GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2015-06-14 15:17:20 Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\0000002b ADATA_SP920SS rev.MU01 119,24GB Running: zcvjv2ne.exe; Driver: D:\Robocze\TEMP\kxldqpoc.sys ---- Kernel code sections - GMER 2.1 ---- .text C:\Windows\System32\win32k.sys!W32pServiceTable fffff9600013cc00 15 bytes [00, 8E, 0B, 02, 80, 32, 6E, ...] .text C:\Windows\System32\win32k.sys!W32pServiceTable + 16 fffff9600013cc10 11 bytes [00, 41, FC, FF, C0, 7D, F9, ...] ---- User code sections - GMER 2.1 ---- .text C:\Windows\System32\smss.exe[340] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00007ffea913ac30 5 bytes JMP 00007fff29260460 .text C:\Windows\System32\smss.exe[340] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00007ffea913ac80 5 bytes JMP 00007fff29260450 .text C:\Windows\System32\smss.exe[340] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00007ffea913ade0 1 byte JMP 00007fff29260370 .text C:\Windows\System32\smss.exe[340] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 2 00007ffea913ade2 3 bytes {JMP 0xffffffff80125590} .text C:\Windows\System32\smss.exe[340] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00007ffea913ae30 5 bytes JMP 00007fff29260470 .text C:\Windows\System32\smss.exe[340] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ffea913ae40 5 bytes JMP 00007fff292603e0 .text C:\Windows\System32\smss.exe[340] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00007ffea913aef0 5 bytes JMP 00007fff29260320 .text C:\Windows\System32\smss.exe[340] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffea913af20 1 byte JMP 00007fff292603b0 .text C:\Windows\System32\smss.exe[340] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 2 00007ffea913af22 3 bytes {JMP 0xffffffff80125490} .text C:\Windows\System32\smss.exe[340] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00007ffea913af40 5 bytes JMP 00007fff29260390 .text C:\Windows\System32\smss.exe[340] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00007ffea913af80 5 bytes JMP 00007fff292602e0 .text C:\Windows\System32\smss.exe[340] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00007ffea913b000 5 bytes JMP 00007fff292602d0 .text C:\Windows\System32\smss.exe[340] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00007ffea913b020 5 bytes JMP 00007fff29260310 .text C:\Windows\System32\smss.exe[340] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00007ffea913b060 5 bytes JMP 00007fff292603c0 .text C:\Windows\System32\smss.exe[340] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00007ffea913b0b0 5 bytes JMP 00007fff292603f0 .text C:\Windows\System32\smss.exe[340] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00007ffea913b210 5 bytes JMP 00007fff29260230 .text C:\Windows\System32\smss.exe[340] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ffea913b400 5 bytes JMP 00007fff29260480 .text C:\Windows\System32\smss.exe[340] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00007ffea913b430 5 bytes JMP 00007fff292603a0 .text C:\Windows\System32\smss.exe[340] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ffea913b550 5 bytes JMP 00007fff292602f0 .text C:\Windows\System32\smss.exe[340] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00007ffea913b570 5 bytes JMP 00007fff29260350 .text C:\Windows\System32\smss.exe[340] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00007ffea913b5e0 5 bytes JMP 00007fff29260290 .text C:\Windows\System32\smss.exe[340] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ffea913b670 5 bytes JMP 00007fff292602b0 .text C:\Windows\System32\smss.exe[340] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffea913b690 5 bytes JMP 00007fff292603d0 .text C:\Windows\System32\smss.exe[340] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00007ffea913b6a0 1 byte JMP 00007fff29260330 .text C:\Windows\System32\smss.exe[340] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00007ffea913b6a2 3 bytes {JMP 0xffffffff80124c90} .text C:\Windows\System32\smss.exe[340] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00007ffea913b750 5 bytes JMP 00007fff29260410 .text C:\Windows\System32\smss.exe[340] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00007ffea913b780 5 bytes JMP 00007fff29260240 .text C:\Windows\System32\smss.exe[340] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00007ffea913baa0 5 bytes JMP 00007fff292601e0 .text C:\Windows\System32\smss.exe[340] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00007ffea913bb60 5 bytes JMP 00007fff29260250 .text C:\Windows\System32\smss.exe[340] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00007ffea913bb90 5 bytes JMP 00007fff29260490 .text C:\Windows\System32\smss.exe[340] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00007ffea913bba0 5 bytes JMP 00007fff292604a0 .text C:\Windows\System32\smss.exe[340] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00007ffea913bbd0 5 bytes JMP 00007fff29260300 .text C:\Windows\System32\smss.exe[340] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00007ffea913bbe0 5 bytes JMP 00007fff29260360 .text C:\Windows\System32\smss.exe[340] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00007ffea913bc40 5 bytes JMP 00007fff292602a0 .text C:\Windows\System32\smss.exe[340] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00007ffea913bc90 5 bytes JMP 00007fff292602c0 .text C:\Windows\System32\smss.exe[340] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00007ffea913bcc0 5 bytes JMP 00007fff29260380 .text C:\Windows\System32\smss.exe[340] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00007ffea913bcd0 5 bytes JMP 00007fff29260340 .text C:\Windows\System32\smss.exe[340] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00007ffea913bfe0 5 bytes JMP 00007fff29260440 .text C:\Windows\System32\smss.exe[340] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00007ffea913c1e0 5 bytes JMP 00007fff29260260 .text C:\Windows\System32\smss.exe[340] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00007ffea913c1f0 5 bytes JMP 00007fff29260270 .text C:\Windows\System32\smss.exe[340] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00007ffea913c210 5 bytes JMP 00007fff29260400 .text C:\Windows\System32\smss.exe[340] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ffea913c3f0 5 bytes JMP 00007fff292601f0 .text C:\Windows\System32\smss.exe[340] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00007ffea913c400 5 bytes JMP 00007fff29260210 .text C:\Windows\System32\smss.exe[340] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ffea913c490 5 bytes JMP 00007fff29260200 .text C:\Windows\System32\smss.exe[340] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00007ffea913c500 5 bytes JMP 00007fff29260420 .text C:\Windows\System32\smss.exe[340] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00007ffea913c510 5 bytes JMP 00007fff29260430 .text C:\Windows\System32\smss.exe[340] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ffea913c520 5 bytes JMP 00007fff29260220 .text C:\Windows\System32\smss.exe[340] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00007ffea913c630 5 bytes JMP 00007fff29260280 .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00007ffea913ac30 5 bytes JMP 00007fff29260460 .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00007ffea913ac80 5 bytes JMP 00007fff29260450 .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00007ffea913ade0 1 byte JMP 00007fff29260370 .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 2 00007ffea913ade2 3 bytes {JMP 0xffffffff80125590} .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00007ffea913ae30 5 bytes JMP 00007fff29260470 .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ffea913ae40 5 bytes JMP 00007fff292603e0 .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00007ffea913aef0 5 bytes JMP 00007fff29260320 .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffea913af20 1 byte JMP 00007fff292603b0 .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 2 00007ffea913af22 3 bytes {JMP 0xffffffff80125490} .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00007ffea913af40 5 bytes JMP 00007fff29260390 .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00007ffea913af80 5 bytes JMP 00007fff292602e0 .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00007ffea913b000 5 bytes JMP 00007fff292602d0 .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00007ffea913b020 5 bytes JMP 00007fff29260310 .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00007ffea913b060 5 bytes JMP 00007fff292603c0 .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00007ffea913b0b0 5 bytes JMP 00007fff292603f0 .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00007ffea913b210 5 bytes JMP 00007fff29260230 .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ffea913b400 5 bytes JMP 00007fff29260480 .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00007ffea913b430 5 bytes JMP 00007fff292603a0 .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ffea913b550 5 bytes JMP 00007fff292602f0 .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00007ffea913b570 5 bytes JMP 00007fff29260350 .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00007ffea913b5e0 5 bytes JMP 00007fff29260290 .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ffea913b670 5 bytes JMP 00007fff292602b0 .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffea913b690 5 bytes JMP 00007fff292603d0 .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00007ffea913b6a0 1 byte JMP 00007fff29260330 .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00007ffea913b6a2 3 bytes {JMP 0xffffffff80124c90} .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00007ffea913b750 5 bytes JMP 00007fff29260410 .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00007ffea913b780 5 bytes JMP 00007fff29260240 .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00007ffea913baa0 5 bytes JMP 00007fff292601e0 .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00007ffea913bb60 5 bytes JMP 00007fff29260250 .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00007ffea913bb90 5 bytes JMP 00007fff29260490 .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00007ffea913bba0 5 bytes JMP 00007fff292604a0 .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00007ffea913bbd0 5 bytes JMP 00007fff29260300 .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00007ffea913bbe0 5 bytes JMP 00007fff29260360 .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00007ffea913bc40 5 bytes JMP 00007fff292602a0 .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00007ffea913bc90 5 bytes JMP 00007fff292602c0 .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00007ffea913bcc0 5 bytes JMP 00007fff29260380 .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00007ffea913bcd0 5 bytes JMP 00007fff29260340 .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00007ffea913bfe0 5 bytes JMP 00007fff29260440 .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00007ffea913c1e0 5 bytes JMP 00007fff29260260 .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00007ffea913c1f0 5 bytes JMP 00007fff29260270 .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00007ffea913c210 5 bytes JMP 00007fff29260400 .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ffea913c3f0 5 bytes JMP 00007fff292601f0 .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00007ffea913c400 5 bytes JMP 00007fff29260210 .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ffea913c490 5 bytes JMP 00007fff29260200 .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00007ffea913c500 5 bytes JMP 00007fff29260420 .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00007ffea913c510 5 bytes JMP 00007fff29260430 .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ffea913c520 5 bytes JMP 00007fff29260220 .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00007ffea913c630 5 bytes JMP 00007fff29260280 .text C:\Windows\system32\wininit.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00007ffea913ac30 5 bytes JMP 00007fff29260460 .text C:\Windows\system32\wininit.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00007ffea913ac80 5 bytes JMP 00007fff29260450 .text C:\Windows\system32\wininit.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00007ffea913ade0 1 byte JMP 00007fff29260370 .text C:\Windows\system32\wininit.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 2 00007ffea913ade2 3 bytes {JMP 0xffffffff80125590} .text C:\Windows\system32\wininit.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00007ffea913ae30 5 bytes JMP 00007fff29260470 .text C:\Windows\system32\wininit.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ffea913ae40 5 bytes JMP 00007fff292603e0 .text C:\Windows\system32\wininit.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00007ffea913aef0 5 bytes JMP 00007fff29260320 .text C:\Windows\system32\wininit.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffea913af20 1 byte JMP 00007fff292603b0 .text C:\Windows\system32\wininit.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 2 00007ffea913af22 3 bytes {JMP 0xffffffff80125490} .text C:\Windows\system32\wininit.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00007ffea913af40 5 bytes JMP 00007fff29260390 .text C:\Windows\system32\wininit.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00007ffea913af80 5 bytes JMP 00007fff292602e0 .text C:\Windows\system32\wininit.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00007ffea913b000 5 bytes JMP 00007fff292602d0 .text C:\Windows\system32\wininit.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00007ffea913b020 5 bytes JMP 00007fff29260310 .text C:\Windows\system32\wininit.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00007ffea913b060 5 bytes JMP 00007fff292603c0 .text C:\Windows\system32\wininit.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00007ffea913b0b0 5 bytes JMP 00007fff292603f0 .text C:\Windows\system32\wininit.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00007ffea913b210 5 bytes JMP 00007fff29260230 .text C:\Windows\system32\wininit.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ffea913b400 5 bytes JMP 00007fff29260480 .text C:\Windows\system32\wininit.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00007ffea913b430 5 bytes JMP 00007fff292603a0 .text C:\Windows\system32\wininit.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ffea913b550 5 bytes JMP 00007fff292602f0 .text C:\Windows\system32\wininit.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00007ffea913b570 5 bytes JMP 00007fff29260350 .text C:\Windows\system32\wininit.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00007ffea913b5e0 5 bytes JMP 00007fff29260290 .text C:\Windows\system32\wininit.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ffea913b670 5 bytes JMP 00007fff292602b0 .text C:\Windows\system32\wininit.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffea913b690 5 bytes JMP 00007fff292603d0 .text C:\Windows\system32\wininit.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00007ffea913b6a0 1 byte JMP 00007fff29260330 .text C:\Windows\system32\wininit.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00007ffea913b6a2 3 bytes {JMP 0xffffffff80124c90} .text C:\Windows\system32\wininit.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00007ffea913b750 5 bytes JMP 00007fff29260410 .text C:\Windows\system32\wininit.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00007ffea913b780 5 bytes JMP 00007fff29260240 .text C:\Windows\system32\wininit.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00007ffea913baa0 5 bytes JMP 00007fff292601e0 .text C:\Windows\system32\wininit.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00007ffea913bb60 5 bytes JMP 00007fff29260250 .text C:\Windows\system32\wininit.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00007ffea913bb90 5 bytes JMP 00007fff29260490 .text C:\Windows\system32\wininit.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00007ffea913bba0 5 bytes JMP 00007fff292604a0 .text C:\Windows\system32\wininit.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00007ffea913bbd0 5 bytes JMP 00007fff29260300 .text C:\Windows\system32\wininit.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00007ffea913bbe0 5 bytes JMP 00007fff29260360 .text C:\Windows\system32\wininit.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00007ffea913bc40 5 bytes JMP 00007fff292602a0 .text C:\Windows\system32\wininit.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00007ffea913bc90 5 bytes JMP 00007fff292602c0 .text C:\Windows\system32\wininit.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00007ffea913bcc0 5 bytes JMP 00007fff29260380 .text C:\Windows\system32\wininit.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00007ffea913bcd0 5 bytes JMP 00007fff29260340 .text C:\Windows\system32\wininit.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00007ffea913bfe0 5 bytes JMP 00007fff29260440 .text C:\Windows\system32\wininit.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00007ffea913c1e0 5 bytes JMP 00007fff29260260 .text C:\Windows\system32\wininit.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00007ffea913c1f0 5 bytes JMP 00007fff29260270 .text C:\Windows\system32\wininit.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00007ffea913c210 5 bytes JMP 00007fff29260400 .text C:\Windows\system32\wininit.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ffea913c3f0 5 bytes JMP 00007fff292601f0 .text C:\Windows\system32\wininit.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00007ffea913c400 5 bytes JMP 00007fff29260210 .text C:\Windows\system32\wininit.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ffea913c490 5 bytes JMP 00007fff29260200 .text C:\Windows\system32\wininit.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00007ffea913c500 5 bytes JMP 00007fff29260420 .text C:\Windows\system32\wininit.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00007ffea913c510 5 bytes JMP 00007fff29260430 .text C:\Windows\system32\wininit.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ffea913c520 5 bytes JMP 00007fff29260220 .text C:\Windows\system32\wininit.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00007ffea913c630 5 bytes JMP 00007fff29260280 .text C:\Windows\system32\csrss.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00007ffea913ac30 5 bytes JMP 00007fff29260460 .text C:\Windows\system32\csrss.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00007ffea913ac80 5 bytes JMP 00007fff29260450 .text C:\Windows\system32\csrss.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00007ffea913ade0 1 byte JMP 00007fff29260370 .text C:\Windows\system32\csrss.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 2 00007ffea913ade2 3 bytes {JMP 0xffffffff80125590} .text C:\Windows\system32\csrss.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00007ffea913ae30 5 bytes JMP 00007fff29260470 .text C:\Windows\system32\csrss.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ffea913ae40 5 bytes JMP 00007fff292603e0 .text C:\Windows\system32\csrss.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00007ffea913aef0 5 bytes JMP 00007fff29260320 .text C:\Windows\system32\csrss.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffea913af20 1 byte JMP 00007fff292603b0 .text C:\Windows\system32\csrss.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 2 00007ffea913af22 3 bytes {JMP 0xffffffff80125490} .text C:\Windows\system32\csrss.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00007ffea913af40 5 bytes JMP 00007fff29260390 .text C:\Windows\system32\csrss.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00007ffea913af80 5 bytes JMP 00007fff292602e0 .text C:\Windows\system32\csrss.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00007ffea913b000 5 bytes JMP 00007fff292602d0 .text C:\Windows\system32\csrss.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00007ffea913b020 5 bytes JMP 00007fff29260310 .text C:\Windows\system32\csrss.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00007ffea913b060 5 bytes JMP 00007fff292603c0 .text C:\Windows\system32\csrss.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00007ffea913b0b0 5 bytes JMP 00007fff292603f0 .text C:\Windows\system32\csrss.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00007ffea913b210 5 bytes JMP 00007fff29260230 .text C:\Windows\system32\csrss.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ffea913b400 5 bytes JMP 00007fff29260480 .text C:\Windows\system32\csrss.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00007ffea913b430 5 bytes JMP 00007fff292603a0 .text C:\Windows\system32\csrss.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ffea913b550 5 bytes JMP 00007fff292602f0 .text C:\Windows\system32\csrss.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00007ffea913b570 5 bytes JMP 00007fff29260350 .text C:\Windows\system32\csrss.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00007ffea913b5e0 5 bytes JMP 00007fff29260290 .text C:\Windows\system32\csrss.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ffea913b670 5 bytes JMP 00007fff292602b0 .text C:\Windows\system32\csrss.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffea913b690 5 bytes JMP 00007fff292603d0 .text C:\Windows\system32\csrss.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00007ffea913b6a0 1 byte JMP 00007fff29260330 .text C:\Windows\system32\csrss.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00007ffea913b6a2 3 bytes {JMP 0xffffffff80124c90} .text C:\Windows\system32\csrss.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00007ffea913b750 5 bytes JMP 00007fff29260410 .text C:\Windows\system32\csrss.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00007ffea913b780 5 bytes JMP 00007fff29260240 .text C:\Windows\system32\csrss.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00007ffea913baa0 5 bytes JMP 00007fff292601e0 .text C:\Windows\system32\csrss.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00007ffea913bb60 5 bytes JMP 00007fff29260250 .text C:\Windows\system32\csrss.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00007ffea913bb90 5 bytes JMP 00007fff29260490 .text C:\Windows\system32\csrss.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00007ffea913bba0 5 bytes JMP 00007fff292604a0 .text C:\Windows\system32\csrss.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00007ffea913bbd0 5 bytes JMP 00007fff29260300 .text C:\Windows\system32\csrss.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00007ffea913bbe0 5 bytes JMP 00007fff29260360 .text C:\Windows\system32\csrss.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00007ffea913bc40 5 bytes JMP 00007fff292602a0 .text C:\Windows\system32\csrss.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00007ffea913bc90 5 bytes JMP 00007fff292602c0 .text C:\Windows\system32\csrss.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00007ffea913bcc0 5 bytes JMP 00007fff29260380 .text C:\Windows\system32\csrss.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00007ffea913bcd0 5 bytes JMP 00007fff29260340 .text C:\Windows\system32\csrss.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00007ffea913bfe0 5 bytes JMP 00007fff29260440 .text C:\Windows\system32\csrss.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00007ffea913c1e0 5 bytes JMP 00007fff29260260 .text C:\Windows\system32\csrss.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00007ffea913c1f0 5 bytes JMP 00007fff29260270 .text C:\Windows\system32\csrss.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00007ffea913c210 5 bytes JMP 00007fff29260400 .text C:\Windows\system32\csrss.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ffea913c3f0 5 bytes JMP 00007fff292601f0 .text C:\Windows\system32\csrss.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00007ffea913c400 5 bytes JMP 00007fff29260210 .text C:\Windows\system32\csrss.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ffea913c490 5 bytes JMP 00007fff29260200 .text C:\Windows\system32\csrss.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00007ffea913c500 5 bytes JMP 00007fff29260420 .text C:\Windows\system32\csrss.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00007ffea913c510 5 bytes JMP 00007fff29260430 .text C:\Windows\system32\csrss.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ffea913c520 5 bytes JMP 00007fff29260220 .text C:\Windows\system32\csrss.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00007ffea913c630 5 bytes JMP 00007fff29260280 .text C:\Windows\system32\winlogon.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00007ffea913ac30 5 bytes JMP 00007fff29260460 .text C:\Windows\system32\winlogon.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00007ffea913ac80 5 bytes JMP 00007fff29260450 .text C:\Windows\system32\winlogon.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00007ffea913ade0 1 byte JMP 00007fff29260370 .text C:\Windows\system32\winlogon.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 2 00007ffea913ade2 3 bytes {JMP 0xffffffff80125590} .text C:\Windows\system32\winlogon.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00007ffea913ae30 5 bytes JMP 00007fff29260470 .text C:\Windows\system32\winlogon.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ffea913ae40 5 bytes JMP 00007fff292603e0 .text C:\Windows\system32\winlogon.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00007ffea913aef0 5 bytes JMP 00007fff29260320 .text C:\Windows\system32\winlogon.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffea913af20 1 byte JMP 00007fff292603b0 .text C:\Windows\system32\winlogon.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 2 00007ffea913af22 3 bytes {JMP 0xffffffff80125490} .text C:\Windows\system32\winlogon.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00007ffea913af40 5 bytes JMP 00007fff29260390 .text C:\Windows\system32\winlogon.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00007ffea913af80 5 bytes JMP 00007fff292602e0 .text C:\Windows\system32\winlogon.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00007ffea913b000 5 bytes JMP 00007fff292602d0 .text C:\Windows\system32\winlogon.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00007ffea913b020 5 bytes JMP 00007fff29260310 .text C:\Windows\system32\winlogon.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00007ffea913b060 5 bytes JMP 00007fff292603c0 .text C:\Windows\system32\winlogon.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00007ffea913b0b0 5 bytes JMP 00007fff292603f0 .text C:\Windows\system32\winlogon.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00007ffea913b210 5 bytes JMP 00007fff29260230 .text C:\Windows\system32\winlogon.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ffea913b400 5 bytes JMP 00007fff29260480 .text C:\Windows\system32\winlogon.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00007ffea913b430 5 bytes JMP 00007fff292603a0 .text C:\Windows\system32\winlogon.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ffea913b550 5 bytes JMP 00007fff292602f0 .text C:\Windows\system32\winlogon.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00007ffea913b570 5 bytes JMP 00007fff29260350 .text C:\Windows\system32\winlogon.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00007ffea913b5e0 5 bytes JMP 00007fff29260290 .text C:\Windows\system32\winlogon.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ffea913b670 5 bytes JMP 00007fff292602b0 .text C:\Windows\system32\winlogon.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffea913b690 5 bytes JMP 00007fff292603d0 .text C:\Windows\system32\winlogon.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00007ffea913b6a0 1 byte JMP 00007fff29260330 .text C:\Windows\system32\winlogon.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00007ffea913b6a2 3 bytes {JMP 0xffffffff80124c90} .text C:\Windows\system32\winlogon.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00007ffea913b750 5 bytes JMP 00007fff29260410 .text C:\Windows\system32\winlogon.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00007ffea913b780 5 bytes JMP 00007fff29260240 .text C:\Windows\system32\winlogon.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00007ffea913baa0 5 bytes JMP 00007fff292601e0 .text C:\Windows\system32\winlogon.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00007ffea913bb60 5 bytes JMP 00007fff29260250 .text C:\Windows\system32\winlogon.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00007ffea913bb90 5 bytes JMP 00007fff29260490 .text C:\Windows\system32\winlogon.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00007ffea913bba0 5 bytes JMP 00007fff292604a0 .text C:\Windows\system32\winlogon.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00007ffea913bbd0 5 bytes JMP 00007fff29260300 .text C:\Windows\system32\winlogon.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00007ffea913bbe0 5 bytes JMP 00007fff29260360 .text C:\Windows\system32\winlogon.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00007ffea913bc40 5 bytes JMP 00007fff292602a0 .text C:\Windows\system32\winlogon.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00007ffea913bc90 5 bytes JMP 00007fff292602c0 .text C:\Windows\system32\winlogon.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00007ffea913bcc0 5 bytes JMP 00007fff29260380 .text C:\Windows\system32\winlogon.