMP 00007ffeed5002e0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3992] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 00007ffe6d3db000 5 bytes JMP 00007ffeed5002d0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3992] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 00007ffe6d3db020 5 bytes JMP 00007ffeed500310 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3992] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 00007ffe6d3db060 5 bytes JMP 00007ffeed5003c0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3992] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 00007ffe6d3db0b0 5 bytes JMP 00007ffeed5003f0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3992] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile 00007ffe6d3db0d0 16 bytes [50, 48, B8, 30, B4, BE, 7B, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3992] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00007ffe6d3db210 5 bytes JMP 00007ffeed500230 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3992] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ffe6d3db400 5 bytes JMP 00007ffeed500480 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3992] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00007ffe6d3db430 5 bytes JMP 00007ffeed5003a0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3992] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ffe6d3db550 5 bytes JMP 00007ffeed5002f0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3992] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00007ffe6d3db570 5 bytes JMP 00007ffeed500350 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3992] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 00007ffe6d3db5e0 5 bytes JMP 00007ffeed500290 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3992] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ffe6d3db670 5 bytes JMP 00007ffeed5002b0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3992] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffe6d3db690 5 bytes JMP 00007ffeed5003d0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3992] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 00007ffe6d3db6a0 1 byte JMP 00007ffeed500330 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3992] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00007ffe6d3db6a2 3 bytes {JMP 0xffffffff80124c90} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3992] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00007ffe6d3db750 5 bytes JMP 00007ffeed500410 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3992] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00007ffe6d3db780 5 bytes JMP 00007ffeed500240 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3992] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 00007ffe6d3dbaa0 5 bytes JMP 00007ffeed5001e0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3992] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00007ffe6d3dbb60 5 bytes JMP 00007ffeed500250 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3992] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00007ffe6d3dbb90 5 bytes JMP 00007ffeed500490 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3992] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00007ffe6d3dbba0 5 bytes JMP 00007ffeed5004a0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3992] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00007ffe6d3dbbd0 5 bytes JMP 00007ffeed500300 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3992] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00007ffe6d3dbbe0 5 bytes JMP 00007ffeed500360 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3992] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 00007ffe6d3dbc40 5 bytes JMP 00007ffeed5002a0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3992] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcessToken 00007ffe6d3dbc70 16 bytes [50, 48, B8, 00, B6, BE, 7B, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3992] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00007ffe6d3dbc90 5 bytes JMP 00007ffeed5002c0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3992] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 00007ffe6d3dbcc0 21 bytes JMP 00007ffeed500380 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3992] C:\windows\SYSTEM32\ntdll.dll!NtQueryFullAttributesFile 00007ffe6d3dbe10 16 bytes [50, 48, B8, C8, B6, BE, 7B, ...] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3992] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00007ffe6d3dbfe0 5 bytes JMP 00007ffeed500440 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3992] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00007ffe6d3dc1e0 5 bytes JMP 00007ffeed500260 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3992] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00007ffe6d3dc1f0 5 bytes JMP 00007ffeed500270 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3992] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 00007ffe6d3dc210 5 bytes JMP 00007ffeed500400 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3992] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ffe6d3dc3f0 5 bytes JMP 00007ffeed5001f0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3992] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00007ffe6d3dc400 5 bytes JMP 00007ffeed500210 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3992] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ffe6d3dc490 5 bytes JMP 00007ffeed500200 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3992] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00007ffe6d3dc500 5 bytes JMP 00007ffeed500420 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3992] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 00007ffe6d3dc510 5 bytes JMP 00007ffeed500430 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3992] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ffe6d3dc520 5 bytes JMP 00007ffeed500220 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3992] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 00007ffe6d3dc630 5 bytes JMP 00007ffeed500280 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3992] C:\windows\system32\PSAPI.DLL!GetModuleBaseNameA + 506 00007ffe6b23169a 4 bytes [23, 6B, FE, 7F] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3992] C:\windows\system32\PSAPI.DLL!GetModuleBaseNameA + 514 00007ffe6b2316a2 4 bytes [23, 6B, FE, 7F] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3992] C:\windows\system32\PSAPI.DLL!QueryWorkingSet + 118 00007ffe6b23181a 4 bytes [23, 6B, FE, 7F] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3992] C:\windows\system32\PSAPI.DLL!QueryWorkingSet + 142 00007ffe6b231832 4 bytes [23, 6B, FE, 7F] .text C:\windows\System32\svchost.exe[3504] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00007ffe6d3dac30 5 bytes JMP 00007ffeed500460 .text C:\windows\System32\svchost.exe[3504] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 00007ffe6d3dac80 5 bytes JMP 00007ffeed500450 .text C:\windows\System32\svchost.exe[3504] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 00007ffe6d3dade0 1 byte JMP 00007ffeed500370 .text C:\windows\System32\svchost.exe[3504] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess + 2 00007ffe6d3dade2 3 bytes {JMP 0xffffffff80125590} .text C:\windows\System32\svchost.exe[3504] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00007ffe6d3dae30 5 bytes JMP 00007ffeed500470 .text C:\windows\System32\svchost.exe[3504] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ffe6d3dae40 5 bytes JMP 00007ffeed5003e0 .text C:\windows\System32\svchost.exe[3504] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 00007ffe6d3daef0 5 bytes JMP 00007ffeed500320 .text C:\windows\System32\svchost.exe[3504] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffe6d3daf20 1 byte JMP 00007ffeed5003b0 .text C:\windows\System32\svchost.exe[3504] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 2 00007ffe6d3daf22 3 bytes {JMP 0xffffffff80125490} .text C:\windows\System32\svchost.exe[3504] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00007ffe6d3daf40 5 bytes JMP 00007ffeed500390 .text C:\windows\System32\svchost.exe[3504] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 00007ffe6d3daf80 5 bytes JMP 00007ffeed5002e0 .text C:\windows\System32\svchost.exe[3504] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 00007ffe6d3db000 5 bytes JMP 00007ffeed5002d0 .text C:\windows\System32\svchost.exe[3504] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 00007ffe6d3db020 5 bytes JMP 00007ffeed500310 .text C:\windows\System32\svchost.exe[3504] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 00007ffe6d3db060 5 bytes JMP 00007ffeed5003c0 .text C:\windows\System32\svchost.exe[3504] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 00007ffe6d3db0b0 5 bytes JMP 00007ffeed5003f0 .text C:\windows\System32\svchost.exe[3504] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00007ffe6d3db210 5 bytes JMP 00007ffeed500230 .text C:\windows\System32\svchost.exe[3504] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ffe6d3db400 5 bytes JMP 00007ffeed500480 .text C:\windows\System32\svchost.exe[3504] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00007ffe6d3db430 5 bytes JMP 00007ffeed5003a0 .text C:\windows\System32\svchost.exe[3504] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ffe6d3db550 