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00007ffea913bcd0 5 bytes JMP 00007fff29260340 .text C:\Windows\system32\winlogon.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00007ffea913bfe0 5 bytes JMP 00007fff29260440 .text C:\Windows\system32\winlogon.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00007ffea913c1e0 5 bytes JMP 00007fff29260260 .text C:\Windows\system32\winlogon.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00007ffea913c1f0 5 bytes JMP 00007fff29260270 .text C:\Windows\system32\winlogon.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00007ffea913c210 5 bytes JMP 00007fff29260400 .text C:\Windows\system32\winlogon.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ffea913c3f0 5 bytes JMP 00007fff292601f0 .text C:\Windows\system32\winlogon.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00007ffea913c400 5 bytes JMP 00007fff29260210 .text C:\Windows\system32\winlogon.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ffea913c490 5 bytes JMP 00007fff29260200 .text C:\Windows\system32\winlogon.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00007ffea913c500 5 bytes JMP 00007fff29260420 .text C:\Windows\system32\winlogon.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00007ffea913c510 5 bytes JMP 00007fff29260430 .text C:\Windows\system32\winlogon.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ffea913c520 5 bytes JMP 00007fff29260220 .text C:\Windows\system32\winlogon.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00007ffea913c630 5 bytes JMP 00007fff29260280 .text C:\Windows\system32\services.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00007ffea913ac30 5 bytes JMP 00007fff29260460 .text C:\Windows\system32\services.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00007ffea913ac80 5 bytes JMP 00007fff29260450 .text C:\Windows\system32\services.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00007ffea913ade0 1 byte JMP 00007fff29260370 .text C:\Windows\system32\services.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 2 00007ffea913ade2 3 bytes {JMP 0xffffffff80125590} .text C:\Windows\system32\services.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00007ffea913ae30 5 bytes JMP 00007fff29260470 .text C:\Windows\system32\services.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ffea913ae40 5 bytes JMP 00007fff292603e0 .text C:\Windows\system32\services.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00007ffea913aef0 5 bytes JMP 00007fff29260320 .text C:\Windows\system32\services.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffea913af20 1 byte JMP 00007fff292603b0 .text C:\Windows\system32\services.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 2 00007ffea913af22 3 bytes {JMP 0xffffffff80125490} .text C:\Windows\system32\services.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00007ffea913af40 5 bytes JMP 00007fff29260390 .text C:\Windows\system32\services.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00007ffea913af80 5 bytes JMP 00007fff292602e0 .text C:\Windows\system32\services.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00007ffea913b000 5 bytes JMP 00007fff292602d0 .text C:\Windows\system32\services.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00007ffea913b020 5 bytes JMP 00007fff29260310 .text C:\Windows\system32\services.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00007ffea913b060 5 bytes JMP 00007fff292603c0 .text C:\Windows\system32\services.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00007ffea913b0b0 5 bytes JMP 00007fff292603f0 .text C:\Windows\system32\services.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00007ffea913b210 5 bytes JMP 00007fff29260230 .text C:\Windows\system32\services.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ffea913b400 5 bytes JMP 00007fff29260480 .text C:\Windows\system32\services.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00007ffea913b430 5 bytes JMP 00007fff292603a0 .text C:\Windows\system32\services.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ffea913b550 5 bytes JMP 00007fff292602f0 .text C:\Windows\system32\services.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00007ffea913b570 5 bytes JMP 00007fff29260350 .text C:\Windows\system32\services.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00007ffea913b5e0 5 bytes JMP 00007fff29260290 .text C:\Windows\system32\services.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ffea913b670 5 bytes JMP 00007fff292602b0 .text C:\Windows\system32\services.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffea913b690 5 bytes JMP 00007fff292603d0 .text C:\Windows\system32\services.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00007ffea913b6a0 1 byte JMP 00007fff29260330 .text C:\Windows\system32\services.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00007ffea913b6a2 3 bytes {JMP 0xffffffff80124c90} .text C:\Windows\system32\services.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00007ffea913b750 5 bytes JMP 00007fff29260410 .text C:\Windows\system32\services.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00007ffea913b780 5 bytes JMP 00007fff29260240 .text C:\Windows\system32\services.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00007ffea913baa0 5 bytes JMP 00007fff292601e0 .text C:\Windows\system32\services.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00007ffea913bb60 5 bytes JMP 00007fff29260250 .text C:\Windows\system32\services.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00007ffea913bb90 5 bytes JMP 00007fff29260490 .text C:\Windows\system32\services.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00007ffea913bba0 5 bytes JMP 00007fff292604a0 .text C:\Windows\system32\services.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00007ffea913bbd0 5 bytes JMP 00007fff29260300 .text C:\Windows\system32\services.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00007ffea913bbe0 5 bytes JMP 00007fff29260360 .text C:\Windows\system32\services.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00007ffea913bc40 5 bytes JMP 00007fff292602a0 .text C:\Windows\system32\services.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00007ffea913bc90 5 bytes JMP 00007fff292602c0 .text C:\Windows\system32\services.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00007ffea913bcc0 5 bytes JMP 00007fff29260380 .text C:\Windows\system32\services.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00007ffea913bcd0 5 bytes JMP 00007fff29260340 .text C:\Windows\system32\services.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00007ffea913bfe0 5 bytes JMP 00007fff29260440 .text C:\Windows\system32\services.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00007ffea913c1e0 5 bytes JMP 00007fff29260260 .text C:\Windows\system32\services.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00007ffea913c1f0 5 bytes JMP 00007fff29260270 .text C:\Windows\system32\services.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00007ffea913c210 5 bytes JMP 00007fff29260400 .text C:\Windows\system32\services.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ffea913c3f0 5 bytes JMP 00007fff292601f0 .text C:\Windows\system32\services.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00007ffea913c400 5 bytes JMP 00007fff29260210 .text C:\Windows\system32\services.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ffea913c490 5 bytes JMP 00007fff29260200 .text C:\Windows\system32\services.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00007ffea913c500 5 bytes JMP 00007fff29260420 .text C:\Windows\system32\services.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00007ffea913c510 5 bytes JMP 00007fff29260430 .text C:\Windows\system32\services.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ffea913c520 5 bytes JMP 00007fff29260220 .text C:\Windows\system32\services.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00007ffea913c630 5 bytes JMP 00007fff29260280 .text C:\Windows\system32\lsass.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00007ffea913ac30 5 bytes JMP 00007fff29260460 .text C:\Windows\system32\lsass.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00007ffea913ac80 5 bytes JMP 00007fff29260450 .text C:\Windows\system32\lsass.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00007ffea913ade0 1 byte JMP 00007fff29260370 .text C:\Windows\system32\lsass.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 2 00007ffea913ade2 3 bytes {JMP 0xffffffff80125590} .text C:\Windows\system32\lsass.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00007ffea913ae30 5 bytes JMP 00007fff29260470 .text C:\Windows\system32\lsass.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ffea913ae40 5 bytes JMP 00007fff292603e0 .text C:\Windows\system32\lsass.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00007ffea913aef0 5 bytes JMP 00007fff29260320 .text C:\Windows\system32\lsass.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffea913af20 1 byte JMP 00007fff292603b0 .text C:\Windows\system32\lsass.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 2 00007ffea913af22 3 bytes {JMP 0xffffffff80125490} .text C:\Windows\system32\lsass.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00007ffea913af40 5 bytes JMP 00007fff29260390 .text C:\Windows\system32\lsass.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00007ffea913af80 5 bytes JMP 00007fff292602e0 .text C:\Windows\system32\lsass.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00007ffea913b000 5 bytes JMP 00007fff292602d0 .text C:\Windows\system32\lsass.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00007ffea913b020 5 bytes JMP 00007fff29260310 .text C:\Windows\system32\lsass.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00007ffea913b060 5 bytes JMP 00007fff292603c0 .text C:\Windows\system32\lsass.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00007ffea913b0b0 5 bytes JMP 00007fff292603f0 .text C:\Windows\system32\lsass.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00007ffea913b210 5 bytes JMP 00007fff29260230 .text C:\Windows\system32\lsass.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ffea913b400 5 bytes JMP 00007fff29260480 .text C:\Windows\system32\lsass.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00007ffea913b430 5 bytes JMP 00007fff292603a0 .text C:\Windows\system32\lsass.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ffea913b550 5 bytes JMP 00007fff292602f0 .text C:\Windows\system32\lsass.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00007ffea913b570 5 bytes JMP 00007fff29260350 .text C:\Windows\system32\lsass.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00007ffea913b5e0 5 bytes JMP 00007fff29260290 .text C:\Windows\system32\lsass.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ffea913b670 5 bytes JMP 00007fff292602b0 .text C:\Windows\system32\lsass.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffea913b690 5 bytes JMP 00007fff292603d0 .text C:\Windows\system32\lsass.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00007ffea913b6a0 1 byte JMP 00007fff29260330 .text C:\Windows\system32\lsass.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00007ffea913b6a2 3 bytes {JMP 0xffffffff80124c90} .text C:\Windows\system32\lsass.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00007ffea913b750 5 bytes JMP 00007fff29260410 .text C:\Windows\system32\lsass.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00007ffea913b780 5 bytes JMP 00007fff29260240 .text C:\Windows\system32\lsass.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00007ffea913baa0 5 bytes JMP 00007fff292601e0 .text C:\Windows\system32\lsass.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00007ffea913bb60 5 bytes JMP 00007fff29260250 .text C:\Windows\system32\lsass.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00007ffea913bb90 5 bytes JMP 00007fff29260490 .text C:\Windows\system32\lsass.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00007ffea913bba0 5 bytes JMP 00007fff292604a0 .text C:\Windows\system32\lsass.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00007ffea913bbd0 5 bytes JMP 00007fff29260300 .text C:\Windows\system32\lsass.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00007ffea913bbe0 5 bytes JMP 00007fff29260360 .text C:\Windows\system32\lsass.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00007ffea913bc40 5 bytes JMP 00007fff292602a0 .text C:\Windows\system32\lsass.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00007ffea913bc90 5 bytes JMP 00007fff292602c0 .text C:\Windows\system32\lsass.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00007ffea913bcc0 5 bytes JMP 00007fff29260380 .text C:\Windows\system32\lsass.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00007ffea913bcd0 5 bytes JMP 00007fff29260340 .text C:\Windows\system32\lsass.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00007ffea913bfe0 5 bytes JMP 00007fff29260440 .text C:\Windows\system32\lsass.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00007ffea913c1e0 5 bytes JMP 00007fff29260260 .text C:\Windows\system32\lsass.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00007ffea913c1f0 5 bytes JMP 00007fff29260270 .text C:\Windows\system32\lsass.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00007ffea913c210 5 bytes JMP 00007fff29260400 .text C:\Windows\system32\lsass.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ffea913c3f0 5 bytes JMP 00007fff292601f0 .text C:\Windows\system32\lsass.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00007ffea913c400 5 bytes JMP 00007fff29260210 .text C:\Windows\system32\lsass.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ffea913c490 5 bytes JMP 00007fff29260200 .text C:\Windows\system32\lsass.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00007ffea913c500 5 bytes JMP 00007fff29260420 .text C:\Windows\system32\lsass.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00007ffea913c510 5 bytes JMP 00007fff29260430 .text C:\Windows\system32\lsass.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ffea913c520 5 bytes JMP 00007fff29260220 .text C:\Windows\system32\lsass.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00007ffea913c630 5 bytes JMP 00007fff29260280 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00007ffea913ac30 5 bytes JMP 00007fff29260460 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00007ffea913ac80 5 bytes JMP 00007fff29260450 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00007ffea913ade0 1 byte JMP 00007fff29260370 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 2 00007ffea913ade2 3 bytes {JMP 0xffffffff80125590} .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00007ffea913ae30 5 bytes JMP 00007fff29260470 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ffea913ae40 5 bytes JMP 00007fff292603e0 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00007ffea913aef0 5 bytes JMP 00007fff29260320 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffea913af20 1 byte JMP 00007fff292603b0 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 2 00007ffea913af22 3 bytes {JMP 0xffffffff80125490} .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00007ffea913af40 5 bytes JMP 00007fff29260390 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00007ffea913af80 5 bytes JMP 00007fff292602e0 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00007ffea913b000 5 bytes JMP 00007fff292602d0 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00007ffea913b020 5 bytes JMP 00007fff29260310 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00007ffea913b060 5 bytes JMP 00007fff292603c0 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00007ffea913b0b0 5 bytes JMP 00007fff292603f0 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00007ffea913b210 5 bytes JMP 00007fff29260230 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ffea913b400 5 bytes JMP 00007fff29260480 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00007ffea913b430 5 bytes JMP 00007fff292603a0 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ffea913b550 5 bytes JMP 00007fff292602f0 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00007ffea913b570 5 bytes JMP 00007fff29260350 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00007ffea913b5e0 5 bytes JMP 00007fff29260290 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ffea913b670 5 bytes JMP 00007fff292602b0 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffea913b690 5 bytes JMP 00007fff292603d0 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00007ffea913b6a0 1 byte JMP 00007fff29260330 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00007ffea913b6a2 3 bytes {JMP 0xffffffff80124c90} .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00007ffea913b750 5 bytes JMP 00007fff29260410 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00007ffea913b780 5 bytes JMP 00007fff29260240 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00007ffea913baa0 5 bytes JMP 00007fff292601e0 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00007ffea913bb60 5 bytes JMP 00007fff29260250 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00007ffea913bb90 5 bytes JMP 00007fff29260490 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00007ffea913bba0 5 bytes JMP 00007fff292604a0 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00007ffea913bbd0 5 bytes JMP 00007fff29260300 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00007ffea913bbe0 5 bytes JMP 00007fff29260360 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00007ffea913bc40 5 bytes JMP 00007fff292602a0 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00007ffea913bc90 5 bytes JMP 00007fff292602c0 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00007ffea913bcc0 5 bytes JMP 00007fff29260380 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00007ffea913bcd0 5 bytes JMP 00007fff29260340 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00007ffea913bfe0 5 bytes JMP 00007fff29260440 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00007ffea913c1e0 5 bytes JMP 00007fff29260260 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00007ffea913c1f0 5 bytes JMP 00007fff29260270 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00007ffea913c210 5 bytes JMP 00007fff29260400 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ffea913c3f0 5 bytes JMP 00007fff292601f0 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00007ffea913c400 5 bytes JMP 00007fff29260210 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ffea913c490 5 bytes JMP 00007fff29260200 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00007ffea913c500 5 bytes JMP 00007fff29260420 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00007ffea913c510 5 bytes JMP 00007fff29260430 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ffea913c520 5 bytes JMP 00007fff29260220 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00007ffea913c630 5 bytes JMP 00007fff29260280 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00007ffea913ac30 5 bytes JMP 00007fff29260460 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00007ffea913ac80 5 bytes JMP 00007fff29260450 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00007ffea913ade0 1 byte JMP 00007fff29260370 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 2 00007ffea913ade2 3 bytes {JMP 0xffffffff80125590} .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00007ffea913ae30 5 bytes JMP 00007fff29260470 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ffea913ae40 5 bytes JMP 00007fff292603e0 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00007ffea913aef0 5 bytes JMP 00007fff29260320 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffea913af20 1 byte JMP 00007fff292603b0 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 2 00007ffea913af22 3 bytes {JMP 0xffffffff80125490} .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00007ffea913af40 5 bytes JMP 00007fff29260390 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00007ffea913af80 5 bytes JMP 00007fff292602e0 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00007ffea913b000 5 bytes JMP 00007fff292602d0 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00007ffea913b020 5 bytes JMP 00007fff29260310 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00007ffea913b060 5 bytes JMP 00007fff292603c0 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00007ffea913b0b0 5 bytes JMP 00007fff292603f0 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00007ffea913b210 5 bytes JMP 00007fff29260230 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ffea913b400 5 bytes JMP 00007fff29260480 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00007ffea913b430 5 bytes JMP 00007fff292603a0 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ffea913b550 5 bytes JMP 00007fff292602f0 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00007ffea913b570 5 bytes JMP 00007fff29260350 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00007ffea913b5e0 5 bytes JMP 00007fff29260290 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ffea913b670 5 bytes JMP 00007fff292602b0 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffea913b690 5 bytes JMP 00007fff292603d0 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00007ffea913b6a0 1 byte JMP 00007fff29260330 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00007ffea913b6a2 3 bytes {JMP 0xffffffff80124c90} .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00007ffea913b750 5 bytes JMP 00007fff29260410 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00007ffea913b780 5 bytes JMP 00007fff29260240 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00007ffea913baa0 5 bytes JMP 00007fff292601e0 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00007ffea913bb60 5 bytes JMP 00007fff29260250 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00007ffea913bb90 5 bytes JMP 00007fff29260490 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00007ffea913bba0 5 bytes JMP 00007fff292604a0 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00007ffea913bbd0 5 bytes JMP 00007fff29260300 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00007ffea913bbe0 5 bytes JMP 00007fff29260360 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00007ffea913bc40 5 bytes JMP 00007fff292602a0 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00007ffea913bc90 5 bytes JMP 00007fff292602c0 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00007ffea913bcc0 5 bytes JMP 00007fff29260380 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00007ffea913bcd0 5 bytes JMP 00007fff29260340 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00007ffea913bfe0 5 bytes JMP 00007fff29260440 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00007ffea913c1e0 5 bytes JMP 00007fff29260260 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00007ffea913c1f0 5 bytes JMP 00007fff29260270 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00007ffea913c210 5 bytes JMP 00007fff29260400 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ffea913c3f0 5 bytes JMP 00007fff292601f0 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00007ffea913c400 5 bytes JMP 00007fff29260210 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ffea913c490 5 bytes JMP 00007fff29260200 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00007ffea913c500 5 bytes JMP 00007fff29260420 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00007ffea913c510 5 bytes JMP 00007fff29260430 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ffea913c520 5 bytes JMP 00007fff29260220 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00007ffea913c630 5 bytes JMP 00007fff29260280 .text C:\Windows\system32\atiesrxx.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00007ffea913ac30 5 bytes JMP 00007fff29260460 .text C:\Windows\system32\atiesrxx.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00007ffea913ac80 5 bytes JMP 00007fff29260450 .text C:\Windows\system32\atiesrxx.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00007ffea913ade0 1 byte JMP 00007fff29260370 .text C:\Windows\system32\atiesrxx.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 2 00007ffea913ade2 3 bytes {JMP 0xffffffff80125590} .text C:\Windows\system32\atiesrxx.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00007ffea913ae30 5 bytes JMP 00007fff29260470 .text C:\Windows\system32\atiesrxx.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ffea913ae40 5 bytes JMP 00007fff292603e0 .text C:\Windows\system32\atiesrxx.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00007ffea913aef0 5 bytes JMP 00007fff29260320 .text C:\Windows\system32\atiesrxx.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffea913af20 1 byte JMP 00007fff292603b0 .text C:\Windows\system32\atiesrxx.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 2 00007ffea913af22 3 bytes {JMP 0xffffffff80125490} .text C:\Windows\system32\atiesrxx.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00007ffea913af40 5 bytes JMP 00007fff29260390 .text C:\Windows\system32\atiesrxx.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00007ffea913af80 5 bytes JMP 00007fff292602e0 .text C:\Windows\system32\atiesrxx.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00007ffea913b000 5 bytes JMP 00007fff292602d0 .text C:\Windows\system32\atiesrxx.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00007ffea913b020 5 bytes JMP 00007fff29260310 .text C:\Windows\system32\atiesrxx.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00007ffea913b060 5 bytes JMP 00007fff292603c0 .text C:\Windows\system32\atiesrxx.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00007ffea913b0b0 5 bytes JMP 00007fff292603f0 .text C:\Windows\system32\atiesrxx.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00007ffea913b210 5 bytes JMP 00007fff29260230 .text C:\Windows\system32\atiesrxx.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ffea913b400 5 bytes JMP 00007fff29260480 .text C:\Windows\system32\atiesrxx.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00007ffea913b430 5 bytes JMP 00007fff292603a0 .text C:\Windows\system32\atiesrxx.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ffea913b550 5 bytes JMP 00007fff292602f0 .text C:\Windows\system32\atiesrxx.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00007ffea913b570 5 bytes JMP 00007fff29260350 .text C:\Windows\system32\atiesrxx.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00007ffea913b5e0 5 bytes JMP 00007fff29260290 .text C:\Windows\system32\atiesrxx.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ffea913b670 5 bytes JMP 00007fff292602b0 .text C:\Windows\system32\atiesrxx.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffea913b690 5 bytes JMP 00007fff292603d0 .text C:\Windows\system32\atiesrxx.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00007ffea913b6a0 1 byte JMP 00007fff29260330 .text C:\Windows\system32\atiesrxx.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00007ffea913b6a2 3 bytes {JMP 0xffffffff80124c90} .text C:\Windows\system32\atiesrxx.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00007ffea913b750 5 bytes JMP 00007fff29260410 .text C:\Windows\system32\atiesrxx.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00007ffea913b780 5 bytes JMP 00007fff29260240 .text C:\Windows\system32\atiesrxx.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00007ffea913baa0 5 bytes JMP 00007fff292601e0 .text C:\Windows\system32\atiesrxx.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00007ffea913bb60 5 bytes JMP 00007fff29260250 .text C:\Windows\system32\atiesrxx.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00007ffea913bb90 5 bytes JMP 00007fff29260490 .text C:\Windows\system32\atiesrxx.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00007ffea913bba0 5 bytes JMP 00007fff292604a0 .text C:\Windows\system32\atiesrxx.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00007ffea913bbd0 5 bytes JMP 00007fff29260300 .text C:\Windows\system32\atiesrxx.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00007ffea913bbe0 5 bytes JMP 00007fff29260360 .text C:\Windows\system32\atiesrxx.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00007ffea913bc40 5 bytes JMP 00007fff292602a0 .text C:\Windows\system32\atiesrxx.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00007ffea913bc90 5 bytes JMP 00007fff292602c0 .text C:\Windows\system32\atiesrxx.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00007ffea913bcc0 5 bytes JMP 00007fff29260380 .text C:\Windows\system32\atiesrxx.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00007ffea913bcd0 5 bytes JMP 00007fff29260340 .text C:\Windows\system32\atiesrxx.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00007ffea913bfe0 5 bytes JMP 00007fff29260440 .text C:\Windows\system32\atiesrxx.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00007ffea913c1e0 5 bytes JMP 00007fff29260260 .text C:\Windows\system32\atiesrxx.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00007ffea913c1f0 5 bytes JMP 00007fff29260270 .text C:\Windows\system32\atiesrxx.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00007ffea913c210 5 bytes JMP 00007fff29260400 .text C:\Windows\system32\atiesrxx.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ffea913c3f0 5 bytes JMP 00007fff292601f0 .text C:\Windows\system32\atiesrxx.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00007ffea913c400 5 bytes JMP 00007fff29260210 .text C:\Windows\system32\atiesrxx.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ffea913c490 5 bytes JMP 00007fff29260200 .text C:\Windows\system32\atiesrxx.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00007ffea913c500 5 bytes JMP 00007fff29260420 .text C:\Windows\system32\atiesrxx.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00007ffea913c510 5 bytes JMP 00007fff29260430 .text C:\Windows\system32\atiesrxx.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ffea913c520 5 bytes JMP 00007fff29260220 .text C:\Windows\system32\atiesrxx.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00007ffea913c630 5 bytes JMP 00007fff29260280 .text C:\Windows\system32\atiesrxx.exe[924] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 506 00007ffea782169a 4 bytes [82, A7, FE, 7F] .text C:\Windows\system32\atiesrxx.exe[924] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 514 00007ffea78216a2 4 bytes [82, A7, FE, 7F] .text C:\Windows\system32\atiesrxx.exe[924] C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 118 00007ffea782181a 4 bytes [82, A7, FE, 7F] .text C:\Windows\system32\atiesrxx.exe[924] C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 142 00007ffea7821832 4 bytes [82, A7, FE, 7F] .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00007ffea913ac30 5 bytes JMP 00007fff29260460 .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00007ffea913ac80 5 bytes JMP 00007fff29260450 .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00007ffea913ade0 1 byte JMP 00007fff29260370 .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 2 00007ffea913ade2 3 bytes {JMP 0xffffffff80125590} .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00007ffea913ae30 5 bytes JMP 00007fff29260470 .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ffea913ae40 5 bytes JMP 00007fff292603e0 .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00007ffea913aef0 5 bytes JMP 00007fff29260320 .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffea913af20 1 byte JMP 00007fff292603b0 .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 2 00007ffea913af22 3 bytes {JMP 0xffffffff80125490} .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00007ffea913af40 5 bytes JMP 00007fff29260390 .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00007ffea913af80 5 bytes JMP 00007fff292602e0 .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00007ffea913b000 5 bytes JMP 00007fff292602d0 .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00007ffea913b020 5 bytes JMP 00007fff29260310 .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00007ffea913b060 5 bytes JMP 00007fff292603c0 .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00007ffea913b0b0 5 bytes JMP 00007fff292603f0 .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00007ffea913b210 5 bytes JMP 00007fff29260230 .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ffea913b400 5 bytes JMP 00007fff29260480 .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00007ffea913b430 5 bytes JMP 00007fff292603a0 .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ffea913b550 5 bytes JMP 00007fff292602f0 .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00007ffea913b570 5 bytes JMP 00007fff29260350 .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00007ffea913b5e0 5 bytes JMP 00007fff29260290 .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ffea913b670 5 bytes JMP 00007fff292602b0 .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffea913b690 5 bytes JMP 00007fff292603d0 .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00007ffea913b6a0 1 byte JMP 00007fff29260330 .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00007ffea913b6a2 3 bytes {JMP 0xffffffff80124c90} .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00007ffea913b750 5 bytes JMP 00007fff29260410 .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00007ffea913b780 5 bytes JMP 00007fff29260240 .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00007ffea913baa0 5 bytes JMP 00007fff292601e0 .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00007ffea913bb60 5 bytes JMP 00007fff29260250 .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00007ffea913bb90 5 bytes JMP 00007fff29260490 .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00007ffea913bba0 5 bytes JMP 00007fff292604a0 .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00007ffea913bbd0 5 bytes JMP 00007fff29260300 .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00007ffea913bbe0 5 bytes JMP 00007fff29260360 .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00007ffea913bc40 5 bytes JMP 00007fff292602a0 .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00007ffea913bc90 5 bytes JMP 00007fff292602c0 .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00007ffea913bcc0 5 bytes JMP 00007fff29260380 .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00007ffea913bcd0 5 bytes JMP 00007fff29260340 .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00007ffea913bfe0 5 bytes JMP 00007fff29260440 .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00007ffea913c1e0 5 bytes JMP 00007fff29260260 .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00007ffea913c1f0 5 bytes JMP 00007fff29260270 .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00007ffea913c210 5 bytes JMP 00007fff29260400 .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ffea913c3f0 5 bytes JMP 00007fff292601f0 .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00007ffea913c400 5 bytes JMP 00007fff29260210 .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ffea913c490 5 bytes JMP 00007fff29260200 .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00007ffea913c500 5 bytes JMP 00007fff29260420 .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00007ffea913c510 5 bytes JMP 00007fff29260430 .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ffea913c520 5 bytes JMP 00007fff29260220 .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00007ffea913c630 5 bytes JMP 00007fff29260280 .text C:\Windows\System32\svchost.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00007ffea913ac30 5 bytes JMP 00007fff29260460 .text C:\Windows\System32\svchost.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00007ffea913ac80 5 bytes JMP 00007fff29260450 .text C:\Windows\System32\svchost.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00007ffea913ade0 1 byte JMP 00007fff29260370 .text C:\Windows\System32\svchost.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 2 00007ffea913ade2 3 bytes {JMP 0xffffffff80125590} .text C:\Windows\System32\svchost.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00007ffea913ae30 5 bytes JMP 00007fff29260470 .text C:\Windows\System32\svchost.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ffea913ae40 5 bytes JMP 00007fff292603e0 .text C:\Windows\System32\svchost.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00007ffea913aef0 5 bytes JMP 00007fff29260320 .text C:\Windows\System32\svchost.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffea913af20 1 byte JMP 00007fff292603b0 .text C:\Windows\System32\svchost.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 2 00007ffea913af22 3 bytes {JMP 0xffffffff80125490} .text C:\Windows\System32\svchost.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00007ffea913af40 5 bytes JMP 00007fff29260390 .text C:\Windows\System32\svchost.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00007ffea913af80 5 bytes JMP 00007fff292602e0 .text C:\Windows\System32\svchost.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00007ffea913b000 5 bytes JMP 00007fff292602d0 .text C:\Windows\System32\svchost.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00007ffea913b020 5 bytes JMP 00007fff29260310 .text C:\Windows\System32\svchost.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00007ffea913b060 5 bytes JMP 00007fff292603c0 .text C:\Windows\System32\svchost.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00007ffea913b0b0 5 bytes JMP 00007fff292603f0 .text C:\Windows\System32\svchost.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00007ffea913b210 5 bytes JMP 00007fff29260230 .text C:\Windows\System32\svchost.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ffea913b400 5 bytes JMP 00007fff29260480 .text C:\Windows\System32\svchost.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00007ffea913b430 5 bytes JMP 00007fff292603a0 .text C:\Windows\System32\svchost.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ffea913b550 5 bytes JMP 00007fff292602f0 .text C:\Windows\System32\svchost.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00007ffea913b570 5 bytes JMP 00007fff29260350 .text C:\Windows\System32\svchost.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00007ffea913b5e0 5 bytes JMP 00007fff29260290 .text C:\Windows\System32\svchost.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ffea913b670 5 bytes JMP 00007fff292602b0 .text C:\Windows\System32\svchost.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffea913b690 5 bytes JMP 00007fff292603d0 .text C:\Windows\System32\svchost.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00007ffea913b6a0 1 byte JMP 00007fff29260330 .text C:\Windows\System32\svchost.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00007ffea913b6a2 3 bytes {JMP 0xffffffff80124c90} .text C:\Windows\System32\svchost.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00007ffea913b750 5 bytes JMP 00007fff29260410 .text C:\Windows\System32\svchost.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00007ffea913b780 5 bytes JMP 00007fff29260240 .text C:\Windows\System32\svchost.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00007ffea913baa0 5 bytes JMP 00007fff292601e0 .text C:\Windows\System32\svchost.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00007ffea913bb60 5 bytes JMP 00007fff29260250 .text C:\Windows\System32\svchost.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00007ffea913bb90 5 bytes JMP 00007fff29260490 .text C:\Windows\System32\svchost.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00007ffea913bba0 5 bytes JMP 00007fff292604a0 .text C:\Windows\System32\svchost.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00007ffea913bbd0 5 bytes JMP 00007fff29260300 .text C:\Windows\System32\svchost.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00007ffea913bbe0 5 bytes JMP 00007fff29260360 .text C:\Windows\System32\svchost.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00007ffea913bc40 5 bytes JMP 00007fff292602a0 .text C:\Windows\System32\svchost.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00007ffea913bc90 5 bytes JMP 00007fff292602c0 .text C:\Windows\System32\svchost.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00007ffea913bcc0 5 bytes JMP 00007fff29260380 .text C:\Windows\System32\svchost.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00007ffea913bcd0 5 bytes JMP 00007fff29260340 .text C:\Windows\System32\svchost.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00007ffea913bfe0 5 bytes JMP 00007fff29260440 .text C:\Windows\System32\svchost.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00007ffea913c1e0 5 bytes JMP 00007fff29260260 .text C:\Windows\System32\svchost.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00007ffea913c1f0 5 bytes JMP 00007fff29260270 .text C:\Windows\System32\svchost.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00007ffea913c210 5 bytes JMP 00007fff29260400 .text C:\Windows\System32\svchost.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ffea913c3f0 5 bytes JMP 00007fff292601f0 .text C:\Windows\System32\svchost.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00007ffea913c400 5 bytes JMP 00007fff29260210 .text C:\Windows\System32\svchost.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ffea913c490 5 bytes JMP 00007fff29260200 .text C:\Windows\System32\svchost.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00007ffea913c500 5 bytes JMP 00007fff29260420 .text C:\Windows\System32\svchost.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00007ffea913c510 5 bytes JMP 00007fff29260430 .text C:\Windows\System32\svchost.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ffea913c520 5 bytes JMP 00007fff29260220 .text C:\Windows\System32\svchost.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00007ffea913c630 5 bytes JMP 00007fff29260280 .text C:\Windows\system32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00007ffea913ac30 5 bytes JMP 00007fff29260460 .text C:\Windows\system32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00007ffea913ac80 5 bytes JMP 00007fff29260450 .text C:\Windows\system32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00007ffea913ade0 1 byte JMP 00007fff29260370 .text C:\Windows\system32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 2 00007ffea913ade2 3 bytes {JMP 0xffffffff80125590} .text C:\Windows\system32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00007ffea913ae30 5 bytes JMP 00007fff29260470 .text C:\Windows\system32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ffea913ae40 5 bytes JMP 00007fff292603e0 .text C:\Windows\system32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00007ffea913aef0 5 bytes JMP 00007fff29260320 .text C:\Windows\system32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffea913af20 1 byte JMP 00007fff292603b0 .text C:\Windows\system32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 2 00007ffea913af22 3 bytes {JMP 0xffffffff80125490} .text C:\Windows\system32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00007ffea913af40 5 bytes JMP 00007fff29260390 .text C:\Windows\system32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00007ffea913af80 5 bytes JMP 00007fff292602e0 .text C:\Windows\system32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00007ffea913b000 5 bytes JMP 00007fff292602d0 .text C:\Windows\system32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00007ffea913b020 5 bytes JMP 00007fff29260310 .text C:\Windows\system32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00007ffea913b060 5 bytes JMP 00007fff292603c0 .text C:\Windows\system32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00007ffea913b0b0 5 bytes JMP 00007fff292603f0 .text C:\Windows\system32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00007ffea913b210 5 bytes JMP 00007fff29260230 .text C:\Windows\system32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ffea913b400 5 bytes JMP 00007fff29260480 .text C:\Windows\system32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00007ffea913b430 5 bytes JMP 00007fff292603a0 .text C:\Windows\system32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ffea913b550 5 bytes JMP 00007fff292602f0 .text C:\Windows\system32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00007ffea913b570 5 bytes JMP 00007fff29260350 .text C:\Windows\system32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00007ffea913b5e0 5 bytes JMP 00007fff29260290 .text C:\Windows\system32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ffea913b670 5 bytes JMP 00007fff292602b0 .text C:\Windows\system32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffea913b690 5 bytes JMP 00007fff292603d0 .text C:\Windows\system32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00007ffea913b6a0 1 byte JMP 00007fff29260330 .text C:\Windows\system32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00007ffea913b6a2 3 bytes {JMP 0xffffffff80124c90} .text C:\Windows\system32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00007ffea913b750 5 bytes JMP 00007fff29260410 .text C:\Windows\system32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00007ffea913b780 5 bytes JMP 00007fff29260240 .text C:\Windows\system32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00007ffea913baa0 5 bytes JMP 00007fff292601e0 .text C:\Windows\system32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00007ffea913bb60 5 bytes JMP 00007fff29260250 .text C:\Windows\system32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00007ffea913bb90 5 bytes JMP 00007fff29260490 .text C:\Windows\system32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00007ffea913bba0 5 bytes JMP 00007fff292604a0 .text C:\Windows\system32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00007ffea913bbd0 5 bytes JMP 00007fff29260300 .text C:\Windows\system32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00007ffea913bbe0 5 bytes JMP 00007fff29260360 .text C:\Windows\system32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00007ffea913bc40 5 bytes JMP 00007fff292602a0 .text C:\Windows\system32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00007ffea913bc90 5 bytes JMP 00007fff292602c0 .text C:\Windows\system32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00007ffea913bcc0 5 bytes JMP 00007fff29260380 .text C:\Windows\system32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00007ffea913bcd0 5 bytes JMP 00007fff29260340 .text C:\Windows\system32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00007ffea913bfe0 5 bytes JMP 00007fff29260440 .text C:\Windows\system32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00007ffea913c1e0 5 bytes JMP 00007fff29260260 .text C:\Windows\system32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00007ffea913c1f0 5 bytes JMP 00007fff29260270 .text C:\Windows\system32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00007ffea913c210 5 bytes JMP 00007fff29260400 .text C:\Windows\system32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ffea913c3f0 5 bytes JMP 00007fff292601f0 .text C:\Windows\system32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00007ffea913c400 5 bytes JMP 00007fff29260210 .text C:\Windows\system32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ffea913c490 5 bytes JMP 00007fff29260200 .text C:\Windows\system32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00007ffea913c500 5 bytes JMP 00007fff29260420 .text C:\Windows\system32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00007ffea913c510 5 bytes JMP 00007fff29260430 .text C:\Windows\system32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ffea913c520 5 bytes JMP 00007fff29260220 .text C:\Windows\system32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00007ffea913c630 5 bytes JMP 00007fff29260280 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00007ffea913ac30 5 bytes JMP 00007fff29260460 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00007ffea913ac80 5 bytes JMP 00007fff29260450 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00007ffea913ade0 1 byte JMP 00007fff29260370 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 2 00007ffea913ade2 3 bytes {JMP 0xffffffff80125590} .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00007ffea913ae30 5 bytes JMP 00007fff29260470 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ffea913ae40 5 bytes JMP 00007fff292603e0 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00007ffea913aef0 5 bytes JMP 00007fff29260320 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffea913af20 1 byte JMP 00007fff292603b0 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 2 00007ffea913af22 3 bytes {JMP 0xffffffff80125490} .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00007ffea913af40 5 bytes JMP 00007fff29260390 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00007ffea913af80 5 bytes JMP 00007fff292602e0 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00007ffea913b000 5 bytes JMP 00007fff292602d0 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00007ffea913b020 5 bytes JMP 00007fff29260310 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00007ffea913b060 5 bytes JMP 00007fff292603c0 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00007ffea913b0b0 5 bytes JMP 00007fff292603f0 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00007ffea913b210 5 bytes JMP 00007fff29260230 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ffea913b400 5 bytes JMP 00007fff29260480 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00007ffea913b430 5 bytes JMP 00007fff292603a0 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ffea913b550 5 bytes JMP 00007fff292602f0 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00007ffea913b570 5 bytes JMP 00007fff29260350 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00007ffea913b5e0 5 bytes JMP 00007fff29260290 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ffea913b670 5 bytes JMP 00007fff292602b0 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffea913b690 5 bytes JMP 00007fff292603d0 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00007ffea913b6a0 1 byte JMP 00007fff29260330 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00007ffea913b6a2 3 bytes {JMP 0xffffffff80124c90} .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00007ffea913b750 5 bytes JMP 00007fff29260410 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00007ffea913b780 5 bytes JMP 00007fff29260240 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00007ffea913baa0 5 bytes JMP 00007fff292601e0 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00007ffea913bb60 5 bytes JMP 00007fff29260250 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00007ffea913bb90 5 bytes JMP 00007fff29260490 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00007ffea913bba0 5 bytes JMP 00007fff292604a0 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00007ffea913bbd0 5 bytes JMP 00007fff29260300 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00007ffea913bbe0 5 bytes JMP 00007fff29260360 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00007ffea913bc40 5 bytes JMP 00007fff292602a0 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00007ffea913bc90 5 bytes JMP 00007fff292602c0 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00007ffea913bcc0 5 bytes JMP 00007fff29260380 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00007ffea913bcd0 5 bytes JMP 00007fff29260340 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00007ffea913bfe0 5 bytes JMP 00007fff29260440 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00007ffea913c1e0 5 bytes JMP 00007fff29260260 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00007ffea913c1f0 5 bytes JMP 00007fff29260270 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00007ffea913c210 5 bytes JMP 00007fff29260400 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ffea913c3f0 5 bytes JMP 00007fff292601f0 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00007ffea913c400 5 bytes JMP 00007fff29260210 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ffea913c490 5 bytes JMP 00007fff29260200 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00007ffea913c500 5 bytes JMP 00007fff29260420 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00007ffea913c510 5 bytes JMP 00007fff29260430 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ffea913c520 5 bytes JMP 00007fff29260220 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00007ffea913c630 5 bytes JMP 00007fff29260280 .text C:\Windows\system32\svchost.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00007ffea913ac30 5 bytes JMP 00007fff29260460 .text C:\Windows\system32\svchost.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00007ffea913ac80 5 bytes JMP 00007fff29260450 .text C:\Windows\system32\svchost.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00007ffea913ade0 1 byte JMP 00007fff29260370 .text C:\Windows\system32\svchost.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 2 00007ffea913ade2 3 bytes {JMP 0xffffffff80125590} .text C:\Windows\system32\svchost.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00007ffea913ae30 5 bytes JMP 00007fff29260470 .text C:\Windows\system32\svchost.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ffea913ae40 5 bytes JMP 00007fff292603e0 .text C:\Windows\system32\svchost.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00007ffea913aef0 5 bytes JMP 00007fff29260320 .text C:\Windows\system32\svchost.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffea913af20 1 byte JMP 00007fff292603b0 .text C:\Windows\system32\svchost.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 2 00007ffea913af22 3 bytes {JMP 0xffffffff80125490} .text C:\Windows\system32\svchost.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00007ffea913af40 5 bytes JMP 00007fff29260390 .text C:\Windows\system32\svchost.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00007ffea913af80 5 bytes JMP 00007fff292602e0 .text C:\Windows\system32\svchost.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00007ffea913b000 5 bytes JMP 00007fff292602d0 .text C:\Windows\system32\svchost.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00007ffea913b020 5 bytes JMP 00007fff29260310 .text C:\Windows\system32\svchost.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00007ffea913b060 5 bytes JMP 00007fff292603c0 .text C:\Windows\system32\svchost.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00007ffea913b0b0 5 bytes JMP 00007fff292603f0 .text C:\Windows\system32\svchost.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00007ffea913b210 5 bytes JMP 00007fff29260230 .text C:\Windows\system32\svchost.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ffea913b400 5 bytes JMP 00007fff29260480 .text C:\Windows\system32\svchost.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00007ffea913b430 5 bytes JMP 00007fff292603a0 .text C:\Windows\system32\svchost.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ffea913b550 5 bytes JMP 00007fff292602f0 .text C:\Windows\system32\svchost.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00007ffea913b570 5 bytes JMP 00007fff29260350 .text C:\Windows\system32\svchost.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00007ffea913b5e0 5 bytes JMP 00007fff29260290 .text C:\Windows\system32\svchost.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ffea913b670 5 bytes JMP 00007fff292602b0 .text C:\Windows\system32\svchost.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffea913b690 5 bytes JMP 00007fff292603d0 .text C:\Windows\system32\svchost.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00007ffea913b6a0 1 byte JMP 00007fff29260330 .text C:\Windows\system32\svchost.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00007ffea913b6a2 3 bytes {JMP 0xffffffff80124c90} .text C:\Windows\system32\svchost.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00007ffea913b750 5 bytes JMP 00007fff29260410 .text C:\Windows\system32\svchost.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00007ffea913b780 5 bytes JMP 00007fff29260240 .text C:\Windows\system32\svchost.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00007ffea913baa0 5 bytes JMP 00007fff292601e0 .text C:\Windows\system32\svchost.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00007ffea913bb60 5 bytes JMP 00007fff29260250 .text C:\Windows\system32\svchost.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00007ffea913bb90 5 bytes JMP 00007fff29260490 .text C:\Windows\system32\svchost.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00007ffea913bba0 5 bytes JMP 00007fff292604a0 .text C:\Windows\system32\svchost.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00007ffea913bbd0 5 bytes JMP 00007fff29260300 .text C:\Windows\system32\svchost.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00007ffea913bbe0 5 bytes JMP 00007fff29260360 .text C:\Windows\system32\svchost.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00007ffea913bc40 5 bytes JMP 00007fff292602a0 .text C:\Windows\system32\svchost.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00007ffea913bc90 5 bytes JMP 00007fff292602c0 .text C:\Windows\system32\svchost.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00007ffea913bcc0 5 bytes JMP 00007fff29260380 .text C:\Windows\system32\svchost.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00007ffea913bcd0 5 bytes JMP 00007fff29260340 .text C:\Windows\system32\svchost.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00007ffea913bfe0 5 bytes JMP 00007fff29260440 .text C:\Windows\system32\svchost.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00007ffea913c1e0 5 bytes JMP 00007fff29260260 .text C:\Windows\system32\svchost.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00007ffea913c1f0 5 bytes JMP 00007fff29260270 .text C:\Windows\system32\svchost.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00007ffea913c210 5 bytes JMP 00007fff29260400 .text C:\Windows\system32\svchost.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ffea913c3f0 5 bytes JMP 00007fff292601f0 .text C:\Windows\system32\svchost.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00007ffea913c400 5 bytes JMP 00007fff29260210 .text C:\Windows\system32\svchost.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ffea913c490 5 bytes JMP 00007fff29260200 .text C:\Windows\system32\svchost.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00007ffea913c500 5 bytes JMP 00007fff29260420 .text C:\Windows\system32\svchost.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00007ffea913c510 5 bytes JMP 00007fff29260430 .text C:\Windows\system32\svchost.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ffea913c520 5 bytes JMP 00007fff29260220 .text C:\Windows\system32\svchost.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00007ffea913c630 5 bytes JMP 00007fff29260280 .text C:\Windows\System32\spoolsv.