5 bytes JMP 00007ffeed5002f0 .text C:\windows\System32\svchost.exe[3504] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00007ffe6d3db570 5 bytes JMP 00007ffeed500350 .text C:\windows\System32\svchost.exe[3504] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 00007ffe6d3db5e0 5 bytes JMP 00007ffeed500290 .text C:\windows\System32\svchost.exe[3504] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ffe6d3db670 5 bytes JMP 00007ffeed5002b0 .text C:\windows\System32\svchost.exe[3504] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffe6d3db690 5 bytes JMP 00007ffeed5003d0 .text C:\windows\System32\svchost.exe[3504] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 00007ffe6d3db6a0 1 byte JMP 00007ffeed500330 .text C:\windows\System32\svchost.exe[3504] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00007ffe6d3db6a2 3 bytes {JMP 0xffffffff80124c90} .text C:\windows\System32\svchost.exe[3504] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00007ffe6d3db750 5 bytes JMP 00007ffeed500410 .text C:\windows\System32\svchost.exe[3504] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00007ffe6d3db780 5 bytes JMP 00007ffeed500240 .text C:\windows\System32\svchost.exe[3504] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 00007ffe6d3dbaa0 5 bytes JMP 00007ffeed5001e0 .text C:\windows\System32\svchost.exe[3504] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00007ffe6d3dbb60 5 bytes JMP 00007ffeed500250 .text C:\windows\System32\svchost.exe[3504] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00007ffe6d3dbb90 5 bytes JMP 00007ffeed500490 .text C:\windows\System32\svchost.exe[3504] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00007ffe6d3dbba0 5 bytes JMP 00007ffeed5004a0 .text C:\windows\System32\svchost.exe[3504] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00007ffe6d3dbbd0 5 bytes JMP 00007ffeed500300 .text C:\windows\System32\svchost.exe[3504] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00007ffe6d3dbbe0 5 bytes JMP 00007ffeed500360 .text C:\windows\System32\svchost.exe[3504] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 00007ffe6d3dbc40 5 bytes JMP 00007ffeed5002a0 .text C:\windows\System32\svchost.exe[3504] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00007ffe6d3dbc90 5 bytes JMP 00007ffeed5002c0 .text C:\windows\System32\svchost.exe[3504] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 00007ffe6d3dbcc0 5 bytes JMP 00007ffeed500380 .text C:\windows\System32\svchost.exe[3504] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 00007ffe6d3dbcd0 5 bytes JMP 00007ffeed500340 .text C:\windows\System32\svchost.exe[3504] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00007ffe6d3dbfe0 5 bytes JMP 00007ffeed500440 .text C:\windows\System32\svchost.exe[3504] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00007ffe6d3dc1e0 5 bytes JMP 00007ffeed500260 .text C:\windows\System32\svchost.exe[3504] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00007ffe6d3dc1f0 5 bytes JMP 00007ffeed500270 .text C:\windows\System32\svchost.exe[3504] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 00007ffe6d3dc210 5 bytes JMP 00007ffeed500400 .text C:\windows\System32\svchost.exe[3504] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ffe6d3dc3f0 5 bytes JMP 00007ffeed5001f0 .text C:\windows\System32\svchost.exe[3504] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00007ffe6d3dc400 5 bytes JMP 00007ffeed500210 .text C:\windows\System32\svchost.exe[3504] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ffe6d3dc490 5 bytes JMP 00007ffeed500200 .text C:\windows\System32\svchost.exe[3504] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00007ffe6d3dc500 5 bytes JMP 00007ffeed500420 .text C:\windows\System32\svchost.exe[3504] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 00007ffe6d3dc510 5 bytes JMP 00007ffeed500430 .text C:\windows\System32\svchost.exe[3504] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ffe6d3dc520 5 bytes JMP 00007ffeed500220 .text C:\windows\System32\svchost.exe[3504] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 00007ffe6d3dc630 5 bytes JMP 00007ffeed500280 ---- User IAT/EAT - GMER 2.1 ---- IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3888] @ C:\windows\SYSTEM32\dwrite.dll[ntdll.dll!NtAlpcConnectPort] [7ffe3ad57f88] C:\Program Files (x86)\Google\Chrome\Application\40.0.2214.111\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2664] @ C:\windows\SYSTEM32\dwrite.dll[ntdll.dll!NtAlpcConnectPort] [7ffe3ad57f88] C:\Program Files (x86)\Google\Chrome\Application\40.0.2214.111\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2664] @ C:\Program Files (x86)\Google\Chrome\Application\40.0.2214.111\pdf.dll[GDI32.dll!GetFontData] [7ffe3a64aeac] C:\Program