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00007ffea913ac30 5 bytes JMP 00007fff29260460 .text C:\Windows\System32\spoolsv.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00007ffea913ac80 5 bytes JMP 00007fff29260450 .text C:\Windows\System32\spoolsv.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00007ffea913ade0 1 byte JMP 00007fff29260370 .text C:\Windows\System32\spoolsv.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 2 00007ffea913ade2 3 bytes {JMP 0xffffffff80125590} .text C:\Windows\System32\spoolsv.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00007ffea913ae30 5 bytes JMP 00007fff29260470 .text C:\Windows\System32\spoolsv.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ffea913ae40 5 bytes JMP 00007fff292603e0 .text C:\Windows\System32\spoolsv.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00007ffea913aef0 5 bytes JMP 00007fff29260320 .text C:\Windows\System32\spoolsv.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffea913af20 1 byte JMP 00007fff292603b0 .text C:\Windows\System32\spoolsv.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 2 00007ffea913af22 3 bytes {JMP 0xffffffff80125490} .text C:\Windows\System32\spoolsv.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00007ffea913af40 5 bytes JMP 00007fff29260390 .text C:\Windows\System32\spoolsv.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00007ffea913af80 5 bytes JMP 00007fff292602e0 .text C:\Windows\System32\spoolsv.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00007ffea913b000 5 bytes JMP 00007fff292602d0 .text C:\Windows\System32\spoolsv.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00007ffea913b020 5 bytes JMP 00007fff29260310 .text C:\Windows\System32\spoolsv.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00007ffea913b060 5 bytes JMP 00007fff292603c0 .text C:\Windows\System32\spoolsv.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00007ffea913b0b0 5 bytes JMP 00007fff292603f0 .text C:\Windows\System32\spoolsv.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00007ffea913b210 5 bytes JMP 00007fff29260230 .text C:\Windows\System32\spoolsv.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ffea913b400 5 bytes JMP 00007fff29260480 .text C:\Windows\System32\spoolsv.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00007ffea913b430 5 bytes JMP 00007fff292603a0 .text C:\Windows\System32\spoolsv.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ffea913b550 5 bytes JMP 00007fff292602f0 .text C:\Windows\System32\spoolsv.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00007ffea913b570 5 bytes JMP 00007fff29260350 .text C:\Windows\System32\spoolsv.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00007ffea913b5e0 5 bytes JMP 00007fff29260290 .text C:\Windows\System32\spoolsv.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ffea913b670 5 bytes JMP 00007fff292602b0 .text C:\Windows\System32\spoolsv.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffea913b690 5 bytes JMP 00007fff292603d0 .text C:\Windows\System32\spoolsv.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00007ffea913b6a0 1 byte JMP 00007fff29260330 .text C:\Windows\System32\spoolsv.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00007ffea913b6a2 3 bytes {JMP 0xffffffff80124c90} .text C:\Windows\System32\spoolsv.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00007ffea913b750 5 bytes JMP 00007fff29260410 .text C:\Windows\System32\spoolsv.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00007ffea913b780 5 bytes JMP 00007fff29260240 .text C:\Windows\System32\spoolsv.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00007ffea913baa0 5 bytes JMP 00007fff292601e0 .text C:\Windows\System32\spoolsv.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00007ffea913bb60 5 bytes JMP 00007fff29260250 .text C:\Windows\System32\spoolsv.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00007ffea913bb90 5 bytes JMP 00007fff29260490 .text C:\Windows\System32\spoolsv.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00007ffea913bba0 5 bytes JMP 00007fff292604a0 .text C:\Windows\System32\spoolsv.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00007ffea913bbd0 5 bytes JMP 00007fff29260300 .text C:\Windows\System32\spoolsv.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00007ffea913bbe0 5 bytes JMP 00007fff29260360 .text C:\Windows\System32\spoolsv.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00007ffea913bc40 5 bytes JMP 00007fff292602a0 .text C:\Windows\System32\spoolsv.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00007ffea913bc90 5 bytes JMP 00007fff292602c0 .text C:\Windows\System32\spoolsv.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00007ffea913bcc0 5 bytes JMP 00007fff29260380 .text C:\Windows\System32\spoolsv.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00007ffea913bcd0 5 bytes JMP 00007fff29260340 .text C:\Windows\System32\spoolsv.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00007ffea913bfe0 5 bytes JMP 00007fff29260440 .text C:\Windows\System32\spoolsv.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00007ffea913c1e0 5 bytes JMP 00007fff29260260 .text C:\Windows\System32\spoolsv.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00007ffea913c1f0 5 bytes JMP 00007fff29260270 .text C:\Windows\System32\spoolsv.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00007ffea913c210 5 bytes JMP 00007fff29260400 .text C:\Windows\System32\spoolsv.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ffea913c3f0 5 bytes JMP 00007fff292601f0 .text C:\Windows\System32\spoolsv.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00007ffea913c400 5 bytes JMP 00007fff29260210 .text C:\Windows\System32\spoolsv.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ffea913c490 5 bytes JMP 00007fff29260200 .text C:\Windows\System32\spoolsv.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00007ffea913c500 5 bytes JMP 00007fff29260420 .text C:\Windows\System32\spoolsv.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00007ffea913c510 5 bytes JMP 00007fff29260430 .text C:\Windows\System32\spoolsv.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ffea913c520 5 bytes JMP 00007fff29260220 .text C:\Windows\System32\spoolsv.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00007ffea913c630 5 bytes JMP 00007fff29260280 .text C:\Windows\System32\spoolsv.exe[1428] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 506 00007ffea782169a 4 bytes [82, A7, FE, 7F] .text C:\Windows\System32\spoolsv.exe[1428] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 514 00007ffea78216a2 4 bytes [82, A7, FE, 7F] .text C:\Windows\System32\spoolsv.exe[1428] C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 118 00007ffea782181a 4 bytes [82, A7, FE, 7F] .text C:\Windows\System32\spoolsv.exe[1428] C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 142 00007ffea7821832 4 bytes [82, A7, FE, 7F] .text C:\Windows\system32\svchost.exe[1464] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00007ffea913ac30 5 bytes JMP 00007fff29260460 .text C:\Windows\system32\svchost.exe[1464] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00007ffea913ac80 5 bytes JMP 00007fff29260450 .text C:\Windows\system32\svchost.exe[1464] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00007ffea913ade0 1 byte JMP 00007fff29260370 .text C:\Windows\system32\svchost.exe[1464] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 2 00007ffea913ade2 3 bytes {JMP 0xffffffff80125590} .text C:\Windows\system32\svchost.exe[1464] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00007ffea913ae30 5 bytes JMP 00007fff29260470 .text C:\Windows\system32\svchost.exe[1464] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ffea913ae40 5 bytes JMP 00007fff292603e0 .text C:\Windows\system32\svchost.exe[1464] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00007ffea913aef0 5 bytes JMP 00007fff29260320 .text C:\Windows\system32\svchost.exe[1464] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffea913af20 1 byte JMP 00007fff292603b0 .text C:\Windows\system32\svchost.exe[1464] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 2 00007ffea913af22 3 bytes {JMP 0xffffffff80125490} .text C:\Windows\system32\svchost.exe[1464] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00007ffea913af40 5 bytes JMP 00007fff29260390 .text C:\Windows\system32\svchost.exe[1464] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00007ffea913af80 5 bytes JMP 00007fff292602e0 .text C:\Windows\system32\svchost.exe[1464] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00007ffea913b000 5 bytes JMP 00007fff292602d0 .text C:\Windows\system32\svchost.exe[1464] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00007ffea913b020 5 bytes JMP 00007fff29260310 .text C:\Windows\system32\svchost.exe[1464] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00007ffea913b060 5 bytes JMP 00007fff292603c0 .text C:\Windows\system32\svchost.exe[1464] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00007ffea913b0b0 5 bytes JMP 00007fff292603f0 .text C:\Windows\system32\svchost.exe[1464] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00007ffea913b210 5 bytes JMP 00007fff29260230 .text C:\Windows\system32\svchost.exe[1464] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ffea913b400 5 bytes JMP 00007fff29260480 .text C:\Windows\system32\svchost.exe[1464] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00007ffea913b430 5 bytes JMP 00007fff292603a0 .text C:\Windows\system32\svchost.exe[1464] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ffea913b550 5 bytes JMP 00007fff292602f0 .text C:\Windows\system32\svchost.exe[1464] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00007ffea913b570 5 bytes JMP 00007fff29260350 .text C:\Windows\system32\svchost.exe[1464] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00007ffea913b5e0 5 bytes JMP 00007fff29260290 .text C:\Windows\system32\svchost.exe[1464] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ffea913b670 5 bytes JMP 00007fff292602b0 .text C:\Windows\system32\svchost.exe[1464] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffea913b690 5 bytes JMP 00007fff292603d0 .text C:\Windows\system32\svchost.exe[1464] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00007ffea913b6a0 1 byte JMP 00007fff29260330 .text C:\Windows\system32\svchost.exe[1464] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00007ffea913b6a2 3 bytes {JMP 0xffffffff80124c90} .text C:\Windows\system32\svchost.exe[1464] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00007ffea913b750 5 bytes JMP 00007fff29260410 .text C:\Windows\system32\svchost.exe[1464] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00007ffea913b780 5 bytes JMP 00007fff29260240 .text C:\Windows\system32\svchost.exe[1464] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00007ffea913baa0 5 bytes JMP 00007fff292601e0 .text C:\Windows\system32\svchost.exe[1464] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00007ffea913bb60 5 bytes JMP 00007fff29260250 .text C:\Windows\system32\svchost.exe[1464] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00007ffea913bb90 5 bytes JMP 00007fff29260490 .text C:\Windows\system32\svchost.exe[1464] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00007ffea913bba0 5 bytes JMP 00007fff292604a0 .text C:\Windows\system32\svchost.exe[1464] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00007ffea913bbd0 5 bytes JMP 00007fff29260300 .text C:\Windows\system32\svchost.exe[1464] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00007ffea913bbe0 5 bytes JMP 00007fff29260360 .text C:\Windows\system32\svchost.exe[1464] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00007ffea913bc40 5 bytes JMP 00007fff292602a0 .text C:\Windows\system32\svchost.exe[1464] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00007ffea913bc90 5 bytes JMP 00007fff292602c0 .text C:\Windows\system32\svchost.exe[1464] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00007ffea913bcc0 5 bytes JMP 00007fff29260380 .text C:\Windows\system32\svchost.exe[1464] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00007ffea913bcd0 5 bytes JMP 00007fff29260340 .text C:\Windows\system32\svchost.exe[1464] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00007ffea913bfe0 5 bytes JMP 00007fff29260440 .text C:\Windows\system32\svchost.exe[1464] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00007ffea913c1e0 5 bytes JMP 00007fff29260260 .text C:\Windows\system32\svchost.exe[1464] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00007ffea913c1f0 5 bytes JMP 00007fff29260270 .text C:\Windows\system32\svchost.exe[1464] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00007ffea913c210 5 bytes JMP 00007fff29260400 .text C:\Windows\system32\svchost.exe[1464] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ffea913c3f0 5 bytes JMP 00007fff292601f0 .text C:\Windows\system32\svchost.exe[1464] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00007ffea913c400 5 bytes JMP 00007fff29260210 .text C:\Windows\system32\svchost.exe[1464] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ffea913c490 5 bytes JMP 00007fff29260200 .text C:\Windows\system32\svchost.exe[1464] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00007ffea913c500 5 bytes JMP 00007fff29260420 .text C:\Windows\system32\svchost.exe[1464] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00007ffea913c510 5 bytes JMP 00007fff29260430 .text C:\Windows\system32\svchost.exe[1464] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ffea913c520 5 bytes JMP 00007fff29260220 .text C:\Windows\system32\svchost.exe[1464] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00007ffea913c630 5 bytes JMP 00007fff29260280 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00007ffea913ac30 5 bytes JMP 00007fff29260460 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00007ffea913ac80 5 bytes JMP 00007fff29260450 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00007ffea913ade0 1 byte JMP 00007fff29260370 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 2 00007ffea913ade2 3 bytes {JMP 0xffffffff80125590} .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00007ffea913ae30 5 bytes JMP 00007fff29260470 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ffea913ae40 5 bytes JMP 00007fff292603e0 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00007ffea913aef0 5 bytes JMP 00007fff29260320 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffea913af20 1 byte JMP 00007fff292603b0 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 2 00007ffea913af22 3 bytes {JMP 0xffffffff80125490} .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00007ffea913af40 5 bytes JMP 00007fff29260390 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00007ffea913af80 5 bytes JMP 00007fff292602e0 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00007ffea913b000 5 bytes JMP 00007fff292602d0 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00007ffea913b020 5 bytes JMP 00007fff29260310 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00007ffea913b060 5 bytes JMP 00007fff292603c0 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00007ffea913b0b0 5 bytes JMP 00007fff292603f0 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00007ffea913b210 5 bytes JMP 00007fff29260230 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ffea913b400 5 bytes JMP 00007fff29260480 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00007ffea913b430 5 bytes JMP 00007fff292603a0 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ffea913b550 5 bytes JMP 00007fff292602f0 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00007ffea913b570 5 bytes JMP 00007fff29260350 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00007ffea913b5e0 5 bytes JMP 00007fff29260290 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ffea913b670 5 bytes JMP 00007fff292602b0 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffea913b690 5 bytes JMP 00007fff292603d0 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00007ffea913b6a0 1 byte JMP 00007fff29260330 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00007ffea913b6a2 3 bytes {JMP 0xffffffff80124c90} .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00007ffea913b750 5 bytes JMP 00007fff29260410 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00007ffea913b780 5 bytes JMP 00007fff29260240 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00007ffea913baa0 5 bytes JMP 00007fff292601e0 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00007ffea913bb60 5 bytes JMP 00007fff29260250 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00007ffea913bb90 5 bytes JMP 00007fff29260490 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00007ffea913bba0 5 bytes JMP 00007fff292604a0 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00007ffea913bbd0 5 bytes JMP 00007fff29260300 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00007ffea913bbe0 5 bytes JMP 00007fff29260360 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00007ffea913bc40 5 bytes JMP 00007fff292602a0 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00007ffea913bc90 5 bytes JMP 00007fff292602c0 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00007ffea913bcc0 5 bytes JMP 00007fff29260380 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00007ffea913bcd0 5 bytes JMP 00007fff29260340 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00007ffea913bfe0 5 bytes JMP 00007fff29260440 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00007ffea913c1e0 5 bytes JMP 00007fff29260260 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00007ffea913c1f0 5 bytes JMP 00007fff29260270 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00007ffea913c210 5 bytes JMP 00007fff29260400 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ffea913c3f0 5 bytes JMP 00007fff292601f0 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00007ffea913c400 5 bytes JMP 00007fff29260210 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ffea913c490 5 bytes JMP 00007fff29260200 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00007ffea913c500 5 bytes JMP 00007fff29260420 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00007ffea913c510 5 bytes JMP 00007fff29260430 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ffea913c520 5 bytes JMP 00007fff29260220 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1592] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00007ffea913c630 5 bytes JMP 00007fff29260280 .text C:\Program Files\ASRock\XFast LAN\spd.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00007ffea913ac30 5 bytes JMP 00007fff29260460 .text C:\Program Files\ASRock\XFast LAN\spd.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00007ffea913ac80 5 bytes JMP 00007fff29260450 .text C:\Program Files\ASRock\XFast LAN\spd.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00007ffea913ade0 1 byte JMP 00007fff29260370 .text C:\Program Files\ASRock\XFast LAN\spd.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 2 00007ffea913ade2 3 bytes {JMP 0xffffffff80125590} .text C:\Program Files\ASRock\XFast LAN\spd.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00007ffea913ae30 5 bytes JMP 00007fff29260470 .text C:\Program Files\ASRock\XFast LAN\spd.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ffea913ae40 5 bytes JMP 00007fff292603e0 .text C:\Program Files\ASRock\XFast LAN\spd.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00007ffea913aef0 5 bytes JMP 00007fff29260320 .text C:\Program Files\ASRock\XFast LAN\spd.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffea913af20 1 byte JMP 00007fff292603b0 .text C:\Program Files\ASRock\XFast LAN\spd.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 2 00007ffea913af22 3 bytes {JMP 0xffffffff80125490} .text C:\Program Files\ASRock\XFast LAN\spd.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00007ffea913af40 5 bytes JMP 00007fff29260390 .text C:\Program Files\ASRock\XFast LAN\spd.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00007ffea913af80 5 bytes JMP 00007fff292602e0 .text C:\Program Files\ASRock\XFast LAN\spd.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00007ffea913b000 5 bytes JMP 00007fff292602d0 .text C:\Program Files\ASRock\XFast LAN\spd.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00007ffea913b020 5 bytes JMP 00007fff29260310 .text C:\Program Files\ASRock\XFast LAN\spd.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00007ffea913b060 5 bytes JMP 00007fff292603c0 .text C:\Program Files\ASRock\XFast LAN\spd.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00007ffea913b0b0 5 bytes JMP 00007fff292603f0 .text C:\Program Files\ASRock\XFast LAN\spd.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00007ffea913b210 5 bytes JMP 00007fff29260230 .text C:\Program Files\ASRock\XFast LAN\spd.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ffea913b400 5 bytes JMP 00007fff29260480 .text C:\Program Files\ASRock\XFast LAN\spd.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00007ffea913b430 5 bytes JMP 00007fff292603a0 .text C:\Program Files\ASRock\XFast LAN\spd.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ffea913b550 5 bytes JMP 00007fff292602f0 .text C:\Program Files\ASRock\XFast LAN\spd.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00007ffea913b570 5 bytes JMP 00007fff29260350 .text C:\Program Files\ASRock\XFast LAN\spd.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00007ffea913b5e0 5 bytes JMP 00007fff29260290 .text C:\Program Files\ASRock\XFast LAN\spd.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ffea913b670 5 bytes JMP 00007fff292602b0 .text C:\Program Files\ASRock\XFast LAN\spd.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffea913b690 5 bytes JMP 00007fff292603d0 .text C:\Program Files\ASRock\XFast LAN\spd.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00007ffea913b6a0 1 byte JMP 00007fff29260330 .text C:\Program Files\ASRock\XFast LAN\spd.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00007ffea913b6a2 3 bytes {JMP 0xffffffff80124c90} .text C:\Program Files\ASRock\XFast LAN\spd.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00007ffea913b750 5 bytes JMP 00007fff29260410 .text C:\Program Files\ASRock\XFast LAN\spd.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00007ffea913b780 5 bytes JMP 00007fff29260240 .text C:\Program Files\ASRock\XFast LAN\spd.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00007ffea913baa0 5 bytes JMP 00007fff292601e0 .text C:\Program Files\ASRock\XFast LAN\spd.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00007ffea913bb60 5 bytes JMP 00007fff29260250 .text C:\Program Files\ASRock\XFast LAN\spd.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00007ffea913bb90 5 bytes JMP 00007fff29260490 .text C:\Program Files\ASRock\XFast LAN\spd.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00007ffea913bba0 5 bytes JMP 00007fff292604a0 .text C:\Program Files\ASRock\XFast LAN\spd.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00007ffea913bbd0 5 bytes JMP 00007fff29260300 .text C:\Program Files\ASRock\XFast LAN\spd.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00007ffea913bbe0 5 bytes JMP 00007fff29260360 .text C:\Program Files\ASRock\XFast LAN\spd.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00007ffea913bc40 5 bytes JMP 00007fff292602a0 .text C:\Program Files\ASRock\XFast LAN\spd.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00007ffea913bc90 5 bytes JMP 00007fff292602c0 .text C:\Program Files\ASRock\XFast LAN\spd.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00007ffea913bcc0 5 bytes JMP 00007fff29260380 .text C:\Program Files\ASRock\XFast LAN\spd.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00007ffea913bcd0 5 bytes JMP 00007fff29260340 .text C:\Program Files\ASRock\XFast LAN\spd.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00007ffea913bfe0 5 bytes JMP 00007fff29260440 .text C:\Program Files\ASRock\XFast LAN\spd.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00007ffea913c1e0 5 bytes JMP 00007fff29260260 .text C:\Program Files\ASRock\XFast LAN\spd.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00007ffea913c1f0 5 bytes JMP 00007fff29260270 .text C:\Program Files\ASRock\XFast LAN\spd.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00007ffea913c210 5 bytes JMP 00007fff29260400 .text C:\Program Files\ASRock\XFast LAN\spd.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ffea913c3f0 5 bytes JMP 00007fff292601f0 .text C:\Program Files\ASRock\XFast LAN\spd.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00007ffea913c400 5 bytes JMP 00007fff29260210 .text C:\Program Files\ASRock\XFast LAN\spd.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ffea913c490 5 bytes JMP 00007fff29260200 .text C:\Program Files\ASRock\XFast LAN\spd.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00007ffea913c500 5 bytes JMP 00007fff29260420 .text C:\Program Files\ASRock\XFast LAN\spd.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00007ffea913c510 5 bytes JMP 00007fff29260430 .text C:\Program Files\ASRock\XFast LAN\spd.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ffea913c520 5 bytes JMP 00007fff29260220 .text C:\Program Files\ASRock\XFast LAN\spd.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00007ffea913c630 5 bytes JMP 00007fff29260280 .text C:\Windows\system32\dashost.exe[1760] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00007ffea913ac30 5 bytes JMP 00007fff29260460 .text C:\Windows\system32\dashost.exe[1760] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00007ffea913ac80 5 bytes JMP 00007fff29260450 .text C:\Windows\system32\dashost.exe[1760] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00007ffea913ade0 1 byte JMP 00007fff29260370 .text C:\Windows\system32\dashost.exe[1760] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 2 00007ffea913ade2 3 bytes {JMP 0xffffffff80125590} .text C:\Windows\system32\dashost.exe[1760] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00007ffea913ae30 5 bytes JMP 00007fff29260470 .text C:\Windows\system32\dashost.exe[1760] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ffea913ae40 5 bytes JMP 00007fff292603e0 .text C:\Windows\system32\dashost.exe[1760] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00007ffea913aef0 5 bytes JMP 00007fff29260320 .text C:\Windows\system32\dashost.exe[1760] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffea913af20 1 byte JMP 00007fff292603b0 .text C:\Windows\system32\dashost.exe[1760] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 2 00007ffea913af22 3 bytes {JMP 0xffffffff80125490} .text C:\Windows\system32\dashost.exe[1760] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00007ffea913af40 5 bytes JMP 00007fff29260390 .text C:\Windows\system32\dashost.exe[1760] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00007ffea913af80 5 bytes JMP 00007fff292602e0 .text C:\Windows\system32\dashost.exe[1760] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00007ffea913b000 5 bytes JMP 00007fff292602d0 .text C:\Windows\system32\dashost.exe[1760] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00007ffea913b020 5 bytes JMP 00007fff29260310 .text C:\Windows\system32\dashost.exe[1760] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00007ffea913b060 5 bytes JMP 00007fff292603c0 .text C:\Windows\system32\dashost.exe[1760] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00007ffea913b0b0 5 bytes JMP 00007fff292603f0 .text C:\Windows\system32\dashost.exe[1760] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00007ffea913b210 5 bytes JMP 00007fff29260230 .text C:\Windows\system32\dashost.exe[1760] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ffea913b400 5 bytes JMP 00007fff29260480 .text C:\Windows\system32\dashost.exe[1760] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00007ffea913b430 5 bytes JMP 00007fff292603a0 .text C:\Windows\system32\dashost.exe[1760] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ffea913b550 5 bytes JMP 00007fff292602f0 .text C:\Windows\system32\dashost.exe[1760] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00007ffea913b570 5 bytes JMP 00007fff29260350 .text C:\Windows\system32\dashost.exe[1760] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00007ffea913b5e0 5 bytes JMP 00007fff29260290 .text C:\Windows\system32\dashost.exe[1760] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ffea913b670 5 bytes JMP 00007fff292602b0 .text C:\Windows\system32\dashost.exe[1760] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffea913b690 5 bytes JMP 00007fff292603d0 .text C:\Windows\system32\dashost.exe[1760] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00007ffea913b6a0 1 byte JMP 00007fff29260330 .text C:\Windows\system32\dashost.exe[1760] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00007ffea913b6a2 3 bytes {JMP 0xffffffff80124c90} .text C:\Windows\system32\dashost.exe[1760] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00007ffea913b750 5 bytes JMP 00007fff29260410 .text C:\Windows\system32\dashost.exe[1760] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00007ffea913b780 5 bytes JMP 00007fff29260240 .text C:\Windows\system32\dashost.exe[1760] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00007ffea913baa0 5 bytes JMP 00007fff292601e0 .text C:\Windows\system32\dashost.exe[1760] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00007ffea913bb60 5 bytes JMP 00007fff29260250 .text C:\Windows\system32\dashost.exe[1760] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00007ffea913bb90 5 bytes JMP 00007fff29260490 .text C:\Windows\system32\dashost.exe[1760] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00007ffea913bba0 5 bytes JMP 00007fff292604a0 .text C:\Windows\system32\dashost.exe[1760] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00007ffea913bbd0 5 bytes JMP 00007fff29260300 .text C:\Windows\system32\dashost.exe[1760] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00007ffea913bbe0 5 bytes JMP 00007fff29260360 .text C:\Windows\system32\dashost.exe[1760] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00007ffea913bc40 5 bytes JMP 00007fff292602a0 .text C:\Windows\system32\dashost.exe[1760] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00007ffea913bc90 5 bytes JMP 00007fff292602c0 .text C:\Windows\system32\dashost.exe[1760] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00007ffea913bcc0 5 bytes JMP 00007fff29260380 .text C:\Windows\system32\dashost.exe[1760] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00007ffea913bcd0 5 bytes JMP 00007fff29260340 .text C:\Windows\system32\dashost.exe[1760] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00007ffea913bfe0 5 bytes JMP 00007fff29260440 .text C:\Windows\system32\dashost.exe[1760] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00007ffea913c1e0 5 bytes JMP 00007fff29260260 .text C:\Windows\system32\dashost.exe[1760] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00007ffea913c1f0 5 bytes JMP 00007fff29260270 .text C:\Windows\system32\dashost.exe[1760] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00007ffea913c210 5 bytes JMP 00007fff29260400 .text C:\Windows\system32\dashost.exe[1760] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ffea913c3f0 5 bytes JMP 00007fff292601f0 .text C:\Windows\system32\dashost.exe[1760] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00007ffea913c400 5 bytes JMP 00007fff29260210 .text C:\Windows\system32\dashost.exe[1760] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ffea913c490 5 bytes JMP 00007fff29260200 .text C:\Windows\system32\dashost.exe[1760] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00007ffea913c500 5 bytes JMP 00007fff29260420 .text C:\Windows\system32\dashost.exe[1760] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00007ffea913c510 5 bytes JMP 00007fff29260430 .text C:\Windows\system32\dashost.exe[1760] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ffea913c520 5 bytes JMP 00007fff29260220 .text C:\Windows\system32\dashost.exe[1760] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00007ffea913c630 5 bytes JMP 00007fff29260280 .text C:\Windows\system32\conhost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00007ffea913ac30 5 bytes JMP 00007fff29260460 .text C:\Windows\system32\conhost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00007ffea913ac80 5 bytes JMP 00007fff29260450 .text C:\Windows\system32\conhost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00007ffea913ade0 1 byte JMP 00007fff29260370 .text C:\Windows\system32\conhost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 2 00007ffea913ade2 3 bytes {JMP 0xffffffff80125590} .text C:\Windows\system32\conhost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00007ffea913ae30 5 bytes JMP 00007fff29260470 .text C:\Windows\system32\conhost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ffea913ae40 5 bytes JMP 00007fff292603e0 .text C:\Windows\system32\conhost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00007ffea913aef0 5 bytes JMP 00007fff29260320 .text C:\Windows\system32\conhost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffea913af20 1 byte JMP 00007fff292603b0 .text C:\Windows\system32\conhost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 2 00007ffea913af22 3 bytes {JMP 0xffffffff80125490} .text C:\Windows\system32\conhost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00007ffea913af40 5 bytes JMP 00007fff29260390 .text C:\Windows\system32\conhost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00007ffea913af80 5 bytes JMP 00007fff292602e0 .text C:\Windows\system32\conhost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00007ffea913b000 5 bytes JMP 00007fff292602d0 .text C:\Windows\system32\conhost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00007ffea913b020 5 bytes JMP 00007fff29260310 .text C:\Windows\system32\conhost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00007ffea913b060 5 bytes JMP 00007fff292603c0 .text C:\Windows\system32\conhost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00007ffea913b0b0 5 bytes JMP 00007fff292603f0 .text C:\Windows\system32\conhost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00007ffea913b210 5 bytes JMP 00007fff29260230 .text C:\Windows\system32\conhost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ffea913b400 5 bytes JMP 00007fff29260480 .text C:\Windows\system32\conhost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00007ffea913b430 5 bytes JMP 00007fff292603a0 .text C:\Windows\system32\conhost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ffea913b550 5 bytes JMP 00007fff292602f0 .text C:\Windows\system32\conhost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00007ffea913b570 5 bytes JMP 00007fff29260350 .text C:\Windows\system32\conhost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00007ffea913b5e0 5 bytes JMP 00007fff29260290 .text C:\Windows\system32\conhost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ffea913b670 5 bytes JMP 00007fff292602b0 .text C:\Windows\system32\conhost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffea913b690 5 bytes JMP 00007fff292603d0 .text C:\Windows\system32\conhost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00007ffea913b6a0 1 byte JMP 00007fff29260330 .text C:\Windows\system32\conhost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00007ffea913b6a2 3 bytes {JMP 0xffffffff80124c90} .text C:\Windows\system32\conhost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00007ffea913b750 5 bytes JMP 00007fff29260410 .text C:\Windows\system32\conhost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00007ffea913b780 5 bytes JMP 00007fff29260240 .text C:\Windows\system32\conhost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00007ffea913baa0 5 bytes JMP 00007fff292601e0 .text C:\Windows\system32\conhost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00007ffea913bb60 5 bytes JMP 00007fff29260250 .text C:\Windows\system32\conhost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00007ffea913bb90 5 bytes JMP 00007fff29260490 .text C:\Windows\system32\conhost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00007ffea913bba0 5 bytes JMP 00007fff292604a0 .text C:\Windows\system32\conhost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00007ffea913bbd0 5 bytes JMP 00007fff29260300 .text C:\Windows\system32\conhost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00007ffea913bbe0 5 bytes JMP 00007fff29260360 .text C:\Windows\system32\conhost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00007ffea913bc40 5 bytes JMP 00007fff292602a0 .text C:\Windows\system32\conhost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00007ffea913bc90 5 bytes JMP 00007fff292602c0 .text C:\Windows\system32\conhost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00007ffea913bcc0 5 bytes JMP 00007fff29260380 .text C:\Windows\system32\conhost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00007ffea913bcd0 5 bytes JMP 00007fff29260340 .text C:\Windows\system32\conhost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00007ffea913bfe0 5 bytes JMP 00007fff29260440 .text C:\Windows\system32\conhost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00007ffea913c1e0 5 bytes JMP 00007fff29260260 .text C:\Windows\system32\conhost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00007ffea913c1f0 5 bytes JMP 00007fff29260270 .text C:\Windows\system32\conhost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00007ffea913c210 5 bytes JMP 00007fff29260400 .text C:\Windows\system32\conhost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ffea913c3f0 5 bytes JMP 00007fff292601f0 .text C:\Windows\system32\conhost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00007ffea913c400 5 bytes JMP 00007fff29260210 .text C:\Windows\system32\conhost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ffea913c490 5 bytes JMP 00007fff29260200 .text C:\Windows\system32\conhost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00007ffea913c500 5 bytes JMP 00007fff29260420 .text C:\Windows\system32\conhost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00007ffea913c510 5 bytes JMP 00007fff29260430 .text C:\Windows\system32\conhost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ffea913c520 5 bytes JMP 00007fff29260220 .text C:\Windows\system32\conhost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00007ffea913c630 5 bytes JMP 00007fff29260280 .text C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe[2108] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00007ffea913ac30 5 bytes JMP 00007fff29260460 .text C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe[2108] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00007ffea913ac80 5 bytes JMP 00007fff29260450 .text C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe[2108] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00007ffea913ade0 1 byte JMP 00007fff29260370 .text C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe[2108] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 2 00007ffea913ade2 3 bytes {JMP 0xffffffff80125590} .text C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe[2108] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00007ffea913ae30 5 bytes JMP 00007fff29260470 .text C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe[2108] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ffea913ae40 5 bytes JMP 00007fff292603e0 .text C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe[2108] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00007ffea913aef0 5 bytes JMP 00007fff29260320 .text C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe[2108] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffea913af20 1 byte JMP 00007fff292603b0 .text C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe[2108] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 2 00007ffea913af22 3 bytes {JMP 0xffffffff80125490} .text C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe[2108] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00007ffea913af40 5 bytes JMP 00007fff29260390 .text C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe[2108] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00007ffea913af80 5 bytes JMP 00007fff292602e0 .text C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe[2108] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00007ffea913b000 5 bytes JMP 00007fff292602d0 .text C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe[2108] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00007ffea913b020 5 bytes JMP 00007fff29260310 .text C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe[2108] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00007ffea913b060 5 bytes JMP 00007fff292603c0 .text C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe[2108] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00007ffea913b0b0 5 bytes JMP 00007fff292603f0 .text C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe[2108] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00007ffea913b210 5 bytes JMP 00007fff29260230 .text C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe[2108] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ffea913b400 5 bytes JMP 00007fff29260480 .text C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe[2108] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00007ffea913b430 5 bytes JMP 00007fff292603a0 .text C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe[2108] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ffea913b550 5 bytes JMP 00007fff292602f0 .text C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe[2108] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00007ffea913b570 5 bytes JMP 00007fff29260350 .text C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe[2108] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00007ffea913b5e0 5 bytes JMP 00007fff29260290 .text C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe[2108] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ffea913b670 5 bytes JMP 00007fff292602b0 .text C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe[2108] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffea913b690 5 bytes JMP 00007fff292603d0 .text C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe[2108] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00007ffea913b6a0 1 byte JMP 00007fff29260330 .text C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe[2108] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00007ffea913b6a2 3 bytes {JMP 0xffffffff80124c90} .text C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe[2108] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00007ffea913b750 5 bytes JMP 00007fff29260410 .text C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe[2108] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00007ffea913b780 5 bytes JMP 00007fff29260240 .text C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe[2108] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00007ffea913baa0 5 bytes JMP 00007fff292601e0 .text C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe[2108] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00007ffea913bb60 5 bytes JMP 00007fff29260250 .text C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe[2108] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00007ffea913bb90 5 bytes JMP 00007fff29260490 .text C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe[2108] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00007ffea913bba0 5 bytes JMP 00007fff292604a0 .text C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe[2108] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00007ffea913bbd0 5 bytes JMP 00007fff29260300 .text C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe[2108] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00007ffea913bbe0 5 bytes JMP 00007fff29260360 .text C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe[2108] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00007ffea913bc40 5 bytes JMP 00007fff292602a0 .text C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe[2108] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00007ffea913bc90 5 bytes JMP 00007fff292602c0 .text C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe[2108] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00007ffea913bcc0 5 bytes JMP 00007fff29260380 .text C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe[2108] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00007ffea913bcd0 5 bytes JMP 00007fff29260340 .text C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe[2108] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00007ffea913bfe0 5 bytes JMP 00007fff29260440 .text C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe[2108] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00007ffea913c1e0 5 bytes JMP 00007fff29260260 .text C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe[2108] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00007ffea913c1f0 5 bytes JMP 00007fff29260270 .text C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe[2108] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00007ffea913c210 5 bytes JMP 00007fff29260400 .text C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe[2108] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ffea913c3f0 5 bytes JMP 00007fff292601f0 .text C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe[2108] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00007ffea913c400 5 bytes JMP 00007fff29260210 .text C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe[2108] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ffea913c490 5 bytes JMP 00007fff29260200 .text C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe[2108] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00007ffea913c500 5 bytes JMP 00007fff29260420 .text C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe[2108] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00007ffea913c510 5 bytes JMP 00007fff29260430 .text C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe[2108] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ffea913c520 5 bytes JMP 00007fff29260220 .text C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe[2108] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00007ffea913c630 5 bytes JMP 00007fff29260280 .text C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe[2108] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 506 00007ffea782169a 4 bytes [82, A7, FE, 7F] .text C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe[2108] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 514 00007ffea78216a2 4 bytes [82, A7, FE, 7F] .text C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe[2108] C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 118 00007ffea782181a 4 bytes [82, A7, FE, 7F] .text C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe[2108] C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 142 00007ffea7821832 4 bytes [82, A7, FE, 7F] .text C:\Windows\system32\svchost.exe[3000] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00007ffea913ac30 5 bytes JMP 00007fff29260460 .text C:\Windows\system32\svchost.exe[3000] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00007ffea913ac80 5 bytes JMP 00007fff29260450 .text C:\Windows\system32\svchost.exe[3000] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00007ffea913ade0 1 byte JMP 00007fff29260370 .text C:\Windows\system32\svchost.exe[3000] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 2 00007ffea913ade2 3 bytes {JMP 0xffffffff80125590} .text C:\Windows\system32\svchost.exe[3000] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00007ffea913ae30 5 bytes JMP 00007fff29260470 .text C:\Windows\system32\svchost.exe[3000] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ffea913ae40 5 bytes JMP 00007fff292603e0 .text C:\Windows\system32\svchost.exe[3000] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00007ffea913aef0 5 bytes JMP 00007fff29260320 .text C:\Windows\system32\svchost.exe[3000] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffea913af20 1 byte JMP 00007fff292603b0 .text C:\Windows\system32\svchost.exe[3000] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 2 00007ffea913af22 3 bytes {JMP 0xffffffff80125490} .text C:\Windows\system32\svchost.exe[3000] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00007ffea913af40 5 bytes JMP 00007fff29260390 .text C:\Windows\system32\svchost.exe[3000] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00007ffea913af80 5 bytes JMP 00007fff292602e0 .text C:\Windows\system32\svchost.exe[3000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00007ffea913b000 5 bytes JMP 00007fff292602d0 .text C:\Windows\system32\svchost.exe[3000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00007ffea913b020 5 bytes JMP 00007fff29260310 .text C:\Windows\system32\svchost.exe[3000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00007ffea913b060 5 bytes JMP 00007fff292603c0 .text C:\Windows\system32\svchost.exe[3000] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00007ffea913b0b0 5 bytes JMP 00007fff292603f0 .text C:\Windows\system32\svchost.exe[3000] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00007ffea913b210 5 bytes JMP 00007fff29260230 .text C:\Windows\system32\svchost.exe[3000] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ffea913b400 5 bytes JMP 00007fff29260480 .text C:\Windows\system32\svchost.exe[3000] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00007ffea913b430 5 bytes JMP 00007fff292603a0 .text C:\Windows\system32\svchost.exe[3000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ffea913b550 5 bytes JMP 00007fff292602f0 .text C:\Windows\system32\svchost.exe[3000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00007ffea913b570 5 bytes JMP 00007fff29260350 .text C:\Windows\system32\svchost.exe[3000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00007ffea913b5e0 5 bytes JMP 00007fff29260290 .text C:\Windows\system32\svchost.exe[3000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ffea913b670 5 bytes JMP 00007fff292602b0 .text C:\Windows\system32\svchost.exe[3000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffea913b690 5 bytes JMP 00007fff292603d0 .text C:\Windows\system32\svchost.exe[3000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00007ffea913b6a0 1 byte JMP 00007fff29260330 .text C:\Windows\system32\svchost.exe[3000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00007ffea913b6a2 3 bytes {JMP 0xffffffff80124c90} .text C:\Windows\system32\svchost.exe[3000] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00007ffea913b750 5 bytes JMP 00007fff29260410 .text C:\Windows\system32\svchost.exe[3000] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00007ffea913b780 5 bytes JMP 00007fff29260240 .text C:\Windows\system32\svchost.exe[3000] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00007ffea913baa0 5 bytes JMP 00007fff292601e0 .text C:\Windows\system32\svchost.exe[3000] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00007ffea913bb60 5 bytes JMP 00007fff29260250 .text C:\Windows\system32\svchost.exe[3000] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00007ffea913bb90 5 bytes JMP 00007fff29260490 .text C:\Windows\system32\svchost.exe[3000] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00007ffea913bba0 5 bytes JMP 00007fff292604a0 .text C:\Windows\system32\svchost.exe[3000] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00007ffea913bbd0 5 bytes JMP 00007fff29260300 .text C:\Windows\system32\svchost.exe[3000] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00007ffea913bbe0 5 bytes JMP 00007fff29260360 .text C:\Windows\system32\svchost.exe[3000] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00007ffea913bc40 5 bytes JMP 00007fff292602a0 .text C:\Windows\system32\svchost.exe[3000] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00007ffea913bc90 5 bytes JMP 00007fff292602c0 .text C:\Windows\system32\svchost.exe[3000] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00007ffea913bcc0 5 bytes JMP 00007fff29260380 .text C:\Windows\system32\svchost.exe[3000] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00007ffea913bcd0 5 bytes JMP 00007fff29260340 .text C:\Windows\system32\svchost.exe[3000] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00007ffea913bfe0 5 bytes JMP 00007fff29260440 .text C:\Windows\system32\svchost.exe[3000] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00007ffea913c1e0 5 bytes JMP 00007fff29260260 .text C:\Windows\system32\svchost.exe[3000] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00007ffea913c1f0 5 bytes JMP 00007fff29260270 .text C:\Windows\system32\svchost.exe[3000] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00007ffea913c210 5 bytes JMP 00007fff29260400 .text C:\Windows\system32\svchost.exe[3000] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ffea913c3f0 5 bytes JMP 00007fff292601f0 .text C:\Windows\system32\svchost.exe[3000] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00007ffea913c400 5 bytes JMP 00007fff29260210 .text C:\Windows\system32\svchost.exe[3000] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ffea913c490 5 bytes JMP 00007fff29260200 .text C:\Windows\system32\svchost.exe[3000] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00007ffea913c500 5 bytes JMP 00007fff29260420 .text C:\Windows\system32\svchost.exe[3000] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00007ffea913c510 5 bytes JMP 00007fff29260430 .text C:\Windows\system32\svchost.exe[3000] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ffea913c520 5 bytes JMP 00007fff29260220 .text C:\Windows\system32\svchost.exe[3000] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00007ffea913c630 5 bytes JMP 00007fff29260280 .text C:\Windows\System32\WUDFHost.exe[3064] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00007ffea913ac30 5 bytes JMP 00007fff29260460 .text C:\Windows\System32\WUDFHost.exe[3064] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00007ffea913ac80 5 bytes JMP 00007fff29260450 .text C:\Windows\System32\WUDFHost.exe[3064] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00007ffea913ade0 1 byte JMP 00007fff29260370 .text C:\Windows\System32\WUDFHost.exe[3064] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 2 00007ffea913ade2 3 bytes {JMP 0xffffffff80125590} .text C:\Windows\System32\WUDFHost.exe[3064] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00007ffea913ae30 5 bytes JMP 00007fff29260470 .text C:\Windows\System32\WUDFHost.exe[3064] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ffea913ae40 5 bytes JMP 00007fff292603e0 .text C:\Windows\System32\WUDFHost.exe[3064] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00007ffea913aef0 5 bytes JMP 00007fff29260320 .text C:\Windows\System32\WUDFHost.exe[3064] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffea913af20 1 byte JMP 00007fff292603b0 .text C:\Windows\System32\WUDFHost.exe[3064] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 2 00007ffea913af22 3 bytes {JMP 0xffffffff80125490} .text C:\Windows\System32\WUDFHost.exe[3064] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00007ffea913af40 5 bytes JMP 00007fff29260390 .text C:\Windows\System32\WUDFHost.exe[3064] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00007ffea913af80 5 bytes JMP 00007fff292602e0 .text C:\Windows\System32\WUDFHost.exe[3064] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00007ffea913b000 5 bytes JMP 00007fff292602d0 .text C:\Windows\System32\WUDFHost.exe[3064] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00007ffea913b020 5 bytes JMP 00007fff29260310 .text C:\Windows\System32\WUDFHost.exe[3064] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00007ffea913b060 5 bytes JMP 00007fff292603c0 .text C:\Windows\System32\WUDFHost.exe[3064] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00007ffea913b0b0 5 bytes JMP 00007fff292603f0 .text C:\Windows\System32\WUDFHost.exe[3064] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00007ffea913b210 5 bytes JMP 00007fff29260230 .text C:\Windows\System32\WUDFHost.exe[3064] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ffea913b400 5 bytes JMP 00007fff29260480 .text C:\Windows\System32\WUDFHost.exe[3064] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00007ffea913b430 5 bytes JMP 00007fff292603a0 .text C:\Windows\System32\WUDFHost.exe[3064] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ffea913b550 5 bytes JMP 00007fff292602f0 .text C:\Windows\System32\WUDFHost.exe[3064] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00007ffea913b570 5 bytes JMP 00007fff29260350 .text C:\Windows\System32\WUDFHost.exe[3064] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00007ffea913b5e0 5 bytes JMP 00007fff29260290 .text C:\Windows\System32\WUDFHost.exe[3064] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ffea913b670 5 bytes JMP 00007fff292602b0 .text C:\Windows\System32\WUDFHost.exe[3064] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffea913b690 5 bytes JMP 00007fff292603d0 .text C:\Windows\System32\WUDFHost.exe[3064] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00007ffea913b6a0 1 byte JMP 00007fff29260330 .text C:\Windows\System32\WUDFHost.exe[3064] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00007ffea913b6a2 3 bytes {JMP 0xffffffff80124c90} .text C:\Windows\System32\WUDFHost.exe[3064] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00007ffea913b750 5 bytes JMP 00007fff29260410 .text C:\Windows\System32\WUDFHost.exe[3064] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00007ffea913b780 5 bytes JMP 00007fff29260240 .text C:\Windows\System32\WUDFHost.exe[3064] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00007ffea913baa0 5 bytes JMP 00007fff292601e0 .text C:\Windows\System32\WUDFHost.exe[3064] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00007ffea913bb60 5 bytes JMP 00007fff29260250 .text C:\Windows\System32\WUDFHost.exe[3064] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00007ffea913bb90 5 bytes JMP 00007fff29260490 .text C:\Windows\System32\WUDFHost.exe[3064] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00007ffea913bba0 5 bytes JMP 00007fff292604a0 .text C:\Windows\System32\WUDFHost.exe[3064] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00007ffea913bbd0 5 bytes JMP 00007fff29260300 .text C:\Windows\System32\WUDFHost.exe[3064] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00007ffea913bbe0 5 bytes JMP 00007fff29260360 .text C:\Windows\System32\WUDFHost.exe[3064] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00007ffea913bc40 5 bytes JMP 00007fff292602a0 .text C:\Windows\System32\WUDFHost.exe[3064] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00007ffea913bc90 5 bytes JMP 00007fff292602c0 .text C:\Windows\System32\WUDFHost.exe[3064] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00007ffea913bcc0 5 bytes JMP 00007fff29260380 .text C:\Windows\System32\WUDFHost.exe[3064] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00007ffea913bcd0 5 bytes JMP 00007fff29260340 .text C:\Windows\System32\WUDFHost.exe[3064] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00007ffea913bfe0 5 bytes JMP 00007fff29260440 .text C:\Windows\System32\WUDFHost.exe[3064] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00007ffea913c1e0 5 bytes JMP 00007fff29260260 .text C:\Windows\System32\WUDFHost.exe[3064] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00007ffea913c1f0 5 bytes JMP 00007fff29260270 .text C:\Windows\System32\WUDFHost.exe[3064] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00007ffea913c210 5 bytes JMP 00007fff29260400 .text C:\Windows\System32\WUDFHost.exe[3064] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ffea913c3f0 5 bytes JMP 00007fff292601f0 .text C:\Windows\System32\WUDFHost.exe[3064] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00007ffea913c400 5 bytes JMP 00007fff29260210 .text C:\Windows\System32\WUDFHost.exe[3064] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ffea913c490 5 bytes JMP 00007fff29260200 .text C:\Windows\System32\WUDFHost.exe[3064] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00007ffea913c500 5 bytes JMP 00007fff29260420 .text C:\Windows\System32\WUDFHost.exe[3064] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00007ffea913c510 5 bytes JMP 00007fff29260430 .text C:\Windows\System32\WUDFHost.exe[3064] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ffea913c520 5 bytes JMP 00007fff29260220 .text C:\Windows\System32\WUDFHost.exe[3064] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00007ffea913c630 5 bytes JMP 00007fff29260280 .text C:\Windows\System32\svchost.exe[3456] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00007ffea913ac30 5 bytes JMP 00007fff29260460 .text C:\Windows\System32\svchost.exe[3456] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00007ffea913ac80 5 bytes JMP 00007fff29260450 .text C:\Windows\System32\svchost.exe[3456] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00007ffea913ade0 1 byte JMP 00007fff29260370 .text C:\Windows\System32\svchost.exe[3456] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 2 00007ffea913ade2 3 bytes {JMP 0xffffffff80125590} .text C:\Windows\System32\svchost.exe[3456] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00007ffea913ae30 5 bytes JMP 00007fff29260470 .text C:\Windows\System32\svchost.exe[3456] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ffea913ae40 5 bytes JMP 00007fff292603e0 .text C:\Windows\System32\svchost.exe[3456] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00007ffea913aef0 5 bytes JMP 00007fff29260320 .text C:\Windows\System32\svchost.exe[3456] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffea913af20 1 byte JMP 00007fff292603b0 .text C:\Windows\System32\svchost.exe[3456] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 2 00007ffea913af22 3 bytes {JMP 0xffffffff80125490} .text C:\Windows\System32\svchost.exe[3456] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00007ffea913af40 5 bytes JMP 00007fff29260390 .text C:\Windows\System32\svchost.exe[3456] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00007ffea913af80 5 bytes JMP 00007fff292602e0 .text C:\Windows\System32\svchost.exe[3456] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00007ffea913b000 5 bytes JMP 00007fff292602d0 .text C:\Windows\System32\svchost.exe[3456] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00007ffea913b020 5 bytes JMP 00007fff29260310 .text C:\Windows\System32\svchost.exe[3456] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00007ffea913b060 5 bytes JMP 00007fff292603c0 .text C:\Windows\System32\svchost.exe[3456] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00007ffea913b0b0 5 bytes JMP 00007fff292603f0 .text C:\Windows\System32\svchost.exe[3456] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00007ffea913b210 5 bytes JMP 00007fff29260230 .text C:\Windows\System32\svchost.exe[3456] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ffea913b400 5 bytes JMP 00007fff29260480 .text C:\Windows\System32\svchost.exe[3456] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00007ffea913b430 5 bytes JMP 00007fff292603a0 .text C:\Windows\System32\svchost.exe[3456] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ffea913b550 5 bytes JMP 00007fff292602f0 .text C:\Windows\System32\svchost.exe[3456] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00007ffea913b570 5 bytes JMP 00007fff29260350 .text C:\Windows\System32\svchost.exe[3456] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00007ffea913b5e0 5 bytes JMP 00007fff29260290 .text C:\Windows\System32\svchost.exe[3456] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ffea913b670 5 bytes JMP 00007fff292602b0 .text C:\Windows\System32\svchost.exe[3456] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffea913b690 5 bytes JMP 00007fff292603d0 .text C:\Windows\System32\svchost.exe[3456] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00007ffea913b6a0 1 byte JMP 00007fff29260330 .text C:\Windows\System32\svchost.exe[3456] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00007ffea913b6a2 3 bytes {JMP 0xffffffff80124c90} .text C:\Windows\System32\svchost.exe[3456] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00007ffea913b750 5 bytes JMP 00007fff29260410 .text C:\Windows\System32\svchost.exe[3456] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00007ffea913b780 5 bytes JMP 00007fff29260240 .text C:\Windows\System32\svchost.exe[3456] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00007ffea913baa0 5 bytes JMP 00007fff292601e0 .text C:\Windows\System32\svchost.exe[3456] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00007ffea913bb60 5 bytes JMP 00007fff29260250 .text C:\Windows\System32\svchost.exe[3456] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00007ffea913bb90 5 bytes JMP 00007fff29260490 .text C:\Windows\System32\svchost.exe[3456] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00007ffea913bba0 5 bytes JMP 00007fff292604a0 .text C:\Windows\System32\svchost.exe[3456] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00007ffea913bbd0 5 bytes JMP 00007fff29260300 .text C:\Windows\System32\svchost.exe[3456] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00007ffea913bbe0 5 bytes JMP 00007fff29260360 .text C:\Windows\System32\svchost.exe[3456] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00007ffea913bc40 5 bytes JMP 00007fff292602a0 .text C:\Windows\System32\svchost.exe[3456] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00007ffea913bc90 5 bytes JMP 00007fff292602c0 .text C:\Windows\System32\svchost.exe[3456] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00007ffea913bcc0 5 bytes JMP 00007fff29260380 .text C:\Windows\System32\svchost.exe[3456] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00007ffea913bcd0 5 bytes JMP 00007fff29260340 .text C:\Windows\System32\svchost.exe[3456] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00007ffea913bfe0 5 bytes JMP 00007fff29260440 .text C:\Windows\System32\svchost.exe[3456] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00007ffea913c1e0 5 bytes JMP 00007fff29260260 .text C:\Windows\System32\svchost.exe[3456] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00007ffea913c1f0 5 bytes JMP 00007fff29260270 .text C:\Windows\System32\svchost.exe[3456] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00007ffea913c210 5 bytes JMP 00007fff29260400 .text C:\Windows\System32\svchost.exe[3456] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ffea913c3f0 5 bytes JMP 00007fff292601f0 .text C:\Windows\System32\svchost.exe[3456] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00007ffea913c400 5 bytes JMP 00007fff29260210 .text C:\Windows\System32\svchost.exe[3456] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ffea913c490 5 bytes JMP 00007fff29260200 .text C:\Windows\System32\svchost.exe[3456] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00007ffea913c500 5 bytes JMP 00007fff29260420 .text C:\Windows\System32\svchost.exe[3456] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00007ffea913c510 5 bytes JMP 00007fff29260430 .text C:\Windows\System32\svchost.exe[3456] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ffea913c520 5 bytes JMP 00007fff29260220 .text C:\Windows\System32\svchost.exe[3456] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00007ffea913c630 5 bytes JMP 00007fff29260280 .text C:\Windows\system32\DllHost.exe[3296] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00007ffea913ac30 5 bytes JMP 00007fff29260460 .text C:\Windows\system32\DllHost.exe[3296] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00007ffea913ac80 5 bytes JMP 00007fff29260450 .text C:\Windows\system32\DllHost.exe[3296] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00007ffea913ade0 1 byte JMP 00007fff29260370 .text C:\Windows\system32\DllHost.exe[3296] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 2 00007ffea913ade2 3 bytes {JMP 0xffffffff80125590} .text C:\Windows\system32\DllHost.exe[3296] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00007ffea913ae30 5 bytes JMP 00007fff29260470 .text C:\Windows\system32\DllHost.exe[3296] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ffea913ae40 5 bytes JMP 00007fff292603e0 .text C:\Windows\system32\DllHost.exe[3296] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00007ffea913aef0 5 bytes JMP 00007fff29260320 .text C:\Windows\system32\DllHost.exe[3296] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffea913af20 1 byte JMP 00007fff292603b0 .text C:\Windows\system32\DllHost.exe[3296] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 2 00007ffea913af22 3 bytes {JMP 0xffffffff80125490} .text C:\Windows\system32\DllHost.exe[3296] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00007ffea913af40 5 bytes JMP 00007fff29260390 .text C:\Windows\system32\DllHost.exe[3296] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00007ffea913af80 5 bytes JMP 00007fff292602e0 .text C:\Windows\system32\DllHost.exe[3296] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00007ffea913b000 5 bytes JMP 00007fff292602d0 .text C:\Windows\system32\DllHost.exe[3296] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00007ffea913b020 5 bytes JMP 00007fff29260310 .text C:\Windows\system32\DllHost.exe[3296] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00007ffea913b060 5 bytes JMP 00007fff292603c0 .text C:\Windows\system32\DllHost.exe[3296] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00007ffea913b0b0 5 bytes JMP 00007fff292603f0 .text C:\Windows\system32\DllHost.exe[3296] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00007ffea913b210 5 bytes JMP 00007fff29260230 .text C:\Windows\system32\DllHost.exe[3296] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ffea913b400 5 bytes JMP 00007fff29260480 .text C:\Windows\system32\DllHost.exe[3296] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00007ffea913b430 5 bytes JMP 00007fff292603a0 .text C:\Windows\system32\DllHost.exe[3296] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ffea913b550 5 bytes JMP 00007fff292602f0 .text C:\Windows\system32\DllHost.exe[3296] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00007ffea913b570 5 bytes JMP 00007fff29260350 .text C:\Windows\system32\DllHost.exe[3296] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00007ffea913b5e0 5 bytes JMP 00007fff29260290 .text C:\Windows\system32\DllHost.exe[3296] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ffea913b670 5 bytes JMP 00007fff292602b0 .text C:\Windows\system32\DllHost.exe[3296] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffea913b690 5 bytes JMP 00007fff292603d0 .text C:\Windows\system32\DllHost.exe[3296] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00007ffea913b6a0 1 byte JMP 00007fff29260330 .text C:\Windows\system32\DllHost.exe[3296] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00007ffea913b6a2 3 bytes {JMP 0xffffffff80124c90} .text C:\Windows\system32\DllHost.exe[3296] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00007ffea913b750 5 bytes JMP 00007fff29260410 .text C:\Windows\system32\DllHost.exe[3296] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00007ffea913b780 5 bytes JMP 00007fff29260240 .text C:\Windows\system32\DllHost.exe[3296] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00007ffea913baa0 5 bytes JMP 00007fff292601e0 .text C:\Windows\system32\DllHost.exe[3296] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00007ffea913bb60 5 bytes JMP 00007fff29260250 .text C:\Windows\system32\DllHost.exe[3296] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00007ffea913bb90 5 bytes JMP 00007fff29260490 .text C:\Windows\system32\DllHost.exe[3296] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00007ffea913bba0 5 bytes JMP 00007fff292604a0 .text C:\Windows\system32\DllHost.exe[3296] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00007ffea913bbd0 5 bytes JMP 00007fff29260300 .text C:\Windows\system32\DllHost.exe[3296] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00007ffea913bbe0 5 bytes JMP 00007fff29260360 .text C:\Windows\system32\DllHost.exe[3296] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00007ffea913bc40 5 bytes JMP 00007fff292602a0 .text C:\Windows\system32\DllHost.exe[3296] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00007ffea913bc90 5 bytes JMP 00007fff292602c0 .text C:\Windows\system32\DllHost.exe[3296] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00007ffea913bcc0 5 bytes JMP 00007fff29260380 .text C:\Windows\system32\DllHost.exe[3296] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00007ffea913bcd0 5 bytes JMP 00007fff29260340 .text C:\Windows\system32\DllHost.exe[3296] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00007ffea913bfe0 5 bytes JMP 00007fff29260440 .text C:\Windows\system32\DllHost.exe[3296] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00007ffea913c1e0 5 bytes JMP 00007fff29260260 .text C:\Windows\system32\DllHost.exe[3296] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00007ffea913c1f0 5 bytes JMP 00007fff29260270 .text C:\Windows\system32\DllHost.exe[3296] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00007ffea913c210 5 bytes JMP 00007fff29260400 .text C:\Windows\system32\DllHost.exe[3296] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ffea913c3f0 5 bytes JMP 00007fff292601f0 .text C:\Windows\system32\DllHost.exe[3296] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00007ffea913c400 5 bytes JMP 00007fff29260210 .text C:\Windows\system32\DllHost.exe[3296] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ffea913c490 5 bytes JMP 00007fff29260200 .text C:\Windows\system32\DllHost.exe[3296] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00007ffea913c500 5 bytes JMP 00007fff29260420 .text C:\Windows\system32\DllHost.exe[3296] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00007ffea913c510 5 bytes JMP 00007fff29260430 .text C:\Windows\system32\DllHost.exe[3296] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ffea913c520 5 bytes JMP 00007fff29260220 .text C:\Windows\system32\DllHost.exe[3296] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00007ffea913c630 5 bytes JMP 00007fff29260280 .text C:\Windows\system32\SearchIndexer.exe[1720] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00007ffea913ac30 5 bytes JMP 00007fff29260460 .text C:\Windows\system32\SearchIndexer.exe[1720] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00007ffea913ac80 5 bytes JMP 00007fff29260450 .text C:\Windows\system32\SearchIndexer.exe[1720] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00007ffea913ade0 1 byte JMP 00007fff29260370 .text C:\Windows\system32\SearchIndexer.exe[1720] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 2 00007ffea913ade2 3 bytes {JMP 0xffffffff80125590} .text C:\Windows\system32\SearchIndexer.exe[1720] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00007ffea913ae30 5 bytes JMP 00007fff29260470 .text C:\Windows\system32\SearchIndexer.exe[1720] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ffea913ae40 5 bytes JMP 00007fff292603e0 .text C:\Windows\system32\SearchIndexer.exe[1720] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00007ffea913aef0 5 bytes JMP 00007fff29260320 .text C:\Windows\system32\SearchIndexer.exe[1720] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffea913af20 1 byte JMP 00007fff292603b0 .text C:\Windows\system32\SearchIndexer.exe[1720] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 2 00007ffea913af22 3 bytes {JMP 0xffffffff80125490} .text C:\Windows\system32\SearchIndexer.exe[1720] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00007ffea913af40 5 bytes JMP 00007fff29260390 .text C:\Windows\system32\SearchIndexer.exe[1720] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00007ffea913af80 5 bytes JMP 00007fff292602e0 .text C:\Windows\system32\SearchIndexer.exe[1720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00007ffea913b000 5 bytes JMP 00007fff292602d0 .text C:\Windows\system32\SearchIndexer.exe[1720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00007ffea913b020 5 bytes JMP 00007fff29260310 .text C:\Windows\system32\SearchIndexer.exe[1720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00007ffea913b060 5 bytes JMP 00007fff292603c0 .text C:\Windows\system32\SearchIndexer.exe[1720] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00007ffea913b0b0 5 bytes JMP 00007fff292603f0 .text C:\Windows\system32\SearchIndexer.exe[1720] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00007ffea913b210 5 bytes JMP 00007fff29260230 .text C:\Windows\system32\SearchIndexer.exe[1720] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ffea913b400 5 bytes JMP 00007fff29260480 .text C:\Windows\system32\SearchIndexer.exe[1720] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00007ffea913b430 5 bytes JMP 00007fff292603a0 .text C:\Windows\system32\SearchIndexer.exe[1720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ffea913b550 5 bytes JMP 00007fff292602f0 .text C:\Windows\system32\SearchIndexer.exe[1720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00007ffea913b570 5 bytes JMP 00007fff29260350 .text C:\Windows\system32\SearchIndexer.exe[1720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00007ffea913b5e0 5 bytes JMP 00007fff29260290 .text C:\Windows\system32\SearchIndexer.exe[1720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ffea913b670 5 bytes JMP 00007fff292602b0 .text C:\Windows\system32\SearchIndexer.exe[1720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffea913b690 5 bytes JMP 00007fff292603d0 .text C:\Windows\system32\SearchIndexer.exe[1720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00007ffea913b6a0 1 byte JMP 00007fff29260330 .text C:\Windows\system32\SearchIndexer.exe[1720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00007ffea913b6a2 3 bytes {JMP 0xffffffff80124c90} .text C:\Windows\system32\SearchIndexer.exe[1720] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00007ffea913b750 5 bytes JMP 00007fff29260410 .text C:\Windows\system32\SearchIndexer.exe[1720] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00007ffea913b780 5 bytes JMP 00007fff29260240 .text C:\Windows\system32\SearchIndexer.exe[1720] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00007ffea913baa0 5 bytes JMP 00007fff292601e0 .text C:\Windows\system32\SearchIndexer.exe[1720] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00007ffea913bb60 5 bytes JMP 00007fff29260250 .text C:\Windows\system32\SearchIndexer.exe[1720] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00007ffea913bb90 5 bytes JMP 00007fff29260490 .text C:\Windows\system32\SearchIndexer.exe[1720] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00007ffea913bba0 5 bytes JMP 00007fff292604a0 .text C:\Windows\system32\SearchIndexer.exe[1720] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00007ffea913bbd0 5 bytes JMP 00007fff29260300 .text C:\Windows\system32\SearchIndexer.exe[1720] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00007ffea913bbe0 5 bytes JMP 00007fff29260360 .text C:\Windows\system32\SearchIndexer.exe[1720] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00007ffea913bc40 5 bytes JMP 00007fff292602a0 .text C:\Windows\system32\SearchIndexer.exe[1720] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00007ffea913bc90 5 bytes JMP 00007fff292602c0 .text C:\Windows\system32\SearchIndexer.exe[1720] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00007ffea913bcc0 5 bytes JMP 00007fff29260380 .text C:\Windows\system32\SearchIndexer.exe[1720] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00007ffea913bcd0 5 bytes JMP 00007fff29260340 .text C:\Windows\system32\SearchIndexer.exe[1720] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00007ffea913bfe0 5 bytes JMP 00007fff29260440 .text C:\Windows\system32\SearchIndexer.exe[1720] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00007ffea913c1e0 5 bytes JMP 00007fff29260260 .text C:\Windows\system32\SearchIndexer.exe[1720] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00007ffea913c1f0 5 bytes JMP 00007fff29260270 .text C:\Windows\system32\SearchIndexer.exe[1720] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00007ffea913c210 5 bytes JMP 00007fff29260400 .text C:\Windows\system32\SearchIndexer.exe[1720] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ffea913c3f0 5 bytes JMP 00007fff292601f0 .text C:\Windows\system32\SearchIndexer.exe[1720] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00007ffea913c400 5 bytes JMP 00007fff29260210 .text C:\Windows\system32\SearchIndexer.exe[1720] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ffea913c490 5 bytes JMP 00007fff29260200 .text C:\Windows\system32\SearchIndexer.exe[1720] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00007ffea913c500 5 bytes JMP 00007fff29260420 .text C:\Windows\system32\SearchIndexer.exe[1720] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00007ffea913c510 5 bytes JMP 00007fff29260430 .text C:\Windows\system32\SearchIndexer.exe[1720] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ffea913c520 5 bytes JMP 00007fff29260220 .text C:\Windows\system32\SearchIndexer.exe[1720] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00007ffea913c630 5 bytes JMP 00007fff29260280 .text C:\Windows\system32\atieclxx.exe[3688] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00007ffea913ac30 5 bytes JMP 00007fff29260460 .text C:\Windows\system32\atieclxx.exe[3688] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00007ffea913ac80 5 bytes JMP 00007fff29260450 .text C:\Windows\system32\atieclxx.exe[3688] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00007ffea913ade0 1 byte JMP 00007fff29260370 .text C:\Windows\system32\atieclxx.exe[3688] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 2 00007ffea913ade2 3 bytes {JMP 0xffffffff80125590} .text C:\Windows\system32\atieclxx.exe[3688] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00007ffea913ae30 5 bytes JMP 00007fff29260470 .text C:\Windows\system32\atieclxx.exe[3688] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ffea913ae40 5 bytes JMP 00007fff292603e0 .text C:\Windows\system32\atieclxx.exe[3688] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00007ffea913aef0 5 bytes JMP 00007fff29260320 .text C:\Windows\system32\atieclxx.exe[3688] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffea913af20 1 byte JMP 00007fff292603b0 .text C:\Windows\system32\atieclxx.exe[3688] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 2 00007ffea913af22 3 bytes {JMP 0xffffffff80125490} .text C:\Windows\system32\atieclxx.exe[3688] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00007ffea913af40 5 bytes JMP 00007fff29260390 .text C:\Windows\system32\atieclxx.exe[3688] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00007ffea913af80 5 bytes JMP 00007fff292602e0 .text C:\Windows\system32\atieclxx.exe[3688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00007ffea913b000 5 bytes JMP 00007fff292602d0 .text C:\Windows\system32\atieclxx.exe[3688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00007ffea913b020 5 bytes JMP 00007fff29260310 .text C:\Windows\system32\atieclxx.exe[3688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00007ffea913b060 5 bytes JMP 00007fff292603c0 .text C:\Windows\system32\atieclxx.exe[3688] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00007ffea913b0b0 5 bytes JMP 00007fff292603f0 .text C:\Windows\system32\atieclxx.exe[3688] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00007ffea913b210 5 bytes JMP 00007fff29260230 .text C:\Windows\system32\atieclxx.exe[3688] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ffea913b400 5 bytes JMP 00007fff29260480 .text C:\Windows\system32\atieclxx.exe[3688] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00007ffea913b430 5 bytes JMP 00007fff292603a0 .text C:\Windows\system32\atieclxx.exe[3688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ffea913b550 5 bytes JMP 00007fff292602f0 .text C:\Windows\system32\atieclxx.exe[3688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00007ffea913b570 5 bytes JMP 00007fff29260350 .text C:\Windows\system32\atieclxx.exe[3688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00007ffea913b5e0 5 bytes JMP 00007fff29260290 .text C:\Windows\system32\atieclxx.exe[3688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ffea913b670 5 bytes JMP 00007fff292602b0 .text C:\Windows\system32\atieclxx.exe[3688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffea913b690 5 bytes JMP 00007fff292603d0 .text C:\Windows\system32\atieclxx.exe[3688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00007ffea913b6a0 1 byte JMP 00007fff29260330 .text C:\Windows\system32\atieclxx.exe[3688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00007ffea913b6a2 3 bytes {JMP 0xffffffff80124c90} .text C:\Windows\system32\atieclxx.exe[3688] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00007ffea913b750 5 bytes JMP 00007fff29260410 .text C:\Windows\system32\atieclxx.exe[3688] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00007ffea913b780 5 bytes JMP 00007fff29260240 .text C:\Windows\system32\atieclxx.exe[3688] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00007ffea913baa0 5 bytes JMP 00007fff292601e0 .text C:\Windows\system32\atieclxx.exe[3688] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00007ffea913bb60 5 bytes JMP 00007fff29260250 .text C:\Windows\system32\atieclxx.exe[3688] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00007ffea913bb90 5 bytes JMP 00007fff29260490 .text C:\Windows\system32\atieclxx.exe[3688] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00007ffea913bba0 5 bytes JMP 00007fff292604a0 .text C:\Windows\system32\atieclxx.exe[3688] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00007ffea913bbd0 5 bytes JMP 00007fff29260300 .text C:\Windows\system32\atieclxx.exe[3688] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00007ffea913bbe0 5 bytes JMP 00007fff29260360 .text C:\Windows\system32\atieclxx.exe[3688] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00007ffea913bc40 5 bytes JMP 00007fff292602a0 .text C:\Windows\system32\atieclxx.exe[3688] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00007ffea913bc90 5 bytes JMP 00007fff292602c0 .text C:\Windows\system32\atieclxx.exe[3688] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00007ffea913bcc0 5 bytes JMP 00007fff29260380 .text C:\Windows\system32\atieclxx.exe[3688] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00007ffea913bcd0 5 bytes JMP 00007fff29260340 .text C:\Windows\system32\atieclxx.exe[3688] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00007ffea913bfe0 5 bytes JMP 00007fff29260440 .text C:\Windows\system32\atieclxx.exe[3688] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00007ffea913c1e0 5 bytes JMP 00007fff29260260 .text C:\Windows\system32\atieclxx.exe[3688] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00007ffea913c1f0 5 bytes JMP 00007fff29260270 .text C:\Windows\system32\atieclxx.exe[3688] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00007ffea913c210 5 bytes JMP 00007fff29260400 .text C:\Windows\system32\atieclxx.exe[3688] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ffea913c3f0 5 bytes JMP 00007fff292601f0 .text C:\Windows\system32\atieclxx.exe[3688] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00007ffea913c400 5 bytes JMP 00007fff29260210 .text C:\Windows\system32\atieclxx.exe[3688] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ffea913c490 5 bytes JMP 00007fff29260200 .text C:\Windows\system32\atieclxx.exe[3688] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00007ffea913c500 5 bytes JMP 00007fff29260420 .text C:\Windows\system32\atieclxx.exe[3688] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00007ffea913c510 5 bytes JMP 00007fff29260430 .text C:\Windows\system32\atieclxx.exe[3688] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ffea913c520 5 bytes JMP 00007fff29260220 .text C:\Windows\system32\atieclxx.exe[3688] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00007ffea913c630 5 bytes JMP 00007fff29260280 .text C:\Windows\system32\atieclxx.exe[3688] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 