Files (x86)\Google\Chrome\Application\40.0.2214.111\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1452] @ C:\windows\SYSTEM32\dwrite.dll[ntdll.dll!NtAlpcConnectPort] [7ffe3ad57f88] C:\Program Files (x86)\Google\Chrome\Application\40.0.2214.111\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1452] @ C:\Program Files (x86)\Google\Chrome\Application\40.0.2214.111\pdf.dll[GDI32.dll!GetFontData] [7ffe3a64aeac] C:\Program Files (x86)\Google\Chrome\Application\40.0.2214.111\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3992] @ C:\windows\SYSTEM32\dwrite.dll[ntdll.dll!NtAlpcConnectPort] [7ffe3ad57f88] C:\Program Files (x86)\Google\Chrome\Application\40.0.2214.111\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3992] @ C:\Program Files (x86)\Google\Chrome\Application\40.0.2214.111\pdf.dll[GDI32.dll!GetFontData] [7ffe3a64aeac] C:\Program Files (x86)\Google\Chrome\Application\40.0.2214.111\chrome_child.dll ---- Threads - GMER 2.1 ---- Thread C:\windows\system32\csrss.exe [596:620] fffff96000878b90 Thread C:\Program Files\Microsoft Office 15\Root\Office15\MsoSync.exe [4048:4888] 0000000068018687 Thread C:\Program Files\Microsoft Office 15\Root\Office15\MsoSync.exe [4048:4940] 0000000068016d38 Thread C:\Program Files\Microsoft Office 15\Root\Office15\MsoSync.exe [4048:4996] 0000000068018687 Thread C:\Program Files\Microsoft Office 15\Root\Office15\MsoSync.exe [4048:4140] 0000000061def6f4 Thread C:\Program Files\Microsoft Office 15\Root\Office15\MsoSync.exe [4048:4020] 0000000061def6f4 Thread C:\Program Files\Microsoft Office 15\Root\Office15\MsoSync.exe [4048:4252] 0000000061def6f4 Thread C:\Program Files\Microsoft Office 15\Root\Office15\MsoSync.exe [4048:4520] 0000000068018687 Thread C:\Program Files\Microsoft Office 15\Root\Office15\MsoSync.exe [4048:4600] 0000000068018687 Thread C:\Program Files\Microsoft Office 15\Root\Office15\MsoSync.exe [4048:4456] 0000000068018687 Thread C:\Program Files\Microsoft Office 15\Root\Office15\MsoSync.exe [4048:4476] 0000000068018687 Thread C:\Program Files\Microsoft Office 15\Root\Office15\MsoSync.exe [4048:3344] 0000000068018687 Thread C:\Program Files\Microsoft Office 15\Root\Office15\MsoSync.exe [4048:3816] 0000000068018687 Thread C:\Program Files\Microsoft Office 15\Root\Office15\MsoSync.exe [4048:4604] 0000000068018687 Thread C:\Program Files\Microsoft Office 15\Root\Office15\MsoSync.exe [4048:3332] 0000000068018687 Thread C:\Program Files\Microsoft Office 15\Root\Office15\MsoSync.exe [4048:368] 0000000068018687 ---- Processes - GMER 2.1 ---- Library C:\Program Files (x86)\Common Files\Microsoft Shared\Office15\mso.dll (*** suspicious ***) @ C:\Program Files\Microsoft Office 15\Root\Office15\WINWORD.EXE [4172] 0000000068000000 Library C:\Program Files (x86)\Common Files\Microsoft Shared\Office15\MSPTLS.DLL (*** suspicious ***) @ C:\Program Files\Microsoft Office 15\Root\Office15\WINWORD.EXE [4172] 00000000626d0000 Library C:\Program Files (x86)\Common Files\Microsoft Shared\Office15\riched20.dll (*** suspicious ***) @ C:\Program Files\Microsoft Office 15\Root\Office15\WINWORD.EXE [4172] 00000000627f0000 Library C:\Program Files (x86)\Common Files\Microsoft Shared\Office15\csi.dll (*** suspicious ***) @ C:\Program Files\Microsoft Office 15\Root\Office15\WINWORD.EXE [4172] 0000000062080000 Library C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE15\ACEOLEDB.DLL (*** suspicious ***) @ C:\Program Files\Microsoft Office 15\Root\Office15\WINWORD.EXE [4172] 0000000062030000 Library C:\Program Files (x86)\Common Files\Microsoft Shared\Office15\ACECORE.DLL (*** suspicious ***) @ C:\Program Files\Microsoft Office 15\Root\Office15\WINWORD.EXE [4172] 0000000061d90000 Library C:\Program Files (x86)\Common Files\Microsoft Shared\Office15\1045\ACEWSTR.DLL (*** suspicious ***) @ C:\Program Files\Microsoft Office 15\Root\Office15\WINWORD.EXE [4172] 0000000061cb0000 Library C:\Program Files (x86)\Common Files\Microsoft Shared\Office15\ACEES.DLL (*** suspicious ***) @ C:\Program Files\Microsoft Office 15\Root\Office15\WINWORD.EXE [4172] 0000000061c10000 Library C:\Program Files (x86)\Common Files\Microsoft Shared\Office15\VBAJET32.DLL (*** suspicious ***) @ C:\Program Files\Microsoft Office 15\Root\Office15\WINWORD.EXE [4172] 000000006b8d0000 Library C:\Program Files (x86)\Common Files\Microsoft Shared\Office15\expsrv.dll (*** suspicious ***) @ C:\Program Files\Microsoft Office 15\Root\Office15\WINWORD.EXE [4172] 0000000061bb0000 Library C:\Program Files (x86)\Common Files\Microsoft Shared\Office15\WXPNSE.DLL (*** suspicious ***) @ C:\Program Files\Microsoft Office 15\Root\Office15\WINWORD.EXE [4172] 0000000073ff0000 ---- EOF - GMER 2.1 ----