506 00007ffea782169a 4 bytes [82, A7, FE, 7F] .text C:\Windows\system32\atieclxx.exe[3688] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 514 00007ffea78216a2 4 bytes [82, A7, FE, 7F] .text C:\Windows\system32\atieclxx.exe[3688] C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 118 00007ffea782181a 4 bytes [82, A7, FE, 7F] .text C:\Windows\system32\atieclxx.exe[3688] C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 142 00007ffea7821832 4 bytes [82, A7, FE, 7F] .text C:\Windows\system32\atieclxx.exe[3688] C:\Windows\system32\WSOCK32.dll!setsockopt + 194 00007ffe9f031f6a 4 bytes [03, 9F, FE, 7F] .text C:\Windows\system32\atieclxx.exe[3688] C:\Windows\system32\WSOCK32.dll!setsockopt + 218 00007ffe9f031f82 4 bytes [03, 9F, FE, 7F] .text C:\Windows\system32\taskhostex.exe[2488] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00007ffea913ac30 5 bytes JMP 00007fff29260460 .text C:\Windows\system32\taskhostex.exe[2488] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00007ffea913ac80 5 bytes JMP 00007fff29260450 .text C:\Windows\system32\taskhostex.exe[2488] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00007ffea913ade0 1 byte JMP 00007fff29260370 .text C:\Windows\system32\taskhostex.exe[2488] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 2 00007ffea913ade2 3 bytes {JMP 0xffffffff80125590} .text C:\Windows\system32\taskhostex.exe[2488] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00007ffea913ae30 5 bytes JMP 00007fff29260470 .text C:\Windows\system32\taskhostex.exe[2488] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ffea913ae40 5 bytes JMP 00007fff292603e0 .text C:\Windows\system32\taskhostex.exe[2488] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00007ffea913aef0 5 bytes JMP 00007fff29260320 .text C:\Windows\system32\taskhostex.exe[2488] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffea913af20 1 byte JMP 00007fff292603b0 .text C:\Windows\system32\taskhostex.exe[2488] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 2 00007ffea913af22 3 bytes {JMP 0xffffffff80125490} .text C:\Windows\system32\taskhostex.exe[2488] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00007ffea913af40 5 bytes JMP 00007fff29260390 .text C:\Windows\system32\taskhostex.exe[2488] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00007ffea913af80 5 bytes JMP 00007fff292602e0 .text C:\Windows\system32\taskhostex.exe[2488] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00007ffea913b000 5 bytes JMP 00007fff292602d0 .text C:\Windows\system32\taskhostex.exe[2488] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00007ffea913b020 5 bytes JMP 00007fff29260310 .text C:\Windows\system32\taskhostex.exe[2488] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00007ffea913b060 5 bytes JMP 00007fff292603c0 .text C:\Windows\system32\taskhostex.exe[2488] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00007ffea913b0b0 5 bytes JMP 00007fff292603f0 .text C:\Windows\system32\taskhostex.exe[2488] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00007ffea913b210 5 bytes JMP 00007fff29260230 .text C:\Windows\system32\taskhostex.exe[2488] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ffea913b400 5 bytes JMP 00007fff29260480 .text C:\Windows\system32\taskhostex.exe[2488] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00007ffea913b430 5 bytes JMP 00007fff292603a0 .text C:\Windows\system32\taskhostex.exe[2488] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ffea913b550 5 bytes JMP 00007fff292602f0 .text C:\Windows\system32\taskhostex.exe[2488] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00007ffea913b570 5 bytes JMP 00007fff29260350 .text C:\Windows\system32\taskhostex.exe[2488] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00007ffea913b5e0 5 bytes JMP 00007fff29260290 .text C:\Windows\system32\taskhostex.exe[2488] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ffea913b670 5 bytes JMP 00007fff292602b0 .text C:\Windows\system32\taskhostex.exe[2488] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffea913b690 5 bytes JMP 00007fff292603d0 .text C:\Windows\system32\taskhostex.exe[2488] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00007ffea913b6a0 1 byte JMP 00007fff29260330 .text C:\Windows\system32\taskhostex.exe[2488] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00007ffea913b6a2 3 bytes {JMP 0xffffffff80124c90} .text C:\Windows\system32\taskhostex.exe[2488] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00007ffea913b750 5 bytes JMP 00007fff29260410 .text C:\Windows\system32\taskhostex.exe[2488] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00007ffea913b780 5 bytes JMP 00007fff29260240 .text C:\Windows\system32\taskhostex.exe[2488] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00007ffea913baa0 5 bytes JMP 00007fff292601e0 .text C:\Windows\system32\taskhostex.exe[2488] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00007ffea913bb60 5 bytes JMP 00007fff29260250 .text C:\Windows\system32\taskhostex.exe[2488] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00007ffea913bb90 5 bytes JMP 00007fff29260490 .text C:\Windows\system32\taskhostex.exe[2488] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00007ffea913bba0 5 bytes JMP 00007fff292604a0 .text C:\Windows\system32\taskhostex.exe[2488] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00007ffea913bbd0 5 bytes JMP 00007fff29260300 .text C:\Windows\system32\taskhostex.exe[2488] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00007ffea913bbe0 5 bytes JMP 00007fff29260360 .text C:\Windows\system32\taskhostex.exe[2488] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00007ffea913bc40 5 bytes JMP 00007fff292602a0 .text C:\Windows\system32\taskhostex.exe[2488] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00007ffea913bc90 5 bytes JMP 00007fff292602c0 .text C:\Windows\system32\taskhostex.exe[2488] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00007ffea913bcc0 5 bytes JMP 00007fff29260380 .text C:\Windows\system32\taskhostex.exe[2488] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00007ffea913bcd0 5 bytes JMP 00007fff29260340 .text C:\Windows\system32\taskhostex.exe[2488] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00007ffea913bfe0 5 bytes JMP 00007fff29260440 .text C:\Windows\system32\taskhostex.exe[2488] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00007ffea913c1e0 5 bytes JMP 00007fff29260260 .text C:\Windows\system32\taskhostex.exe[2488] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00007ffea913c1f0 5 bytes JMP 00007fff29260270 .text C:\Windows\system32\taskhostex.exe[2488] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00007ffea913c210 5 bytes JMP 00007fff29260400 .text C:\Windows\system32\taskhostex.exe[2488] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ffea913c3f0 5 bytes JMP 00007fff292601f0 .text C:\Windows\system32\taskhostex.exe[2488] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00007ffea913c400 5 bytes JMP 00007fff29260210 .text C:\Windows\system32\taskhostex.exe[2488] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ffea913c490 5 bytes JMP 00007fff29260200 .text C:\Windows\system32\taskhostex.exe[2488] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00007ffea913c500 5 bytes JMP 00007fff29260420 .text C:\Windows\system32\taskhostex.exe[2488] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00007ffea913c510 5 bytes JMP 00007fff29260430 .text C:\Windows\system32\taskhostex.exe[2488] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ffea913c520 5 bytes JMP 00007fff29260220 .text C:\Windows\system32\taskhostex.exe[2488] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00007ffea913c630 5 bytes JMP 00007fff29260280 .text C:\Windows\System32\skydrive.exe[3056] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00007ffea913ac30 5 bytes JMP 00007fff29260460 .text C:\Windows\System32\skydrive.exe[3056] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00007ffea913ac80 5 bytes JMP 00007fff29260450 .text C:\Windows\System32\skydrive.exe[3056] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00007ffea913ade0 1 byte JMP 00007fff29260370 .text C:\Windows\System32\skydrive.exe[3056] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 2 00007ffea913ade2 3 bytes {JMP 0xffffffff80125590} .text C:\Windows\System32\skydrive.exe[3056] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00007ffea913ae30 5 bytes JMP 00007fff29260470 .text C:\Windows\System32\skydrive.exe[3056] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ffea913ae40 5 bytes JMP 00007fff292603e0 .text C:\Windows\System32\skydrive.exe[3056] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00007ffea913aef0 5 bytes JMP 00007fff29260320 .text C:\Windows\System32\skydrive.exe[3056] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffea913af20 1 byte JMP 00007fff292603b0 .text C:\Windows\System32\skydrive.exe[3056] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 2 00007ffea913af22 3 bytes {JMP 0xffffffff80125490} .text C:\Windows\System32\skydrive.exe[3056] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00007ffea913af40 5 bytes JMP 00007fff29260390 .text C:\Windows\System32\skydrive.exe[3056] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00007ffea913af80 5 bytes JMP 00007fff292602e0 .text C:\Windows\System32\skydrive.exe[3056] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00007ffea913b000 5 bytes JMP 00007fff292602d0 .text C:\Windows\System32\skydrive.exe[3056] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00007ffea913b020 5 bytes JMP 00007fff29260310 .text C:\Windows\System32\skydrive.exe[3056] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00007ffea913b060 5 bytes JMP 00007fff292603c0 .text C:\Windows\System32\skydrive.exe[3056] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00007ffea913b0b0 5 bytes JMP 00007fff292603f0 .text C:\Windows\System32\skydrive.exe[3056] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00007ffea913b210 5 bytes JMP 00007fff29260230 .text C:\Windows\System32\skydrive.exe[3056] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ffea913b400 5 bytes JMP 00007fff29260480 .text C:\Windows\System32\skydrive.exe[3056] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00007ffea913b430 5 bytes JMP 00007fff292603a0 .text C:\Windows\System32\skydrive.exe[3056] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ffea913b550 5 bytes JMP 00007fff292602f0 .text C:\Windows\System32\skydrive.exe[3056] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00007ffea913b570 5 bytes JMP 00007fff29260350 .text C:\Windows\System32\skydrive.exe[3056] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00007ffea913b5e0 5 bytes JMP 00007fff29260290 .text C:\Windows\System32\skydrive.exe[3056] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ffea913b670 5 bytes JMP 00007fff292602b0 .text C:\Windows\System32\skydrive.exe[3056] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffea913b690 5 bytes JMP 00007fff292603d0 .text C:\Windows\System32\skydrive.exe[3056] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00007ffea913b6a0 1 byte JMP 00007fff29260330 .text C:\Windows\System32\skydrive.exe[3056] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00007ffea913b6a2 3 bytes {JMP 0xffffffff80124c90} .text C:\Windows\System32\skydrive.exe[3056] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00007ffea913b750 5 bytes JMP 00007fff29260410 .text C:\Windows\System32\skydrive.exe[3056] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00007ffea913b780 5 bytes JMP 00007fff29260240 .text C:\Windows\System32\skydrive.exe[3056] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00007ffea913baa0 5 bytes JMP 00007fff292601e0 .text C:\Windows\System32\skydrive.exe[3056] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00007ffea913bb60 5 bytes JMP 00007fff29260250 .text C:\Windows\System32\skydrive.exe[3056] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00007ffea913bb90 5 bytes JMP 00007fff29260490 .text C:\Windows\System32\skydrive.exe[3056] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00007ffea913bba0 5 bytes JMP 00007fff292604a0 .text C:\Windows\System32\skydrive.exe[3056] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00007ffea913bbd0 5 bytes JMP 00007fff29260300 .text C:\Windows\System32\skydrive.exe[3056] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00007ffea913bbe0 5 bytes JMP 00007fff29260360 .text C:\Windows\System32\skydrive.exe[3056] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00007ffea913bc40 5 bytes JMP 00007fff292602a0 .text C:\Windows\System32\skydrive.exe[3056] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00007ffea913bc90 5 bytes JMP 00007fff292602c0 .text C:\Windows\System32\skydrive.exe[3056] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00007ffea913bcc0 5 bytes JMP 00007fff29260380 .text C:\Windows\System32\skydrive.exe[3056] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00007ffea913bcd0 5 bytes JMP 00007fff29260340 .text C:\Windows\System32\skydrive.exe[3056] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00007ffea913bfe0 5 bytes JMP 00007fff29260440 .text C:\Windows\System32\skydrive.exe[3056] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00007ffea913c1e0 5 bytes JMP 00007fff29260260 .text C:\Windows\System32\skydrive.exe[3056] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00007ffea913c1f0 5 bytes JMP 00007fff29260270 .text C:\Windows\System32\skydrive.exe[3056] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00007ffea913c210 5 bytes JMP 00007fff29260400 .text C:\Windows\System32\skydrive.exe[3056] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ffea913c3f0 5 bytes JMP 00007fff292601f0 .text C:\Windows\System32\skydrive.exe[3056] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00007ffea913c400 5 bytes JMP 00007fff29260210 .text C:\Windows\System32\skydrive.exe[3056] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ffea913c490 5 bytes JMP 00007fff29260200 .text C:\Windows\System32\skydrive.exe[3056] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00007ffea913c500 5 bytes JMP 00007fff29260420 .text C:\Windows\System32\skydrive.exe[3056] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00007ffea913c510 5 bytes JMP 00007fff29260430 .text C:\Windows\System32\skydrive.exe[3056] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ffea913c520 5 bytes JMP 00007fff29260220 .text C:\Windows\System32\skydrive.exe[3056] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00007ffea913c630 5 bytes JMP 00007fff29260280 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1692] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00007ffea913ac30 5 bytes JMP 00007fff29260460 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1692] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00007ffea913ac80 5 bytes JMP 00007fff29260450 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1692] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00007ffea913ade0 1 byte JMP 00007fff29260370 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1692] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 2 00007ffea913ade2 3 bytes {JMP 0xffffffff80125590} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1692] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00007ffea913ae30 5 bytes JMP 00007fff29260470 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1692] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ffea913ae40 5 bytes JMP 00007fff292603e0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1692] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00007ffea913aef0 5 bytes JMP 00007fff29260320 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1692] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffea913af20 1 byte JMP 00007fff292603b0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1692] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 2 00007ffea913af22 3 bytes {JMP 0xffffffff80125490} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1692] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00007ffea913af40 5 bytes JMP 00007fff29260390 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1692] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00007ffea913af80 5 bytes JMP 00007fff292602e0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1692] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00007ffea913b000 5 bytes JMP 00007fff292602d0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1692] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00007ffea913b020 5 bytes JMP 00007fff29260310 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1692] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00007ffea913b060 5 bytes JMP 00007fff292603c0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1692] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00007ffea913b0b0 5 bytes JMP 00007fff292603f0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1692] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00007ffea913b210 5 bytes JMP 00007fff29260230 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1692] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ffea913b400 5 bytes JMP 00007fff29260480 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1692] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00007ffea913b430 5 bytes JMP 00007fff292603a0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1692] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ffea913b550 5 bytes JMP 00007fff292602f0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1692] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00007ffea913b570 5 bytes JMP 00007fff29260350 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1692] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00007ffea913b5e0 5 bytes JMP 00007fff29260290 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1692] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ffea913b670 5 bytes JMP 00007fff292602b0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1692] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffea913b690 5 bytes JMP 00007fff292603d0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1692] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00007ffea913b6a0 1 byte JMP 00007fff29260330 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1692] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00007ffea913b6a2 3 bytes {JMP 0xffffffff80124c90} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1692] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00007ffea913b750 5 bytes JMP 00007fff29260410 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1692] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00007ffea913b780 5 bytes JMP 00007fff29260240 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1692] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00007ffea913baa0 5 bytes JMP 00007fff292601e0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1692] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00007ffea913bb60 5 bytes JMP 00007fff29260250 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1692] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00007ffea913bb90 5 bytes JMP 00007fff29260490 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1692] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00007ffea913bba0 5 bytes JMP 00007fff292604a0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1692] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00007ffea913bbd0 5 bytes JMP 00007fff29260300 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1692] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00007ffea913bbe0 5 bytes JMP 00007fff29260360 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1692] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00007ffea913bc40 5 bytes JMP 00007fff292602a0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1692] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00007ffea913bc90 5 bytes JMP 00007fff292602c0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1692] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00007ffea913bcc0 5 bytes JMP 00007fff29260380 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1692] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00007ffea913bcd0 5 bytes JMP 00007fff29260340 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1692] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00007ffea913bfe0 5 bytes JMP 00007fff29260440 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1692] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00007ffea913c1e0 5 bytes JMP 00007fff29260260 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1692] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00007ffea913c1f0 5 bytes JMP 00007fff29260270 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1692] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00007ffea913c210 5 bytes JMP 00007fff29260400 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1692] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ffea913c3f0 5 bytes JMP 00007fff292601f0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1692] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00007ffea913c400 5 bytes JMP 00007fff29260210 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1692] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ffea913c490 5 bytes JMP 00007fff29260200 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1692] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00007ffea913c500 5 bytes JMP 00007fff29260420 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1692] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00007ffea913c510 5 bytes JMP 00007fff29260430 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1692] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ffea913c520 5 bytes JMP 00007fff29260220 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1692] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00007ffea913c630 5 bytes JMP 00007fff29260280 .text C:\Program Files (x86)\Raptr\raptr_ep64.exe[4628] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00007ffea913ac30 5 bytes JMP 00007fff29260460 .text C:\Program Files (x86)\Raptr\raptr_ep64.exe[4628] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00007ffea913ac80 5 bytes JMP 00007fff29260450 .text C:\Program Files (x86)\Raptr\raptr_ep64.exe[4628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00007ffea913ade0 1 byte JMP 00007fff29260370 .text C:\Program Files (x86)\Raptr\raptr_ep64.exe[4628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 2 00007ffea913ade2 3 bytes {JMP 0xffffffff80125590} .text C:\Program Files (x86)\Raptr\raptr_ep64.exe[4628] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00007ffea913ae30 5 bytes JMP 00007fff29260470 .text C:\Program Files (x86)\Raptr\raptr_ep64.exe[4628] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ffea913ae40 5 bytes JMP 00007fff292603e0 .text C:\Program Files (x86)\Raptr\raptr_ep64.exe[4628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00007ffea913aef0 5 bytes JMP 00007fff29260320 .text C:\Program Files (x86)\Raptr\raptr_ep64.exe[4628] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffea913af20 1 byte JMP 00007fff292603b0 .text C:\Program Files (x86)\Raptr\raptr_ep64.exe[4628] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 2 00007ffea913af22 3 bytes {JMP 0xffffffff80125490} .text C:\Program Files (x86)\Raptr\raptr_ep64.exe[4628] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00007ffea913af40 5 bytes JMP 00007fff29260390 .text C:\Program Files (x86)\Raptr\raptr_ep64.exe[4628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00007ffea913af80 5 bytes JMP 00007fff292602e0 .text C:\Program Files (x86)\Raptr\raptr_ep64.exe[4628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00007ffea913b000 5 bytes JMP 00007fff292602d0 .text C:\Program Files (x86)\Raptr\raptr_ep64.exe[4628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00007ffea913b020 5 bytes JMP 00007fff29260310 .text C:\Program Files (x86)\Raptr\raptr_ep64.exe[4628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00007ffea913b060 5 bytes JMP 00007fff292603c0 .text C:\Program Files (x86)\Raptr\raptr_ep64.exe[4628] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00007ffea913b0b0 5 bytes JMP 00007fff292603f0 .text C:\Program Files (x86)\Raptr\raptr_ep64.exe[4628] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00007ffea913b210 5 bytes JMP 00007fff29260230 .text C:\Program Files (x86)\Raptr\raptr_ep64.exe[4628] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ffea913b400 5 bytes JMP 00007fff29260480 .text C:\Program Files (x86)\Raptr\raptr_ep64.exe[4628] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00007ffea913b430 5 bytes JMP 00007fff292603a0 .text C:\Program Files (x86)\Raptr\raptr_ep64.exe[4628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ffea913b550 5 bytes JMP 00007fff292602f0 .text C:\Program Files (x86)\Raptr\raptr_ep64.exe[4628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00007ffea913b570 5 bytes JMP 00007fff29260350 .text C:\Program Files (x86)\Raptr\raptr_ep64.exe[4628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00007ffea913b5e0 5 bytes JMP 00007fff29260290 .text C:\Program Files (x86)\Raptr\raptr_ep64.exe[4628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ffea913b670 5 bytes JMP 00007fff292602b0 .text C:\Program Files (x86)\Raptr\raptr_ep64.exe[4628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffea913b690 5 bytes JMP 00007fff292603d0 .text C:\Program Files (x86)\Raptr\raptr_ep64.exe[4628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00007ffea913b6a0 1 byte JMP 00007fff29260330 .text C:\Program Files (x86)\Raptr\raptr_ep64.exe[4628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00007ffea913b6a2 3 bytes {JMP 0xffffffff80124c90} .text C:\Program Files (x86)\Raptr\raptr_ep64.exe[4628] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00007ffea913b750 5 bytes JMP 00007fff29260410 .text C:\Program Files (x86)\Raptr\raptr_ep64.exe[4628] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00007ffea913b780 5 bytes JMP 00007fff29260240 .text C:\Program Files (x86)\Raptr\raptr_ep64.exe[4628] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00007ffea913baa0 5 bytes JMP 00007fff292601e0 .text C:\Program Files (x86)\Raptr\raptr_ep64.exe[4628] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00007ffea913bb60 5 bytes JMP 00007fff29260250 .text C:\Program Files (x86)\Raptr\raptr_ep64.exe[4628] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00007ffea913bb90 5 bytes JMP 00007fff29260490 .text C:\Program Files (x86)\Raptr\raptr_ep64.exe[4628] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00007ffea913bba0 5 bytes JMP 00007fff292604a0 .text C:\Program Files (x86)\Raptr\raptr_ep64.exe[4628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00007ffea913bbd0 5 bytes JMP 00007fff29260300 .text C:\Program Files (x86)\Raptr\raptr_ep64.exe[4628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00007ffea913bbe0 5 bytes JMP 00007fff29260360 .text C:\Program Files (x86)\Raptr\raptr_ep64.exe[4628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00007ffea913bc40 5 bytes JMP 00007fff292602a0 .text C:\Program Files (x86)\Raptr\raptr_ep64.exe[4628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00007ffea913bc90 5 bytes JMP 00007fff292602c0 .text C:\Program Files (x86)\Raptr\raptr_ep64.exe[4628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00007ffea913bcc0 5 bytes JMP 00007fff29260380 .text C:\Program Files (x86)\Raptr\raptr_ep64.exe[4628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00007ffea913bcd0 5 bytes JMP 00007fff29260340 .text C:\Program Files (x86)\Raptr\raptr_ep64.exe[4628] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00007ffea913bfe0 5 bytes JMP 00007fff29260440 .text C:\Program Files (x86)\Raptr\raptr_ep64.exe[4628] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00007ffea913c1e0 5 bytes JMP 00007fff29260260 .text C:\Program Files (x86)\Raptr\raptr_ep64.exe[4628] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00007ffea913c1f0 5 bytes JMP 00007fff29260270 .text C:\Program Files (x86)\Raptr\raptr_ep64.exe[4628] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00007ffea913c210 5 bytes JMP 00007fff29260400 .text C:\Program Files (x86)\Raptr\raptr_ep64.exe[4628] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ffea913c3f0 5 bytes JMP 00007fff292601f0 .text C:\Program Files (x86)\Raptr\raptr_ep64.exe[4628] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00007ffea913c400 5 bytes JMP 00007fff29260210 .text C:\Program Files (x86)\Raptr\raptr_ep64.exe[4628] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ffea913c490 5 bytes JMP 00007fff29260200 .text C:\Program Files (x86)\Raptr\raptr_ep64.exe[4628] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00007ffea913c500 5 bytes JMP 00007fff29260420 .text C:\Program Files (x86)\Raptr\raptr_ep64.exe[4628] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00007ffea913c510 5 bytes JMP 00007fff29260430 .text C:\Program Files (x86)\Raptr\raptr_ep64.exe[4628] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ffea913c520 5 bytes JMP 00007fff29260220 .text C:\Program Files (x86)\Raptr\raptr_ep64.exe[4628] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00007ffea913c630 5 bytes JMP 00007fff29260280 .text C:\Windows\System32\SettingSyncHost.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00007ffea913ac30 5 bytes JMP 00007fff29260460 .text C:\Windows\System32\SettingSyncHost.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00007ffea913ac80 5 bytes JMP 00007fff29260450 .text C:\Windows\System32\SettingSyncHost.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00007ffea913ade0 1 byte JMP 00007fff29260370 .text C:\Windows\System32\SettingSyncHost.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 2 00007ffea913ade2 3 bytes {JMP 0xffffffff80125590} .text C:\Windows\System32\SettingSyncHost.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00007ffea913ae30 5 bytes JMP 00007fff29260470 .text C:\Windows\System32\SettingSyncHost.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ffea913ae40 5 bytes JMP 00007fff292603e0 .text C:\Windows\System32\SettingSyncHost.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00007ffea913aef0 5 bytes JMP 00007fff29260320 .text C:\Windows\System32\SettingSyncHost.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffea913af20 1 byte JMP 00007fff292603b0 .text C:\Windows\System32\SettingSyncHost.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 2 00007ffea913af22 3 bytes {JMP 0xffffffff80125490} .text C:\Windows\System32\SettingSyncHost.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00007ffea913af40 5 bytes JMP 00007fff29260390 .text C:\Windows\System32\SettingSyncHost.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00007ffea913af80 5 bytes JMP 00007fff292602e0 .text C:\Windows\System32\SettingSyncHost.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00007ffea913b000 5 bytes JMP 00007fff292602d0 .text C:\Windows\System32\SettingSyncHost.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00007ffea913b020 5 bytes JMP 00007fff29260310 .text C:\Windows\System32\SettingSyncHost.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00007ffea913b060 5 bytes JMP 00007fff292603c0 .text C:\Windows\System32\SettingSyncHost.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00007ffea913b0b0 5 bytes JMP 00007fff292603f0 .text C:\Windows\System32\SettingSyncHost.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00007ffea913b210 5 bytes JMP 00007fff29260230 .text C:\Windows\System32\SettingSyncHost.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ffea913b400 5 bytes JMP 00007fff29260480 .text C:\Windows\System32\SettingSyncHost.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00007ffea913b430 5 bytes JMP 00007fff292603a0 .text C:\Windows\System32\SettingSyncHost.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ffea913b550 5 bytes JMP 00007fff292602f0 .text C:\Windows\System32\SettingSyncHost.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00007ffea913b570 5 bytes JMP 00007fff29260350 .text C:\Windows\System32\SettingSyncHost.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00007ffea913b5e0 5 bytes JMP 00007fff29260290 .text C:\Windows\System32\SettingSyncHost.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ffea913b670 5 bytes JMP 00007fff292602b0 .text C:\Windows\System32\SettingSyncHost.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffea913b690 5 bytes JMP 00007fff292603d0 .text C:\Windows\System32\SettingSyncHost.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00007ffea913b6a0 1 byte JMP 00007fff29260330 .text C:\Windows\System32\SettingSyncHost.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00007ffea913b6a2 3 bytes {JMP 0xffffffff80124c90} .text C:\Windows\System32\SettingSyncHost.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00007ffea913b750 5 bytes JMP 00007fff29260410 .text C:\Windows\System32\SettingSyncHost.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00007ffea913b780 5 bytes JMP 00007fff29260240 .text C:\Windows\System32\SettingSyncHost.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00007ffea913baa0 5 bytes JMP 00007fff292601e0 .text C:\Windows\System32\SettingSyncHost.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00007ffea913bb60 5 bytes JMP 00007fff29260250 .text C:\Windows\System32\SettingSyncHost.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00007ffea913bb90 5 bytes JMP 00007fff29260490 .text C:\Windows\System32\SettingSyncHost.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00007ffea913bba0 5 bytes JMP 00007fff292604a0 .text C:\Windows\System32\SettingSyncHost.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00007ffea913bbd0 5 bytes JMP 00007fff29260300 .text C:\Windows\System32\SettingSyncHost.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00007ffea913bbe0 5 bytes JMP 00007fff29260360 .text C:\Windows\System32\SettingSyncHost.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00007ffea913bc40 5 bytes JMP 00007fff292602a0 .text C:\Windows\System32\SettingSyncHost.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00007ffea913bc90 5 bytes JMP 00007fff292602c0 .text C:\Windows\System32\SettingSyncHost.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00007ffea913bcc0 5 bytes JMP 00007fff29260380 .text C:\Windows\System32\SettingSyncHost.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00007ffea913bcd0 5 bytes JMP 00007fff29260340 .text C:\Windows\System32\SettingSyncHost.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00007ffea913bfe0 5 bytes JMP 00007fff29260440 .text C:\Windows\System32\SettingSyncHost.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00007ffea913c1e0 5 bytes JMP 00007fff29260260 .text C:\Windows\System32\SettingSyncHost.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00007ffea913c1f0 5 bytes JMP 00007fff29260270 .text C:\Windows\System32\SettingSyncHost.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00007ffea913c210 5 bytes JMP 00007fff29260400 .text C:\Windows\System32\SettingSyncHost.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ffea913c3f0 5 bytes JMP 00007fff292601f0 .text C:\Windows\System32\SettingSyncHost.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00007ffea913c400 5 bytes JMP 00007fff29260210 .text C:\Windows\System32\SettingSyncHost.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ffea913c490 5 bytes JMP 00007fff29260200 .text C:\Windows\System32\SettingSyncHost.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00007ffea913c500 5 bytes JMP 00007fff29260420 .text C:\Windows\System32\SettingSyncHost.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00007ffea913c510 5 bytes JMP 00007fff29260430 .text C:\Windows\System32\SettingSyncHost.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ffea913c520 5 bytes JMP 00007fff29260220 .text C:\Windows\System32\SettingSyncHost.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00007ffea913c630 5 bytes JMP 00007fff29260280 .text C:\Windows\system32\taskhost.exe[6304] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00007ffea913ac30 5 bytes JMP 00007fff29260460 .text C:\Windows\system32\taskhost.exe[6304] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00007ffea913ac80 5 bytes JMP 00007fff29260450 .text C:\Windows\system32\taskhost.exe[6304] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00007ffea913ade0 1 byte JMP 00007fff29260370 .text C:\Windows\system32\taskhost.exe[6304] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 2 00007ffea913ade2 3 bytes {JMP 0xffffffff80125590} .text C:\Windows\system32\taskhost.exe[6304] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00007ffea913ae30 5 bytes JMP 00007fff29260470 .text C:\Windows\system32\taskhost.exe[6304] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ffea913ae40 5 bytes JMP 00007fff292603e0 .text C:\Windows\system32\taskhost.exe[6304] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00007ffea913aef0 5 bytes JMP 00007fff29260320 .text C:\Windows\system32\taskhost.exe[6304] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffea913af20 1 byte JMP 00007fff292603b0 .text C:\Windows\system32\taskhost.exe[6304] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 2 00007ffea913af22 3 bytes {JMP 0xffffffff80125490} .text C:\Windows\system32\taskhost.exe[6304] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00007ffea913af40 5 bytes JMP 00007fff29260390 .text C:\Windows\system32\taskhost.exe[6304] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00007ffea913af80 5 bytes JMP 00007fff292602e0 .text C:\Windows\system32\taskhost.exe[6304] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00007ffea913b000 5 bytes JMP 00007fff292602d0 .text C:\Windows\system32\taskhost.exe[6304] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00007ffea913b020 5 bytes JMP 00007fff29260310 .text C:\Windows\system32\taskhost.exe[6304] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00007ffea913b060 5 bytes JMP 00007fff292603c0 .text C:\Windows\system32\taskhost.exe[6304] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00007ffea913b0b0 5 bytes JMP 00007fff292603f0 .text C:\Windows\system32\taskhost.exe[6304] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00007ffea913b210 5 bytes JMP 00007fff29260230 .text C:\Windows\system32\taskhost.exe[6304] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ffea913b400 5 bytes JMP 00007fff29260480 .text C:\Windows\system32\taskhost.exe[6304] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00007ffea913b430 5 bytes JMP 00007fff292603a0 .text C:\Windows\system32\taskhost.exe[6304] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ffea913b550 5 bytes JMP 00007fff292602f0 .text C:\Windows\system32\taskhost.exe[6304] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00007ffea913b570 5 bytes JMP 00007fff29260350 .text C:\Windows\system32\taskhost.exe[6304] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00007ffea913b5e0 5 bytes JMP 00007fff29260290 .text C:\Windows\system32\taskhost.exe[6304] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ffea913b670 5 bytes JMP 00007fff292602b0 .text C:\Windows\system32\taskhost.exe[6304] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffea913b690 5 bytes JMP 00007fff292603d0 .text C:\Windows\system32\taskhost.exe[6304] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00007ffea913b6a0 1 byte JMP 00007fff29260330 .text C:\Windows\system32\taskhost.exe[6304] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00007ffea913b6a2 3 bytes {JMP 0xffffffff80124c90} .text C:\Windows\system32\taskhost.exe[6304] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00007ffea913b750 5 bytes JMP 00007fff29260410 .text C:\Windows\system32\taskhost.exe[6304] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00007ffea913b780 5 bytes JMP 00007fff29260240 .text C:\Windows\system32\taskhost.exe[6304] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00007ffea913baa0 5 bytes JMP 00007fff292601e0 .text C:\Windows\system32\taskhost.exe[6304] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00007ffea913bb60 5 bytes JMP 00007fff29260250 .text C:\Windows\system32\taskhost.exe[6304] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00007ffea913bb90 5 bytes JMP 00007fff29260490 .text C:\Windows\system32\taskhost.exe[6304] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00007ffea913bba0 5 bytes JMP 00007fff292604a0 .text C:\Windows\system32\taskhost.exe[6304] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00007ffea913bbd0 5 bytes JMP 00007fff29260300 .text C:\Windows\system32\taskhost.exe[6304] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00007ffea913bbe0 5 bytes JMP 00007fff29260360 .text C:\Windows\system32\taskhost.exe[6304] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00007ffea913bc40 5 bytes JMP 00007fff292602a0 .text C:\Windows\system32\taskhost.exe[6304] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00007ffea913bc90 5 bytes JMP 00007fff292602c0 .text C:\Windows\system32\taskhost.exe[6304] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00007ffea913bcc0 5 bytes JMP 00007fff29260380 .text C:\Windows\system32\taskhost.exe[6304] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00007ffea913bcd0 5 bytes JMP 00007fff29260340 .text C:\Windows\system32\taskhost.exe[6304] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00007ffea913bfe0 5 bytes JMP 00007fff29260440 .text C:\Windows\system32\taskhost.exe[6304] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00007ffea913c1e0 5 bytes JMP 00007fff29260260 .text C:\Windows\system32\taskhost.exe[6304] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00007ffea913c1f0 5 bytes JMP 00007fff29260270 .text C:\Windows\system32\taskhost.exe[6304] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00007ffea913c210 5 bytes JMP 00007fff29260400 .text C:\Windows\system32\taskhost.exe[6304] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ffea913c3f0 5 bytes JMP 00007fff292601f0 .text C:\Windows\system32\taskhost.exe[6304] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00007ffea913c400 5 bytes JMP 00007fff29260210 .text C:\Windows\system32\taskhost.exe[6304] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ffea913c490 5 bytes JMP 00007fff29260200 .text C:\Windows\system32\taskhost.exe[6304] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00007ffea913c500 5 bytes JMP 00007fff29260420 .text C:\Windows\system32\taskhost.exe[6304] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00007ffea913c510 5 bytes JMP 00007fff29260430 .text C:\Windows\system32\taskhost.exe[6304] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ffea913c520 5 bytes JMP 00007fff29260220 .text C:\Windows\system32\taskhost.exe[6304] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00007ffea913c630 5 bytes JMP 00007fff29260280 .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[5476] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00007ffea913ac30 5 bytes JMP 00007fff29260460 .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[5476] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00007ffea913ac80 5 bytes JMP 00007fff29260450 .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[5476] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00007ffea913ade0 1 byte JMP 00007fff29260370 .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[5476] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 2 00007ffea913ade2 3 bytes {JMP 0xffffffff80125590} .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[5476] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00007ffea913ae30 5 bytes JMP 00007fff29260470 .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[5476] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ffea913ae40 5 bytes JMP 00007fff292603e0 .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[5476] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00007ffea913aef0 5 bytes JMP 00007fff29260320 .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[5476] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffea913af20 1 byte JMP 00007fff292603b0 .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[5476] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 2 00007ffea913af22 3 bytes {JMP 0xffffffff80125490} .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[5476] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00007ffea913af40 5 bytes JMP 00007fff29260390 .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[5476] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00007ffea913af80 5 bytes JMP 00007fff292602e0 .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[5476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00007ffea913b000 5 bytes JMP 00007fff292602d0 .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[5476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00007ffea913b020 5 bytes JMP 00007fff29260310 .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[5476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00007ffea913b060 5 bytes JMP 00007fff292603c0 .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[5476] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00007ffea913b0b0 5 bytes JMP 00007fff292603f0 .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[5476] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00007ffea913b210 5 bytes JMP 00007fff29260230 .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[5476] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ffea913b400 5 bytes JMP 00007fff29260480 .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[5476] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00007ffea913b430 5 bytes JMP 00007fff292603a0 .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[5476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ffea913b550 5 bytes JMP 00007fff292602f0 .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[5476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00007ffea913b570 5 bytes JMP 00007fff29260350 .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[5476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00007ffea913b5e0 5 bytes JMP 00007fff29260290 .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[5476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ffea913b670 5 bytes JMP 00007fff292602b0 .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[5476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffea913b690 5 bytes JMP 00007fff292603d0 .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[5476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00007ffea913b6a0 1 byte JMP 00007fff29260330 .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[5476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00007ffea913b6a2 3 bytes {JMP 0xffffffff80124c90} .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[5476] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00007ffea913b750 5 bytes JMP 00007fff29260410 .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[5476] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00007ffea913b780 5 bytes JMP 00007fff29260240 .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[5476] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00007ffea913baa0 5 bytes JMP 00007fff292601e0 .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[5476] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00007ffea913bb60 5 bytes JMP 00007fff29260250 .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[5476] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00007ffea913bb90 5 bytes JMP 00007fff29260490 .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[5476] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00007ffea913bba0 5 bytes JMP 00007fff292604a0 .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[5476] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00007ffea913bbd0 5 bytes JMP 00007fff29260300 .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[5476] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00007ffea913bbe0 5 bytes JMP 00007fff29260360 .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[5476] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00007ffea913bc40 5 bytes JMP 00007fff292602a0 .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[5476] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00007ffea913bc90 5 bytes JMP 00007fff292602c0 .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[5476] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00007ffea913bcc0 5 bytes JMP 00007fff29260380 .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[5476] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00007ffea913bcd0 5 bytes JMP 00007fff29260340 .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[5476] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00007ffea913bfe0 5 bytes JMP 00007fff29260440 .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[5476] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00007ffea913c1e0 5 bytes JMP 00007fff29260260 .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[5476] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00007ffea913c1f0 5 bytes JMP 00007fff29260270 .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[5476] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00007ffea913c210 5 bytes JMP 00007fff29260400 .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[5476] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ffea913c3f0 5 bytes JMP 00007fff292601f0 .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[5476] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00007ffea913c400 5 bytes JMP 00007fff29260210 .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[5476] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ffea913c490 5 bytes JMP 00007fff29260200 .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[5476] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00007ffea913c500 5 bytes JMP 00007fff29260420 .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[5476] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00007ffea913c510 5 bytes JMP 00007fff29260430 .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[5476] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ffea913c520 5 bytes JMP 00007fff29260220 .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[5476] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00007ffea913c630 5 bytes JMP 00007fff29260280 .text C:\Windows\System32\alg.exe[9164] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00007ffea913ac30 5 bytes JMP 00007fff29260460 .text C:\Windows\System32\alg.exe[9164] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00007ffea913ac80 5 bytes JMP 00007fff29260450 .text C:\Windows\System32\alg.exe[9164] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00007ffea913ade0 1 byte JMP 00007fff29260370 .text C:\Windows\System32\alg.exe[9164] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 2 00007ffea913ade2 3 bytes {JMP 0xffffffff80125590} .text C:\Windows\System32\alg.exe[9164] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00007ffea913ae30 5 bytes JMP 00007fff29260470 .text C:\Windows\System32\alg.exe[9164] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ffea913ae40 5 bytes JMP 00007fff292603e0 .text C:\Windows\System32\alg.exe[9164] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00007ffea913aef0 5 bytes JMP 00007fff29260320 .text C:\Windows\System32\alg.exe[9164] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffea913af20 1 byte JMP 00007fff292603b0 .text C:\Windows\System32\alg.exe[9164] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 2 00007ffea913af22 3 bytes {JMP 0xffffffff80125490} .text C:\Windows\System32\alg.exe[9164] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00007ffea913af40 5 bytes JMP 00007fff29260390 .text C:\Windows\System32\alg.exe[9164] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00007ffea913af80 5 bytes JMP 00007fff292602e0 .text C:\Windows\System32\alg.exe[9164] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00007ffea913b000 5 bytes JMP 00007fff292602d0 .text C:\Windows\System32\alg.exe[9164] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00007ffea913b020 5 bytes JMP 00007fff29260310 .text C:\Windows\System32\alg.exe[9164] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00007ffea913b060 5 bytes JMP 00007fff292603c0 .text C:\Windows\System32\alg.exe[9164] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00007ffea913b0b0 5 bytes JMP 00007fff292603f0 .text C:\Windows\System32\alg.exe[9164] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00007ffea913b210 5 bytes JMP 00007fff29260230 .text C:\Windows\System32\alg.exe[9164] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ffea913b400 5 bytes JMP 00007fff29260480 .text C:\Windows\System32\alg.exe[9164] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00007ffea913b430 5 bytes JMP 00007fff292603a0 .text C:\Windows\System32\alg.exe[9164] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ffea913b550 5 bytes JMP 00007fff292602f0 .text C:\Windows\System32\alg.exe[9164] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00007ffea913b570 5 bytes JMP 00007fff29260350 .text C:\Windows\System32\alg.exe[9164] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00007ffea913b5e0 5 bytes JMP 00007fff29260290 .text C:\Windows\System32\alg.exe[9164] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ffea913b670 5 bytes JMP 00007fff292602b0 .text C:\Windows\System32\alg.exe[9164] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffea913b690 5 bytes JMP 00007fff292603d0 .text C:\Windows\System32\alg.exe[9164] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00007ffea913b6a0 1 byte JMP 00007fff29260330 .text C:\Windows\System32\alg.exe[9164] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00007ffea913b6a2 3 bytes {JMP 0xffffffff80124c90} .text C:\Windows\System32\alg.exe[9164] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00007ffea913b750 5 bytes JMP 00007fff29260410 .text C:\Windows\System32\alg.exe[9164] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00007ffea913b780 5 bytes JMP 00007fff29260240 .text C:\Windows\System32\alg.exe[9164] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00007ffea913baa0 5 bytes JMP 00007fff292601e0 .text C:\Windows\System32\alg.exe[9164] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00007ffea913bb60 5 bytes JMP 00007fff29260250 .text C:\Windows\System32\alg.exe[9164] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00007ffea913bb90 5 bytes JMP 00007fff29260490 .text C:\Windows\System32\alg.exe[9164] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00007ffea913bba0 5 bytes JMP 00007fff292604a0 .text C:\Windows\System32\alg.exe[9164] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00007ffea913bbd0 5 bytes JMP 00007fff29260300 .text C:\Windows\System32\alg.exe[9164] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00007ffea913bbe0 5 bytes JMP 00007fff29260360 .text C:\Windows\System32\alg.exe[9164] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00007ffea913bc40 5 bytes JMP 00007fff292602a0 .text C:\Windows\System32\alg.exe[9164] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00007ffea913bc90 5 bytes JMP 00007fff292602c0 .text C:\Windows\System32\alg.exe[9164] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00007ffea913bcc0 5 bytes JMP 00007fff29260380 .text C:\Windows\System32\alg.exe[9164] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00007ffea913bcd0 5 bytes JMP 00007fff29260340 .text C:\Windows\System32\alg.exe[9164] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00007ffea913bfe0 5 bytes JMP 00007fff29260440 .text C:\Windows\System32\alg.exe[9164] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00007ffea913c1e0 5 bytes JMP 00007fff29260260 .text C:\Windows\System32\alg.exe[9164] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00007ffea913c1f0 5 bytes JMP 00007fff29260270 .text C:\Windows\System32\alg.exe[9164] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00007ffea913c210 5 bytes JMP 00007fff29260400 .text C:\Windows\System32\alg.exe[9164] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ffea913c3f0 5 bytes JMP 00007fff292601f0 .text C:\Windows\System32\alg.exe[9164] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00007ffea913c400 5 bytes JMP 00007fff29260210 .text C:\Windows\System32\alg.exe[9164] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ffea913c490 5 bytes JMP 00007fff29260200 .text C:\Windows\System32\alg.exe[9164] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00007ffea913c500 5 bytes JMP 00007fff29260420 .text C:\Windows\System32\alg.exe[9164] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00007ffea913c510 5 bytes JMP 00007fff29260430 .text C:\Windows\System32\alg.exe[9164] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ffea913c520 5 bytes JMP 00007fff29260220 .text C:\Windows\System32\alg.exe[9164] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00007ffea913c630 5 bytes JMP 00007fff29260280 .text C:\Program Files (x86)\VMware\VMware Workstation\x64\vmware-vmx.exe[6724] C:\Windows\system32\KERNEL32.DLL!RegLoadMUIStringW + 7 00007ffea705d1f3 8 bytes [60, 35, 29, 61, F6, 7F, 00, ...] .text C:\Program Files (x86)\VMware\VMware Workstation\x64\vmware-vmx.exe[6724] C:\Windows\system32\KERNEL32.DLL!RegOpenUserClassesRoot 00007ffea705d1fc 6 bytes {JMP QWORD [RIP-0xf]} .text C:\Program Files (x86)\VMware\VMware Workstation\x64\vmware-vmx.exe[6724] C:\Windows\system32\ADVAPI32.dll!RegLoadMUIStringA + 7 00007ffea788d66b 8 bytes [60, 35, 29, 61, F6, 7F, 00, ...] .text C:\Program Files (x86)\VMware\VMware Workstation\x64\vmware-vmx.exe[6724] C:\Windows\system32\ADVAPI32.dll!RegOpenUserClassesRoot 00007ffea788d674 6 bytes {JMP QWORD [RIP-0xf]} .text C:\Program Files (x86)\VMware\VMware Workstation\x64\vmware-vmx.exe[6724] C:\Windows\system32\psapi.dll!GetModuleBaseNameA + 506 00007ffea782169a 4 bytes [82, A7, FE, 7F] .text C:\Program Files (x86)\VMware\VMware Workstation\x64\vmware-vmx.exe[6724] C:\Windows\system32\psapi.dll!GetModuleBaseNameA + 514 00007ffea78216a2 4 bytes [82, A7, FE, 7F] .text C:\Program Files (x86)\VMware\VMware Workstation\x64\vmware-vmx.exe[6724] C:\Windows\system32\psapi.dll!QueryWorkingSet + 118 00007ffea782181a 4 bytes [82, A7, FE, 7F] .text C:\Program Files (x86)\VMware\VMware Workstation\x64\vmware-vmx.exe[6724] C:\Windows\system32\psapi.dll!QueryWorkingSet + 142 00007ffea7821832 4 bytes [82, A7, FE, 7F] ---- Threads - GMER 2.1 ---- Thread C:\Windows\system32\csrss.exe [624:8100] fffff960008e3b90 ---- Disk sectors - GMER 2.1 ---- Disk \Device\Harddisk0\DR0 unknown MBR code ---- EOF - GMER 2.1 ----